Slashdot Mirror


Wells Fargo Web-Enables ATMs

smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""

34 of 576 comments

  1. was a change required? by Frogmum · · Score: 5, Interesting

    What was wrong with OS/2 atms?

    1. Re:was a change required? by Anonymous Coward · · Score: 4, Interesting

      http://en.wikipedia.org/wiki/OS/2

      The collaboration between IBM and Microsoft unravelled in 1990, between the releases of Windows 3.0 and OS/2 1.3. The increasing popularity of Windows prompted Microsoft to shift its development focus from OS/2, and IBM grew concerned about delays in development of OS/2 2.0. Initially, the companies agreed that IBM would take over maintenance of OS/2 1.0 and development of OS/2 2.0, while Microsoft would continue development of OS/2 3.0, then known as "NT OS/2". However, Microsoft decided to recast NT OS/2 as Windows NT, leaving all future OS/2 development to IBM. Windows NT's OS/2 heritage can be seen in its initial support for the HPFS filesystem (although write support was dropped in Windows NT 4.0 and read support was dropped in Windows 2000) and text mode OS/2 1.x applications (support dropped in Windows XP).

      So they basically upgraded to a newer version of OS/2 in a weird twisted Microsoft sort of way.

    2. Re:was a change required? by shaitand · · Score: 4, Interesting

      "The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer."

      Yeah but do you REALLY want a feature that allows unqualified individuals to modify the interface of ATM machines? Isn't that something you want the bar set a little higher on?

    3. Re:was a change required? by The_Dougster · · Score: 4, Interesting
      The BOFH hates OS/2, and you DON'T want to make him mad.

      If the BOFH had done this job, he would have had Wells-Fargo purchase a super-deluxe QNX licensing contract, then he would have installed BSD on the machines and pocketed the change.

      Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box.

      I think that Wells-Fargo should have used QNX, and now whoever made the decision is probably going to pay. Windows on an ATM connected to the internet is pretty damn frightening. Time to withdraw all my zorkmids out of the bank and stuff it under the mattress.

      --
      Clickety Click ...
    4. Re:was a change required? by EnronHaliburton2004 · · Score: 1, Interesting

      you spend $$ sending humans out to the site rather than just doing task 'x' from your network.

      So banks like yours and Wells Fargo are sacrificing security for a little extra profit.

      I'm sure there are plenty of crackers who will be perfectly happy to do "task 'x, y & z'" on your web-enabled, Windows machines.

      Tell me, will I need to pay a $20 convenience fee to Wells Fargo every time someone breaks into a Wells Fargo ATM and steals my account information?

    5. Re:was a change required? by Rohan427 · · Score: 3, Interesting

      Your source for this bit of info?

      In addition, they couldn't go to another OS because?

      I've been contemplating changing banks for some time now (from Wells Fargo), but haven't for several reasons. This could be the straw that breaks this camel's back.

      (FYI, a few years ago I walked up to a WF ATM, started to put my card in, and noticed a M$ Dev. Studio GPF dialog asking if I wanted to debug the application or cancel!!)

      PGA

    6. Re:was a change required? by morcheeba · · Score: 2, Interesting

      That's the problem... If I were designing it, I'm not so sure I'd go with IP-based communications. I'd prefer dedicated phone lines with a simple serial protocol that is easy to make secure. Of course, there are situations where an IP-based protocol would be necessary (high traffic areas, like a grocery store), so I'd use a hard firewall like this TCP/IP-to-serial converter -- that way, if the network stack gets hacked and the processor compromised, it won't have access to the bill-spitter or the keyboard.

      Of course, there would still be the encryption and authentication... but, there won't be vulnerabilities from tcp packet reassembly, open ports, activeX, javascript, and html exploits. And, if a machine is compromised (inside job), there's no way to connect to the internet in general to report back phished data (unless the main server is also compromised, in which case, you're already in deep doo-doo).

    7. Re:was a change required? by DrXym · · Score: 2, Interesting
      Given the amount of legacy OS/2 stuff out there and IBM's push on Linux, it is a wonder that they haven't released an OS/2 emulation layer for Linux. I can understand that it might not be possible to open source everything, but to not release nothing at all and advise to use someone else's product?

      Something akin to WINE but for OS/2 with IBM's endorsement would be a useful thing. They could open source headers, specifications, internal docs and other unencumbered things to set things off.

  2. Why! by bstadil · · Score: 3, Interesting

    I RTFA and have no idea why they did this. OS/2 is not EOL'ed yet. Methinks someone did a snow job on these guys.

    --
    Help fight continental drift.
  3. Re:Yes, but... by Gilesx · · Score: 4, Interesting

    Maybe I'm wrong, but aren't they essentially the same kernel, with Embedded being a stripped down version?

    Either way, I wouldn't bet the house on the kernel and networking components of XP being free from holes and possible exploits, Embedded or otherwise...

    --
    Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
  4. Netscape by danimrich · · Score: 4, Interesting

    A couple of weeks ago I saw an ATM that had crashed. It was running Netscape on some version of Windows.
    Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.

    --
    where's all that Karma?
  5. Re:Yes, but... by MImeKillEr · · Score: 1, Interesting

    Are you implying that a Gartner analyst may not know what they're talking about?

    That would certainly be a first.


    Hardly.

    Just because analysts see how past trends have fallen doesn't mean they're 100% on mark 100% of the time. That'd be like saying O'Reilly isn't a lying, bigoted windbag because he's managed to get a few lucky hits when he's bullying his "guests" in his 'No Spin Zone'. All the while telling them to shut up or he'll kick their asses and then later lying about it when confronted with the evidence.

    To drag myself back on topic - this is completely stupid. OS/2? Uhm, it has an IP stack that's more compliant than MS' (read: follows the RFCs) and last I checked was capable of connecting to the internet just fine (I should know, I used to work L2 IP/MPTS support @ IBM).

    Way to go Wells Fargo. I certainly hope your ATMs get hacked and you lose a shitload of customers over this.

    --
    Cruising the internet on my TI-99/4A @ a whopping 300 baud!
  6. s-l-o-w ATM keypad by anadem · · Score: 5, Interesting

    Am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?

    After I enter my PIN, the beep sound and the asterisk that's displayed take so long that I think I've miskeyed, so press again, getting a double entry which I have to cancel and slowly and carefully retry.

    Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.

    1. Re:s-l-o-w ATM keypad by Scrameustache · · Score: 2, Interesting

      Am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?

      I dunno the make of the new ATMs around here, but you are not alone.

      It is incredibly annoying to have the "beep" of a pressed key come as I'm one or two keypresses further along. I have to stop and wait for all the beeps to catch up, look closely at the screen, make sure it's all ok. Very, very annoying. I'm thinking of changing banks just to save me the frustration.

      --

      You can't take the sky from me...

  7. My ATM had crashed - UK by Anonymous Coward · · Score: 5, Interesting

    I went to the hole in the wall (ATM) and it was displaying a windows taskbar, a dos window with some process running with a dos full stop sequence progress meter and another McAfee window - I asked in the bank and they said it had been on and off all morning and an "engineer" was trying to fix it.

    I remember a /. article on UK banks going over to windoze but I never thought I'd see the day.

    Was I ever laughing.

    I wonder if my atm card has a virus by now. ;-)

    PS It was Bank of Scotland

    Well I guess an OS and their money are easily restarted.

    1. Re:My ATM had crashed - UK by gibbsjoh · · Score: 2, Interesting

      I've seen this a few times, twice in the past few months at the Nationwide in Langley, Berks.. it was Windows NT IIRC.

      --
      -- "...I'm a bad guy because I, well, I sing some rock-and-roll songs." M. Manson
    2. Re:My ATM had crashed - UK by Cerv · · Score: 2, Interesting

      PS It was Bank of Scotland
      I've seen a BSOD on one of their machines before. Annoying since the branch was closed and the nearest other machine was in completely the opposite direction to where I was going.

      --
      sig
    3. Re:My ATM had crashed - UK by Iason Baldes · · Score: 3, Interesting

      My friend had an ATM crash on him while he was withdrawing money (this wasn't one near a bank, it was in front of the cinema). He called the company that ran the ATM and was informed that they no longer handled maintenance. One phone call later he was told that a person might be there the next day to fix it. He never got his card back. I guess he learnt his lesson of not typing 1337 into ATMs.

  8. os/2 everywhere by Lys0l · · Score: 5, Interesting

    I used to work for IBM in OS/2 TCP/IP support. People would be amazed at how much OS/2 is still out there. Banking, industry, CIA, NSA, Vatican Bank, etc. Heart/Lung machines, ATM machines and the machines that make Fritos. When OS/2 went down at Frito-Lay, no more Fritos...not good times. I'm sad to see it go, it was great for apps such as these.

  9. New services by cgenman · · Score: 2, Interesting

    The Windows-based infrastructure is designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely.

    Umm... Wouldn't envelope-free deposits require an on-site hardware shift anyway? That is, unless Windows Embedded now runs rapid prototype machinery.

    Sounds like they're running WtFXML.

  10. dear mother of god! by CAIMLAS · · Score: 1, Interesting

    Windows-based, web-enabled (does this mean on a public network?) ATMs.

    Dear God. The shit has hit the fan. Head for the hills!

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  11. well.. by bigattichouse · · Score: 2, Interesting

    now they'll finally test the old adage "No one ever got fired for choosing Microsoft".. when someone gets really fired for choosing Microsoft. Wonder if they'll hold MS responsible for security breaches?

    --
    meh
  12. Half is nearly all? by 4Lancer.net · · Score: 2, Interesting

    "The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations."

    How is it that less than half is considered nearly all? Or are they stretching their ATMs so that it is so large that it is physically touching more than one branch, or just building branches next to each other and throwing an ATM in between?

    The math is appalling.

    --
    All your searching needs (and free money!) - 4Lancer.net
  13. Re:Just what I want.... by MerlinTheWizard · · Score: 2, Interesting

    Unfortunately, this might very well be the future of ATMs (only a bit exaggerated, but maybe not by much). Ad-sponsored ATMs are not that out of the question. So, instead of a "cute" logo from the bank, you might, in some future, be seeing a few ads while drawing some cash. Of course, the ATM vendor will claim to the banks that their system is totally secure and cannot be hijacked. We all know what that means.

  14. Re:Yet somehow, it does. by Deviate_X · · Score: 2, Interesting

    The implications here are grave and important. Additionally, what should be questioned is:

    For how many years have ATM terminals been exposed to the entire internet? The 2003 nachi worm exposed the fact that important financial networks have been susceptible to exploitation for a long time.

    It's the more embarrassing to realize that none of the so-called Analysts, Gartner Analysts (a $9 billion advice giving outfit), or so-called security experts, who now have the gall to pontificate (http://www.securityfocus.com/), had anything useful to say prior.

    No it took some script-kiddy with too much time on her hands to post a worm to mirc networks (perhaps) to bring the real issue to the fore.

    The dangerous ones are not the worm writing script-kiddies, it's the smart ones who notice the vulnerability and exploit them quietly.

    Simply: Prior to nachi, no one can account for what went on [skimmer], except that your accounts were unsafe and exposed, after nachi you at least have the opportunity to know it.

  15. Re:Yes, but... by Baricom · · Score: 4, Interesting

    TFA says these ATMs are web-based and Windows-based. That means they are almost certainly running the same rendering engine as Internet Explorer.

    I wouldn't trust Firefox in an ATM, let alone Internet Explorer. If my bank of choice starts deploying these in large quantities (they're around, but less prevalent than the old kind), I will run, not walk, to the competition.

  16. Re:Yes, but... by shaitand · · Score: 4, Interesting

    On another point, HTML and TCP/IP are HEAVILY stress tested. There are flaws but they are known and everybody and their dog has had a chance to work out flaws with them.

    The greatest possibility for one of these to get hacked is that the one admin is not really familiar with the system and makes a mistake on setup that leaves things functional but insecure. With HTML and TCP/IP the admin is more likely to be familiar and less likely to make a mistake with the system.

    "I don't know what my bank's ATMs run as their operating system, and that's a good thing because it means the bad guys may not, either."

    The bad guys know in detail how the circuit processes the image of a dollar bill in a change machine so they can fool it. Do you? Of course not, they know because they have no scruples and they want to know.

    Microsoft spends hundreds of billions of dollars writing custom and obscure protocols, deliberately designing every aspect of systems far more complex than these to be difficult to reverse engineer. It is the ultimate example of security through obscurity. And with MS it is what, 3-4yrs tops for their interfaces to be reverse engineered by hackers?

    You trust obscurity. I'll take a system that is easy to set up properly; is built on tried, true, tested, and stable technology (windows meets none of these criteria embedded or not); and requires a bad guy to get past someone with a gun to get to the wire. If the bank wants to remote admin that is fine, they better use fiber links with quantum encryption, otherwise the cost is needed.

    I was once the technician at a small consulting firm trying to explain to a bank manager that he shouldn't have the network the bank terminals are on connected to the web and that a bank really should get something a tad more secure than norton internet security on their internet connection. In the end the bank just wanted something that said intrusion detection on the label to get the bank inspector off their back.

  17. And then the ATM ate my card.... by jeffroe · · Score: 4, Interesting

    What a timely post! Today I got back from a week long contract job and went to deposit some checks at the bank. Well, the local Wells Fargo closes at 4pm and I just missed it by about 10 minutes, so I went to deposit in the ATM. I inserted my card as instructed and voila, a nice windows fatal error message requiring me to click OK, but of course no mouse to click the button with and the Green enter button does nothing. In fact, none of the buttons did anything. Eventually, the ATM rebooted itself and came up with a nice "This ATM is out of service." message, and of course kept my card. So, I called Wells Fargo customer service to find out how long it would take to replace my business ATM card and it's 7-10 business days!!! Ouch! Why exactly am I paying for a business account when I get the same service as for my personal checking account? I don't know. *sigh*

  18. Re:Yes, but... by Rohan427 · · Score: 2, Interesting

    The NT kernel is an unstable POS (tell all the admins out there that have spent many a weekend re-booting locked NT machines it's a lean kernel that rivals Linux). I would certainly not call it secure nor even close to rivaling the Linux (or any other modern) kernel.

    In addition, the NT kernel has far more lines of code than the Linux kernel (as does any Windows kernel since), embedded Windows is essentially the same as desktop Windows with fewer bells and whistles. The fact that the ATM system is written using a combination of C++, MFC, and uses a Web interface (which strongly implies embedded IE), makes the entire thing a cyber-bomb waiting to go off.

    That decides it for me. Time to research a new bank, and if there aren't any that don't use Windows based ATMs, then I won't use ATMs.

    PGA

  19. It's the mainframe attitude... by HockeyPuck · · Score: 2, Interesting

    If it ain't broken, don't fix it. If an OS/2 based laptop is getting the job done, and there is no value add or return on your investment in running a windows/linux on these laptops... is it really worth it? Plus remember, when a new version of Z/OS comes out, it must support ALL the features of previous versions... the ultimate in backwards compatibility.

    These laptops run Communications Manager which in some of its abilities can emulate a 3270 terminal.. (yeah tn3270 does the same thing...)

  20. The real question is how secure are the VPN boxes? by barfy · · Score: 2, Interesting

    Presumably the ATM/Windows XP part of the box is *not* connected directly to the network. That there is a VPN box/pair between the ATM and the home networks...

    ATM -- VPN -- Internet -- VPN -- Wells Fargo

    So the real question is how secure are THOSE boxes...

  21. So, this is what we have come to. by CastrTroy · · Score: 2, Interesting

    The ATM makers are making themselves obsolete. By providing low security publicly accessible terminals running windows, they've made them less secure than your home computer doing internet banking. Because, at least when it's in your house, you can do some due diligence in ensuring that your computer is secure. The only reason for ATMs is for getting money. Which is of minimal importance when just about everyone accepts bank cards for payment. You could even visit the bank once a week and take out cash for those smaller transactions where you can't use the bank card.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  22. Finnish ATMs run NT4 by rsmeds · · Score: 2, Interesting

    The Otto-ATMs in Finland have been running Windows NT 4 for years. AFAIK, the UI itself is a Java-applet running in Internet Explorer.

    And yes, I've seen the IE on them crash, leaving the standard NT4 desktop, error dialog, and a command prompt window.

    Scary.

  23. take a penny, leave a penny by Anonymous Coward · · Score: 1, Interesting

    This fits right in with the rigid Wells Fargos "take a penny, leave a penny" company policy.

    (truthy) not long after refinancing w/ WF, we got a letter saying our mortgage records were on a laptop that was stolen from WF and would we like to buy mortgage insurance to prevent fraud ?
    yeah - sure. riiiiiight.

    Mmmmmm - That's mighty good bungling Wells Fargo !