Wells Fargo Web-Enables ATMs
smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""
"We want to make sure our ATMs are integrated with every other channel so when I do a deposit in a [branch] I want to be able to go to [an] ATM immediately and see that deposit"
I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of its OS.
This is not a great move. Try and search for OS/2 exploits even with Google. You're not going to find tons. I sure don't want to use an ATM running Windows and IE where someone can use the security exploit(s) of the month on it.
Search on Windows security exploits and display the results and oh... darn I hope this gets submitted because my browser crashed when all the results came back.
IBM has been discouraging people from using OS/2 for a while, and will certainly EOL it as soon as people stop paying the legacy support contracts. I can't imagine why someone would want to build a new product on it.
Whenever I hear the word 'Innovation', I reach for my pistol.
So you are saying that Microsoft has no problems making the embedded version secure and they introduce the holes in XP just for fun? I fail to see how Microsoft's track record should make me go "Ohhh, it's the *embedded* version. In that case I trust your security completely!"
I nominate "The Windows-based infrastructure enables remote upgrades" as the loaded statement of the year. Anybody care to take a guess as to who will be writing "upgrades" for these things?
Just because one has security issues does not mean the other will too.
We are talking about the same Microsoft here? Big company, based in Redmond, convicted monopolist? Just checking.
So.... we can either use an OS that we KNOW has security problems, or we can use one that MIGHT have security problems. We can use an OS famous for crashes and instability (BMW's iDrive?) and limited platform availability, or one which runs solidly and reliably on damn near any hardware we want. We can use an OS whose source code is a secret and which we cannot review or analyze, or we can use an OS whose source code is completely open and available for review. We can use an OS who has lost a major IP lawsuit and is hoping to win on appeal (EOLAS v. Microsoft, which I frankly hope MS wins) or an OS which is on the verge of winning a major IP lawsuit and crushing the litigious bastards who filed it out of existence (SCO). Or we could use a BSD.
In any case, it's hard to justify the use of any flavor of Windows on technical grounds. Not when security is a primary concern, which it is if the ATMs are handling MY money. But when were technical issues ever the deciding factor? No, it'll be some PHB who doesn't understand or care about the tech who makes the decision based on some saleshole stroking him/her just right...
Of course, that's just my opinion.
That is not a real robot movement!
They're going to use Windows Embedded, not Windows XP. Two completely different code bases.
Hell, at this point I don't care whether or not it runs Windows, it's the "web enabled" part that scares me.
Since the vast bulk of security "problems" in XP come from end users downloading and installing spyware, I'm not sure why XP would be a problem in itself...
The NT kernel is a very lean kernel, rivaling the Linux kernel in many aspects. Both kernels have very few security and stability issues, although how secure and stable the system is doesn't depend entirely on the kernel, but on what is on top of the kernel (for the most part).
Internet Explorer has very many security holes, but what makes them lethal is that they're tied right into kernel functions.
The big reason for the change, as far as I can see, is to allow advertising and force a primary GUI input. The big thing is the advertising when you drive up, the advertising when you wait for your money, and the advertising when you leave.
The other thing is the touch screens, which often get borked. I push my finger and nothing happens. I understand that they may be more reliable than the old soft buttons, but really.
I am sure the key selling point was the propaganda. It would be a shame not to fully utilize the customer's time when said customer was a captive audience. It is fully justified because the customer does not have to use the ATM, the customer can just go to a teller!
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
For how many years have ATM terminals been exposed to the entire internet?
Well, they weren't exposed to the entire internet. They were on a VPN. Such ATMs are always put on a VPN. But that's the fun part, because the VPN apparently had holes in it.
In other words-- at least this was the theory discussed at the time-- the ATMs had been put on a VPN so that they were inaccessible to the outside world. But other bank computers were apparently allowed in the same VPN. And somehow the Nachi worm got inside the VPN, at which point it was free to infect the ATMs...
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
There's a Wells Fargo ATM close to where I work, not inside a bank, and the guy who puts the money in it is always accompanied by an armed guard.
I wouldn't trust a bank that had an untrained teller doing that.
Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.
What bank do you work for? I want to be sure that I don't have any accounts with it.
Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.
Second, it proves that there's no kind of high-availability, hardware watchdog, or other automagic restart system. These are minimal boxes, not solidly-built ones.
Third, it proves that the interest is in producing the most ATMs at the lowest initial cost, not in producing the best ATMs for the best long-term cost.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch?
They're from Diebold. Enough reason to switch right there.
Well what are the options of a linux solution to this? Can embedded linux be used ATM? Is it reliable enough... if they were willing to make the switch between OS/2 to Windows why not look at OS/2 to Linux?
Oh god, not another one.
In 2005, you should not have a perceptible delay between keypress and a simple ack. response like putting up an asterisk.
The problem, of course, is not technology. It's this god-damned "save every fraction of a penny at all costs, and fuck the customer/user!" mentality. A couple of cents more per terminal is probably all it would take to eliminate the delay, but, well, like I said, fuck the user.
I can't use Comcast digital cable boxes because of the multi-second delay before button presses react. (That one boggles the mind, I think they had to work to make it suck that bad.) It pisses me off that in the time it takes to navigate to one On Demand movie, the value of my time for the time it took to do the navigation would have been sufficient to make a snappy, responsive system. You could quite literally rack up hours spent just waiting for their interface to update in a year if you actually tried to use it (from what I gather from the way they keep dropping the price on On-Demand things, nobody does), and that says they care so little about my time that they'd rather save 5 cents.
Normally, I don't much care about "bloat" in desktop computers, I think most people bitching about it don't really understand what that "bloat" is buying them. But in the embedded space, fire away with your "bloat" accusations. The work it takes to make a machine in 2005 react more slowly than a machine from 1970, no exaggeration, boggles the mind.
Fuckers.
Generally, what you want is a known state - fully running or fully shut down. The most trivial way to do this is to have a hardware system that keeps a timer running. If the time to the next crash exceeds some pre-defined mark, you assume it is a software bug and reboot. If it happens before that mark, it is likely a hardware problem and you shut down all power and put the system into a locked-down mode.
A "better" solution would be to have a monitoring system checking sensors, memory levels, etc, maybe running occasional hardware checks. If the hardware looks flaky, it would be easy enough for such a system to notify maintenance before there is a problem, cutting downtime due to hardware issues to nearly zero.
Likewise, if the machine is idle but the OS is leaking memory like a sieve, it would be trivial for such a monitor to do a preventive reboot.
Hardware sensors are built into most lines of chips and devices. Diagnostic tests can be downloaded for free or are relatively trivial to write. Hardware watchdog cards are plentiful and you can get software ones for most Operating Systems.
I don't understand the mindset of companies that brag about great uptimes (but invariably never deliver) when it would actually work out cheaper to have uptimes that were so good, you wouldn't need to brag about them at all. An ounce of real value is always better than a pound of bullshit - unless you're planting roses, and even then horseshit is generally considered superior.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
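The two watchdog rules in the comment above (classify a crash by how soon it follows the previous one, and reboot an idle box whose free memory keeps falling), written out as an added example that is not the poster's code; the 600-second window, the 50 MB leak threshold and the sample readings are constructed values.

```python
"""Watchdog policy for an unattended terminal (added example, constructed thresholds)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Action(Enum):
    NONE = "none"
    REBOOT = "reboot"        # software fault: return to a known running state
    LOCKDOWN = "lockdown"    # suspected hardware fault: power off and stay locked down


@dataclass
class Watchdog:
    # Two crashes closer together than this (seconds) are blamed on hardware, not software.
    hw_suspect_window: float = 600.0
    # Preventive reboot when free memory on an idle box falls by more than this (bytes)
    # across the last `leak_samples` readings, each reading lower than the one before.
    leak_drop_bytes: int = 50 * 1024 * 1024
    leak_samples: int = 5
    last_crash_at: Optional[float] = None
    free_mem_history: List[int] = field(default_factory=list)

    def on_crash(self, now: float) -> Action:
        """Rule 1: a crash long after the previous one is a software bug -> reboot;
        a crash soon after the previous one is likely hardware -> lock down."""
        prev, self.last_crash_at = self.last_crash_at, now
        if prev is not None and (now - prev) < self.hw_suspect_window:
            return Action.LOCKDOWN
        return Action.REBOOT

    def on_idle_sample(self, free_mem_bytes: int) -> Action:
        """Rule 2: feed one free-memory reading taken while the terminal is idle."""
        self.free_mem_history.append(free_mem_bytes)
        if len(self.free_mem_history) < self.leak_samples:
            return Action.NONE
        window = self.free_mem_history[-self.leak_samples:]
        steadily_falling = all(b < a for a, b in zip(window, window[1:]))
        if steadily_falling and (window[0] - window[-1]) > self.leak_drop_bytes:
            self.free_mem_history.clear()   # start fresh after the reboot
            return Action.REBOOT
        return Action.NONE


if __name__ == "__main__":
    wd = Watchdog()
    print(wd.on_crash(1000.0), wd.on_crash(4600.0), wd.on_crash(4630.0))
    for mb in (500, 480, 460, 440, 420):          # constructed idle readings, in MB
        print(wd.on_idle_sample(mb * 1024 * 1024))
```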
It's "based", not "bassed" and "procedure", not "proceedure". "Acutally" I can only assume was actually supposed to be "actually". Oh, and "stand point" is one word, "standpoint". "It uses regular Windows" should be "They use regular Windows"; plurality matters. I won't even get into the structure of that sentence. "The Windows ATM actually have help screens" should be the plural "Windows ATMs", with no apostrophe since the "M" is not lowercase.
Finally, "tellers" is plural, but "teller's" is possessive, as in "hold the teller's hand", which is what I believe was what you wanted, but that will never happen if you do not treat them with the respect another human being deserves.
Language and writing are tools like any other and you are obviously, well, "undertrained".
Main reason for the change is the lack of motherboard chipset drivers for OS/2 (and also, to a lesser extent, for graphics cards).
As an ex-ATM developer: programming ATMs isn't that hard; Microsoft C v6 (creates OS/2 exes just fine) or Intel Pascal are the main languages of choice.
OS/2 Warp 4 still does the job just fine, and you'll find that OS/2 supported TCP/IP and it displays MPEGs just fine. Plus it runs quite nicely on 8/16 megs of RAM on older 386/486 processors. Plus most of these machines are 10-18 years old.
There are numerous Linux based ATMs in Spain & Germany - and a number of banks around the world that do not/will not go the Windows based route.
But getting programming resource is far easier for Windows if you want to program your ATM in VB. (Those OK/Cancel error dialog boxes are much easier to create.) If you replace the default Windows exception handler you can get rid of system and application generated exception questions (why these dialog boxes appear is beyond me, although I'm sure VB developers wouldn't even know how to scratch their ass).
Most of the Wells Fargo ATMs I've seen recently are Diebold machines.
I would imagine that Diebold was the one who made the decision to go to Windows.
Invariably, the ATMs have to talk to the bank's internal network at some point. Even over a VPN, you can have a propagation of a worm... That's how the last little inconvenience against Windows based ATMs happened. The worm got a machine on the inside of the bank's LAN and propagated to the ATMs that were Windows based, right over the VPN.
It's a big deal. If it's going to be web-based on its controls, etc., it will have exposed ports.
Simply put, Windows really, really isn't suitable to task for this sort of job. Never was. As far as Microsoft's track record shows, it never will be.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
They make ATMs don't they? And no-one else would be stupid enough to put them on a public network when it is so easy to put them on a private network like we have now. How many dollars per machine do you need to save before it offsets the PR loss when the media reports instances of your machines getting owned? I suspect they won't be saving much at all per machine by putting them on the public network. If this sort of stupidity continues those bad movies about hackers getting into systems that should never be on a public network may become reality.