Slashdot Mirror


Researcher Discovers ATM Hack, Gets Silenced

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."

229 comments

  1. If it's an exploit for ATM *Machines*... by jeffb+(2.718) · · Score: 5, Funny

    ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

    1. Re:If it's an exploit for ATM *Machines*... by NastyNate · · Score: 1

      Not emulation. Just a machine for making ATMs. Kind of like MasterMold (from X-Men) for ATMs.

    2. Re:If it's an exploit for ATM *Machines*... by N+Monkey · · Score: 5, Funny

      ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

      No. It has to be an "ATM Machine" in order to be able to enter a "PIN number".

    3. Re:If it's an exploit for ATM *Machines*... by MickyTheIdiot · · Score: 1

      So clearly someone should invent the "automated teller machine machine machine," the machine that automatically builds the machine that automatically builds the ATM.

      The inventor would make a bundle... at least until someone invented the "automated teller machine machine machine machine."

    4. Re:If it's an exploit for ATM *Machines*... by schon · · Score: 1

      It has to be an "ATM Machine" in order to be able to enter a "PIN number".

      I wonder - how much RAM memory is there in those ATM machines to be able to hold all those PIN numbers?

      And what kind of NIC card do they have?

      Anyone want a peanut? :)

    5. Re:If it's an exploit for ATM *Machines*... by MattXBlack · · Score: 1

      You mean a personal PIN number?

    6. Re:If it's an exploit for ATM *Machines*... by maxume · · Score: 1

      And then some bastard invents the Generalized machine maker machine.

      --
      Nerd rage is the funniest rage.
    7. Re:If it's an exploit for ATM *Machines*... by idontgno · · Score: 2, Interesting
      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    8. Re:If it's an exploit for ATM *Machines*... by RichardJenkins · · Score: 2, Informative

      'ATM' has been a pseudo-acronym since people stopped using the phrase 'automated teller machine' except to pretend that saying 'ATM machine' is silly. Bah!

    9. Re:If it's an exploit for ATM *Machines*... by seven+of+five · · Score: 1

      Do they run on AC current?

    10. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      I would agree with you if I hadn't just got back from Germany. When I found people who spoke English and asked where I could find an ATM, they had no idea what I was talking about. When I said automated teller machine, they knew right away.

    11. Re:If it's an exploit for ATM *Machines*... by E+IS+mC(Square) · · Score: 1

      That's interesting. Do they also ask how much random access memory a computer has, along with the frequency of the central processing unit, and whether it can write to a digital video disc or can only be used for read-only memory?

    12. Re:If it's an exploit for ATM *Machines*... by DeusExMach · · Score: 2, Interesting

      I like how the article you reference states that they're designing a "Proto-prototype".

      So! By that logic, they have developed a proto-prototype of a generalized machine maker machine that can be used to construct proto-nano-pin-number-generating-atm-machines using proto-nano-assemblers running on AC current.

      This is worse than Spaceballs: The Video Tape.

      Now became then, just now. ...everybody got that?

    13. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 1, Informative

      Digital Versatile Disc

    14. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 3, Funny

      in order to be able to enter a "PIN number".

      So what you're saying is, I have to enter a PI number... Damn, this is gonna take a while

      3.1415....

    15. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      Everybody spells it wrong.

      It's "ATMachine" and "PINumber"

      Duh.

    16. Re:If it's an exploit for ATM *Machines*... by DeadCatX2 · · Score: 2, Funny

      I hope the keypad isn't connected to the computer via the USB bus

      --
      :(){ :|:& };:
    17. Re:If it's an exploit for ATM *Machines*... by cayenne8 · · Score: 1

      So...how are these ATM 'hackers'....actually getting the cash out of the machines, without being identified by the ATM and bank's cameras???

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    18. Re:If it's an exploit for ATM *Machines*... by cayenne8 · · Score: 1
      "I would agree with you if I hadn't just got back from Germany. When I found people who spoke English and asked where I could find an ATM, they had no idea what I was talking about. When I said automated teller machine, they knew right away."

      So, I take it they don't have TLAs in Germany??

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    19. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      No I said 7 minute abs!

    20. Re:If it's an exploit for ATM *Machines*... by raddan · · Score: 0, Offtopic

      I think you're supposed to say Geldautomat. Unfortunately, the last time I used one, it gave me stupid paper. Not gold :(

    21. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      I know it seems redundant, but there's actually a pretty good rationale for repeating the last word of an acronym after the letters. Otherwise, you'd have no indication whether this was an exploit for an Automated Teller Machine or an Asynchronous Transfer Mode network. Slightly more unlikely is that it would be for Adobe Type Manager.

      Sure, you can pick it up from the context of the rest of the story, but you have to wait until the line about cash machines before it's no longer ambiguous. Adding the word "machines" after the first ATM makes it easier to read.

    22. Re:If it's an exploit for ATM *Machines*... by jd · · Score: 1

      No, only personal PIN numbers for identification.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    23. Re:If it's an exploit for ATM *Machines*... by commodoresloat · · Score: 3, Funny

      Oh, just STFU up.

    24. Re:If it's an exploit for ATM *Machines*... by VisceralLogic · · Score: 1

      ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

      Perhaps the "machine" is to distinguish from the other potential meanings of ATM... such as "asynchronous transfer mode."

      --
      Stop! Dremel time!
    25. Re:If it's an exploit for ATM *Machines*... by maxume · · Score: 1

      I was thinking about it, I think the correct name for the device we are discussing would actually be the generalized machine maker machine machine.

      --
      Nerd rage is the funniest rage.
    26. Re:If it's an exploit for ATM *Machines*... by DMUTPeregrine · · Score: 3, Informative

      PNS syndrome is a horrible, horrible thing.

      --
      Not a sentence!
    27. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      The 'C' in NIC stands for 'Controller', not 'Card'.

    28. Re:If it's an exploit for ATM *Machines*... by fredklein · · Score: 1

      From that link:

      Reasons for use

      There are several linguistic explanations for the prevalence of RAS syndrome:

              * A limited amount of redundancy can improve (or seem to the speaker to improve) the effectiveness of communication (the pure-logic ideal of zero redundancy is seldom maintained in human languages). A phonetic example of that principle is the need for spelling alphabets in radiotelephony. The redundancy in phrases such as "ATM machine" can be likened to that in "pine tree" or "panda bear"; such constructions are particularly prevalent in English.

              * Some instances of RAS syndrome can be viewed as syntactic examples of the principle where the speaker wishes to gently reinforce the meaning of an acronym or initialism, especially in pedagogical contexts (whether formal or informal). In such cases, the redundancy may help the listener by providing context and decreasing the 'alphabet-soup' quality of the communication.

              * Some occurrences are in the interest of another form of clarity: disambiguation (whereas the clarity discussed above was of a 'decryptifying' type). For example, when discussing a mainframe computer's requirements, the initialism "AC" might refer to air conditioning or alternating current depending on the context; the redundant phrase "AC current" is used by some to distinguish them, although the phrase "alternating current" is clear, correct, and not redundant.

      , so there are reasonable reasons people do it.

    29. Re:If it's an exploit for ATM *Machines*... by schon · · Score: 3, Informative

      The 'C' in NIC stands for 'Controller', not 'Card'.

      Some people, including 3Com and Cisco, disagree with you.

    30. Re:If it's an exploit for ATM *Machines*... by Omestes · · Score: 1

      Easily, I'm sure. It's trivial to stand outside of the camera's area of view. If that (somehow) isn't possible, you can wear a mask.

      Though this would be an interesting thing to develop; making ATMs with facial recognition needed to operate.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    31. Re:If it's an exploit for ATM *Machines*... by maxwell+demon · · Score: 1

      so there are reasonable reasons people do it.

      You mean: So there are reasonably reasonable reasons reasonably reasonable people do it.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    32. Re:If it's an exploit for ATM *Machines*... by maxwell+demon · · Score: 1

      Well, when they invented the acronym DVD, it indeed stood for Digital Video Disk. Then they changed it from "Video" to "Versatile" to emphasize that you can store more on it than just video.
      I somehow doubt that they would have used that name if there had not been the desire to keep the acronym the same.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    33. Re:If it's an exploit for ATM *Machines*... by RockDoctor · · Score: 1

      So...how are these ATM 'hackers'....actually getting the cash out of the machines, without being identified by the ATM and bank's cameras???

      Why do you think that ATMs in country X will have cameras mounted in them like you have in country Y? There's no fundamental law of physics controlling the construction of security policies around an ATM in the same way that there's a law of physics about the construction of gravitational potential gradients around masses.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    34. Re:If it's an exploit for ATM *Machines*... by fraik · · Score: 1

      hehe, about.com:

      "Some NIC cards work with wired connections while others are wireless. Most NICs support either wired Ethernet or WiFi wireless standards."

    35. Re:If it's an exploit for ATM *Machines*... by Anonymous Coward · · Score: 0

      ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

      No. It has to be an "ATM Machine" to in order to be able to enter a "PIN number".

      They have an Ass-To-Mouth Machine that also accepts People In Need numbers? Sign me up!

  2. Ridiculous by Anonymous Coward · · Score: 5, Insightful

    So they've had 8 months warning, and now suddenly when researchers want to publish they now want time to fix it? Not indicative of a company that gives a flying fuck about security. They don't deserve time.

    1. Re:Ridiculous by Anonymous Coward · · Score: 5, Interesting

      No, they don't... but it depends on the hack.

      If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

      If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

    2. Re:Ridiculous by mcgrew · · Score: 1

      We're talking Diebold here, why are you surprised?

    3. Re:Ridiculous by furby076 · · Score: 4, Insightful

      You're right they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATMs is greater than these researchers' desire to present their work.

      --
      I do not support "The Man". I also do not support your irrational stupidity
    4. Re:Ridiculous by nthitz · · Score: 2, Insightful

      Agreed, 8 months is long enough. If they haven't fixed it by now, they certainly need some incentive to!

    5. Re:Ridiculous by Svartalf · · Score: 5, Insightful

      Actually, they HAD time to fix it. It still is highly problematic- but the big problem with all this thinking that bars people from disclosing this stuff at the stage it's at right now is the highly flawed thinking that disclosing a vulnerability discloses it to potential attackers which will use it.

      It's a bad thing to think the bad guys don't already know what you're showing off and presume that they're not doing it. Depending on the hack, they may be prepping for it or already screwing you over with it and you just don't know it yet. If a white/grey hat found it, I can assure you a black hat either has already found it or will shortly.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    6. Re:Ridiculous by joelmax · · Score: 2, Insightful

      I agree the ATM manufacturer doesn't deserve time, but the consumer does. How would you like it if someone stole your account info on a hacked ATM and pillaged your bank accounts and credit card info?? Not too good I'll bet. For the sake of protecting the consumer, this should be withheld.

    7. Re:Ridiculous by Anonymous Coward · · Score: 1, Insightful

      Not sure where you see that. As far as I know Diebold, Wincor, and NCR only put out drivers for Win XP for their ATMs. This is a Win CE bug, it's probably a white-label machine.

    8. Re:Ridiculous by poetmatt · · Score: 4, Insightful

      Companies only move upon losses and public fiascos. Politeness should be gone by 8 months. Honestly, "this can slash your profits to 0 or below" doesn't sound like a cause for concern?

      I'm sure departments within the company can make that same argument for losses but those are harder to take care of than simple software fixes that people are nice enough to be willing to tell them what the issue is. I mean how much easier can you get than someone else doing the job for you, that you didn't do originally? etc etc.

    9. Re:Ridiculous by jopsen · · Score: 3, Insightful

      You're right they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATMs is greater than these researchers' desire to present their work.

      Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

    10. Re:Ridiculous by Anonymous Coward · · Score: 0

      Unfortunately there is no way to know whether the "security of ATMs" is still intact. Individuals less scrupulous than the researcher may have already found this vulnerability and may be actively exploiting it.

    11. Re:Ridiculous by siloko · · Score: 2, Insightful

      You got it. The OP was right they don't give a fuck about security, what they give a fuck about is profits and a hullabaloo about folk losing cash as a result of compromised machines WILL affect their bottom line so each and every comment makes a difference. However it doesn't change the system that rewards secrecy over competence.

    12. Re:Ridiculous by arose · · Score: 4, Insightful

      Current situation: society as a whole does not know the vulnerability or its scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it.

      Full disclosure: anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    13. Re:Ridiculous by spun · · Score: 4, Insightful

      You've made the classic mistake of assuming corporations have any motivation to do the right thing, as opposed to the profitable thing. They don't give a rat's ass who is using this hack. All they care about is the price of their shares. If keeping a dangerous vulnerability semi-secret for a few more months will help their share price, they don't really care how many people get screwed over. Think of it this way: if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people. You think they care about your freaking finances?

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    14. Re:Ridiculous by maxume · · Score: 1

      Does murdering someone hurt society, or just that person?

      It's a glib analogy, but it is possible for the consequences of harm to spread further than the entity it is directed at.

      --
      Nerd rage is the funniest rage.
    15. Re:Ridiculous by compro01 · · Score: 4, Interesting

      Being as the exploit is already in the fucking wild and being actively exploited, preventing the information from being presented is completely and totally pointless.

      --
      upon the advice of my lawyer, i have no sig at this time
    16. Re:Ridiculous by MickyTheIdiot · · Score: 0

      No. But I'd be even LESS surprised if the vulnerability simply gave money to George Bush's bank account.

      Go ahead and mod me "troll," but the only reason Diebold didn't "deliver" the election to George Bush is because they weren't organized and/or smart enough to do it. They had every opportunity.

    17. Re:Ridiculous by furby076 · · Score: 3, Insightful

      Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

      1) Diebold customers/partners did not cause this issue
      2) If you use an ATM you are a Diebold customer
      3) Diebold will pass the cost to companies which use ATMs and they will pass the cost to you
      4) It does hurt society as a whole to enable criminals. Just because you are not directly affected does not make you immune to the effects.

      --
      I do not support "The Man". I also do not support your irrational stupidity
    18. Re:Ridiculous by neomunk · · Score: 1

      The argument being made isn't that people should get hacked, so this should be released. The argument being made is that by withholding this information corporate complacency will allow whoever is ALREADY using this exploit to continue to do so (as it has for the past 8 months). Your argument falls down from the point of view that releasing the information will force the company to promptly issue a fix for the vulnerability. In fact, your point of view is only valid if the company cannot or will not patch the exploit. Security through obscurity is a joke, plain and simple, trying to strengthen security via ARTIFICIAL obscurity is just plain desperate. If you really care about your accounts, push for fixes not whitewashes.

      So, I say, for the sake of protecting the customer, this should be released.

    19. Re:Ridiculous by Talderas · · Score: 4, Interesting

      Not really. Despite the exploit being out there, there are likely only a few malicious people that know about it. If the hack requires physical access to the machine, this means the number of machines that are exploited is less. As other people have mentioned.... once the exploit is significantly more public, that will increase the number of malicious people that know about it and increase the number of exploited machines.

      There's a lot of people who can apply exploits. There aren't as many that can discover them.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    20. Re:Ridiculous by furby076 · · Score: 1

      Current situation: society as a whole does not know the vulnerability or its scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it. Full disclosure: anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.

      Society as a whole does not know of the vulnerability. You are correct. Full disclosure of the vulnerability will allow those who have the desire/means to exploit it. No it won't be as easy as walking into a 7-11 with a shotgun, but there are plenty of computer geeks who would exploit such a loophole to make some cash.

      Since we can't set up a security guard/cop by every ATM unit 24/7 until a patch is released, criminals will be able to rob the machine... as simple as going to the unit at 4 AM with a ski mask and doing what needs to be done (assuming it's not something that can be done remotely)

      --
      I do not support "The Man". I also do not support your irrational stupidity
    21. Re:Ridiculous by MightyYar · · Score: 2, Insightful

      Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

      I'd have to know more details. The manufacturer is not the one who will feel the direct repercussions of this hack - the ATM owners will. It might have been more effective for the researcher to inform some of the larger customers rather than the company. I'd bet that a big bank leaning on Diebold would have been more effective than this researcher disclosing a secret exploit.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    22. Re:Ridiculous by spydabyte · · Score: 1

      If it gives access to innocent people's accounts, then it should be released sooner, destroying the company's reputation, forcing the company to fix the issue in customer reimbursements after losing half of their customer base, to send them under. Sadly, customers would be forced to leave the banks, not the Diebold machines, which supply all banks in certain regions.

    23. Re:Ridiculous by digitalunity · · Score: 1

      Maybe in some regards, but the electrocuting ATM isn't a great example.

      There exist numerous product safety laws that could affect the criminal culpability of decision makers in a company who refuse to address serious known safety concerns in their products.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    24. Re:Ridiculous by maxume · · Score: 1

      The meat entities within a corporation may care about the price of the shares of the corporation, the corporation itself only cares about profits.

      --
      Nerd rage is the funniest rage.
    25. Re:Ridiculous by Anonymous Coward · · Score: 0

      You're working under the assumption that this hack is not already out in the wild.

      In fact, to protect the customer, it should be released to the general public: if everyone knows about the dangers of using an ATM, then they won't use one. Hence, their account info will be safer because it won't be taken by a rogue system. Plus, it gives the company much greater incentive to fix the problem and restore trust.

    26. Re:Ridiculous by Anonymous Coward · · Score: 0

      More like

      Current situation: "Society" as a whole does not know about the vulnerability, a small portion of the population knows that there is a vulnerability (slashdotters and the like), even fewer know what the vulnerability is, and a few criminals actually are actively exploiting it ($9 mil from 130 machines according to the summary).

      Full Disclosure: Anyone with guts can try and exploit the vulnerability, some will succeed, most won't, but the ATM manufacturers like Diebold will probably be just as incompetent as they have always been. News outlets might report on the vulnerability, maybe even causing a run on 1 or 2 smaller (like neighborhood local only small) banks if the hype hits the masses similar to the way the whole H1N1 thing did.

    27. Re:Ridiculous by spun · · Score: 1

      Aside from its meat entities, a corporation has no cares, thoughts, or motivations. I could have been more clear, but by 'share price' I meant both the price of the shares, and the dividends provided to shareholders, which equate with profits. The corporation does not care about profits, its shareholders care about profits, which they receive through dividends and increased share price. The corporation is simply a mechanism to allow the shareholders to profit without feeling personally responsible for the actions which generate the profit.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    28. Re:Ridiculous by Hizonner · · Score: 5, Insightful
      1. Diebold (or whoever; I don't know that it's Diebold) customers/partners are primarily banks, which are supposed to be in the business of worrying about securing money. It's negligent for a bank to buy a product without verifying its security. So, yes, they did in some sense cause the problem, or at least they bear a chunk of the blame for it.
      2. If I use an ATM, I am a customer of Diebold's (or whoever's) customer, the bank, not a customer of Diebold. And what I'm paying the bank to do is to secure my transactions. I will admit that I've obviously hired an incompetent bank and am perhaps at fault for doing so, but that doesn't excuse the bank's incompetence. And I think my fault is reduced by the unavailability of banks that actually do their jobs, whereas banks would have access to decent ATMs if they bothered to demand them.
      3. Where do people get this nonsense? Diebold (or whoever) already charges as much for the ATMs as it can get away with. They don't set prices based on their costs; they set prices based on what customers will pay, subject only to the proviso that if customers won't pay what it costs to make the product, they won't make the product at all. To a first approximation, in a properly functioning market with competition (and there is competition in ATMs), prices fall to approach marginal cost of production (for the most efficient producer). This doesn't increase marginal cost of production for anybody.
      4. Maybe, except that it's NON-disclosure that actually enables the criminals, and that goes beyond this particular bug and beyond the case of ATMs. Not only does non-disclosure enable ATM manufacturers and whoever else to continue to ignore the problem while the criminals continue to exploit it, but, by encouraging other companies in similar situations to do the same, it guarantees further problems. To prevent companies in general from ignoring problems, there needs to be a credible threat of disclosure if there isn't prompt action on reported problems. 8 months is way, way more than enough time. In order to maintain the credibility of the threat of disclosure, there needs to actually BE disclosure once in a while, so that companies know they actually have to live up to their responsibilities.
    29. Re:Ridiculous by thePowerOfGrayskull · · Score: 1

      And anyone who is unfortunate enough to have a bank with a diebold machine, depending on the nature of the exploit...

    30. Re:Ridiculous by viruswatts · · Score: 0

      The first time I saw a dollar and a half charge to get my own money, I never touched an ATM again.

    31. Re:Ridiculous by idontgno · · Score: 2, Informative

      Maybe in some regards, but the electrocuting ATM isn't a great example.

      Oh, I dunno, it's not like there hasn't been precedent for companies systematically ignoring lethal electrocution hazards in their work.

      There exist numerous product safety laws that could affect the criminal culpability of decision makers in a company who refuse to address serious known safety concerns in their products.

      As of 2008, with the passing of the Consumer Product Safety Improvement Act of 2008, the criminal penalty for "knowing, willful violation" is 5 years instead of only 1 year per the original 1972 Consumer Product Safety Act. So yeah, the risk of imprisonment is something company officers have to consider, outside of a simple cost/benefit analysis. But realistically, if you play the game right, you may be able to stonewall and obfuscate well enough to make "willful, knowing" violation unprovable, taking that risk off the table. After that, consumer protection penalties are just another number in the "cost" side of the equation, with a "probability of occurrence" value that gets artificially deflated (because that stuff never happens to us).

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    32. Re:Ridiculous by moortak · · Score: 1

      The problem with that is that the hole is there. It may or may not be in the wild and the company has not taken action in 8 months. It may very well be that the only way to push the company to act is full public disclosure.

      --
      Xavier Rabourdin for president 2012
    33. Re:Ridiculous by Brian+Edwards · · Score: 2, Interesting

      The vendor in question is likely Microsoft:

      "The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago."

      My guess is that Microsoft is not excited about fixing bugs in CE, and would rather just extend their "security through obscurity" strategy to include censoring researchers.

    34. Re:Ridiculous by jellomizer · · Score: 1

      Lets jump to a conclusion that it is an easy to fix problem.
      And creating and deploying this would be cake.
      They may have the fix but have to manually go to the systems to fix them.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    35. Re:Ridiculous by qwijibo · · Score: 2, Insightful

      You're making the assumption that it's a simple software fix. There isn't always someone who knows the software, understands the problem and can figure out how to resolve it in the code.

      A lot of companies hire the cheapest people they can to implement ill-defined code which is duct taped together and released as a product. Once the product is released, all of the expensive ($10/hr) programmers are fired and the product is supported by a group of people who have a script to follow and get paid $2/hr. Once you purchased a product, what incentive does the company have to put a lot of time and money into supporting you? The only incentive is to add enough functionality to get more customers to purchase the product, which you just happen to benefit from.

      I recently spent a lot of time trying to debug a problem that was being blamed on infrastructure, but turned out to be a known bug in one of the open source Java components which was being used in a commercial product. There wasn't anyone employed by the vendor who understood that component, they just relied on it as a critical piece handling all communications in their product.

      It's nice to work with people who actually comprehend their job, but that's clearly in the minority. The larger the company you're dealing with, the higher the probability that there are people in critical positions whose actions cannot be distinguished from random noise. Comprehension is not a measurable metric, which causes many managers to consider it unnecessary.

    36. Re:Ridiculous by T+Murphy · · Score: 1

      I say he gives the companies a deadline when he'll publicize the hack. Put the ball in their court.

    37. Re:Ridiculous by u38cg · · Score: 1

      With reference to number four, yes, disclosure hurts. It does not hurt as much as a live exploit that nobody fixes because it has not been publicly disclosed. Ask anybody who had their UK bank account lightened in the 1980s. Criminals are very effective consumers of security exploits, and they are very often ahead of the game.

      --
      [FUCK BETA]
    38. Re:Ridiculous by Anonymous Coward · · Score: 0

      Whether or not they "deserve" the time, you and your bank will take the hit. You will be temporarily put out, and the bank will have to make you whole. The bank will have a helluva time collecting damages from the ATM vendor.

    39. Re:Ridiculous by taoye · · Score: 0

      Thank you.

    40. Re:Ridiculous by Nikker · · Score: 1

      Your a fucking idiot. This is a computer exploit, it's not like they have to be actively standing in front of the machine after each use. Once it gets hacked any person who walks up to it is giving their information to both their bank as well as the person who hacked the box. Your information may be next. The only thing that prolonging the disclosure does is keep those who do know in a captive market making money off me and you. If it does get out then banks will eventually lose more to insurance claims than it is worth doing business with Diebold, unfortunately that seems like the only way of motivating them to make a fix to a serious problem. You post like you're not affected but next time you swipe your card you might be. Even though you will likely get your money back as with everything else it will likely be a hassle including being without your money for some period of time, filling out paper work and waiting for them to get back to you. Does that seem like a better plan?

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    41. Re:Ridiculous by sam0vi · · Score: 3, Insightful

      What I think this guy should do is to publish the name of the problematic bank and/or ATM vendor, and give their users a month to withdraw all of their assets from that bank (since they clearly don't care about their customers' finances) and move to another one (of their own choosing). I'm sure as hell they would fix the problem ipso facto. My 2 cents.

      --
      When my Karma level reaches 0 I feel in peace with the Universe
    42. Re:Ridiculous by S7urm · · Score: 1

      Being as the exploit is already in the fucking wild and being actively exploited, preventing the information from being presented is completely and totally pointless.

      So if your house is already on fire, and will burn to the ground shortly anyway, then you certainly wouldn't mind me dumping some of my spare gas on your house, so that I can research and prove my theories on how well houses burn when adding gas to an already raging fire.

      I'm sure your neighbors wouldn't mind either........

      --
      "This is the value of a summer spent and a winter earned"
    43. Re:Ridiculous by Anonymous Coward · · Score: 0

      Your a fucking idiot.

      Nice.

    44. Re:Ridiculous by Talderas · · Score: 1

      Your a fucking idiot.

      I'll use it right back at you. I'll say "You're a fucking idiot."

      I never claimed that you have to be right there after each ATM usage. That would be ludicrous and insane. I was stating that if the hack required physical access, you gain physical access, implement the hack and reap the benefits.

      As such, if the people who know the hack live in Salt Lake City, San Francisco, and Seattle, then only ATMs in those cities and nearby are at risk. ATMs in Chicago, New York City, Boston, and many other cities across the US are at SIGNIFICANTLY lower risk of being exploited. Right now, without the exploit published, it's limited to being used by those that know it, or anyone who has the knowledge and expertise to figure it out. It's basic containment strategy limiting the number of individuals capable of causing the problem.

      People like you seem to think that releasing an exploit is magically going to make a solution get implemented right then, right now. It isn't, and John Q. Public isn't likely going to care about it anyway. They're too busy stuffing their mouths while watching American Idol.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    45. Re:Ridiculous by Haxzaw · · Score: 1

      Actually, they do deserve time, in jail. Just kidding, but a fine wouldn't hurt at all considering how they sat on it.

    46. Re:Ridiculous by Fulcrum+of+Evil · · Score: 1

      How is this any concern to the researchers? Perhaps after getting nailed a few times, banks will improve quality.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    47. Re:Ridiculous by cayenne8 · · Score: 1

      "Once the product is released, all of the expensive ($10/hr) programmers are fired..."

      Geez, where is it you work at where 'expensive' programmers only get paid $10/hr?!?!

      Hell, there are women out there selling cosmetics at department stores making twice that!!!

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    48. Re:Ridiculous by cmat · · Score: 1

      Except that the researcher could open himself to a lawsuit by Diebold.

      --
      -- Humans, because the hardware IS the software.
    49. Re:Ridiculous by liquidsin · · Score: 1

      not patching a known vulnerability for eight months enables criminals. maybe releasing the info forces the manufacturer's hand and gets them moving on securing their product?

      --
      do not read this line twice.
    50. Re:Ridiculous by nametaken · · Score: 1

      Let's compromise. He should give out the names of the banks that use that ATM.

      Then we can all go [call bank and bitch]|[close accounts] and the banks, in turn, can go fuck that manufacturer up.

    51. Re:Ridiculous by jmhoule314 · · Score: 1

      Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
      Woman on plane: Are there a lot of these kinds of accidents?
      Narrator: You wouldn't believe.
      Woman on plane: Which car company do you work for?
      Narrator: A major one.

    52. Re:Ridiculous by AmiMoJo · · Score: 1

      Not releasing the details doesn't protect any innocent people anyway. Chances are criminals know about this sort of thing, or at least now know where to start looking. Better to go public and force companies using these ATMs to take them off-line until the problem is fixed, rather than allow innocent people to be at risk of criminals stealing their money/private info.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    53. Re:Ridiculous by sjames · · Score: 1

      No, they don't. The innocent customers of the banks that bought the machines do deserve a reprieve. THEN, the manufacturers and banks that were notified and took no steps for 8 months deserve a very public name and shame session.

    54. Re:Ridiculous by vtolturbo · · Score: 1

      It is not the responsibility of a researcher who has discovered a vulnerability in some commercially available system to delay disclosure of the vulnerability until the system's manufacturer has had sufficient time to remedy the situation. The nature of the vulnerability is irrelevant to the question of when, where, and how to disclose. If the details are withheld, there is no public influence on the manufacturer to repair the system. If the details are disclosed, the customers will exert pressure on the manufacturer to make repairs. In the unlikely scenario that someone should use the disclosed details to exploit the vulnerability, the banks' insurance policies will cover the loss, representing a zero loss result to the bank customers. In the less likely scenario that private insurance policies do not cover the loss, the FDIC will cover the loss, up to $100k for each account. No substantial harm will be done. Disclosure benefits the banks and their customers.

    55. Re:Ridiculous by Snarf+You · · Score: 1

      Your a fucking idiot.

      Your coming across as an angry individual. Perhaps you should loose the attitude, and losen up a little. Their is a saying, "Pick you're battles" -- this isn't one of them. But they're will be other opportunities, just hang in their.

    56. Re:Ridiculous by sjames · · Score: 2, Insightful

      The one and only thing that makes them fix it is the near certain knowledge that the vulnerability will be exposed far and wide after a deadline. It is reasonable to give an extension if it's really a hard problem to solve, but they must feel nearly certain that the problem will come out in public.

      I do agree that it's not a good idea to assume that only the good guys know about the vulnerability.

    57. Re:Ridiculous by KraftDinner · · Score: 1

      I'll take my chances and hope that out of the 0.001% of people that get hit with this when they release it, won't be me. People getting hit with this hack will also make the banks move their collective asses in patching this. It's terrible for the people that get hit with it, but it's the only way the banks will listen.

    58. Re:Ridiculous by Phrogman · · Score: 1

      Companies *deserve* nothing. After all they are morally completely neutral, and cannot be relied on to have their customers' interests at heart. All they have at heart is their share price, and responsibility to their shareholders.

      The person who discovered this hack should have simply warned the company of its existence, providing all the details required to fix the problem, and if after giving them the very generous period of 8 months, nothing has been done, then the whole of the details including the company name and subsidiaries should have been published - preferably somewhere like a full page spread in the NY Times.

      As long as companies can continue to shut down embarrassing details concerning their irresponsible behaviour, we have a major problem.

      I tend to think of corporations - and by extension all of Capitalism - as evil these days. It takes a company going a lot of extra miles to give the impression they wouldn't shoot my grandmother if they thought it would improve their profit margin. Think of all the meaningless deaths and ruined lives that could have been fixed if only some company actually gave a rat's flaming ass about public safety.

      Perhaps it's time to get rid of the Company as a "corporate citizen" and make the CEOs of the company directly responsible and culpable for its actions. Then we might see some responsibility. Oh, court costs should have to be paid out of their pockets too :P

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    59. Re:Ridiculous by CastrTroy · · Score: 1

      I'm not the OP, but I'm guessing "expensive" is relative to the $2/hour people who are going to support the system. In the previous sentence, he said "hire the cheapest people they can to implement ill-defined code", so I'm guessing those are the $10/hour programmers.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    60. Re:Ridiculous by Anonymous Coward · · Score: 0

      It's negligent for a bank to buy a product without verifying its security.

      Firstly, you can't buy a product and know that it's secure. Vulnerabilities are found and need to be dealt with. Some systems may be more vulnerable than others, but no system is immune from vulnerabilities.

      So that leaves how you respond to vulnerabilities. And there's two types of responses a bank must make to a vulnerability. First, vulnerabilities can affect your purchases going forward. If you find that the costs associated with the current solution are higher than the cost of switching to a competitor, you switch.

      Second, there's the response to the vulnerability itself. The tone of your post makes it seem like it's a no-brainer to patch the vulnerability, but that's far from the case. Both the patch option and the do nothing option have associated costs. A competent bank will add up both costs and choose the one that costs less. Bank security does not have to be 100% effective. It has to strike the balance between what's necessary to keep thieves from easily stealing money and the cost of the security. Most of the time, this probably means fixing the vulnerability. But in the times that it doesn't, banks shouldn't be forced to choose the more expensive option.

      This makes the responsible disclosure issue a bit more hazy, IMHO. Vendors have a legitimate obligation to fix vulnerabilities in software run by users because the software vendor is not the one that would bear the burden of being exploited. A user that would bear that burden has every right to expect that the vulnerability would be fixed. But ATMs are run by businesses that can absorb the losses associated with an unpublicized vulnerability when that amount is less than it would cost to fix the flaw. And a bank is a much more informed user that's capable of evaluating the trade offs that can exist when making that decision. Banks are able to tell Diebold what should be a priority and what shouldn't. When a researcher goes public with a vulnerability, they can change the calculation of the cost of not fixing it and make the option to fix it the less costly option when it may not have been otherwise. So a security researcher who makes a vulnerability public may force the hand of the bank and not allow them to choose the cheaper option. As others have said, no matter what choice is made, the costs will be passed on to customers. So by disclosing the vulnerability, the researchers can end up making banking services more expensive for everyone.

    61. Re:Ridiculous by Anonymous Coward · · Score: 0

      if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people.

      You've been watching Fight Club again, haven't you?!?!?

    62. Re:Ridiculous by j-turkey · · Score: 1

      No, they don't... but it depends on the hack.

      If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

      If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

      I'm not trying to be pedantic or attack you, but I see this kind of response pretty regularly and have a slightly different opinion.

      I believe that stealing from a corporation isn't necessarily any more OK than stealing from an otherwise innocent person. Just because a bank is a corporation, does that mean that the people working for the corporation aren't innocent people? What if a rash of these hacks causes sufficient losses that the corporation must lay off otherwise innocent employees who had nothing to do with the negligence? What if the fed has to bail them out? Those tax revenues have to come from people (and businesses), right? Even if an insurance company indemnifies the bank, the bank's insurance premiums are likely to increase, and the bank doesn't eat that. Those costs will be passed onto their customers one way or the other.

      Of course, if the ATM manufacturer indemnifies the bank from any losses due to hacking, then it's on that company...they've done nothing about an issue that they were aware of. It may be a slightly different story, but somewhere along the line, an innocent person will have to pay in some capacity. In any case, my point is that just because a person steals from a company, it's not automatically OK. Someone is still likely to get hurt.

      Also, even in negligence, nobody deserves to be hurt. I know that you didn't say that; but I wanted to throw that out there too.

      Anyway, like I said; I'm not trying to be pedantic, insulting, or otherwise start a flame war with you. I just have a slightly different opinion.

      --

      -Turkey

    63. Re:Ridiculous by j-turkey · · Score: 1

      You've made the classic mistake of assuming corporations have any motivation to do the right thing, as opposed to the profitable thing. They don't give a rat's ass who is using this hack. All they care about is the price of their shares. If keeping a dangerous vulnerability semi-secret for a few more months will help their share price, they don't really care how many people get screwed over. Think of it this way: if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people. You think they care about your freaking finances?

      I believe that you're making a mistake of assuming that all corporations are run this way. Check out the service-profit chain. Some companies care about keeping their customers happy (I think that not electrocuting/killing them falls under this category) and realize that a happy customer affects their bottom line in a positive way. Not all companies are run well, but even with plenty of evidence that some companies are poorly run, I still believe that there are plenty of companies out there who want to do the right thing.

      --

      -Turkey

    64. Re:Ridiculous by Anonymous Coward · · Score: 0

      Your a fucking idiot...

      What a douche. If you're going to talk like that, go post on Slashdot or something. Oh, wait; this is Slashdot. In that case, let me fix that for you:

      You're a fucking idiot.

    65. Re:Ridiculous by spun · · Score: 1

      Corporations don't want to do the right thing. They want to make money. Some happen to espouse the view that appearing to do the right thing will make them more money, the operative word being appearing. For every moral and decent idea in the world of business, there are a hundred slimy leeches ready to pretend they are doing it while lifting your wallet. Image management is almost always cheaper than real morality.

      Heck, for every smart moneymaking idea in the world of business, there are a hundred pointy haired bosses willing to pay it lip service while ignoring the gist of it. The world of business is one gigantic, amoral circle jerk where everyone pretends to be fine, upstanding citizens while screwing each other over. Even folks who start out decent turn bad when exposed to the corrupting atmosphere of treachery and deceit that is modern business. It's screw or be screwed.

      I don't assume all companies are evil, amoral, or stupid, just the vast majority of them.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    66. Re:Ridiculous by sjames · · Score: 1

      If something comes of this, don't be surprised to see the banks pull every trick in the book (and a few more) to try to stick their customers for the losses individually. If that doesn't work, they'll just spread the pain around to all of their customers.

    67. Re:Ridiculous by Nikker · · Score: 2, Interesting

      I would like to apologize for being an asshole, I did go over the top. The reason I feel concerned is the element of scale. The only difficult part is figuring out the vulnerability; once that is done they can outsource because the money is there. There may not be a planet of computer elites with the ability to take advantage of this or any exploit for that matter, but if the money is there to be made, especially in the millions of dollars, there is incentive to perfect the process. With that kind of money you could engineer something as simple as a 'mod chip' and with a handful of people distribute your process, likely not even having to explain really what they are doing. As long as there is ROI people will do it without asking questions, so they might not even know who is behind all of this.

      I do agree that publicizing this is not the ideal solution, the sad thing is that Diebold / Sequoia has been aware of the issue for almost a year now, and coming from a company with security minded products, why is it I as the person the situation affects cannot do anything to avoid this situation? Is there a visual appearance of these particular machines I can use to determine if I want to take the risk or not? Maybe a visual screen layout? If so then I'm happy to let them do what they please but now that I am informed I want to make a decision based on that. The chance to do so is all I'm asking.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    68. Re:Ridiculous by j-turkey · · Score: 1

      Point taken.

      However, I don't think that corporations want anything. It's people who run (and work for) corporations who want or don't want things. People want to do the right thing, and corporate culture is usually generated from the executives down. Some people don't care about doing the right thing, some people do. I've worked for good companies with great management. I've worked for not-so-good companies with not-so-good management. I do know that my experience isn't necessarily indicative of the real ratio of good:terrible companies (or management), or even if bad management runs across the vast majority of businesses. I do, however, understand your point, and I respect where you're coming from. I guess that I've just worked for enough good companies that I'm not quite as cynical about business.

      --

      -Turkey

    69. Re:Ridiculous by Hizonner · · Score: 1

      Your first point is very good. It's true that you can't know that something is secure, and maybe it's better to say that nothing is secure, period. I was reacting to my (informed but not demonstrated in this discussion) belief that banks, in general, don't really try very much to audit the quality assurance procedures for software in devices they buy. Although you can't ever be sure something doesn't have problems, you can often be pretty sure it DOES have a bunch of problems, and they don't seem to do a very good job of trying to get that information.

      But that's really prejudice on my part. I have no actual knowledge of what any banks have done in this particular case, or of whether the practices I would consider appropriate would have caught this problem. So your point stands, and I'm wrong.

      I don't buy your other point, about the bank deciding it's cheaper to not patch the thing and to eat any losses. Or at least I don't buy the idea that disclosure should change the bank's calculation in an important way.

      Any disclosure that happens is not under the bank's control. More importantly, the bank can't predict when or if disclosure might happen from some random source, possibly unrelated to this case. The bank also doesn't know who might be inspired to poke around just by the news that this vulnerability exists, and re-find this or another problem. The bank doesn't even know who already knows. All it really knows is that there's a problem, and some unknown and monotonically increasing number of unknown people know what that problem is.

      There's just no intellectually respectable way to estimate the probability a vulnerability becoming public to any particular degree within any particular length of time. There isn't even a good measure of "how public" something is in the first place.

      I know it's trendy to try to do statistics on that sort of thing, but public disclosure events are so uncommon, in the light of how different they are from one another along so many axes, that it's really not sane to try to guess.

      So the conservative position is to always assume that a disclosure is going to happen pretty soon. Given that disclosure is assumed, you may in fact be able to make some valid guesses about how much you can lose, and it may indeed make sense to leave it unpatched.

      BUT, the thing is that that second part of the calculus isn't changed by the public disclosure, because disclosure is assumed.

      Banks are supposed to be conservative, not so much in that they're not supposed to take risks as in that they're not supposed to take unknown risks. They're supposed to worry about black swans as much as sanely possible. It's not OK to rely on something staying secret, precisely because it's so hard to figure out how likely that is.

    70. Re:Ridiculous by poetmatt · · Score: 1

      What's 50 or 100 or 200 grand to a 10 or 20 million dollar loss? Seems like the return on investment here is pretty easy to guess.

    71. Re:Ridiculous by DigiShaman · · Score: 1

      From TFA. "The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including *some* ATMs."

      Sounds like the problem here doesn't lie in the hands of the ATM company, but rather Microsoft. Granted, they had 8 months to do something about it. Given the vast amounts of resources at Microsoft, they should have provided a patch or a recompiled version of WinCE in less than a week's time frame if it was that damned serious.

      The real question here is this: who's been dragging their feet all this time? Was it the ATM company for not reporting the issue, or Microsoft pushing back and sweeping the issue under the rug?

      --
      Life is not for the lazy.
    72. Re:Ridiculous by Anonymous Coward · · Score: 0

      Clearly you work for a fortune 500 Company. From one brother to another, good job on explaining this to everyone else...

      jb

    73. Re:Ridiculous by ticktickboom · · Score: 0

      diebold customers didn't cause this. but they enable diebold. they know about most of the holes. they just don't care.

      now, if i did business with someone who, i know, lies, cheats and steals, i don't think i'd get too upset when they get stolen from.

      we all know they don't know how to count, but we trust their holey atms?

      they should burn just like a buncha the other evil corps out there

    74. Re:Ridiculous by hesaigo999ca · · Score: 1

      I agree, especially when it comes to public info that is personal...they should be made also to reimburse all the banks with losses, due to the fact they knew about this, but still applied no fix. That might entice them to move their greedy asses. I am always impressed by how long it takes the normal average person to fix something up until they get that challenge to their livelihood.

    75. Re:Ridiculous by Anonymous Coward · · Score: 0

      No, they don't... but it depends on the hack.

      If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

      If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

      "Free money" - really? Get ethical much? Or hasn't the last 10 months convinced you that financial systems can't be separated from economies and commerce and ultimately you/me/us?

      Presumably said free money would go to criminals who would be encouraged and funded in their next big project, and who are presumably not as astute or scrupulous as you are when it comes to fine distinctions between who is a victim and who isn't.

    76. Re:Ridiculous by poetmatt · · Score: 1

      Answer: Whether at MS's behest or not, the ATM company can still take any form of action of their choice. Their hands are not tied. They could switch, find something free, find something that costs them less, make modifications to WinCE and discuss them with MS, etc.

      Likewise, whether at the ATM company's behest or not, MS could still take any form of action of their choice and their hands are not tied, either.

      Instead, everyone goes "well, let's not acknowledge it" and writes off the cost of silencing a critic/legal fees as cheaper than fixing it in the long term. This is what we call "idiotic accounting". Companies are supposed to look long-term.

  3. What I don't get by For+a+Free+Internet · · Score: 0, Offtopic

    Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love! If people stopped worrying about money then maybe there wouldn't be so much poverty and swine flues. Also, I read that Linuxes are free, so, again, we don't need money anymore, since our computers are free! Look at the big picture, people.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:What I don't get by 4D6963 · · Score: 5, Funny

      Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love!

      Well, with money anyone can get some temporary love! And permanent herpes.

      --
      You just got troll'd!
    2. Re:What I don't get by Anonymous Coward · · Score: 0

      We're slashdotters, who would love us...? :'(

      They say you can't buy love, but it can be hired.

    3. Re:What I don't get by sopssa · · Score: 3, Insightful

      And some more long-term loving as well. That is, until she has spent all your money.

    4. Re:What I don't get by Anonymous Coward · · Score: 0

      If people stopped worrying about money then maybe there wouldn't be so much poverty and swine flues.

      I don't worry about money cause I just steal yours, you dumb moonbat

    5. Re:What I don't get by commodoresloat · · Score: 1

      Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love.

      This vulnerability affects only automated teller machines today, but how long before it affects ALMs? (Automatic Love Machines)

  4. WinCE when you say that by mspohr · · Score: 3, Insightful

    I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.

    --
    I don't read your sig. Why are you reading mine?
    1. Re:WinCE when you say that by aristotle-dude · · Score: 5, Informative

      I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.

      A lot of ATMs were previously running IBM OS/2 and were pretty stable. Not only are these ATMs now exploitable but they are also much slower than before they were "upgraded" to WinCE.

      Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    2. Re:WinCE when you say that by ArhcAngel · · Score: 1

      I agree, they should have kept using OS/2.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    3. Re:WinCE when you say that by Afty0r · · Score: 1

      Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.

      A large number of upgrades/changes in infrastructure & platform are actually driven with the primary goal of decreasing cost base.

      This is especially true in a poor economy, such as right now.

    4. Re:WinCE when you say that by Ray · · Score: 2, Funny

      Uh, no. Now WE'RE reaping the reward for their ignorance.

    5. Re:WinCE when you say that by jonwil · · Score: 2, Interesting

      One big reason to update from OS/2 to Windows is that its a lot easier to add new functionality to the Windows version of the ATM software than it is to add new functionality to the older OS/2 ATM software.

      Examples of new functionality ATM operators may want or need to add:
      1.Advertising (for loans, credit cards etc) whilst the ATM talks to all the computers and you wait for your money to come out
      2.Prepaid credit vouchers of various kinds (e.g. for prepaid mobile phones)
      3.Changes in the law (this last one happened recently here in Australia where there is now a new rule where if you use an ATM that doesn't belong to your bank, the owner of the ATM charges you the fee and not the bank where your account is. Also, the ATM is required to display the cost of this new "direct charge")
      4.Better accessibility for disabled people (e.g. deaf or blind)

    6. Re:WinCE when you say that by younata · · Score: 0

      1.Advertising (for loans, credit cards etc) whilst the ATM talks to all the computers and you wait for your money to come out

      A windows based computer can handle that? How much extra processing power will it need to do that AND talk to all the computers to get you your money?
      Secondly, why would any customer support advertising in an atm when they already pay to use it?

    7. Re:WinCE when you say that by NotBornYesterday · · Score: 1

      Secondly, why would any customer support advertising in an atm when they already pay to use it?

      The same reason you watch commercials on cable TV you already pay to use. They ram it down your throat because a) your eyeballs are temporarily being held captive, and b) they love additional revenue streams.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    8. Re:WinCE when you say that by aaarrrgggh · · Score: 1

      Wince was done for branding/advertising, not for functionality.

    9. Re:WinCE when you say that by hyc · · Score: 1

      Agreed. This was from last December in Kazakhstan, by the way:

      http://www.flickr.com/photos/27159137@N08/3186737368/

      About the same time frame as those researchers and their discovery. Seems to me that this type of hacking has been going on all over, for a long time already.

      And yes, I'd say it's criminally negligent to use any Windows OS on ATMs or anything else where security matters...

      --
      -- *My* journal is more interesting than *yours*...
    10. Re:WinCE when you say that by Anonymous Coward · · Score: 0

      Er, I'm deaf, if it's on the screen, it's pretty accessible as it is (and OS/2 had sound capability, the issue is mostly hardware upgrades, deafblind people are yet another issue as they would need braille/screen reader support).

  5. Release it anyway by Hatta · · Score: 5, Insightful

    You don't need a conference to publicize a security problem. Post it on the internet, and the vendor will have plenty of incentive to implement a fix immediately.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Release it anyway by netruner · · Score: 1

      Isn't this what Wikileaks was made for?

      --
      DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
    2. Re:Release it anyway by furby076 · · Score: 1

      Step 1) Develop fix...duration days to months
      Step 2) Test fix in test environment to make sure it doesn't cause other problems....duration days to months
      Step 3) Implement fix in all ATM's....duration weeks to months

      In the meantime criminals are stealing billions of dollars over the course of that time. It's easy to say "boo hoo, sucks to be you" but allowing criminals to steal is abhorrent. Even if the money stolen does not affect the consumer pocketbook, in the end the cost of this will trickle down to the consumer.

      --
      I do not support "The Man". I also do not support your irrational stupidity
    3. Re:Release it anyway by Tony+Stark · · Score: 2, Insightful

      That's right. IMHO, the reason some companies, such as in this case, suddenly decide to fix something after 8 months is because they are about to lose face. I think it must be a vulnerability that allows the hacker to obtain sensitive information about innocent people, as opposed to the company losing money directly. If the company was losing money, it would've been fixed 8 months ago. However, once it comes out that the company knew about it for 8 months and hasn't fixed it, the company will lose face and lose contracts because of that. That would explain the company's lackadaisical attitude in all of this. I miss the old days. This would've been posted on a BBS 7 months and 29 days ago.

    4. Re:Release it anyway by Avenger546 · · Score: 1

      Totally agreed. However, they've now had 8 months since Juniper notified them about the issue. If they aren't in step 3 right now, they totally deserve the public shaming (and loss of stock share value) they would receive.

    5. Re:Release it anyway by AndersOSU · · Score: 4, Insightful

      You don't think these ATMs will stay up if an exploit is published do you?

      The sequence of events goes something like this:
      Bank buys shitty ATMs
      Exploits are developed
      People start stealing from ATMs
      Someone gives the ATM manufacturer the exploit and tells them to fix their problem
      People continue to steal from ATMs
      Someone (publicly) threatens to publish
      ATM company says, "hold on give us a minute to fix it"
      People continue stealing from ATMs

      scenario A
      ATM company fixes the problem
      Banks and consumers never know their assets were exposed

      scenario b
      ATM company stalls
      people continue to steal from ATMs
      someone publishes
      a whole lot of money is suddenly stolen in a very short time period
      Banks shut down all vulnerable ATMs
      Customers notice their ATMs don't work - maybe ask questions
      Banks sue ATM manufacturer, become a little more careful about who they do business with in the future

    6. Re:Release it anyway by Hatta · · Score: 1

      They've had 8 months to fix their ATMs. For all we know now criminals have been stealing billions of dollars over that time. The responsible thing for this company to do is to shut down every affected ATM now until a fix is applied. They haven't done so, and clearly need a greater incentive.

      --
      Give me Classic Slashdot or give me death!
    7. Re:Release it anyway by bill_mcgonigle · · Score: 1

      The responsible thing for this company to do is to shut down every affected ATM now until a fix is applied.

      Which company is that? Do banks allow ATM vendors remote access to shut down the ATM's they've sold the bank?

      Each bank should do a cost/benefit analysis as to whether to shut down their ATM's. And not have the Feds bail them out for an incorrect choice.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:Release it anyway by Anonymous Coward · · Score: 0

      You forgot Scenario C:

      ATM company stalls (optional)
      people continue to steal from ATMs (optional)
      someone publishes (optional)
      a whole lot of money is suddenly stolen in a very short time period
      banks don't give a damn because most customers can't prove it wasn't them who withdrew the money.

      (as demonstrated by: MasterCard SecureCode / Verified by Visa)

  6. Too much pr0n by mandark1967 · · Score: 4, Funny

    Everytime I see "ATM" these days I think "Anal to Mouth".

    I need to stop surfing the Diabolic site....

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    1. Re:Too much pr0n by Anonymous Coward · · Score: 0

      EEeeeeewww....

    2. Re:Too much pr0n by AnalPerfume · · Score: 2, Funny

      Actually ATM (Ass To Mouth) kinda sums up the capitalist system quite well; you have to be fucked in the ass by the corporations to earn money to put food in your mouth. Only the few at the top do the actual fucking. Perhaps naming the machine that you rely on to give you your reward for being an obedient gimp an ATM is another way of giving them a chuckle. Who cares if the ATM's are hacked? The rules they paid their politicians to introduce will ensure the little guy always pays, and the rich never use ATM's. Even when they're working fine, many ATM's charge you for access to YOUR money. You already took a shot in the ass to earn it in the first place.

      In the UK. the banking industry pulled a fast one with chip & pin (something I refuse to use), is it any wonder they pull this shit?

    3. Re:Too much pr0n by coolsnowmen · · Score: 1

      And every time someone says "ATM machine" I think "Ass to mouth machine" and think about what one might look like.

    4. Re:Too much pr0n by Anonymous Coward · · Score: 0

      Link to this "diabolic" site?

    5. Re:Too much pr0n by Anonymous Coward · · Score: 0

      Usually, that's spelled A2M, possibly for this reason....

  7. Is this an overstated problem? by tjstork · · Score: 1

    If we estimate that world wide, only 8 million dollars was stolen out of ALL of the ATMs that are out there, I would think that that's actually a success, more than a liability.

    I mean, people steal more than that in cars, in what, every few hours?

    --
    This is my sig.
    1. Re:Is this an overstated problem? by maxume · · Score: 2, Funny

      I'm pretty sure the proper /. unit for theft/time is the Madoff. Guessing that he stole about 25 billion dollars over 30 years (this is just an off the cuff estimate, the actual value of the Madoff may vary), 9 million dollars per month (I think that's what the summary says) is a rate of about 0.13 Madoffs.

      --
      Nerd rage is the funniest rage.
    2. Re:Is this an overstated problem? by coolsnowmen · · Score: 1

      But that cost is distributed amongst the car owners, who don't band together for any sort of power as compared with banks. If, instead, people stole that much in cars straight from dealerships...

  8. No surprise here... by Svartalf · · Score: 2, Interesting

    It is quite unsurprising, really. We see the same thing going on in the SCADA security space. The book, Hacking SCADA: Industrial Network Security From the Mind of the Attacker, has been held up for at least a year past its original planned publication date for similar thinking.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  9. Windows on ATMs? by Anonymous Coward · · Score: 0

    What? They put Windows on ATMs? ...and they're still surprised people are hacking them?

  10. vote of confidence? by moskrin · · Score: 2, Funny

    so diebold's ATMs are as good as their voting machines!

  11. Whenever I hear about ATM hacking.... by Bicx · · Score: 2, Funny

    ... I know in my heart that John Connor is to blame. Or at least his mom, for teaching him how to hack ATMs. What I don't understand is this: why did John Connor only withdraw 3 dollars?

    1. Re:Whenever I hear about ATM hacking.... by Anonymous Coward · · Score: 0

      that is what you call banking fees. It's not hacking, it's not stolen, it's just plain wrong

  12. They got the ability to talk though by Sycraft-fu · · Score: 5, Informative

    They are now much easier for the disabled to use. While it was possible for someone who was blind to use an OS/2 ATM, it relied more or less on memorizing what to do. The buttons had braille on them but there wasn't really any feed back other than beeps. So it was a situation of memorize the key presses to do what you want. New ATMs have headphone jacks and can give audio feedback, allowing those with vision problems to use them much easier.

    1. Re:They got the ability to talk though by just_another_sean · · Score: 1

      Seems to me that that type of functionality could have been added to the OS/2 versions. Was it really necessary to completely replace the OS to get that type of functionality? I know that IBM gave up on supporting OS/2 but couldn't an experienced programmer do this without IBM's help?

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:They got the ability to talk though by Jaysyn · · Score: 1

      Headphone jacks are hardware, not software. You don't really think that OS/2 is incapable of sound, do you?

      --
      There is a war going on for your mind.
    3. Re:They got the ability to talk though by Nimey · · Score: 1

      New post-OS/2 ATMs have the headphone jacks. To put OS/2 on new hardware would be non-trivial.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:They got the ability to talk though by FishWithAHammer · · Score: 1

      That's not what he means.

      To get the headphone jack upgrades, they needed new ATMs. Retrofitting old ones would have been very costly in terms of manpower.

      OS/2 does not run on those new ATMs.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    5. Re:They got the ability to talk though by Sycraft-fu · · Score: 1

      OS/2 v 1.1? Ya, might well be. It was incapable of graphics, I don't know that it would be capable of sound either. This wasn't even a new OS/2 they were running, it was an extremely old version, even by OS/2 standards.

    6. Re:They got the ability to talk though by Lockblade · · Score: 1

      Ok, if the goal was to make them easier for blind people to use, why did they replace the drive through tellers? I can see them replacing worn out ones, but still, why replace the ones that are working well?

    7. Re:They got the ability to talk though by PainKilleR-CE · · Score: 1

      Usually banks will lease the ATMs or otherwise contract them out, so some other company owns, installs, and maintains the machine (including filling it with cash and receipt rolls). If they wanted to upgrade one machine they'd most likely upgrade all of them at once, or the company that owns the machines would upgrade all of the machines in a particular bank at once so they wouldn't have to keep going back to the same building to replace ATMs (or work with multiple types of machines in the same location).

      As for what I normally think of as drive-through tellers, that just depends on the bank. Some banks still have people working the drive-through, though the obvious reason for a drive-through ATM to have braille on the keypad is a combination of state and national laws and the fact that no one wants to produce more types of ATMs than they have to.

      --
      -PainKilleR-[CE]
    8. Re:They got the ability to talk though by StuffMaster · · Score: 0

      I wonder if I'm the only one that thought the old ones were easier to use (I'm not disabled). I liked the buttons, text, and snappiness. I find the touchscreens to be slightly annoying.

    9. Re:They got the ability to talk though by FranTaylor · · Score: 1

      Was it necessary for them to break OS/2 compatibility when they added the headphone jack?

    10. Re:They got the ability to talk though by brufar · · Score: 1

      The company I work for manufactures ATMs. Our machines do NOT run Windows or any other Commercial OS. They are fully compliant with PCI and ADA requirements. They include the headphone jack and audio prompts you mention among other requirements.

      So what was the requirement that necessitated the use of Windows? It's only a platform and is not needed to accomplish those goals. The OS used is irrelevant to ease-of-use by the disabled. The ADA guidelines state that ALL new machines manufactured after a certain date must include those features. Older machines of course are grandfathered in, due to the excessive cost of upgrading or overhauling them. If you take ANY machine out of service to replace it, it must be replaced with a terminal that meets the current guidelines.

      You might be surprised to find out there were still terminals through the end of last year using only single DES encryption. At the end of the year we shut down all of the terminals we handle processing for that were not upgraded. I can't say the same for other processors or sponsor banks. It wouldn't surprise me in the least to find out people were still operating those insecure out of compliance terminals.

      Funny, the ATMs installed in the banks cost around $50k while ours are in the range of $1500.00 - $2000.00. We have manufactured to date around 6000 machines and handle processing for over 12,000 terminals (ours and other manufacturers'). To date none of our machines have been subject to fraud via tampering in any fashion. That includes denomination fraud, code insertion, skimming devices.

      Quite frankly, given the process we have to go through for certification of any hardware or software change, I don't understand how the big guys keep ending up so vulnerable. They attempt to freeze, drill, shock, inject foreign substances, pry apart, cut open, and whatever else they can come up with to assault our terminals to ensure they are not able to be physically or electronically compromised. Do the big guys get an automatic pass on the certification process, just because of who they are? We sure as heck don't..

      --
      far...out
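An added example, not from this thread or from any ATM vendor's code: a small Python audit of DES/TDES key material of the kind brufar describes having to retire. Three facts drive it: a TDES key whose 8-byte components repeat provides no more strength than single DES (EDE with K1 = K2 or K2 = K3 collapses to one DES operation), a DES component must carry odd parity in every byte to be well-formed, and four DES keys are known weak keys. The terminal IDs, the key bytes and the function names are constructed for illustration and are not real key material.

```python
"""Audit DES/TDES key components for single-DES equivalence, bad parity and weak keys.

Added example: the terminal identifiers and keys below are constructed test
values, not production key material. Function names are illustrative.
"""
from __future__ import annotations

# The four DES weak keys (each yields the same subkey in every round).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(component: bytes) -> bool:
    """DES uses the low bit of each key byte as an odd-parity bit."""
    return len(component) == 8 and all(bin(b).count("1") % 2 == 1 for b in component)


def tdes_components(key: bytes) -> list[bytes]:
    """Split an 8-, 16- or 24-byte DES/TDES key into its 8-byte components."""
    if len(key) not in (8, 16, 24):
        raise ValueError(f"DES/TDES key must be 8, 16 or 24 bytes, got {len(key)}")
    return [key[i:i + 8] for i in range(0, len(key), 8)]


def effective_strength(key: bytes) -> str:
    """Report what the key actually provides once repeated components are accounted for."""
    parts = tdes_components(key)
    if len(parts) == 1:
        return "single-DES"
    if len(parts) == 2:
        k1, k2 = parts
        # 2-key TDES is E_K1(D_K2(E_K1(x))); with K1 == K2 it is just E_K1(x).
        return "single-DES (degenerate 2-key TDES)" if k1 == k2 else "2-key TDES"
    k1, k2, k3 = parts
    # E_K1(D_K2(E_K3(x))): K1 == K2 leaves E_K3(x); K2 == K3 leaves E_K1(x).
    if k1 == k2 or k2 == k3:
        return "single-DES (degenerate 3-key TDES)"
    if k1 == k3:
        return "2-key TDES"
    return "3-key TDES"


def audit_key(key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the key passed every check."""
    findings: list[str] = []
    strength = effective_strength(key)
    if strength.startswith("single-DES"):
        findings.append(f"non-compliant: {strength}")
    for i, part in enumerate(tdes_components(key), start=1):
        if not has_odd_parity(part):
            findings.append(f"component K{i} fails DES odd-parity check")
        if part in DES_WEAK_KEYS:
            findings.append(f"component K{i} is a known DES weak key")
    return findings


def audit_terminals(terminal_keys: dict[str, bytes]) -> dict[str, list[str]]:
    """Run audit_key over a terminal-id -> key mapping, as a processor might before a cutoff."""
    return {tid: audit_key(key) for tid, key in terminal_keys.items()}


# Constructed components with correct odd parity in every byte (test vectors, not real keys).
K_A = bytes.fromhex("0123456789ABCDEF")
K_B = bytes.fromhex("FEDCBA9876543210")
K_C = bytes.fromhex("1032547698BADCFE")

# Constructed sample inventory: terminal IDs are made up for illustration.
SAMPLE_TERMINALS: dict[str, bytes] = {
    "TERM-0001": K_A,                                   # single DES, must be retired
    "TERM-0002": K_A + K_A,                             # "TDES" in name only
    "TERM-0003": K_A + K_B,                             # proper 2-key TDES
    "TERM-0004": K_A + K_B + K_C,                       # proper 3-key TDES
    "TERM-0005": bytes.fromhex("0023456789ABCDEF") + K_B,  # first byte has even parity
    "TERM-0006": bytes.fromhex("0101010101010101") + K_B,  # weak key as K1
}

if __name__ == "__main__":
    for tid, findings in audit_terminals(SAMPLE_TERMINALS).items():
        print(tid, "OK" if not findings else "; ".join(findings))
```

The audit only inspects key structure; it says nothing about how the key was loaded or whether the terminal actually uses it, so a clean result is necessary rather than sufficient for compliance.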
    11. Re:They got the ability to talk though by the_mushroom_king · · Score: 0

      The buttons had braille on them but there wasn't really any feed back other than beeps.

      Can anyone tell me why drive up ATMs have braille labels?

    12. Re:They got the ability to talk though by Nethead · · Score: 1

      So those driving blind drunk can get cash for hookers.

      --
      -- I have a private email server in my basement.
    13. Re:They got the ability to talk though by FishWithAHammer · · Score: 1

      The underlying ATM hardware is not built by the same companies. The new ones don't market OS/2. So you're kind of screwed.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    14. Re:They got the ability to talk though by Anonymous Coward · · Score: 0

      OS/2 (eComStation) is running on newer machines. To make it run with all the drivers on ATM machines will be trivial. I don't know under which premises you say this. Or did you believe all the MS FUD about OS/2?

    15. Re:They got the ability to talk though by bhiestand · · Score: 1

      They are now much easier for the disabled to use. While it was possible for someone who was blind to use an OS/2 ATM, it relied more or less on memorizing what to do. The buttons had braille on them but there wasn't really any feed back other than beeps. So it was a situation of memorize the key presses to do what you want. New ATMs have headphone jacks and can give audio feedback, allowing those with vision problems to use them much easier.

      So what? It's not like they can tell whether the ATMs gave them $1 bills or $100s.

      --
      SWM seeks new sig for a brief fling
  13. Improve functionality? by Peter+Simpson · · Score: 3, Interesting

    It's an ATM.

    It reads a card, checks your balance and pokes money out a slot.

    What increased functionality is there?

    (well, yes, it takes in deposits, too, but...)

    Really, why aren't these things running the most limited OS possible?
    Running WinXP on them is just silly. I would have thought WinCE would be more locked down, but apparently not.

    The comment about OS/2 machines being more secure is interesting.
    I'd rather have IBM running my cash machines than Microsoft.

    1. Re:Improve functionality? by Lumpy · · Score: 2, Funny

      New from microsoft.

      Windows 7 ATM edition. Now with richer multimedia and features! Give your customers access to a media center while they wait for their money!

      Don't laugh, somewhere a manager in Microsoft thought of this and pitched it.

      --
      Do not look at laser with remaining good eye.
    2. Re:Improve functionality? by Amphetam1ne · · Score: 1

      What increased functionality is there?

      Bill payments & Pre-pay phone top-ups. Although in theory all they would need to be is additional UI options, because the actual processing would be taken care of at the server.

      --
      I only buy pepper spray that's been tested on anti-vivisectionists.
    3. Re:Improve functionality? by Anonymous Coward · · Score: 0

      Tons of new functionality, including:
      - scanning images of check deposits
      - OCR to determine deposit amount
      - accessibility features

      Eventually the cost of adding these features (and drivers for new hardware) to OS/2 would be prohibitive. OTOH, using windows seems asinine.

    4. Re:Improve functionality? by CastrTroy · · Score: 1

      Personally I agree with you. The ATM shouldn't be running any kind of consumer level OS. At the very least they should be using a stripped down version of Linux, if not a completely customized system. These machines only need to run 1 application. I don't see any reason why they should run a commodity OS. Not to say this would be guaranteed to cut down on vulnerabilities, but if you reduce the amount of code down to manageable levels, then you won't have so many problems.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  14. Security holes need to be public by 192939495969798999 · · Score: 1

    Hiding security holes doesn't mean they aren't there. Everyone knows that a bank has a fairly obvious security hole - most people would rather hand the money over vs. getting shot, so bank robbers tend to burst in guns blazing and then make off with tons of cash. Since that's public knowledge, it's easier to defend against such tactics. Hiding that would make both the bank and its customers more susceptible to gun-toting robber attacks, since they would be unprepared for the unknown.

    --
    stuff |
  15. Another odd device running Windows CE by RyoShin · · Score: 2, Insightful

    It's unfortunately not too odd to hear that ATMs run Windows (especially with some of the error messages I've seen). But there are even odder devices running Windows.

    I work at a somewhat-hated international retailing chain that will go unnamed, and while working there the other night my merchandise scanner, one of the portable hand-held ones used on the floor, froze. Not uncommon, but when I reset it it booted into Windows CE. A normal windows desktop. I tried starting Windows Media Player, but it wouldn't do anything. The funny thing is that when it works properly, it uses minimal ASCII art and no graphics at all.

    Why these kind of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

    1. Re:Another odd device running Windows CE by TheRealMindChild · · Score: 3, Insightful

      Why these kind of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

      Sir, you are confusing Desktop Windows with Embedded Windows. While the source base is starting to be shared, their targets and goals are substantially different. Windows CE IS meant to be highly-specialized for highly-specialized machines. You don't even have to build in graphical output. I've seen usable CE images take up ~2MB of memory total.

      --
      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:Another odd device running Windows CE by RyoShin · · Score: 1

      Thanks for the info. I thought Windows CE was something like a streamlined Windows Mobile OS. :)

    3. Re:Another odd device running Windows CE by PPH · · Score: 1

      Why these kind of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

      Because Microsoft makes it very easy to build apps on a Windows desktop, using Microsoft tools, and then move the executable onto another Windows platform. Sure, it's possible to develop in a Windows environment for some other target O/S. But it takes extra steps.

      Many s/w shops look at app development from the programmer's point of view rather than the end user's. If the tools and development processes have kewl features and are cheap, great. If the user or admins have to suffer, well that's not their problem (and might be an opportunity for additional revenue to fix it).

      *I've formulated this idea after having worked on applications in which the s/w developers, the administrators and the users were all part of the same organization. Nothing will make one run away from Windows any faster.

      --
      Have gnu, will travel.
    4. Re:Another odd device running Windows CE by Anonymous Coward · · Score: 0

      Why these kind of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

      Prior to Windows CE, it was common for each make/model scanner to run its own operating system, which meant that writing software for handheld scanners involved considerable portability overhead. The hardware abstraction layer in Connect's API* made things considerably easier, but putting CE on them made it easier to write GUI applications.

      From the standpoint of a developer writing application software for handhelds (such as an inventory system), it makes sense *not* to tie your codebase to the hardware, so you can sell it to as many customers as possible.

      *disclaimer: My current employer has a vested interest in AirLinc, which is built upon this API

    5. Re:Another odd device running Windows CE by wiredlogic · · Score: 1

      WinCE is the revamped continuation of the embedded Windows product line which as the GP stated doesn't require you to include anything beyond the base kernel.

      --
      I am becoming gerund, destroyer of verbs.
    6. Re:Another odd device running Windows CE by PCM2 · · Score: 1

      Thanks for the info. I thought Windows CE was something like a streamlined Windows Mobile OS.

      Errr, it sort of is, but that's saying it backwards. Windows Mobile is an OS that takes a Windows CE kernel and adds on a bunch of stuff, like a graphical shell and an application suite for smartphones. But there is also Windows CE itself, which can be built for a variety of purposes, like the earlier poster said. You specify the bits that you want and build your own custom kernel (not from source, but with tools from Microsoft). In fact, Windows XP Embedded lets you do something similar, only using the XP kernel. I'm pretty sure you could build an XP Embedded device that didn't offer the full Windows desktop. They may have left that capability on your device for debugging or diagnostic purposes.

      --
      Breakfast served all day!
  16. MS doesn't recommend WinCE either . . . by PolygamousRanchKid+ · · Score: 2, Informative

    . . . from TFA:

    The operating system used in the affected system, Windows CE, poses hurdles to a quick fix. Microsoft recommends that Windows CE is used for "low-end cash-dispensing ATMs," while Windows XP Embedded and Windows XP Professional are used on more full-featured ATMs, according to a white paper on kiosk and ATM operating-system platforms issued by the software maker. Windows XP Embedded, the latest version of which is Windows Embedded Standard 2009, and Windows XP Professional are more secure because they are easier to update, the software giant says.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:MS doesn't recommend WinCE either . . . by Anonymous Coward · · Score: 0

      Microsoft recommends that Windows CE is used for "low-end cash-dispensing ATMs

      So, it's just the low end non-enterprisey ones that just dispense money that are vulnerable. That's alright then.

    2. Re:MS doesn't recommend WinCE either . . . by Gabbermatt · · Score: 0

      Windows XP Embedded, the latest version of which is Windows Embedded Standard 2009, and Windows XP Professional are more secure because they are easier to update, the software giant says.

      Emphasis Mine.

      This is the reasoning that has allowed Microsoft to shovel out shitty OS after shitty OS. Once they fix this flawed logic, they can begin actually creating a secure OS.

  17. Never fear, BH presentation likely by 2gravey · · Score: 5, Interesting

    For those of you who aren't aware, the Black Hat tradition for vulnerability presentations which have been similarly blocked due to court orders, etc. is to offer BH a replacement safe/bland presentation and then deliver the banned exploit demonstration regardless. This action typically results in a large lawsuit against the researcher's employer, subsequent termination of the researcher, and a short-lived rock star notoriety for the researcher making the aforementioned termination totally worth it.

    1. Re:Never fear, BH presentation likely by CannonballHead · · Score: 1

      Termination of the researcher? That sounds kinda violent.

    2. Re:Never fear, BH presentation likely by Anonymous Coward · · Score: 0

      It's been renamed. Now it's "liberated". Got it? Now on to blinding techniques.

    3. Re:Never fear, BH presentation likely by blueZ3 · · Score: 1

      Listen. Understand. That Terminator is out there. It can't be reasoned with, it can't be bargained with... it doesn't feel pity or remorse or fear... and it absolutely will not stop. Ever. Until the researcher is dead.

      --
      Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  18. Not forced! by Sockatume · · Score: 5, Informative

    The article is transparent in saying that he chose to cancel his own presentation on his own volition, because it hadn't been fixed yet.

    --
    No kidding!!! What do you say at this point?
    1. Re:Not forced! by RoboRay · · Score: 1

      Sensationalist yet completely false headlines? What else do you expect from kdawson?

  19. 8 Months Is Not Enough Time by brunes69 · · Score: 1

    Do you have any idea what the QA procedure would be for a release of baking software?

    The QA cycle on it alone would be 6-12 months. Then you would need 6-12 months to roll it out to all the ATMs globally.

    1. Re:8 Months Is Not Enough Time by ColdWetDog · · Score: 1

      Baking software? Really? For cookies? Or pizza?

      Man, I didn't think that setting a temperature and a time was that hard.

      --
      Faster! Faster! Faster would be better!
    2. Re:8 Months Is Not Enough Time by zippyspringboard · · Score: 1

      Well yes, but when you are dealing with baking software people's very health and welfare are at stake. Great Scott, man, raw eggs can kill! Banking software is not nearly as stringent.

    3. Re:8 Months Is Not Enough Time by sumnerp · · Score: 1

      Do you have any idea what the QA procedure would be for a release of baking software?

      The QA cycle on it alone would be 6-12 months. Then you would need 6-12 months to roll it out to all the ATMs globally.

      Better, not longer, QA is needed.

  20. Oh I dunno by AnalPerfume · · Score: 1

    I reckon time is exactly what they deserve, I'm sure we could make room next door to Madoff. Perhaps they will discover the alternate meaning of ATM first hand while there, as taught by the ever present Big Bubba and colleagues.

    Oh, wait....you meant time to fix the problem. My bad ;)

  21. Total Cost of Ownership by Anonymous Coward · · Score: 0

    So, did anybody factor this into those Total Cost of Ownership (TCO) figures?

    1. Cost to find security flaws
    2. Cost to fix security flaws
    3. Cost to deploy fix
    4. Losses due to security flaw exploits
    5. Cost to suppress black hat who's going to tell the world how to #4 with style
    6. ???
    N. PROFIT!!!11!1!elevenone!

  22. I'm not blind, but... by wilder_card · · Score: 1

    Pretty much the only reason I trust an ATM is that I can visually verify that it gave me the right quantity and denominations of cash, and/or it printed out a deposit receipt. If I was blind I wouldn't want to use the fracking things, I'd go to a teller I trusted.

  23. How it works. by mbarkhau · · Score: 4, Interesting

    I only read this on another forum so take with a grain of salt.

    The hack is based on the assumption that if you make a withdrawal from an ATM and don't take the money, you forgot to take it, so the machine takes the money back and refunds the amount to your account.

    The thing is that the machine doesn't have a way to count how many bills it takes back, so you can just take the bills from the middle and you will get a full refund.

    Supposedly this also works if you take the money right before the ATM pulls back in the money.

    1. Re:How it works. by atomic-penguin · · Score: 1

      Got a link?

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
    2. Re:How it works. by drrck · · Score: 1

      Seems pretty traceable then. Look for a specific account being queried or debited and credited in rapid succession.

    3. Re:How it works. by bill_mcgonigle · · Score: 1

      or check the onboard video.

      I'm assuming the ATM's go in to a hold mode if it detects obscured video... oh, hell, nevermind.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:How it works. by St.Creed · · Score: 1

      Congratulations, you've caught out everyone that day who forgot to take out his or her cash :)

      As long as people don't do this every day for weeks on end, they won't get caught.

      Although I find it unlikely that there is no counting mechanism in an ATM - they need to be able to count the bills to give out. Could be done by a distribution mechanism though, and returned bills just go into a stack? Input from experts would be appreciated :)

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    5. Re:How it works. by Fnord666 · · Score: 1

      The thing is that the machine doesn't have a way to count how many bills it takes back, so you can just take the bills from the middle and you will get a full refund.

      Except that the bills taken back go into a separate hopper, the transaction is marked questionable, and a hold is likely placed on the funds until the transaction can be settled manually. The misdispense may also cause the ATM to be taken out of service until it can be checked. Certainly that will happen if more than one misdispense occurs. Fraud monitoring software may detect a pattern of unusual misdispenses on a particular card and flag that for investigation as well.

      Even if this did work, I don't see how it would be related to the particular operating system used on the ATM.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    6. Re:How it works. by not-my-real-name · · Score: 1

      I remember hearing something like that a long time ago. This is certainly not a new idea. I'm pretty sure that it was fixed too.

      --
      un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
    7. Re:How it works. by brufar · · Score: 1

      ATMs keep track of how much cash is in the dispenser (entered into the system when the cash is loaded). It keeps track of all transactions, successful or failed.

      The inexpensive retail ATMs we manufacture can track how much cash was dispensed if the dispense was not complete, or if there was an issue and cash was diverted from being dispensed into the reject tray. The terminal will automatically reverse a transaction if it failed to fully or partially dispense the requested cash during a transaction, and will credit the difference back to your account.

      I have a hard time believing a machine that costs $1500.00 can do all that yet a $50k ATM on the side of a bank cannot. Banks also reconcile their machines nightly, comparing the cash in the dispenser cassettes, the reject tray, and the transaction journal reports. It had better all balance. I own and operate several ATMs and I can assure you I check to ensure everything balances.

      So if there was one transaction where the machine pulled back the '$300.00 you failed to remove from the machine' and everything doesn't balance when they reconcile the machine, how hard do you really think it would be for them to figure out? I say it would take them less than 5 minutes to find where the money went.

      If what you mention was actively being exploited the banks would be losing money and they would not sit idly by. I am positive they would be going after the manufacturer of the machine with a vengeance, and the issue wouldn't be hanging out there for 8 months.

      --
      far...out
    8. Re:How it works. by Anonymous Coward · · Score: 0

      So unless you can open up a bank account, deposit $100 of seed money into it, and get an ATM card for it anonymously, it won't work for long before you wind up in jail. Why is it that these sorts of things always sound so promising at first, but then as soon as you find out how they actually work, you're all like "Aw crap, another stupid scam with flaws in it that can't quite beat having to drag myself out of bed to go to work every day in the long run." They're always like the lottery. $100 million would be so righteous, but then you do the math and it's like "Sheeeeeit man... If I had $70 million for enough tickets to have a decent shot at this, I wouldn't need the $100 million."
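
The two checks the replies above lean on, the nightly balance of cassettes and reject tray against the journal (Fnord666, brufar) and the per-card "debited and credited in rapid succession" pattern (drrck, with St.Creed's caveat that a single occurrence is just a forgetful customer), as an added example in Python. This is not code from the article, from any poster, or from any ATM vendor; the journal layout, the cash counts, the 120-second window and the two-hit threshold are all constructed for illustration.

```python
# Added example: a toy model of nightly ATM reconciliation and a card-level
# retract-pattern check. Not vendor code; journal format and numbers are
# constructed assumptions.
from collections import defaultdict

# Constructed one-day journal. Each entry is one event:
#   ts       seconds since midnight
#   txn      transaction id
#   account  card/account identifier
#   event    DISPENSE  cash presented to the customer
#            RETRACT   cash pulled back into the reject tray; the terminal
#                      assumes the full amount came back and reverses the debit
JOURNAL = [
    {"ts": 32400, "txn": 1, "account": "A1", "event": "DISPENSE", "amount": 100},
    {"ts": 36000, "txn": 2, "account": "B2", "event": "DISPENSE", "amount": 300},
    {"ts": 36030, "txn": 2, "account": "B2", "event": "RETRACT",  "amount": 300},  # honest: forgot the cash
    {"ts": 50400, "txn": 3, "account": "C3", "event": "DISPENSE", "amount": 300},
    {"ts": 50430, "txn": 3, "account": "C3", "event": "RETRACT",  "amount": 300},  # took 100 from the middle
    {"ts": 54000, "txn": 4, "account": "C3", "event": "DISPENSE", "amount": 300},
    {"ts": 54030, "txn": 4, "account": "C3", "event": "RETRACT",  "amount": 300},  # and again
    {"ts": 61200, "txn": 5, "account": "D4", "event": "DISPENSE", "amount": 200},
]


def journal_totals(journal):
    """Cash the journal says left the cassettes, and cash it says came back."""
    dispensed = sum(e["amount"] for e in journal if e["event"] == "DISPENSE")
    retracted = sum(e["amount"] for e in journal if e["event"] == "RETRACT")
    return dispensed, retracted


def reconcile(journal, loaded, cassette_count, reject_count):
    """Compare tonight's physical counts with what the journal implies.

    loaded          cash put into the cassettes at the last fill
    cassette_count  cash physically counted in the cassettes tonight
    reject_count    cash physically counted in the reject tray tonight

    A negative reject_delta is cash the terminal credited back to a customer
    that never physically returned to the machine, which is exactly the
    partial-retract trick the thread describes.
    """
    dispensed, retracted = journal_totals(journal)
    cassette_delta = cassette_count - (loaded - dispensed)
    reject_delta = reject_count - retracted
    return {
        "cassette_delta": cassette_delta,
        "reject_delta": reject_delta,
        "balanced": cassette_delta == 0 and reject_delta == 0,
    }


def suspicious_accounts(journal, window=120, min_hits=2):
    """Accounts with repeated dispense-then-retract pairs in rapid succession.

    One pair is what an honest forgetful customer looks like, so only
    accounts hitting the pattern at least min_hits times in the day are
    returned. window and min_hits are assumed thresholds, not bank policy.
    """
    last_dispense = {}
    hits = defaultdict(int)
    for e in sorted(journal, key=lambda e: e["ts"]):
        key = (e["account"], e["txn"])
        if e["event"] == "DISPENSE":
            last_dispense[key] = e["ts"]
        elif e["event"] == "RETRACT" and key in last_dispense:
            if e["ts"] - last_dispense[key] <= window:
                hits[e["account"]] += 1
    return sorted(acct for acct, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    # Constructed counts: 5000 loaded, 1200 dispensed, so cassettes hold 3800;
    # the journal expects 900 in the reject tray but only 700 came back.
    print(reconcile(JOURNAL, loaded=5000, cassette_count=3800, reject_count=700))
    print(suspicious_accounts(JOURNAL))
```

Run as-is it reports a reject-tray shortfall of 200 and names account C3, while B2's single honest retract is not flagged. The cassette side balances, which is the point brufar makes: the missing money shows up only when the reject tray is counted against the journal's retract total, so an ATM that never counts retracted notes has to rely on that nightly count or on the per-card pattern check to notice.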

  24. BSOD on ATM by Anonymous Coward · · Score: 0

    Obligatory

    ATMBSOD

    http://www.chrisb.com.br/blog/wp-content/uploads/2009/03/blue-screen-of-death-atm.jpg

  25. Wrong! by goombah99 · · Score: 1

    Not sure where you see that. As far as I know Diebold, Wincor, and NCR only put out drivers for Win XP for their ATMs. This is a Win CE bug, it's probably a white-label machine.

    No, Diebold chose to use WinCE as a cheap platform. Prior to that they had another platform that was not Windows based. They chose WinCE and it's caused multiple problems precisely because they willingly delegated the security.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  26. Only a few? Not for long. by PCM2 · · Score: 1

    Despite the exploit being out there, there are likely only a few malicious people that know about it.

    And if those people wanted to get rich off it, which would be easier and safer: to hack a bunch of ATMs themselves, or to sell the secret to organized crime?

    --
    Breakfast served all day!
    1. Re:Only a few? Not for long. by Talderas · · Score: 1

      Hacking the machines themselves then selling the private information would likely be the best risk/profit ratio.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
  27. Oblig. Fight Club by DeadCatX2 · · Score: 1

    "A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

    --
    :(){ :|:& };:
    1. Re:Oblig. Fight Club by mspohr · · Score: 1

      This was essentially the calculation Ford made with the Pinto and the exploding gas tanks.

      They figured out that it would be more expensive to fix the tanks than to pay off the people who were burned when the tanks ruptured and burned.

      They got tripped up, however, when they were sued and the jury learned of this calculation... cue the punitive damages, which they designed to tip the calculation in favor of the plaintiff. Ford lost big time (and still had to fix the gas tanks).

      --
      I don't read your sig. Why are you reading mine?
  28. Re:Juniper is unscrupulous. by MinistryOfTruthiness · · Score: 1

    (a. k. a. "Binging") on the Web.

    Why would I "binge" on the web? Do I then need to "purge" my cache?

    Sorry, Steve. Your attempt to verb your new search engine will be thwarted by literate people.

    --
    "I know that every word that man just said is true, because it's EXACTLY what I wanted to hear." -- Space Ghost
  29. Expect the exploit to pop up on BitTorrent, by Hurricane78 · · Score: 1

    and Russian cracker ring sites very soon. :)

    If not already. Wait, I'll go look. I could use some money! I like money! Maybe I could buy a latte with it. With extra cream! Cuz I like sex too!

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  30. Inconceivable! by Anonymous Coward · · Score: 2, Funny

    You've made the classic mistake ...

    Starting a land war in Asia or going up against a Sicilian when death is on the line?

    (Inconceivable!)

  31. Why wait? by despeaux · · Score: 1

    Hackers won't wait.

  32. 8 months might not be enough time by quietwalker · · Score: 1

    Working in the banking software industry myself, I can tell you that anything associated with ATMs is incredibly slow to change. Unlike, say, computerized voting, ATM software generally has to go through scads of certification and changes. Usually 2-3 companies must actively collude to provide the entire system, if not more, and all of them have to have their systems certified in turn.

    To make matters less urgent, everything is traceable. For a bank, culpability (accountability if you pardon the pun) is more important than theft prevention. I don't mean that the actual thief is found, but rather, that there's a log of every transaction and operation.

    No urgency and a huge barrier to change, coupled with a very low rate of occurrence - not really a 'real' problem.

  33. Any financial institution dumb enough to depend on by Anonymous Coward · · Score: 0

    WinCE deserves whatever comes their way. There is NO reason that an ATM can't run the FREE embedded Linux kernel and a custom banking app.

  34. Hahaha! some folks dream job there... by Anonymous Coward · · Score: 0

    " director of corporate social media relations for Juniper" so.. you get paid to F off all day and talk to your friends on Twitter and MySpace all day... And get paid for it? Juniper needs to get their act in gear and pay some people to WORK.

  35. Please no consumer Operating Systems by Anonymous Coward · · Score: 0

    A consumer operating system does NOT belong on an ATM nor any other critical systems for that matter.

    Putting windows on an ATM is just inviting bad guys to the table.

  36. ATM Running Windows CE by Phoghat · · Score: 1

    What idiots let them run on Windows CE in the first place? With my CE device I do the soft reset dance 3 times a day, at least.

    They couldn't find something more stable and secure?????

    --
    Think of how stupid the average person is, and realize half of them are stupider than that.
  37. Re:ATMs? I know a little about that! by gmhowell · · Score: 1

    Boy, there's a uid that's a blast from the past.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon