Wells Fargo Web-Enables ATMs
smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""
What was wrong with OS/2 ATMs?
However, come to think of it, a lot of those things would look better with that Aquarium Screensaver. I think I'll click on the ok download button next time.
Don't blame Durga. I voted for Centauri.
What could possibly go wrong?
Gretings, I am Govermet Minster of Nigeria, and if you send me your PIN you wil share 20% of 1.3 milion American US dolars that I must retrive. THis wil only take a moment since you are already at your ATM.
"We want to make sure our ATMs are integrated with every other channel so when I do a deposit in a [branch] I want to be able to go to [an] ATM immediately and see that deposit"
I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of its OS.
Are you implying that a Gartner analyst may not know what they're talking about?
That would certainly be a first.
Maybe I'm wrong, but aren't they essentially the same kernel, with Embedded being a stripped down version?
Either way, I wouldn't bet the house on the kernel and networking components of XP being free from holes and possible exploits, Embedded or otherwise...
Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
This is not a great move. Try and search for OS/2 exploits even with Google. You're not going to find tons. I sure don't want to use an ATM running Windows and IE where someone can use the security exploit(s) of the month on it.
Search on Windows security exploits and display the results and oh
... darn I hope this gets submitted because my browser crashed when all the results came back.
So you are saying that Microsoft has no problems making the embedded version secure and they introduce the holes in XP just for fun? I fail to see how Microsoft's track record should make me go "Ohhh, it's the *embedded* version. In that case I trust your security completely!"
They can't all be fake, and I have a good feeling about this one.
It's good too, because I needed a place to see MSNBC tickers and movie trailers and also get money at the same time.
Now that this has rolled out on all Wells Fargo ATMs, they will allow you to watch full movies on them and will be opening concession stands. If you pull up to an ATM, and the car in front of you has the windows all fogged up
or else!
Does anyone else remember the end of Sneakers? Because that's what this reminds me of. I'm just thinking about the potential news headlines...
"Wells-Fargo reportedly went bankrupt yesterday. Company spokesman: 'The money... it just disappeared...'
In other news, the EFF is reporting record donations!"
It's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyways. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.
A couple of weeks ago I saw an ATM that had crashed. It was running Netscape on some version of Windows.
Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.
where's all that Karma?
Am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?
After I enter my PIN, the beep sound and the asterisk that's displayed take so long that I think I've miskeyed, so press again getting a double entry which I have to cancel and slowly and carefully retry.
Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.
I went to the hole in the wall (ATM) and it was displaying a Windows taskbar, a DOS window with some process running with a DOS full stop sequence progress meter and another McAfee window - I asked in the bank and they said it had been on and off all morning and an "engineer" was trying to fix it.
I remember a /. article on UK banks going over to windoze but I never thought I'd see the day.
;-)
Was I ever laughing.
I wonder if my ATM card has a virus by now.
PS It was Bank of Scotland
Well I guess an OS and their money are easily restarted.
Great. As if waiting for some jerk to
- Check his balance
- transfer funds
- buy stamps
wasn't bad enough, now I have to wait for him to
I used to work for IBM in OS/2 TCP/IP support. People would be amazed at how much OS/2 is still out there. Banking, industry, CIA, NSA, Vatican Bank, etc. Heart/Lung machines, ATM machines and the machines that make Fritos. When OS/2 went down at Frito-Lay, no more Fritos...not good times. I'm sad to see it go, it was great for apps such as these.
Uh, no, Windows XP Embedded is EXACTLY the same code base as Windows XP. It's basically a componentized version of Windows PE, much along the lines of what the community did with Bart's PE. Now if they were using Windows CE.net THEN it would be a different code base, but many DCOM components for CE.net share source code with their Windows counterparts so running on x86 hardware means that many of the same exploits may exist. Now if Wells Fargo knows what they are doing there won't be any unnecessary services installed, but the way the component selection engine for XP Embedded works means that things like the IE engine get dragged into almost any useful selection, meaning that all sorts of vulnerabilities exist.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
They weren't helpful enough, Wells Fargo ATM customers can now look forward to the ATM Assistant(TM)!
"Hi, I'm Clippy, would you like help:
Depositing Funds?
Withdrawing Funds?
Transfer your entire balance to r00m4n14n d00d?
Selecting the proper brick to smash my keyboard with?
A feeling of having made the same mistake before: Deja Foobar
Blue Screen Of Debt
That can't mean they have more than 3000 in total, as that's only around half of 6046. Even in marketing-land where the margins are bigger, you'd need at least 5000 out of 6000 to claim "nearly all". Logically, this means they must have more than 3000 online stations in each of their 6046 branches. That's over 18 million Windows licenses. Some sales guy at MS just got a new yacht.
Existing Windows XP embedded based ATMs, made by Diebold, have already been affected by Windows XP-targeting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?
I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.
And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...
And in a not unrelated story: Hacker takes 3 minutes to get your cash
You can hold down the "B" button for continuous firing.
TFA says these ATMs are web-based and Windows-based. That means they are almost certainly running the same rendering engine as Internet Explorer.
I wouldn't trust Firefox in an ATM, let alone Internet Explorer. If my bank of choice starts deploying these in large quantities (they're around, but less prevalent than the old kind), I will run, not walk, to the competition.
"I see you have used this ATM before. Would you like me to remember your PIN so you won't have to enter it again?"
There's a Wells Fargo ATM close to where I work, not inside a bank, and the guy who puts the money in it is always accompanied by an armed guard.
I wouldn't trust a bank that had an untrained teller doing that.
Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.
What bank do you work for? I want to be sure that I don't have any accounts with it.
Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.
On another point, HTML and TCP/IP are HEAVILY stress tested. There are flaws but they are known and everybody and their dog has had a chance to work out flaws with them.
The greatest possibility for one of these to get hacked is that the one admin is not really familiar with the system and makes a mistake on setup that leaves things functional but insecure. With HTML and TCP/IP the admin is more likely to be familiar and less likely to make a mistake with the system.
"I don't know what my bank's ATMs run as their operating system, and that's a good thing because it means the bad guys may not, either."
The bad guys know in detail how the circuit processes the image of a dollar bill in a change machine so they can fool it. Do you? Of course not, they know because they have no scruples and they want to know.
Microsoft spends hundreds of billions of dollars writing custom and obscure protocols, deliberately designing every aspect of systems far more complex than these to be difficult to reverse engineer. It is the ultimate example of security through obscurity. And with MS it is what, 3-4yrs tops for their interfaces to be reverse engineered by hackers?
You trust obscurity. I'll take a system that is easy to set up properly; is built on tried, true, tested, and stable technology (Windows meets none of these criteria, embedded or not); and requires a bad guy to get past someone with a gun to get to the wire. If the bank wants to remote admin that is fine, they better use fiber links with quantum encryption, otherwise the cost is needed.
I was once the technician at a small consulting firm trying to explain to a bank manager that he shouldn't have the network the bank terminals are on connected to the web and that a bank really should get something a tad more secure than Norton Internet Security on their internet connection. In the end the bank just wanted something that said intrusion detection on the label to get the bank inspector off their back.
I work for a mid size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.
The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!
What a timely post! Today I got back from a week long contract job and went to deposit some checks at the bank. Well, the local Wells Fargo closes at 4pm and I just missed it by about 10 minutes, so I went to deposit in the ATM. I inserted my card as instructed and voila, a nice Windows fatal error message requiring me to click OK, but of course no mouse to click the button with and the Green enter button does nothing. In fact, none of the buttons did anything. Eventually, the ATM rebooted itself and came up with a nice "This ATM is out of service." message, and of course kept my card. So, I called Wells Fargo customer service to find out how long it would take to replace my business ATM card and it's 7-10 business days!!! Ouch! Why exactly am I paying for a business account when I get the same service as for my personal checking account? I don't know. *sigh*