Wells Fargo Web-Enables ATMs

smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMS will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""

was a change required?

[Frogmum]

What was wrong with OS/2 atms?

Re:was a change required?

The marketing people at Microsoft convinced them that .NET made everything secure!

Re:was a change required?

[ceejayoz]

No one sells 'em anymore, at least not in the quantities Wells-Fargo needs.

Re:was a change required?

Navigating around popup windows: 2 minutes of user frustration

Pressing "cancel" 10+ times to stop spyware installs: 2 minutes of user frustration

Entering pin number after someone else already pressed "ok" on spyware install: priceless

Re:was a change required?

[QMO]

The BOFH hates OS/2, and you DON'T want to make him mad.

Re:was a change required?

[Deviate_X]

IBM recommends OS/2 users migrate off OS/2 to either Linux or Windows 2000. Thats whats wrong with it, probably nothing technically (yes OS/2 developers are relics), more comercial.

Given than Wells Fargo, is a substatial entity, it would be interesting and credible to know how/why they decided to go the windows route since it is possible to maintain a large number networked Linux nodes for remote updates/admin as is cited in the article about windows.

Are windows embedded ATMs really the only game in town?

Re:was a change required?

http://en.wikipedia.org/wiki/OS/2

The collaboration between IBM and Microsoft unravelled in 1990, between the releases of Windows 3.0 and OS/2 1.3. The increasing popularity of Windows prompted Microsoft to shift its development focus from OS/2, and IBM grew concerned about delays in development of OS/2 2.0. Initially, the companies agreed that IBM would take over maintenance of OS/2 1.0 and development of OS/2 2.0, while Microsoft would continue development of OS/2 3.0, then known as "NT OS/2". However, Microsoft decided to recast NT OS/2 as Windows NT, leaving all future OS/2 development to IBM. Windows NT's OS/2 heritage can be seen in its initial support for the HPFS filesystem (although write support was dropped in Windows NT 4.0 and read support was dropped in Windows 2000) and text mode OS/2 1.x applications (support dropped in Windows XP).

So they basically upgraded to a newer version of OS/2 in a weird twisted Microsoft sort of way.

Re:was a change required?

[rsmoody]

I asked that myself when the bank I work for started upgrading our ATM's to 3DES. Some are still OS/2 but some are windows bassed. And it uses regular Windows, not embeded, it's straight Windows 2000. To tell you the truth, I acutally liked the Windows based ATM. From a stand point of having to hold the tellers hand over the phone because they are not trained properly, it makes it easier on us because the Windows ATM actually have help screens and short movie clips that can walk the undertrained (read stupid) teller through the proceedure of properly inserting a cassette of money (as if it were that difficult). The OS/2 ATMs are only character menu driven, the Windows ATM's are all graphical. The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer.

Re:was a change required?

I work for a financial services provider that has about 100 ATMs in the field. They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch? Well, first of all, Diebold does not provide NEW machines that run anything other than Windows, so if you are doing a major deployment, and you buy from Diebold, you're getting Windows. Second of all, the industry is moving to 3DES at gunpoint (that gun wielded by our friends at Visa and MasterCard) and Diebold only supports 3DES on Windows-based ATMs.
Now, it's true that you don't have to TCP/IP-connect a Windows-based ATM, you can operate it solely over SNA or SDLC or whatever you have -- but if you do you don't get all the features of the ATM, and not just the annoying things like HTML-based UI -- you don't get the handy stuff like remote management which means that you spend $$ sending humans out to the site rather than just doing task 'x' from your network.

Re:was a change required?

[mpaque]

Simply put, the OS/2 based ATMs didn't run the mission critical software that the Wells Fargo IT department felt was necessary on public access terminals, which is fundamentally what ATMs are. They require applications like Disk Defragmenter, Scandisk, Norton AV, Windows Update and Ad-Aware - none of which are available for the OS/2 platform.

In today's climate of non-stop worms, trojans and viruses, deploying an ATM with no virus removal software would be irresponsible on the part of Wells Fargo.

(With apologies to divisiontwo.com. :-)

Re:was a change required?

They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch?

They're from Diebold. Enough reason to switch right there.

Re:was a change required?

[shaitand]

"The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer."

Yeah but do you REALLY want a feature that allows unqualified individuals modify the interface of ATM machines? Isn't that something you want the bar set a little higher on?

Re:was a change required?

[The_Dougster]

The BOFH hates OS/2, and you DON'T want to make him mad.

If the BOFH had done this job, he would have had Wells-Fargo purchase a super-deluxe QNX licensing contract, then he would have installed BSD on the machines and pocketed the change.

Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box.

I think that Wells-Fargo should have used QNX, and now whoever made the decision is probably going to pay. Windows on an ATM connected to the internet is pretty damn frightening. Time to withdraw all my zorkmids out of the bank and stuff it under the mattress.

Re:was a change required?

[Flywheel]

"Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box."

Try the Danis506 drivers, et even has got some SATA support. eComStation runs rather nice om my 1.8Ghz Athlon XP - Barton box, especially with the new kernel.

Re:was a change required?

[Rohan427]

Your source for this bit of info?

In addition, they couldn't go to another OS because?

I've been contemplating changing banks for some time now (from Wells Fargo), but haven't for several reasons. This could be the straw that breaks this camel's back.

(FYI, a few years ago I walked up to a WF ATM, started to put my card in, and noticed a M$ Dev. Studio GPF dialog asking if I wanted to debug the application or cancel!!)

PGA

Re:was a change required?

[ScrappyLaptop]

You know, before writing in such a condescending manner about the "stupid" tellers who don't know how to use an ATM from the backside, you might consider learning how to use the English language.

It's "based", not "bassed" and "procedure", not "proceedure". "Acutally" I can only assume was actually supposed to be "actually". Oh, and "stand point" is one word, "standpoint". "It uses regular Windows" should be "They use regular Windows"; plurality matters. I won't even get into the structure of that sentence. "The Windows ATM actually have help screens" should be the plural "Windows ATMs", with no apostrophe since the "M" is not lowercase.

Finally, "tellers" is plural, but "teller's" is possessive, as in "hold the teller's hand", which is what I believe was what you wanted, but that will never happen if you do not treat them with the respect another human being deserves.

Language and writing are tools like any other and you are obviously, well, "undertrained".

Re:was a change required?

[NoodleSlayer]

Most of the Wells Fargo ATMs I've seen recently, are Diebold machines.

I would imagine that Diebold was the one who made the decision to go to Windows.

Just what I want....

[AtariAmarok]

...having to kill a couple dozen pop-up windows when I want to take $20 out of the ATM.

However, come to think of it, a lot of those things would look better with that Aquarium Screensaver. I think I'll click on the ok download button next time.

Re:Just what I want....

[johansalk]

Don't forget the card games. Playing poker against an ATM computer appeals to me. Now that's a computer I'd like to beat!

Re:Just what I want....

[mrseigen]

"Would you like to go double-or-nothing on this withdrawal?" (Yes) (No)

Yes, but...

[xeon4life]

They're going to use Windows Embedded, not Windows XP. Two completely different code bases.

Just because one has security issues does not mean the other will too.

Re:Yes, but...

[HarryCaul]

Are you implying that a Gartner analyst may not know what they're talking about?

That would certainly be a first.

Re:Yes, but...

[Gilesx]

Maybe I'm wrong, but aren't they essentially the same kernel, with Embedded being a stripped down version?

Either way, I wouldn't be the house on the kernel and networking components of XP being free from holes and possible exploits, Embedded or otherwise...

Re:Yes, but...

[marvin2k]

So you are saying that Microsoft has no problems making the embedded version secure and they introduce the holes in XP just for fun? I fail to see how Microsofts track record should make me go "Ohhh, it the *embedded* version. In that case I trust your security completely!"

Re:Yes, but...

[afidel]

Uh, no Windows XP Embedded is EXACTLY the same code base as Windows XP. It's basically a componentized version of Windows PE, much along the lines of what the community did with Bart's PE. Now if they were using Windows CE.net THEN it would be a different code base, but many DCOM components for CE.net share source code with their windows counterparts so running on x86 hardware means that many of the same exploits may exist. Now if Wells Fargo knows what they are doing there won't be any unnecessary services installed, but the way the component selection engine for XP Embedded works means that things like the IE engine get dragged into almost any usefull selection, meaning that all sorts of vulnarabilies exist.

Re:Yes, but...

They're going to use Windows Embedded, not Windows XP. Two completely different code bases.

Hell, at this point I don't care whether or not it runs windows, its the "web enabled" part that scares me.

Re:Yes, but...

[Baricom]

TFA says these ATMs are web-based and Windows-based. That means they are almost certainly running the same rendering engine as Internet Explorer.

I wouldn't trust Firefox in an ATM, let alone Internet Explorer. If my bank of choice starts deploying these in large quantities (they're around, but less prevalent than the old kind), I will run, not walk, to the competition.

Re:Yes, but...

[shaitand]

On another point, HTML and TCP/IP are HEAVILY stress tested. There are flaws but they are known and everybody and their dog has had a chance to work out flaws with them.

The greatest possibility for one of these to get hacked is that the one admin is not really familiar with the system and makes a mistake on setup that leaves things functional but insecure. With HTML and TCP/IP the admin is more likely to be familiar and less like to make a mistake with the system.

"I don't know what my bank's ATMs run as their operating system, and that's a good thing because it means the bad guys may not, either."

The bad guys know in detail how the circuit processes the image of a dollar bill in a change machine so they can fool it. Do you? Of course not, they know because they have no scrupples and they want to know.

Microsoft spends hundreds of billions of dollars writing custom and obscure protocols, deliberately designing every aspect of systems far more complex than these to be difficult to reverse engineer. It is the ultimate example of security through obscurity. And with MS it is what, 3-4yrs tops for their interfaces to be reverse engineered by hackers?

You trust obscurity. I'll take a system that is easy to setup properly; is built on tried, true, tested, and stable technology (windows meets none of these critera embedded or not); and requires a bad guy to get past someone with a gun to get to the wire. If the bank wants to remote admin that is fine, they better use fiber links with quantum encryption, otherwise the cost is needed.

I was once the technician at a small consulting firm trying to explain to a bank manager that he shouldn't have the network the bank terminals are on connected to the web and that a bank really should get something a tad more secure than norton internet security on their internet connection. In the end the bank just wanted something that said intrusion detection on the label to get the bank inspector off their back.

Putting ATMs on the Web

What could possibly go wrong?

Why!

[bstadil]

I RTFA and have no idea why they did this. OS/2 is not EOL'ed yet. Methinks someone did a snow job on thiese guys.

Hello, I am Govermet Minster

[tbuckner]

Gretings, I am Govermet Minster of Nigeria, and if you send me your PIN you wil share 20% of 1.3 milion American US dolars that I must retrive. THis wil only take a moment since you are already at your ATM.

choice quote

[Neophytus]

"We want to make sure our ATMs are integrated with every other channel so when I do a deposit in a [branch] I want to be able to go to [an] ATM immediately and see that deposit"

I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS.

Re:choice quote

It's a ridiclous story. Using a SOAP/XML-based protocol is not "web enabling".

Not a good thing for bank users ....

[DARKFORCE123]

This is not a great move. Try and search for 0S/2 exploits even with Google. You're not going to find tons. I sure don't want to use an ATM running Windows and IE where someone that use the security expoit(s) of the month on it.

Search on Windows security exploits and display the results and oh ... darn I hope this gets submitted because my browser crashed when all the results came back.

mod insightful

[taxman_10m]

They can't all be fake, and I have a good feeling about this one.

Well Fargo Drive in Movies!

[nilbog]

Wells Fargo is moving to windows so they can run video on the ATM screens. They want to run traileras and MSNBC tickers. OS/2 doesn't have that capability.

It's good too, because I needed a place to see MSNBC tickers and movie trailers and also get money at the same time.

Now that this has rolled out on all Wells Fargo ATM's, they will allow you to watch full movies on them and will be opening concession stands. If you pull up to an ATM, and the car in front of you has the windows all fogged up ... it might be a while.

rofl... bwahahahahah...

[pb]

Does anyone else remember the end of Sneakers? Because that's what this reminds me of. I'm just thinking about the potential news headlines...

"Wells-Fargo reportedly went bankrupt yesterday. Company spokesman: 'The money... it just disappeared...'
In other news, the EFF is reporting record donations!"

Re:Not a good thing for bank users ....

[man_of_mr_e]

While it's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyways. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.

Netscape

[danimrich]

A couple of weeks ago I saw an ATM that had crashed. It was running Netscape on some version of Windows.
Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.

Re:Netscape

[hairykrishna]

That's nothing. Check out this one displaying windows media player:

http://midnightspaghetti.com/newsDiebold.php

Re:Netscape

[generic-man]

Diebold has been making ATMs long before they acquired a company that makes voting machines.

Of course, their old ATMs were relatively reliable although they couldn't run Windows Media Player.

s-l-o-w ATM keypad

[anadem]

am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?

After I enter my pin, the beep sound and the asterisk that's displayed take so long that I think i've miskeyed, so press again getting a double entry which i have to cancel and slowly and carefully retry.

Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.

Re:s-l-o-w ATM keypad

[Jerf]

Oh god, not another one.

In 2005, you should not have a perceptible delay between keypress and a simple ack. response like putting up an asterisk.

The problem, of course, is not technology. It's this god-damned "save every fraction of a penny at all costs, and fuck the customer/user!" mentality. A couple of cents more per terminal is probably all it would take to eliminate the delay, but, well, like I said, fuck the user.

I can't use Comcast digital cable boxes because of the multi-second delay before button presses react. (That one boggles the mind, I think they had to work to make it suck that bad.) It pisses me off that in the time it takes to navigate to one On Demand movie, the value of my time for the time it took to do the navigation would have been sufficient to make a snappy, responsive system. You could quite literally rack up hours spent just waiting for their interface to update in a year if you actually tried to use it (from what I gather from the way they keep dropping the price on On-Demand things, nobody does), and that says they care so little about my time that they'd rather save 5 cents.

Normally, I don't much care about "bloat" in desktop computers, I think most people bitching about it don't really understand what that "bloat" is buying them. But in the embedded space, fire away with your "bloat" accusations. The work it takes to make a machine in 2005 react more slowly than a machine from 1970, no exaggeration, boggles the mind.

Fuckers.

What could possibly go wrong?

[Renraku]

Stolen from Fark.

"Wells Fargo Web-Enables ATMs. Hilarity ensues."

My ATM had crashed - UK

I went to the hole in the wall (ATM) and it was displaying a windows taskbar, a dos window with some process running with a dos full stop sequence progress meter and another McAfee window - I asked in the bank and they said it had been on and off all morning and an "engineer" was trying to fix it.

I remember a /. article on UK banks going ove to windoze but I never thought i'd see the day.

Was I ever laughing.

I wonder if my atm card has a virus by now. ;-)

PS It was Bank of Scotland

Well I guess an OS and their money are easyily restarted.

Re:My ATM had crashed - UK

[Iason+Baldes]

My friend had an atm crash on him while he was withdrawring money (this wasn't one near a bank, it was infront of the cinema). He called the company that ran the atm and was informed that they no longer handled maintenance. One phone call later he was told that a person might be there the next day to fix it. He never got his card back. I guess he learnt his lesson of not typing 1337 into ATM's.

Slow a**holes in line

[mhesseltine]

Great. As if waiting for some jerk to

• Check his balance
• transfer funds
• buy stamps

wasn't bad enough, now I have to wait for him to

• Check his email
• view stock quotes
• Play a game of Bejeweled
• Install BonziBuddy
• view some pr0n

os/2 everywhere

[Lys0l]

I used to work for IBM in OS/2 TCP/IP support. People would be amazed at how much OS/2 is still out there. Banking, industry, CIA, NSA, Vatican Bank, etc. Heart/Lung machines, ATM machines and the machines that make fritos. When OS/2 went down at friot-lay, no more fritos...not good times. I'm sad to see it go, it was great for apps such as these.

Re:os/2 everywhere

[WillerZ]

The reason OS/2 hasn't been EOL'd yet is that you need an OS/2 box if you want to start a mainframe (you can IPL it from the terminal, but to get from powered-off to powered-on you need OS/2). At least up to 2003 if you bought a zSeries box you got 2 OS/2 thinkpads inside it on shelves (I haven't poked around in any of our newer zSeries kit).

For the curious, they're needed to tell each zSeries processor what it is. This isn't as dumb as it sounds, because each of the 16 processors can do one of 4 tasks depending on the microcode you load into it.

You need a fairly dependable OS for this job, and when I last asked them they didn't trust Windows or Linux to do it right.

They weren't deemed helpful enough

[ackthpt]

What was wrong with OS/2 atms?

They weren't helpful enough, Well Fargo ATM customers can now look forward to the ATM Assistant(TM)!

"Hi, I'm Clippy, would you like help:

Depositing Funds?

Withdrawing Funds?

Transfer your entire balance to r00m4n14n d00d?

Selecting the proper brick to smash my keyboard with?

Re:They weren't deemed helpful enough

[afd8856]

Asa another true romanian dude I say: fuck you and fuck off. You 313373 haxors are the reason I can't use paypall or purchase anything on the internet right now. Another time: fuck you

(Imi cer scuze pentru cazul in care tu nu te ocupi cu chestii de astea. Insa e frustrant sa vezi cat suntem de desconsiderati pe internet din cauza unor pungasi)

BSOD

[FunWithHeadlines]

Blue Screen Of Debt

Accounting

[mollymoo]

The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations.

That can't mean they have more than 3000 in total, as that's only around half of 6046. Even in marketing-land where the margins are bigger, you'd need at least 5000 out of 6000 to claim "nearly all". Logically, this means they must have more than 3000 online stations in each of their 6046 branches. That's over 18 million Windows licenses. Some sales guy at MS just got a new yacht.

Yet somehow, it does.

[mcc]

Existing Windows XP embedded based ATMs, made by Diebold, have already been effected by Windows XP-targetting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?

I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.

And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd that how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...

Re:Yet somehow, it does.

[mcc]

For how many years have ATM terminals been exposed to the entire internet?

Well, they weren't exposed to the entire internet. They were on a VPN. Such ATMs are always put on a VPN. But that's the fun part, because the VPN apparently had holes in it.

In other words-- at least this was the theory discussed at the time-- the ATMs had been put on a VPN so that they were inaccessible to the outside world. But other bank computers were apparently allowed in the same VPN. And somehow the Nachi worm got inside the VPN, at which point it was free to infect the ATMs...

Hacker takes 3 minutes to get your cash

[rimu+guy]

And in a not unrelated story: Hacker takes 3 minutes to get your cash

A New Zealand computer hacker has accessed the private bank accounts of dozens of unsuspecting Kiwis, showing how easy it is to break into our internet banking system.

The hacker installed software in a Wellington internet cafe that allowed him to gather the user names and passwords of people banking online at the cafe.

Police e-crime national manager Maarten Kleintjes says he has been urging banks "for years" to introduce systems that ensure internet banking is safe, but most have been slow to respond.

Kleintjes says the problem is that internet banking access relies on a simple password "which can easily be stolen". Other countries use "two-factor identification" where, in addition to a password, the customer is given a new security password for each internet banking session.

Only two local banks, ASB and BankDirect, have a two-part identification system, where the customer is sent a text with a security password to use before transferring money.

Online bankers can follow the advice on bank websites about using anti-virus software to detect and avoid key-logging programmes on home computers, but the software provides no guarantees. Kleintjes says it is "unreasonable and unrealistic" to expect all customers to know how to do this. He said the banks should introduce safe systems that have been available overseas for years.

--
Linux VPS Hosting you can Bank On

And for those trying to pry the computer box...

[game+kid]

Clippy would pop up and say...

It looks like you are attempting to rob this ATM.

Would you like help?

• Get me therapy by
  dialing 911
• Just send the FBI,
  I can take them
  with my bare hands

(Cancel)

Clippy says.....

[MSDos-486]

"I see you have used this ATM before. Would you like me to remember your PIN so you won't have to enter it again?"

Why are untrained tellers doing that?

[khasim]

There's a Wells Fargo ATM close to where I work, not inside a bank, and the guy who puts the money in it is always accompanied by an armed guard.

I wouldn't trust a bank that had an untrained teller doing that.

Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.

What bank do you work for? I want to be sure that I don't have any accounts with it.

Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.

Re:Why are untrained tellers doing that?

[E_elven]

...And this concludes our introductory lecture "It's true, no-one else knows what the hell they're doing either". Any questions?

No?

Thank you all for coming, the next "Corporations 101" lecture will be monday. Bring your notebooks.

Does not dispense more then $640

[moanads]

The Windoze enabled ATMs do not dispense more than $640. When asked about it, Bill Gates said, "$640 should be enough for anyone."

My bank is doing the same thing...

[plazman30]

I work for a mid size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.

The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!

And then the ATM ate my card....

[jeffroe]

What a timely post! Today I got back from a week long contract job and went to deposit some checks at the bank. Well, the local Wells Fargo closes at 4pm and I just missed it by about 10 minutes, so I went to deposit in the ATM. I inserted my card as instructed and voila, a nice windows fatal error message requiring me to click OK, but of course no mouse to click the button with and the Green enter button does nothing. In fact, none of the buttons did anything. Eventually, the ATM rebooted itself and came up with a nice "This ATM is out of service." message, and of course kept my card. So, I called Wells Fargo customer service to find out how long it would take to replace my business ATM card and it's 7-10 business days!!! Ouch! Why exactly am I paying for a business account when I get the same service as for my personal checking account? I don't know. *sigh*