Wells Fargo Web-Enables ATMs 576
smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMS will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""
was a change required? (Score:5, Interesting)
Re:was a change required? (Score:4, Funny)
Re:was a change required? (Score:5, Informative)
Re:was a change required? (Score:3, Interesting)
In addition, they couldn't go to another OS because?
I've been contemplating changing banks for some time now (from Wells Fargo), but haven't for several reasons. This could be the straw that breaks this camel's back.
(FYI, a few years ago I walked up to a WF ATM, started to put my card in, and noticed a M$ Dev. Studio GPF dialog asking if I wanted to debug the application or cancel!!)
PGA
ServiceOntario Kiosks (Score:3, Informative)
Included digital audio and 30fps video. Special hardware was engineered to dispense license plate stickers. Not sure what the kiosks are running today, but in 1992 Windows couldn't cut it. The kiosks (advanced ATMS really) have won awards and have since been deployed into malls around the province.
Read more a
Re:was a change required? (Score:3, Funny)
Pressing "cancel" 10+ times to stop spyware installs: 2 minutes of user frustration
Entering pin number after someone else already pressed "ok" on spyware install: priceless
Re:was a change required? (Score:5, Funny)
Re:was a change required? (Score:5, Interesting)
If the BOFH had done this job, he would have had Wells-Fargo purchase a super-deluxe QNX licensing contract, then he would have installed BSD on the machines and pocketed the change.
Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box.
I think that Wells-Fargo should have used QNX, and now whoever made the decision is probably going to pay. Windows on an ATM connected to the internet is pretty damn frightening. Time to withdraw all my zorkmids out of the bank and stuff it under the mattress.
Re:was a change required? (Score:3, Informative)
Try the Danis506 drivers, et even has got some SATA support. eComStation runs rather nice om my 1.8Ghz Athlon XP - Barton box, especially with the new kernel.
Re:was a change required? (Score:4, Insightful)
I would imagine that Diebold was the one who made the decision to go to Windows.
Re:was a change required? (Score:3, Funny)
Probably he is being payed an undisclosed sum by a Redmond based software vendor.
That's what I guess.
I thinks this guy is clever, because he has no accounts at Wells Fargo!
They weren't deemed helpful enough (Score:5, Funny)
They weren't helpful enough, Well Fargo ATM customers can now look forward to the ATM Assistant(TM)!
"Hi, I'm Clippy, would you like help:
Depositing Funds?
Withdrawing Funds?
Transfer your entire balance to r00m4n14n d00d?
Selecting the proper brick to smash my keyboard with?
And for those trying to pry the computer box... (Score:5, Funny)
Re:They weren't deemed helpful enough (Score:3, Funny)
(Imi cer scuze pentru cazul in care tu nu te ocupi cu chestii de astea. Insa e frustrant sa vezi cat suntem de desconsiderati pe internet din cauza unor pungasi)
Re:was a change required? (Score:5, Informative)
Given than Wells Fargo, is a substatial entity, it would be interesting and credible to know how/why they decided to go the windows route since it is possible to maintain a large number networked Linux nodes for remote updates/admin as is cited in the article about windows.
Are windows embedded ATMs really the only game in town?
Re:was a change required? (Score:3, Interesting)
Something akin to WINE but for OS/2 with IBM's endorsement would be a useful thing. They could open source headers, specifications, internal docs and other unencumbered things to set things off.
Re:was a change required? (Score:4, Interesting)
The collaboration between IBM and Microsoft unravelled in 1990, between the releases of Windows 3.0 and OS/2 1.3. The increasing popularity of Windows prompted Microsoft to shift its development focus from OS/2, and IBM grew concerned about delays in development of OS/2 2.0. Initially, the companies agreed that IBM would take over maintenance of OS/2 1.0 and development of OS/2 2.0, while Microsoft would continue development of OS/2 3.0, then known as "NT OS/2". However, Microsoft decided to recast NT OS/2 as Windows NT, leaving all future OS/2 development to IBM. Windows NT's OS/2 heritage can be seen in its initial support for the HPFS filesystem (although write support was dropped in Windows NT 4.0 and read support was dropped in Windows 2000) and text mode OS/2 1.x applications (support dropped in Windows XP).
So they basically upgraded to a newer version of OS/2 in a weird twisted Microsoft sort of way.
Re:was a change required? (Score:5, Informative)
Now, it's true that you don't have to TCP/IP-connect a Windows-based ATM, you can operate it solely over SNA or SDLC or whatever you have -- but if you do you don't get all the features of the ATM, and not just the annoying things like HTML-based UI -- you don't get the handy stuff like remote management which means that you spend $$ sending humans out to the site rather than just doing task 'x' from your network.
Re:was a change required? (Score:4, Insightful)
They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch?
They're from Diebold. Enough reason to switch right there.
Re:was a change required? (Score:3, Funny)
I think that's the problem that everyone is worried about... that all of the sudden all the machines will be "remote managed" by someone and they'll start spitting out free money. Or logging card numbers/PINs.
Re:was a change required? (Score:3, Interesting)
Re:was a change required? (Score:5, Funny)
In today's climate of non-stop worms, trojans and viruses, deploying an ATM with no virus removal software would be irresponsible on the part of Wells Fargo.
(With apologies to divisiontwo.com.
Re:was a change required? (Score:5, Informative)
Why are untrained tellers doing that? (Score:5, Insightful)
I wouldn't trust a bank that had an untrained teller doing that.
Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.
What bank do you work for? I want to be sure that I don't have any accounts with it.
Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.
Re:Why are untrained tellers doing that? (Score:5, Funny)
No?
Thank you all for coming, the next "Corporations 101" lecture will be monday. Bring your notebooks.
Re:was a change required? (Score:5, Interesting)
Yeah but do you REALLY want a feature that allows unqualified individuals modify the interface of ATM machines? Isn't that something you want the bar set a little higher on?
Re:was a change required? (Score:3, Insightful)
It's "based", not "bassed" and "procedure", not "proceedure". "Acutally" I can only assume was actually supposed to be "actually". Oh, and "stand point" is one word, "standpoint". "It uses regular Windows" should be "They use regular Windows"; plurality matters. I won't even get into the structure of that
Just what I want.... (Score:5, Funny)
However, come to think of it, a lot of those things would look better with that Aquarium Screensaver. I think I'll click on the ok download button next time.
Re:Just what I want.... (Score:3, Funny)
"Open a new account to take advantage of our new patented savings-encouragement-system."
Re:Just what I want.... (Score:5, Funny)
Re:Just what I want.... (Score:5, Funny)
Yes, but... (Score:3, Informative)
Just because one has security issues does not mean the other will too.
Re:Yes, but... (Score:5, Funny)
That would certainly be a first.
Re:Yes, but... (Score:2)
Re:Yes, but... (Score:5, Interesting)
Either way, I wouldn't be the house on the kernel and networking components of XP being free from holes and possible exploits, Embedded or otherwise...
Re:Yes, but... (Score:5, Interesting)
I wouldn't trust Firefox in an ATM, let alone Internet Explorer. If my bank of choice starts deploying these in large quantities (they're around, but less prevalent than the old kind), I will run, not walk, to the competition.
Re:Yes, but... (Score:3, Informative)
Re:Yes, but... (Score:5, Interesting)
The greatest possibility for one of these to get hacked is that the one admin is not really familiar with the system and makes a mistake on setup that leaves things functional but insecure. With HTML and TCP/IP the admin is more likely to be familiar and less like to make a mistake with the system.
"I don't know what my bank's ATMs run as their operating system, and that's a good thing because it means the bad guys may not, either."
The bad guys know in detail how the circuit processes the image of a dollar bill in a change machine so they can fool it. Do you? Of course not, they know because they have no scrupples and they want to know.
Microsoft spends hundreds of billions of dollars writing custom and obscure protocols, deliberately designing every aspect of systems far more complex than these to be difficult to reverse engineer. It is the ultimate example of security through obscurity. And with MS it is what, 3-4yrs tops for their interfaces to be reverse engineered by hackers?
You trust obscurity. I'll take a system that is easy to setup properly; is built on tried, true, tested, and stable technology (windows meets none of these critera embedded or not); and requires a bad guy to get past someone with a gun to get to the wire. If the bank wants to remote admin that is fine, they better use fiber links with quantum encryption, otherwise the cost is needed.
I was once the technician at a small consulting firm trying to explain to a bank manager that he shouldn't have the network the bank terminals are on connected to the web and that a bank really should get something a tad more secure than norton internet security on their internet connection. In the end the bank just wanted something that said intrusion detection on the label to get the bank inspector off their back.
Re:Yes, but... (Score:5, Insightful)
Re:Yes, but... (Score:5, Informative)
Re:Yes, but... (Score:3, Insightful)
Hell, at this point I don't care whether or not it runs windows, its the "web enabled" part that scares me.
Yet somehow, it does. (Score:5, Informative)
I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs [securityfocus.com] just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.
And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd that how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...
Re:Yet somehow, it does. (Score:3, Interesting)
The implication here are grave, and important, Additionally it should be questioned is:
For how many years have ATM terminals been exposed to the entire internet? The 2003 nachi worm exposed the fact that important financial networks have been susceptible to exploitation for a long time.
It's the more embarrassing to realize that none of the so called Analysts, Gartner Analysts (a $9 billion advice giving outfit), or so called security experts, who now have the gall to pontificate (http://www.securityfocu [securityfocus.com]
Re:Yet somehow, it does. (Score:5, Insightful)
Well, they weren't exposed to the entire internet. They were on a VPN. Such ATMs are always put on a VPN. But that's the fun part, because the VPN apparently had holes in it.
In other words-- at least this was the theory discussed at the time-- the ATMs had been put on a VPN so that they were inaccessible to the outside world. But other bank computers were apparently allowed in the same VPN. And somehow the Nachi worm got inside the VPN, at which point it was free to infect the ATMs...
Re:Yes, but... (Score:3, Insightful)
Putting ATMs on the Web (Score:5, Funny)
Why! (Score:4, Interesting)
Re:Why! (Score:3, Insightful)
Re:Why! (Score:2)
Diebold (the #1 maker of ATM's) doesn't sell an OS/2 based ATM anymore, which means if you want new ones, you're stuck with Windows.
Hello, I am Govermet Minster (Score:5, Funny)
mod insightful (Score:5, Funny)
choice quote (Score:5, Insightful)
I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS.
Re:choice quote (Score:4, Informative)
But why? (Score:2)
Then again, it could just be for ads.
Re:But why? (Score:2)
Re: (Score:2)
Not a good thing for bank users .... (Score:4, Insightful)
Search on Windows security exploits and display the results and oh
Re:Not a good thing for bank users .... (Score:5, Informative)
This was informative? (Score:3, Insightful)
It's a big deal. If it's going to be web-based on it's controls, etc., it will have exposed ports.
Simply put, Windows really, really isn't suitable to task for th
Well Fargo Drive in Movies! (Score:5, Funny)
It's good too, because I needed a place to see MSNBC tickers and movie trailers and also get money at the same time.
Now that this has rolled out on all Wells Fargo ATM's, they will allow you to watch full movies on them and will be opening concession stands. If you pull up to an ATM, and the car in front of you has the windows all fogged up
Local AMC theater self serve ticket machines Win98 (Score:2)
Security does not seem to be a big issue on closed networks. At least I hope it is a closed network.
rofl... bwahahahahah... (Score:5, Funny)
"Wells-Fargo reportedly went bankrupt yesterday. Company spokesman: 'The money... it just disappeared...'
In other news, the EFF is reporting record donations!"
Netscape (Score:5, Interesting)
Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.
Re:Netscape (Score:4, Funny)
http://midnightspaghetti.com/newsDiebold.php [midnightspaghetti.com]
Re:Netscape (Score:3, Informative)
Of course, their old ATMs were relatively reliable although they couldn't run Windows Media Player.
Re:Netscape (Score:3, Insightful)
Second, it proves that there's no kind of high-availability, hardware watchdog, or other automagic restart system. These are minimal boxes, not solidly-built ones.
Third, it proves that the interest is in producing the most ATMs at the lowest initial cost, not in producing the best AT
Re:Netscape (Score:3, Insightful)
Generally, what you want is a known state - fully running or fully shut down. The most trivial way to do this is to have a hardware system that keeps a timer running. If the time to the next crash exceeds some pre-defined mark, you assume it is a software bug and reboot. If it happens before that mark, it is likely a hardware problem and you shut down
Re:Crashed ATM (Score:3, Informative)
At several banks here in town, you get a ticket that says "Amount error #13", your card pops out, (thankfully!) and "TEMPORARILY OUT OF SERVICE" pops up on the display.
Whoopsie!
s-l-o-w ATM keypad (Score:5, Interesting)
After I enter my pin, the beep sound and the asterisk that's displayed take so long that I think i've miskeyed, so press again getting a double entry which i have to cancel and slowly and carefully retry.
Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.
Re:s-l-o-w ATM keypad (Score:2)
Like you I have noticed that the time required to log-in to the ATM has increased. It sucks, but I don't think it's something we can get changed.
Re:s-l-o-w ATM keypad (Score:3, Interesting)
I dunno the make of the new ATMs around here, but you are not alone.
It is incredibly annoying to have the "beep" of a pressed key come as I'm one or two keypresses further along. I have to stop and wait for all the beeps to catch up, look closely at the screen, make sure it's all ok. Very, very annoying. I'm thinking of changing banks just to save me the frustration.
Re:s-l-o-w ATM keypad (Score:5, Insightful)
In 2005, you should not have a perceptible delay between keypress and a simple ack. response like putting up an asterisk.
The problem, of course, is not technology. It's this god-damned "save every fraction of a penny at all costs, and fuck the customer/user!" mentality. A couple of cents more per terminal is probably all it would take to eliminate the delay, but, well, like I said, fuck the user.
I can't use Comcast digital cable boxes because of the multi-second delay before button presses react. (That one boggles the mind, I think they had to work to make it suck that bad.) It pisses me off that in the time it takes to navigate to one On Demand movie, the value of my time for the time it took to do the navigation would have been sufficient to make a snappy, responsive system. You could quite literally rack up hours spent just waiting for their interface to update in a year if you actually tried to use it (from what I gather from the way they keep dropping the price on On-Demand things, nobody does), and that says they care so little about my time that they'd rather save 5 cents.
Normally, I don't much care about "bloat" in desktop computers, I think most people bitching about it don't really understand what that "bloat" is buying them. But in the embedded space, fire away with your "bloat" accusations. The work it takes to make a machine in 2005 react more slowly than a machine from 1970, no exaggeration, boggles the mind.
Fuckers.
What could possibly go wrong? (Score:4, Funny)
"Wells Fargo Web-Enables ATMs. Hilarity ensues."
My ATM had crashed - UK (Score:5, Interesting)
I remember a
Was I ever laughing.
I wonder if my atm card has a virus by now.
PS It was Bank of Scotland
Well I guess an OS and their money are easyily restarted.
Re:My ATM had crashed - UK (Score:3, Interesting)
Slow a**holes in line (Score:5, Funny)
Great. As if waiting for some jerk to
- Check his balance
- transfer funds
- buy stamps
wasn't bad enough, now I have to wait for him toArticle's leading text (Score:3, Insightful)
os/2 everywhere (Score:5, Interesting)
Re:os/2 everywhere (Score:5, Informative)
For the curious, they're needed to tell each zSeries processor what it is. This isn't as dumb as it sounds, because each of the 16 processors can do one of 4 tasks depending on the microcode you load into it.
You need a fairly dependable OS for this job, and when I last asked them they didn't trust Windows or Linux to do it right.
It's the mainframe attitude... (Score:3, Interesting)
These laptops run Communications Manager which in some of its abilities can emulate a 3270 terminal.. (yeah tn3270 does the same thing...)
New services (Score:3, Interesting)
Umm... Wouldn't envelope-free deposits require an on-site hardware shift anyway? That is, unless Windows Embedded now runs rapid prototype machinery.
Sounds like they're running WtFXML.
This was already tried... (Score:2, Funny)
We put Windows on them and gave them all high speed net access... it wasn't the most successful experiment, and they weren't stuffed full of cash.
BSOD (Score:5, Funny)
Accounting (Score:5, Funny)
That can't mean they have more than 3000 in total, as that's only around half of 6046. Even in marketing-land where the margins are bigger, you'd need at least 5000 out of 6000 to claim "nearly all". Logically, this means they must have more than 3000 online stations in each of their 6046 branches. That's over 18 million Windows licenses. Some sales guy at MS just got a new yacht.
Hacker takes 3 minutes to get your cash (Score:5, Informative)
And in a not unrelated story: Hacker takes 3 minutes to get your cash [stuff.co.nz]
--
Linux VPS Hosting you can Bank On [rimuhosting.com]
well.. (Score:3, Interesting)
Somebody set us up the ATM (Score:3, Funny)
Clippy says..... (Score:5, Funny)
Does not dispense more then $640 (Score:3, Funny)
My bank is doing the same thing... (Score:5, Informative)
The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!
And then the ATM ate my card.... (Score:4, Interesting)
The real question is how secure are the VPN boxes? (Score:3, Interesting)
ATM -- VPN -- Internet -- VPN -- Wells Fargo
So the real question is how secure are THOSE boxes...
It has to be Diebold machines (Score:3, Insightful)
So, this is what we have come to. (Score:3, Interesting)
This just in... (Score:3, Funny)
Re:RTFA, no sense (Score:2)
Re:tested (Score:3, Insightful)
Re:tested (Score:3, Funny)
Re:Network Security? (Score:2)
Re:I think the rhetoric is a bit overheated. (Score:3, Informative)
I think their excitement is the new communications infrastructure: the fact that updates via a teller can immediately be checked on the ATM. They're really happy over their new SOAP/J2EE bits. Of course, all the user sees is the ATM, so it's the only drum they have to bang. They might as well bang it for all they're worth.