Wells Fargo Web-Enables ATMs

smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMS will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""

was a change required?

[Frogmum]

What was wrong with OS/2 atms?

Re:was a change required?

The marketing people at Microsoft convinced them that .NET made everything secure!

Re:was a change required?

[ceejayoz]

No one sells 'em anymore, at least not in the quantities Wells-Fargo needs.

Re:was a change required?

Navigating around popup windows: 2 minutes of user frustration

Pressing "cancel" 10+ times to stop spyware installs: 2 minutes of user frustration

Entering pin number after someone else already pressed "ok" on spyware install: priceless

Re:was a change required?

[QMO]

The BOFH hates OS/2, and you DON'T want to make him mad.

Re:was a change required?

[Deviate_X]

IBM recommends OS/2 users migrate off OS/2 to either Linux or Windows 2000. Thats whats wrong with it, probably nothing technically (yes OS/2 developers are relics), more comercial.

Given than Wells Fargo, is a substatial entity, it would be interesting and credible to know how/why they decided to go the windows route since it is possible to maintain a large number networked Linux nodes for remote updates/admin as is cited in the article about windows.

Are windows embedded ATMs really the only game in town?

Re:was a change required?

http://en.wikipedia.org/wiki/OS/2

The collaboration between IBM and Microsoft unravelled in 1990, between the releases of Windows 3.0 and OS/2 1.3. The increasing popularity of Windows prompted Microsoft to shift its development focus from OS/2, and IBM grew concerned about delays in development of OS/2 2.0. Initially, the companies agreed that IBM would take over maintenance of OS/2 1.0 and development of OS/2 2.0, while Microsoft would continue development of OS/2 3.0, then known as "NT OS/2". However, Microsoft decided to recast NT OS/2 as Windows NT, leaving all future OS/2 development to IBM. Windows NT's OS/2 heritage can be seen in its initial support for the HPFS filesystem (although write support was dropped in Windows NT 4.0 and read support was dropped in Windows 2000) and text mode OS/2 1.x applications (support dropped in Windows XP).

So they basically upgraded to a newer version of OS/2 in a weird twisted Microsoft sort of way.

Re:was a change required?

[rsmoody]

I asked that myself when the bank I work for started upgrading our ATM's to 3DES. Some are still OS/2 but some are windows bassed. And it uses regular Windows, not embeded, it's straight Windows 2000. To tell you the truth, I acutally liked the Windows based ATM. From a stand point of having to hold the tellers hand over the phone because they are not trained properly, it makes it easier on us because the Windows ATM actually have help screens and short movie clips that can walk the undertrained (read stupid) teller through the proceedure of properly inserting a cassette of money (as if it were that difficult). The OS/2 ATMs are only character menu driven, the Windows ATM's are all graphical. The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer.

Re:was a change required?

I work for a financial services provider that has about 100 ATMs in the field. They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch? Well, first of all, Diebold does not provide NEW machines that run anything other than Windows, so if you are doing a major deployment, and you buy from Diebold, you're getting Windows. Second of all, the industry is moving to 3DES at gunpoint (that gun wielded by our friends at Visa and MasterCard) and Diebold only supports 3DES on Windows-based ATMs.
Now, it's true that you don't have to TCP/IP-connect a Windows-based ATM, you can operate it solely over SNA or SDLC or whatever you have -- but if you do you don't get all the features of the ATM, and not just the annoying things like HTML-based UI -- you don't get the handy stuff like remote management which means that you spend $$ sending humans out to the site rather than just doing task 'x' from your network.

Re:was a change required?

[mpaque]

Simply put, the OS/2 based ATMs didn't run the mission critical software that the Wells Fargo IT department felt was necessary on public access terminals, which is fundamentally what ATMs are. They require applications like Disk Defragmenter, Scandisk, Norton AV, Windows Update and Ad-Aware - none of which are available for the OS/2 platform.

In today's climate of non-stop worms, trojans and viruses, deploying an ATM with no virus removal software would be irresponsible on the part of Wells Fargo.

(With apologies to divisiontwo.com. :-)

Re:was a change required?

They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch?

They're from Diebold. Enough reason to switch right there.

Re:was a change required?

[morcheeba]

handy stuff like remote management

I think that's the problem that everyone is worried about... that all of the sudden all the machines will be "remote managed" by someone and they'll start spitting out free money. Or logging card numbers/PINs.

Re:was a change required?

[shaitand]

"The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer."

Yeah but do you REALLY want a feature that allows unqualified individuals modify the interface of ATM machines? Isn't that something you want the bar set a little higher on?

Re:was a change required?

[The_Dougster]

The BOFH hates OS/2, and you DON'T want to make him mad.

If the BOFH had done this job, he would have had Wells-Fargo purchase a super-deluxe QNX licensing contract, then he would have installed BSD on the machines and pocketed the change.

Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box.

I think that Wells-Fargo should have used QNX, and now whoever made the decision is probably going to pay. Windows on an ATM connected to the internet is pretty damn frightening. Time to withdraw all my zorkmids out of the bank and stuff it under the mattress.

Re:was a change required?

[Flywheel]

"Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box."

Try the Danis506 drivers, et even has got some SATA support. eComStation runs rather nice om my 1.8Ghz Athlon XP - Barton box, especially with the new kernel.

Re:was a change required?

[Flywheel]

Well actually OS/2 does have support for and uses a graphical user interface today - somehow it shuld be possible to add animations and graphical multicolour menus ... well I'll return to my DVD watching, on my eComStation (OS/2) box.

Re:was a change required?

[Rohan427]

Your source for this bit of info?

In addition, they couldn't go to another OS because?

I've been contemplating changing banks for some time now (from Wells Fargo), but haven't for several reasons. This could be the straw that breaks this camel's back.

(FYI, a few years ago I walked up to a WF ATM, started to put my card in, and noticed a M$ Dev. Studio GPF dialog asking if I wanted to debug the application or cancel!!)

PGA

Re:was a change required?

[ScrappyLaptop]

You know, before writing in such a condescending manner about the "stupid" tellers who don't know how to use an ATM from the backside, you might consider learning how to use the English language.

It's "based", not "bassed" and "procedure", not "proceedure". "Acutally" I can only assume was actually supposed to be "actually". Oh, and "stand point" is one word, "standpoint". "It uses regular Windows" should be "They use regular Windows"; plurality matters. I won't even get into the structure of that sentence. "The Windows ATM actually have help screens" should be the plural "Windows ATMs", with no apostrophe since the "M" is not lowercase.

Finally, "tellers" is plural, but "teller's" is possessive, as in "hold the teller's hand", which is what I believe was what you wanted, but that will never happen if you do not treat them with the respect another human being deserves.

Language and writing are tools like any other and you are obviously, well, "undertrained".

Re:was a change required?

[morcheeba]

That's the problem... If I were designing it, I'm not so sure I'd go with IP-based communications. I'd prefer dedicated phone lines with a simple serial protocol that is easy to make secure. Of course, there are situations where an IP-based protocol would be necessary (high traffic areas, like a grocery store), so I'd use a hard firewall like this TCP/IP-to-serial converter -- that way, if the network stack gets hacked and the processor compromised, it won't have access to the bill-spitter or the keyboard.

Of course, there would still be the encryption and authentication... but, there won't be vulnerabilities from tcp packet reassembly, open ports, activeX, javascript, and html exploits. And, if a machine is compromised (inside job), there's no way to connect to the internet in general to report back phished data (unless the main server is also compromised, in which case, you're already in deep doo-doo).

Re:was a change required?

[NoodleSlayer]

Most of the Wells Fargo ATMs I've seen recently, are Diebold machines.

I would imagine that Diebold was the one who made the decision to go to Windows.

Re:was a change required?

[DrXym]

Given the amount of legacy OS/2 stuff out there and IBM's push on Linux, it is a wonder that they haven't released an OS/2 emulation layer for Linux. I can understand that it might not be possible to open source everything, but to not release nothing at all and advise to use someone elses product?

Something akin to WINE but for OS/2 with IBM's endorsement would be a useful thing. They could open source headers, specifications, internal docs and other unencumbered things to set things off.

Re:was a change required?

[NoSuchGuy]

...whoever made the decision is probably going to pay...

Probably he is being payed an undisclosed sum by a Redmond based software vendor.

That's what I guess.

I thinks this guy is clever, because he has no accounts at Wells Fargo!

Just what I want....

[AtariAmarok]

...having to kill a couple dozen pop-up windows when I want to take $20 out of the ATM.

However, come to think of it, a lot of those things would look better with that Aquarium Screensaver. I think I'll click on the ok download button next time.

Re:Just what I want....

[alset_tech]

But if properly marketed....
"Open a new account to take advantage of our new patented savings-encouragement-system."

Re:Just what I want....

[johansalk]

Don't forget the card games. Playing poker against an ATM computer appeals to me. Now that's a computer I'd like to beat!

Re:Just what I want....

[MerlinTheWizard]

Unfortunately, this might very well be the future of ATMs (only a bit exxagerated, but maybe not by much). Ad-sponsored ATMs are not that out of the question. So, instead of a "cute" logo from the bank, you might, in some future, be seeing a few ads while drawing some cash. Of course, the ATM vendor will claim to the banks that their system is totally secure and cannot be hijacked. We all know what that means.

Re:Just what I want....

[mrseigen]

"Would you like to go double-or-nothing on this withdrawal?" (Yes) (No)

Re:Just what I want....

[fermion]

Which is in reality what happens. The old ATM did one thing, and did it very well. It gave you money. You put in your card, entered your pin, and completed a requested operation.

The big reason for the change, as far as I can see, it to allow advertising and force a primary GUI input. The big thing is the advertising when you drive up, the advertising when you wait for your money, and the advertising when you leave.

The other thing are the touch screens which often get borked. I push my finger and nothing happens. I understand that they may be more reliable than the old soft buttons, but realy.

I am sure the key selling point was the propoganda. It would be a same not to fully utilize the customers time when said customer was a captive audience. it is fully justified because the customer does not have to use the ATM, the customer can just go to a teller!

Yes, but...

[xeon4life]

They're going to use Windows Embedded, not Windows XP. Two completely different code bases.

Just because one has security issues does not mean the other will too.

Re:Yes, but...

[HarryCaul]

Are you implying that a Gartner analyst may not know what they're talking about?

That would certainly be a first.

Re:Yes, but...

[Gilesx]

Maybe I'm wrong, but aren't they essentially the same kernel, with Embedded being a stripped down version?

Either way, I wouldn't be the house on the kernel and networking components of XP being free from holes and possible exploits, Embedded or otherwise...

Re:Yes, but...

[marvin2k]

So you are saying that Microsoft has no problems making the embedded version secure and they introduce the holes in XP just for fun? I fail to see how Microsofts track record should make me go "Ohhh, it the *embedded* version. In that case I trust your security completely!"

Re:Yes, but...

[afidel]

Uh, no Windows XP Embedded is EXACTLY the same code base as Windows XP. It's basically a componentized version of Windows PE, much along the lines of what the community did with Bart's PE. Now if they were using Windows CE.net THEN it would be a different code base, but many DCOM components for CE.net share source code with their windows counterparts so running on x86 hardware means that many of the same exploits may exist. Now if Wells Fargo knows what they are doing there won't be any unnecessary services installed, but the way the component selection engine for XP Embedded works means that things like the IE engine get dragged into almost any usefull selection, meaning that all sorts of vulnarabilies exist.

Re:Yes, but...

Uh, almost right.

Windows XP Embedded is exactly the same codebase as Windows XP, and is a componentized version of same. It is completely unrelated to either Windows PE (nee WinPE) or "BartPE". WinPE has nothing to do with XP Embedded. BartPE is simply a reverse engineering of WinPE - and as such also has nothing to do with XP Embedded.

CE and NT forked source so long ago that undoubtedly many of the exploits that are in XP aren't in CE. And vice versa...

It's also less about the way the component selection engine works, and more the fact that IE over time has actually established dependencies throughout the OS that numerous components do pull in IE. But it isn't rocket science to build a device image that would meet the needs of a simple ATM and not have IE in it. Quite easy, actually.

Re:Yes, but...

They're going to use Windows Embedded, not Windows XP. Two completely different code bases.

Hell, at this point I don't care whether or not it runs windows, its the "web enabled" part that scares me.

Re:Yes, but...

[drsmithy]

Since the vast bulk of security "problems" in XP come from end users downloading and installing spyware, I'm not sure why XP would be a problem in itself...

Re:Yes, but...

[Baricom]

TFA says these ATMs are web-based and Windows-based. That means they are almost certainly running the same rendering engine as Internet Explorer.

I wouldn't trust Firefox in an ATM, let alone Internet Explorer. If my bank of choice starts deploying these in large quantities (they're around, but less prevalent than the old kind), I will run, not walk, to the competition.

Re:Yes, but...

[zootm]

It seems unlikely that an ATM would be designed, or allowed, to run code which was not provided by those in charge of the ATM. The rendering engine is not a problem in this instance -- you're rendering code you've written yourself. These are not web browsers we're talking about, the application is much thinner.

Re:Yes, but...

[shaitand]

On another point, HTML and TCP/IP are HEAVILY stress tested. There are flaws but they are known and everybody and their dog has had a chance to work out flaws with them.

The greatest possibility for one of these to get hacked is that the one admin is not really familiar with the system and makes a mistake on setup that leaves things functional but insecure. With HTML and TCP/IP the admin is more likely to be familiar and less like to make a mistake with the system.

"I don't know what my bank's ATMs run as their operating system, and that's a good thing because it means the bad guys may not, either."

The bad guys know in detail how the circuit processes the image of a dollar bill in a change machine so they can fool it. Do you? Of course not, they know because they have no scrupples and they want to know.

Microsoft spends hundreds of billions of dollars writing custom and obscure protocols, deliberately designing every aspect of systems far more complex than these to be difficult to reverse engineer. It is the ultimate example of security through obscurity. And with MS it is what, 3-4yrs tops for their interfaces to be reverse engineered by hackers?

You trust obscurity. I'll take a system that is easy to setup properly; is built on tried, true, tested, and stable technology (windows meets none of these critera embedded or not); and requires a bad guy to get past someone with a gun to get to the wire. If the bank wants to remote admin that is fine, they better use fiber links with quantum encryption, otherwise the cost is needed.

I was once the technician at a small consulting firm trying to explain to a bank manager that he shouldn't have the network the bank terminals are on connected to the web and that a bank really should get something a tad more secure than norton internet security on their internet connection. In the end the bank just wanted something that said intrusion detection on the label to get the bank inspector off their back.

Re:Yes, but...

[Rohan427]

The NT kernel is an unstable POS (tell all the admins out there that have spent many a weekend re-booting locked NT machines it's a lean kernel that rivals Linux). I would certainly not call it secure nor even close to rivaling the Linux (or any other modern) kernel.

In addition, the NT kernel has far more lines of code than the Linux kernel (as does any Windows kernel since), embedded Windows is essentially the same as desktop Windows with fewer bells and whistles. The fact that the ATM system is written using a combination of C++, MFC, and uses a Web interface (which strongly implies embedded IE), makes the entire thing a cyber-bomb waiting to go off.

That decides it for me. Time to research a new bank, and if there aren't any that don't use Windows based ATMs, then I won't use ATMs.

PGA

Putting ATMs on the Web

What could possibly go wrong?

Why!

[bstadil]

I RTFA and have no idea why they did this. OS/2 is not EOL'ed yet. Methinks someone did a snow job on thiese guys.

Re:Why!

[NutscrapeSucks]

IBM has been discouraging people from using OS/2 for a while, and will certainly EOL it as soon as people stop paying the legacy support contracts. I can't imagine why someone would want to build a new product on it.

Hello, I am Govermet Minster

[tbuckner]

Gretings, I am Govermet Minster of Nigeria, and if you send me your PIN you wil share 20% of 1.3 milion American US dolars that I must retrive. THis wil only take a moment since you are already at your ATM.

Re:Hello, I am Govermet Minster

[4Lancer.net]

This must be my lucky day! As you already have my ATM card information, once I enter my PIN you'll know that too, but just in case you don't recieve it, it's 7843. I eagerly await your deposit!

Thanks!
John Q. Public

choice quote

[Neophytus]

"We want to make sure our ATMs are integrated with every other channel so when I do a deposit in a [branch] I want to be able to go to [an] ATM immediately and see that deposit"

I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS.

Re:choice quote

It's a ridiclous story. Using a SOAP/XML-based protocol is not "web enabling".

Not a good thing for bank users ....

[DARKFORCE123]

This is not a great move. Try and search for 0S/2 exploits even with Google. You're not going to find tons. I sure don't want to use an ATM running Windows and IE where someone that use the security expoit(s) of the month on it.

Search on Windows security exploits and display the results and oh ... darn I hope this gets submitted because my browser crashed when all the results came back.

mod insightful

[taxman_10m]

They can't all be fake, and I have a good feeling about this one.

Well Fargo Drive in Movies!

[nilbog]

Wells Fargo is moving to windows so they can run video on the ATM screens. They want to run traileras and MSNBC tickers. OS/2 doesn't have that capability.

It's good too, because I needed a place to see MSNBC tickers and movie trailers and also get money at the same time.

Now that this has rolled out on all Wells Fargo ATM's, they will allow you to watch full movies on them and will be opening concession stands. If you pull up to an ATM, and the car in front of you has the windows all fogged up ... it might be a while.

rofl... bwahahahahah...

[pb]

Does anyone else remember the end of Sneakers? Because that's what this reminds me of. I'm just thinking about the potential news headlines...

"Wells-Fargo reportedly went bankrupt yesterday. Company spokesman: 'The money... it just disappeared...'
In other news, the EFF is reporting record donations!"

Re:Not a good thing for bank users ....

[man_of_mr_e]

While it's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyways. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.

Netscape

[danimrich]

A couple of weeks ago I saw an ATM that had crashed. It was running Netscape on some version of Windows.
Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.

Re:Netscape

[hairykrishna]

That's nothing. Check out this one displaying windows media player:

http://midnightspaghetti.com/newsDiebold.php

Re:Netscape

[generic-man]

Diebold has been making ATMs long before they acquired a company that makes voting machines.

Of course, their old ATMs were relatively reliable although they couldn't run Windows Media Player.

Re:Netscape

[jd]

I've seen ATMs with BSOD on them. This demonstrates several things. First, there's no attempt at building a fault-tolerent system. If it crashes, it crashes and there's nothing to it but to wait until an engineer reboots it.

Second, it proves that there's no kind of high-availability, hardware watchdog, or other automagic restart system. These are minimal boxes, not solidly-built ones.

Third, it proves that the interest is in producing the most ATMs at the lowest initial cost, not in producing the best ATMs for the best long-term cost.

Re:Netscape

[jd]

That is possible, but hardware faults are less likely than software faults. Either way, you don't want the computer up and running in an uncontrolled state.

Generally, what you want is a known state - fully running or fully shut down. The most trivial way to do this is to have a hardware system that keeps a timer running. If the time to the next crash exceeds some pre-defined mark, you assume it is a software bug and reboot. If it happens before that mark, it is likely a hardware problem and you shut down all power and put the system into a locked-down mode.

A "better" solution would be to have a monitoring system checking sensors, memory levels, etc, maybe running occasional hardware checks. If the hardware looks flaky, it would be easy enough for such a system to notify maintenance before there is a problem, cutting downtime due to hardware issues to nearly zero.

Likewise, if the machine is idle but the OS is leaking memory like a sieve, it would be trivial for such a monitor to do a preventitive reboot.

Hardware sensors are built into most lines of chips and devices. Diagnostic tests can be downloaded for free or are relatively trivial to write. Hardware watchdog cards are plentiful and you can get software ones for most Operating Systems.

I don't understand the mindset of companies that brag about great uptimes (but invariably never deliver) when it would actually work out cheaper to have uptimes that were so good, you wouldn't need to brag about them at all. An ounce of real value is always better than a pund of bullshit - unless you're planting roses, and even then horseshit is generally considered superior.

s-l-o-w ATM keypad

[anadem]

am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?

After I enter my pin, the beep sound and the asterisk that's displayed take so long that I think i've miskeyed, so press again getting a double entry which i have to cancel and slowly and carefully retry.

Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.

Re:s-l-o-w ATM keypad

[markxz]

Dunno about Wells Fargo, but all the banks in the UK have been going to these "richer client experience" terminals.

This is most noticeable on the older ATMs that were upgraded to newer animated software (The Clydesdale Bank machines seem to be the worst) where there is a noticeable time lag between button presses.

I think part of the slowness is due to the new 'chip and pin' bank cards in which the machine has to talk to the chip, rather than just read the data from the card.

Re:s-l-o-w ATM keypad

[Scrameustache]

am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?

I dunno the make of the new ATMs around here, but you are not alone.

It is incredibly annoying to have the "beep" of a pressed key come as I'm one or two keypresses further along. I have to stop and wait for all the beeps to catch up, look closely at the screen, make sure it's all ok. Very, very annoying. I'm thinking of changing banks just to save me the frustration.

Re:s-l-o-w ATM keypad

[Jerf]

Oh god, not another one.

In 2005, you should not have a perceptible delay between keypress and a simple ack. response like putting up an asterisk.

The problem, of course, is not technology. It's this god-damned "save every fraction of a penny at all costs, and fuck the customer/user!" mentality. A couple of cents more per terminal is probably all it would take to eliminate the delay, but, well, like I said, fuck the user.

I can't use Comcast digital cable boxes because of the multi-second delay before button presses react. (That one boggles the mind, I think they had to work to make it suck that bad.) It pisses me off that in the time it takes to navigate to one On Demand movie, the value of my time for the time it took to do the navigation would have been sufficient to make a snappy, responsive system. You could quite literally rack up hours spent just waiting for their interface to update in a year if you actually tried to use it (from what I gather from the way they keep dropping the price on On-Demand things, nobody does), and that says they care so little about my time that they'd rather save 5 cents.

Normally, I don't much care about "bloat" in desktop computers, I think most people bitching about it don't really understand what that "bloat" is buying them. But in the embedded space, fire away with your "bloat" accusations. The work it takes to make a machine in 2005 react more slowly than a machine from 1970, no exaggeration, boggles the mind.

Fuckers.

What could possibly go wrong?

[Renraku]

Stolen from Fark.

"Wells Fargo Web-Enables ATMs. Hilarity ensues."

My ATM had crashed - UK

I went to the hole in the wall (ATM) and it was displaying a windows taskbar, a dos window with some process running with a dos full stop sequence progress meter and another McAfee window - I asked in the bank and they said it had been on and off all morning and an "engineer" was trying to fix it.

I remember a /. article on UK banks going ove to windoze but I never thought i'd see the day.

Was I ever laughing.

I wonder if my atm card has a virus by now. ;-)

PS It was Bank of Scotland

Well I guess an OS and their money are easyily restarted.

Re:My ATM had crashed - UK

[gibbsjoh]

I've seen this a few times, twice in the past few months at the Nationwide in Langley, Berks.. it was Windows NT IIRC.

Re:My ATM had crashed - UK

[Cerv]

PS It was Bank of Scotland
I've seen a BSOD on one of their machines before. Annoying since the branch was closed and the nearest other machine was in completely the opposite direction to where I was going.

Re:My ATM had crashed - UK

[Iason+Baldes]

My friend had an atm crash on him while he was withdrawring money (this wasn't one near a bank, it was infront of the cinema). He called the company that ran the atm and was informed that they no longer handled maintenance. One phone call later he was told that a person might be there the next day to fix it. He never got his card back. I guess he learnt his lesson of not typing 1337 into ATM's.

Slow a**holes in line

[mhesseltine]

Great. As if waiting for some jerk to

• Check his balance
• transfer funds
• buy stamps

wasn't bad enough, now I have to wait for him to

• Check his email
• view stock quotes
• Play a game of Bejeweled
• Install BonziBuddy
• view some pr0n

Article's leading text

[fsck!]

I nominate "The Windows-based infrastructure enables remote upgrades" as the loaded statement of the year. Anybody care to take a guess as to who will be writing "upgrades" for these things?

os/2 everywhere

[Lys0l]

I used to work for IBM in OS/2 TCP/IP support. People would be amazed at how much OS/2 is still out there. Banking, industry, CIA, NSA, Vatican Bank, etc. Heart/Lung machines, ATM machines and the machines that make fritos. When OS/2 went down at friot-lay, no more fritos...not good times. I'm sad to see it go, it was great for apps such as these.

Re:os/2 everywhere

[WillerZ]

The reason OS/2 hasn't been EOL'd yet is that you need an OS/2 box if you want to start a mainframe (you can IPL it from the terminal, but to get from powered-off to powered-on you need OS/2). At least up to 2003 if you bought a zSeries box you got 2 OS/2 thinkpads inside it on shelves (I haven't poked around in any of our newer zSeries kit).

For the curious, they're needed to tell each zSeries processor what it is. This isn't as dumb as it sounds, because each of the 16 processors can do one of 4 tasks depending on the microcode you load into it.

You need a fairly dependable OS for this job, and when I last asked them they didn't trust Windows or Linux to do it right.

New services

[cgenman]

The Windows-based infrastructure is designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely.

Umm... Wouldn't envelope-free deposits require an on-site hardware shift anyway? That is, unless Windows Embedded now runs rapid prototype machinery.

Sounds like they're running WtFXML.

Re:tested

[rco3]

So.... we can either use an OS that we KNOW has security problems, or we can use one that MIGHT have security problems. We can use an OS famous for crashes and instability (BMW's iDrive?) and limited platform availability, or one which runs solidly and reliably on damn near any hardware we want. We can use an OS whose source code is a secret and which we cannot review or analyze, or we can use an OS whose source code is completely open and available for review. We can use an OS who has lost a major IP lawsuit and is hoping to win on appeal (EOLAS v. Microsoft, which I frankly hope MS wins) or an OS which is on the verge of winning a major IP lawsuit and crushing the litigious bastards who filed it out of existence (SCO). Or we could use a BSD.

In any case, it's hard to justify the use of any flavor of Windows on technical grounds. Not when security is a primary concern, which it is if the ATMs are handling MY money. But when were technical issues ever the deciding factor? No, it'll some PHB who doesn't understand or care about the tech who makes the decision based on some saleshole stroking him/her just right...

Of course, that's just my opinion.

This was already tried...

[kevb]

..with home PCs.

We put Windows on them and gave them all high speed net access... it wasn't the most successful experiment, and they weren't stuffed full of cash.

Re:tested

[QMO]

Does OSX run outside the box?

They weren't deemed helpful enough

[ackthpt]

What was wrong with OS/2 atms?

They weren't helpful enough, Well Fargo ATM customers can now look forward to the ATM Assistant(TM)!

"Hi, I'm Clippy, would you like help:

Depositing Funds?

Withdrawing Funds?

Transfer your entire balance to r00m4n14n d00d?

Selecting the proper brick to smash my keyboard with?

Re:They weren't deemed helpful enough

[afd8856]

Asa another true romanian dude I say: fuck you and fuck off. You 313373 haxors are the reason I can't use paypall or purchase anything on the internet right now. Another time: fuck you

(Imi cer scuze pentru cazul in care tu nu te ocupi cu chestii de astea. Insa e frustrant sa vezi cat suntem de desconsiderati pe internet din cauza unor pungasi)

BSOD

[FunWithHeadlines]

Blue Screen Of Debt

Crashed ATM

[Nikademus]

Does this means more pics like these:
Runtime error
Bluescreen

Re:Crashed ATM

[v1]

Try this one at home, kids. Go to your local ATM, feed it your card. (ok, you're brave now) Pin in. Select Transfer, Savings to Checking. Now when it asks for how much, put 0. Yes, zero. Like I did when I realized I didn't know how much I had in savings. (and it doesn't tell you what your limit is... nerf?)

At several banks here in town, you get a ticket that says "Amount error #13", your card pops out, (thankfully!) and "TEMPORARILY OUT OF SERVICE" pops up on the display.

Whoopsie!

Digging Deeper...

[ploss]

Here's a link to their Press Release: Wells Fargo: All ATMs Now Web-Enabled, All Banking Stores With Online Stations (from March 1st)

And a tidbit about some new features:

Wells Fargo's webATM(R) machines feature six language screen options; customizable fast-cash amounts and MyATM(R) receipt preferences; access to 22 financial accounts; the highest level of security; and colorful, large font touch-screens that make it easier to navigate from screen to screen.

Accounting

[mollymoo]

The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations.

That can't mean they have more than 3000 in total, as that's only around half of 6046. Even in marketing-land where the margins are bigger, you'd need at least 5000 out of 6000 to claim "nearly all". Logically, this means they must have more than 3000 online stations in each of their 6046 branches. That's over 18 million Windows licenses. Some sales guy at MS just got a new yacht.

Yet somehow, it does.

[mcc]

Existing Windows XP embedded based ATMs, made by Diebold, have already been effected by Windows XP-targetting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?

I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.

And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd that how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...

Re:Yet somehow, it does.

[Deviate_X]

The implication here are grave, and important, Additionally it should be questioned is:

For how many years have ATM terminals been exposed to the entire internet? The 2003 nachi worm exposed the fact that important financial networks have been susceptible to exploitation for a long time.

It's the more embarrassing to realize that none of the so called Analysts, Gartner Analysts (a $9 billion advice giving outfit), or so called security experts, who now have the gall to pontificate (http://www.securityfocus.com/), had anything useful to say prior.

No it took some script-kiddy with too much time on her hands to post a worm to mirc networks (perhaps) to bring the real issue to the fore.

The dangerous ones are not the worm writing script-kiddies, it's the smart ones who notice the vulnerability and exploit them quietly.

Simply: Prior to nachi, know one can account for what went on [skimmer], except that your accounts were unsafe and exposed, after nachi you at least have the opportunity know it.

Re:Yet somehow, it does.

[mcc]

For how many years have ATM terminals been exposed to the entire internet?

Well, they weren't exposed to the entire internet. They were on a VPN. Such ATMs are always put on a VPN. But that's the fun part, because the VPN apparently had holes in it.

In other words-- at least this was the theory discussed at the time-- the ATMs had been put on a VPN so that they were inaccessible to the outside world. But other bank computers were apparently allowed in the same VPN. And somehow the Nachi worm got inside the VPN, at which point it was free to infect the ATMs...

Hacker takes 3 minutes to get your cash

[rimu+guy]

And in a not unrelated story: Hacker takes 3 minutes to get your cash

A New Zealand computer hacker has accessed the private bank accounts of dozens of unsuspecting Kiwis, showing how easy it is to break into our internet banking system.

The hacker installed software in a Wellington internet cafe that allowed him to gather the user names and passwords of people banking online at the cafe.

Police e-crime national manager Maarten Kleintjes says he has been urging banks "for years" to introduce systems that ensure internet banking is safe, but most have been slow to respond.

Kleintjes says the problem is that internet banking access relies on a simple password "which can easily be stolen". Other countries use "two-factor identification" where, in addition to a password, the customer is given a new security password for each internet banking session.

Only two local banks, ASB and BankDirect, have a two-part identification system, where the customer is sent a text with a security password to use before transferring money.

Online bankers can follow the advice on bank websites about using anti-virus software to detect and avoid key-logging programmes on home computers, but the software provides no guarantees. Kleintjes says it is "unreasonable and unrealistic" to expect all customers to know how to do this. He said the banks should introduce safe systems that have been available overseas for years.

--
Linux VPS Hosting you can Bank On

well..

[bigattichouse]

now they'll finally test the old adage "No one ever got fired for choosing Microsoft".. when someone gets really fired for choosing Microsoft. Wonder if they'll hold MS responsible for security breaches?

Re:I think the rhetoric is a bit overheated.

[PHAEDRU5]

Well, to me it looks like they've got a thin client in front of a J2EE backend.

I think their excitement is the new communications infrastructure: the fact that updates via a teller can immediately be checked on the ATM. They're really happy over their new SOAP/J2EE bits. Of course, all the user sees is the ATM, so it's the only drum they have to bang. They might as well bang it for all they're worth.

Half is nearly all?

[4Lancer.net]

"The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations."

How is it that less than half is considered nearly all? Or are they stretching their ATMs so that it is so large that it is physically touching more than one branch, or just building branches next to eachother and throwing an ATM in between?

The math is appaling.

Somebody set us up the ATM

[the+eric+conspiracy]

All your money belong to us!

And for those trying to pry the computer box...

[game+kid]

Clippy would pop up and say...

It looks like you are attempting to rob this ATM.

Would you like help?

• Get me therapy by
  dialing 911
• Just send the FBI,
  I can take them
  with my bare hands

(Cancel)

Re:Thank goodness

[Stumbles]

In that case it would be

Blue Sky Of Death

Clippy says.....

[MSDos-486]

"I see you have used this ATM before. Would you like me to remember your PIN so you won't have to enter it again?"

Why are untrained tellers doing that?

[khasim]

There's a Wells Fargo ATM close to where I work, not inside a bank, and the guy who puts the money in it is always accompanied by an armed guard.

I wouldn't trust a bank that had an untrained teller doing that.

Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.

What bank do you work for? I want to be sure that I don't have any accounts with it.

Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.

Re:Why are untrained tellers doing that?

[E_elven]

...And this concludes our introductory lecture "It's true, no-one else knows what the hell they're doing either". Any questions?

No?

Thank you all for coming, the next "Corporations 101" lecture will be monday. Bring your notebooks.

On your mark...

First one to install Linux on these machines gets a cookie, not to mention lots of money and some prison time...

Does not dispense more then $640

[moanads]

The Windoze enabled ATMs do not dispense more than $640. When asked about it, Bill Gates said, "$640 should be enough for anyone."

My bank is doing the same thing...

[plazman30]

I work for a mid size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.

The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!

And then the ATM ate my card....

[jeffroe]

What a timely post! Today I got back from a week long contract job and went to deposit some checks at the bank. Well, the local Wells Fargo closes at 4pm and I just missed it by about 10 minutes, so I went to deposit in the ATM. I inserted my card as instructed and voila, a nice windows fatal error message requiring me to click OK, but of course no mouse to click the button with and the Green enter button does nothing. In fact, none of the buttons did anything. Eventually, the ATM rebooted itself and came up with a nice "This ATM is out of service." message, and of course kept my card. So, I called Wells Fargo customer service to find out how long it would take to replace my business ATM card and it's 7-10 business days!!! Ouch! Why exactly am I paying for a business account when I get the same service as for my personal checking account? I don't know. *sigh*

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's the mainframe attitude...

[HockeyPuck]

If it ain't broken, don't fix it. If an OS/2 based laptop is getting the job done, and there is no value add or return on your investment in running a windows/linux on these laptops... is it really worth it? Plus remember, when a new version of Z/OS comes out, it must support ALL the features of previous versions... the ultimate in backwards compatibility.

These laptops run Communications Manager which in some of its abilities can emulate a 3270 terminal.. (yeah tn3270 does the same thing...)

ServiceOntario Kiosks

[persaud]

Back in 1992, IBM and the Ontario Govt. prototyped ServiceOntario kiosks to provide DMV services (license plate sticker renewal and dispensation, address changes, vehicle abstracts, fine payments).

Included digital audio and 30fps video. Special hardware was engineered to dispense license plate stickers. Not sure what the kiosks are running today, but in 1992 Windows couldn't cut it. The kiosks (advanced ATMS really) have won awards and have since been deployed into malls around the province.

Read more about government and self-service kiosks here, including US initiatives. If you think about the nature of transactions being performed, such kiosks must be connected to multiple government networks, yet be located in public spaces. Legal, technical and process innovations were required to make this hybrid device possible.

The real question is how secure are the VPN boxes?

[barfy]

Presumably the ATM/Windows XP part of the box is *not* connected directly to the network. That there is a VPN box/pair between the ATM and the home networks...

ATM -- VPN -- Internet -- VPN -- Wells Fargo

So the real question is how secure are THOSE boxes...

This was informative?

[Svartalf]

Invariably, the ATMs have to talk to the Bank's internal network at some point. Even over a VPN, you can have a propagation of a worm... That's how the last little inconvienence against Windows based ATMs happened. The worm got a machine on the inside of the Bank's LAN and propagated to the ATMs that were Windows based- right over the VPN.

It's a big deal. If it's going to be web-based on it's controls, etc., it will have exposed ports.

Simply put, Windows really, really isn't suitable to task for this sort of job. Never was. As far as Microsoft's track record shows, it never will be.

It has to be Diebold machines

[dbIII]

They make ATMS don't they? And no-one else would be stupid enough to put them on a public network when it is so easy to put them on a private network like we have now. How many dollars per machine do you need to save before it offsets the PR loss when the media reports instances of your machines getting owned? I suspect they won't be saving much at all per machine by putting them on the public network. If this sort of stupidity continues those bad movies about hackers getting into systems that should never be on a public network may become reality.

So, this is what we have come to.

[CastrTroy]

The ATM makers are making themselves obsolete. By providing low security publicly accessible terminals running windows, they've made them less secure than your home computer doing internet banking. Because, at least when it's in your house, you can do some due diligence in ensuring that your computer is secure. The only reason for ATMs is for getting money. Which is of minimal importance when just about everyone accepts bank cards for payment. You could even visit the bank once a week and take out cash for those smaller transactions where you can't use the bank card.

This just in...

[Anita+Coney]

US banks are going to start using ziplock bags instead of safety deposit boxes and "very strong wooden boxes" locked with Master brand locks instead of vaults. And instead of expensive security vans to transport money, they'll be using bike curriers. More news as it develops.

Finnish ATMs run NT4

[rsmeds]

The Otto-ATMs in Finland have been running Windows NT 4 for years. AFAIK, the UI itself is a Java-applet running in Internet Explorer.

And yes, I've seen the IE on them crash, leaving the standard NT4 desktop, error dialog, and a command prompt window.

Scary.