Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

ATMs Susceptible to Windows Viruses 403

Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
This discussion has been archived. No new comments can be posted.

ATMs Susceptible to Windows Viruses

Comments Filter:
  • by Anonymous Coward on Friday October 29, 2004 @12:51PM (#10665098)
    Like the actual story: ATMs in peril from computer worms? [theregister.co.uk] The Register seems to believe it's partly a scare tactic to sell antivirus software, though.
    • Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.

      Windows is actually just a ploy by Symantec to make money. Makes sense to me.
    • I spent 4 hours last week removing over 800 spyware files and registry settings last week on my in-laws computer.

      So yeah, I'm scared. I ought to send an invoice to Microsoft for my time...

      • This is why I go the "Linux first - Windows only if absolutely necessary" route when installing relatives' computers.

        No virus problems. No spyware problems.

        I believe the GNOME or KDE desktop is the perfect choice for absolutely computer illiterate relatives who want to surf the web, read mail and play the occasional game (my father even mentioned the best thing he liked about Linux was all the games - I didn't even knew they came with the installation! :).

        Why? Because they can't screw something up tha
    • Except that it has already happened [theregister.co.uk]. Can anyone guess who the ATM manufacturer was? (Here's a hint: They make lousy voting machines.)
      • (Here's a hint: They make lousy voting machines.)

        Diebold makes lousy everything.
      • by julesh ( 229690 ) on Friday October 29, 2004 @01:08PM (#10665376)
        I would hope that the lesson here has been learned: a mission-critical service (which ATMs are, these days) should be firewalled from everything that it reasonably can be, and should not be running unnecessary services.

        The ATMs should be running a custom application to drive the user interface which just pipes its data over an encrypted byte-stream protocol (maybe SSH, maybe something else, I don't know) to a central authorisation server. It should be able to accept a 'status query' request from a machine located in the branch that periodically checks that the ATMs are running and still have cash. These are the only services that are required. Everything else should be disabled. Everything else should be firewalled.

        As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection, except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.
        • by theLOUDroom ( 556455 ) on Friday October 29, 2004 @04:40PM (#10667824)
          I would hope that the lesson here has been learned: a mission-critical service (which ATMs are, these days) should be firewalled from everything that it reasonably can be, and should not be running unnecessary services. The ATMs should be running a custom application to drive the user interface

          Ummmm....actually that's not the problem.
          Mission-critical apps should not be run on crappy, not-meant-for-that-purpose software. It's not a question of how many firewalls you use. ATMs should NOT run windows.

          Firewalls are not a "magic fix" for shitty design. Hell the company I work at has a good firewall and they get viruses all the time. A firewall should be a "just in case" security measure, especially for something THAT important.

          We're talking about people's money here, it should take more than one guy plugging an infected laptop into the wrong ethernet jack to take it down.

          Stuff like this demands a multi-tiered security approach. We're talking encryption of encrypted communications here (with different algorithms), and if they're going to send ANY of this across the internet they better do it right. Otherwise, guess where the next 0-day exploit is going to get tested first?

          As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection,

          Wrong. You can't turn off the ALL the OS services or your custom software can't communicate with anything else. You NEED at least some of the windows code running and that bit of code just may turn out to be the next target of the latest, greatest worm.

          except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.

          Sure it does. A better OS is going to be harder to code an exploit for. What you're saying is that underlying system arcitecture doesn't matter. That's silly.

          If it was my call, I would have two boxes running completely different software and hardware, designed by two completely independent teams. I would keep the existence of each team seperate from the other.
          One box does the normal ATM stuff, on X86 hardware running something custom and minimalist, communication only via an RSA-encrypted data link.
          The second box contains an OS-less processing unit whos purpose is two-fold:
          • to encrypt the data again using elliptic curve crypto
          • to perform logging


          This would make it much harder of a zero-day exploit OR a funamental math breakthrough to wreck the security AND harder for any of the programmers to leave themselves a little backdoor (Office Space).

          Using a firewall in this application would be like using aluminum foil as a bullet-proof vest.
      • I [corpwatch.org] don't [slashdot.org] know [theregister.co.uk], who? [electionlawblog.org]
    • Yep, the BBC are also running a current story [bbc.co.uk] which was perhaps supposed to be included too.
  • (Very) old news (Score:5, Insightful)

    by Space cowboy ( 13680 ) * on Friday October 29, 2004 @12:52PM (#10665113) Journal

    Windows has been used on (at least) Natwest ATM's for a loooong time - several years at least. I've been in several situations where an ATM is displaying a Blue Screen Of Death. Interestingly enough, they show a trend for solidarity in these matters, when one of set is down, they're all down... Presumably the weakness is in the network layer, or some component that is attached to it.

    Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.

    Simon
    • The last time I was in the grocery store I passed one of those "Turn all your spare change in here!" machines with a BSOD displayed. I also managed to crash the self checkout scanner one time -- It gave a windows-looking dialog error.
    • A year or so ago I saw a story here on /. or at TheRegister.CO.UK that a Windows ATM had crashed and rebooted and didn't start up the ATM program. It was running a full version of Windows. Some college students (It was in a student union) loaded up Windows Media Player and opened up the Bethoven track that was on the machine and video taped it playing Bethoven and posted it on the web.
    • True, around the time Slammer was making its rounds, I actually got a windows interface on an ATM. It wasn't the new touchsceen kind, though, so there was no way of controlling it.

      I think the bigger issue here isn't that the ATM's run Windows, but that some are connected to networks that can be accessed from the Internet. Windows CAN be stable in certain situations (this ATM looked to be running NT 3.5 at a glance)... it's when you put it on a public network that it becomes a hazzard.
    • Re:(Very) old news (Score:5, Informative)

      by DogDude ( 805747 ) on Friday October 29, 2004 @01:22PM (#10665588)
      Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.

      Actually, this is why "real" databases like Oracle & DB2 are used. They have that nifty little "commit" and "rollback" functionality (part of ACID) that makes it incredibly unlikely that even in the event of a major event at the client, you're not going to be fubar'ed. That, and true fault tolerance (you can throw the power on a working Oracle database, and 9 times out of ten, it'll be just fine when it comes back).
  • by Samir Gupta ( 623651 ) on Friday October 29, 2004 @12:52PM (#10665118) Homepage
    • Crap. My bank was bought up by this bank. Not that I wasn't susceptable to viruses before... but now my naive innocence is shattered. I guess I'll have to start storing my money in my mattress. :(
  • by jdreed1024 ( 443938 ) on Friday October 29, 2004 @12:52PM (#10665127)
    Perhaps I missed something, where is the article that says ATMs are susceptible to Windows Viruses? All I see is a pointer to an article on battleships, and someone's speculation.

    Now, ATMs running Windows could very well be susceptible to viruses, but something backing that up would be nice.

    • Phht. Its not as if anyone here is going to actually read the article.
    • I don't have the relevant article, but Bank of America had a large portion of its ATM network infected earlier this year when a Diebold tech hooked his infected laptop up to one of their machines.
      I perform certification testing for a large transaction processor, so I have seen most of the ATMs that are in use in the US today. The first Windows based ATM that we saw arrived in 2000, and ran Win98. You had to reboot it every 3 days or it would lock up. Had cool videos running on it, though :D
      Since then, abo
  • Misleading Title (Score:5, Insightful)

    by jerw134 ( 409531 ) on Friday October 29, 2004 @12:53PM (#10665139)
    The title of this story is extremely misleading. It's stating something like it's a fact, although it's not even close. It's actually more of a question. But this is Slashdot, so I shouldn't expect too much.
  • Citibank (Score:2, Insightful)

    by egatenby ( 64256 )
    Citibank ATMs run NT. Lots of bank ATM machines do
  • I think you know what that means.
  • We'll see... (Score:3, Insightful)

    by danielrm26 ( 567852 ) * on Friday October 29, 2004 @12:55PM (#10665167) Homepage
    Don't forget the cars [slashdot.org] too. Oh well, trial by fire. If it goes horribly wrong, it won't stay that way for long. Either it'll get hardened or another OS'll get the job.
  • Halifax Bank ATM, Colchester, UK

    I walk up to the machine to get some cash out, only to be confronted by a Windows 9x dialogue box. The cash machine was on a desktop screen, with a dialogue up on the screen.

    It's a joke, seriously.
  • What Virus? (Score:5, Insightful)

    by Launch ( 66938 ) on Friday October 29, 2004 @12:55PM (#10665175)
    The title of this post says that Windows for ATMs are "Susceptible to Windows Viruses" but as far as I can tell this is just speculation... Is there actually any proof out there that these machines would be any more (or less?) susceptible to viruses? I'm suprised this made it through, no substance and just a lot of name calling at MS.

    • Re:What Virus? (Score:4, Informative)

      by advocate_one ( 662832 ) on Friday October 29, 2004 @01:45PM (#10665893)
      well there must be something to it as it's being reported by the BBC... [bbc.co.uk] and windows powered ATMs have already been taken out by worms...

      Already, he said, there have been four incidents in which cash machines have been unavailable for hours due to viruses affecting the network of the bank that owns them.

      In January 2003 the Slammer worm knocked out 13,000 cash machines of the Bank of America and many of those operated by the Canadian Imperial Bank of Commerce.
      In August of the same year, cash machines of two un-named banks were put out of action for hours following an infection by the Welchia worm.
  • by The I Shing ( 700142 ) * on Friday October 29, 2004 @12:57PM (#10665196) Journal
    When Hollywood gets ahold of this idea, they'll have teenagers or terrorists or someone cracking into ATMs and watching the security camera or changing the picture on the currency or some ridiculous thing.
  • What features will be included in windows for warships? My wish list includes: -Drag and drop cruise missles -Point, click, BOOM anti-aircraft guns
  • Now we can have Y2K hysteria... EVERYDAY!!!!!
    YAY
  • I don't understand (Score:2, Insightful)

    by pdx_joe ( 690372 )
    Maybe it's because I'm young and new, but why would people trust a system that has a record of failing? The blue screen of death is a big joke in the world. Why would airports, banks, the military, etc. trust Windows? I'm not trolling, this is an honest question. It's not the price. Is it because they think it is more robust, easier setup, compatibility? I was in Europe and saw the blue screen on an airport terminal and thought, wow, I hope the crucial systems on my plane or in the control tower are not ru
    • by Timesprout ( 579035 ) on Friday October 29, 2004 @01:17PM (#10665525)
      No you dont understand. While windows has has its instability problems since NT they have been pretty stable. Most of the current problems are to do with malicious twats fucking with other peoples systems.

      Banks have used various flavours of windows for years on their ATMs without any major issues. If the ATM network gets compromised it really doesnt matter what OS is running. Its never going to be the end of the world because they are little more than dumb terminals.

      And now for the even better stuff. Many aircraft run embedded NT as well in the flight control instrumentation. I suppose we had all better stop flying now. Medical devices have it so I suppose we should refuse medical treatment. Stores use it in POS so that rules out shopping. Microsoft are all over the place and you dont even know it, and strangly enough the world has not actually ground to a halt yet.
      • by westlake ( 615356 ) on Friday October 29, 2004 @04:02PM (#10667460)
        Here are some facts about ATMs:

        About 20% of ATMs world-wide run Windows. Banks are slow to migrate because of the cost. But the OS/2 systems out there are getting really, really old. Regulators want better encryption, audio support. IT wants TCP/IP. Marketing wants check recognition, targeted adds. You get the idea.

        70% of ATMS purchased by banks in 2004 will run Windows, up from 10% in 2001. Minimum specs for a new ATM, a P III or faster processor, with 256 MB RAM and an NIC. Investing in the ATM channel [atmmarketplace.com]

    • Actually, that "big joke" was already irrelevant several years ago when MS finally killed their DOS based OS's (95/98/ME). But that being said, I'm actually getting ready (today, maybe) to make a very big MS purchase because one of their products is much more reliable and robust than competing products. I'm using it for ease of use, excellent pricing, and reliability. In fact, I'm expecting this software package that I'm looking at will save me many $1,000's in 2005 alone.
    • by thpr ( 786837 ) on Friday October 29, 2004 @01:29PM (#10665687)
      Time to market. Cost. Even other concerns. There are many different decision drivers.

      In order to (1) catch up with a competitor or perhaps (2) get an "easier" development environment [easier being defined as one where the programmers are commodity and the system doesn't require buidling graphical components from scratch], 'easy' choices are made.

      In the end, the bank isn't doing the development, but purchasing a final product... there are tons of variables to an ATM beyond the underlying OS; and honestly, not all that many large vendors to choose from (and a large bank will almost never choose a small vendor, over concerns for longevity and support). Microsoft has made a major push for Windows in many places and makes it as easy as possible for people in different markets to use their OS. It is really the responsibility of the purchasing organization (in the case of an ATM, the bank or credit union) to choose a good solution. But it's a painful balancing act.

      By the way, if you really want to be disturbed by how liability for bad software isn't an issue, think about this: the US Federal Aviation Administration requires that every component put into an aircraft must not fail during the life of the aircraft. The next sentence then exempts software from this limitation.

  • by Surur ( 694693 ) on Friday October 29, 2004 @01:00PM (#10665243) Journal
    Lets be clear here, its not viruses we worry about. Nobody is going to run Kazaa on their local ATM. Its all about possible remote exploits.

    No OS is completely bug free and secure for ever. If the network the ATM's connect to is safe, the box should be safe. If they connect to the internet, I'm moving my money to another bank, no matter what OS they run!

    Surur
  • Memories (Score:5, Funny)

    by niall2 ( 192734 ) on Friday October 29, 2004 @01:00PM (#10665244) Homepage
    Ah yes I remember fondly seeing my first ATM BSOD in the SEATAC Airport. Nothing says welcome to Redmond quite like the BSOD.
  • There's lots of mentions of BSODs here, mind you that this isn't the same as a general "Windows virus". I'd rather deal with a defunct ATM than one with a Trojan installed behind the scenes.
  • by Kenja ( 541830 ) on Friday October 29, 2004 @01:02PM (#10665283)
    I seem to post this everytime this comes up, but once again. Diebold ATMs run Windows (95,NT and XP depending on how old they are). They have been known to crash to the desktop and often run unpatched. They have been hit by several worms over the years but banks keep on buying the dang things. Here of course is a link to a Diebold [coed.org] ATM running as a MP3 player after it had crashed to the XP desktop (touch screen, XP, built in speakers. Makes sense to me). I will never use a Diebold product, be it ATM or voting booth.
  • by TimmyDee ( 713324 ) on Friday October 29, 2004 @01:03PM (#10665289) Homepage Journal
    This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.

    Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.
  • what's next... (Score:2, Interesting)

    by alarocca ( 683961 )
    spyware for atm's?
  • A fool and his money are soon parted. Microsoft has years of experience at parting fools from their money, and now they're bringing that wealth of knowlege to a new industry, which will be much less wealthy after MS gets their hooks firmly sunk into them.

    The one thing that MS will find different here is that if they actually cost the banks money due to some stupid vulnerability, the banks are quite likely to take it seriously, and do something. Most MS customers don't.

  • National City Bank (Score:2, Interesting)

    by SpamKu ( 809119 )
    Now uses Windows for it's everyday transactions with customers. I have to say that makes me every bit as nervous as an ATM using windows. Every time a transaction is finished I hear the classic windows "donk" sound, and it just makes me twitch...

    I'd prefer a much more specific, secure system. Linux would be "OK", but actually I'd prefer something that is much more secure than that, or maybe a linux/unix flavor that aims for security above all else (inlcluding ease of use).

    We're talking about our money,
  • Banks and networks (Score:4, Insightful)

    by ucblockhead ( 63650 ) on Friday October 29, 2004 @01:08PM (#10665373) Homepage Journal
    Any bank that puts its ATMs on the internet has a moron in charge of IT.

    The best way to secure these things is to make sure that the only physical connection from the ATM is to a well secured computer under controlled by the bank.
  • I may be wrong, afterall I'm no expert on ATMs or bank networks, but since when are ATMs on the internet? I mean really, can you really get an IP address off an ATM? If this is the case then... isn't that a bad thing?
  • The fact that they run Windows and are open to attack or whether or not someone has access to your money? For me it's the latter. How they implement access to my money doesn't really concern me unless my account is not protected. If someone uses their equipment to access my acount without my authorization, then they are responsible for making restitution. If I have problems accessing my account I can vote with my money and move it to another bank.

    Me thinks that the average Slashdotter is a little to c

  • by nbvb ( 32836 ) on Friday October 29, 2004 @01:18PM (#10665539) Journal
    The reason you're seeing banks deploy new ATM's at a rapid clips this year is because IBM is dropping support for "vintage" OS/2 releases.

    Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...

    I believe that most ATM's were based on either OS/2 1.3 or 2.0.

    Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?

    When was the last time you saw an OS/2 virus?
  • All I can say is that if banks are going to go the tried and true route of using Windows as their ATM operatin system despite the fact that it has been hit reapeatedly by virii through LAN/WAN/Internet access and internal mail virii, then they deserve what they end up getting as a result. Be it often crashing ATM systems or loss of money because said machines decided it was time to release some swelling belly of money thanks to some virii/worm/trojan/etc.

    There really is only one good reason why the banks w

  • Oh well. (Score:3, Funny)

    by T-Ranger ( 10520 ) <jeffwNO@SPAMchebucto.ns.ca> on Friday October 29, 2004 @01:21PM (#10665580) Homepage
    Looks like its back to frame relay and ISDN for me.
  • by nazgul000 ( 545727 ) on Friday October 29, 2004 @01:25PM (#10665631) Journal
    Windows-based ATM crashes happen [drbrad.org] all [coed.org] the [drbrad.org] time [windowscrash.com].

    Windows ATMs have been everywhere for awhile -- the days of OS/2 cash machines being the only story in town are long gone.

    Nothing to see here, move along.
  • Is this new? (Score:2, Interesting)

    by joel2600 ( 540251 )
    I've seen a number of different ATM's in all states of disrepair and it seems they have all been running some version of windows ranging from windows 3.x (even after the turn of the century) and some version of NT.

    At one point in time i was lucky enough to be in a store where someone had dialed in and you could watch them working within windows on the screen, the technician realized this at some point and clicked a button which changed the screen on the atm to a label indicating the system was being servic
  • Why any OS at all? (Score:2, Insightful)

    by mr_snarf ( 807002 )
    Can someone explain to me why they didn't make the hardware for the ATMs from scratch? An ATM doesn't seem that complicated sort of a device. Could use any sort of micro-controller and write the software in assembly. Sure, getting it to communicate with the main bank-server-thingy might be harder, but I'm sure a bank could afford this.

    OK, I guess maybe its just cheaper to use something that already exists (windows).

    A more important, but related question: Why the hell do the diebold voting machines use w
  • by someguysomewhere ( 610384 ) on Friday October 29, 2004 @01:28PM (#10665676)
    When I was in Europe this summer, I crashed several ATMs (usually of the same branch) just by inserting my card, and guess what they all run some version of windows, it looked like 95/98/2000.

    Aparently they dont like the way my card is encoded.

    It was very annoying trying to find a bank where I could withdraw money from. At one point we we're joking around to see how many ATMs we could crash in one day.

  • by chill ( 34294 ) on Friday October 29, 2004 @01:34PM (#10665748) Journal
    Well, it was briefly mentioned in the prior /. article that Brazil is home to the world's first deployed OSS ATM software.

    Maybe it is worth looking into for others.
  • by davidwr ( 791652 ) on Friday October 29, 2004 @01:40PM (#10665822) Homepage Journal
    An ATM need not be much fancier than a gas pump.

    It needs:
    A card reader.
    A cash dispenser.
    A video display.
    A keyboard input.
    A communications channel to HQ.
    A printer.

    Most run "semi-locally" rather than as completely-dumb terminals.
    Most have an "administrator mode" and keep additional local state. For example, they know how much of what kinds of bills they have left.

    Most have security cameras, but these need not be "logically" part of the ATM, they can be standalone devices.

    Banks have used full-featured ATMs for years. In the early-mid 1990s, OS/2 was the major player. These days it's MS-Windows. 10 years from now, it will probably be something else.

    The key security issues with ATMs are:
    1) physical security and local encryption of sensitive data in case physical security is compromised, e.g. someone steals the whole ATM.
    2) network security - all communications are encrypted
    3) isolated network - no direct access to or from the Internet
    4) audit trail, e.g. local encrypted recording of all transactions, preferably to write-once media.

    I'm sure I left out some things. Please feel free to add.

    So, anyone know of any in-use Linux-based ATMs? Even better, anyone know of any totally-Free-and-open-source-software ATMs?
  • No problem at all (Score:3, Informative)

    by cbx_cbx ( 787665 ) on Friday October 29, 2004 @01:49PM (#10665942)
    I worked in a brazilian bank (the bigest) for years, in the development of the ATM software, and i think i can say some facts.

    Yes, the ATMs run Windows software without the varrios patches (Most NT4.0 Sp6, but those are being upgraded to 2k), but some machines (30%) also run OS2 (NCR machines) but those are being upgraded to 2Kd too. The older machines (not few) still runs DOS6.22

    About the virus/BSOD, i know they are anoyng, but dont represent great security risks. See, the ATM network are proprietary, closed, constantly monitored and dont have access to internet.

    IF, the ATM get some virus, the virus cant do much, no virus has WOSA/XFS (CERN-MS ATM API) commands implemented to do something usefull (Money withdraw?).

    There are some banks that are migrating to linux, but the lack of standard API (WOSA/FXS-like) are a trouble. And the banks like to have someone to blame in some serious problem (MSFT!)

    Sorry for the poor engrish.

    My 0.02c
  • by Mish ( 50810 ) on Friday October 29, 2004 @02:27PM (#10666434)
    ... http://cubalan.net.nz/kiwibank/ [cubalan.net.nz]

    Confidence inspiring++
  • by jesser ( 77961 ) on Friday October 29, 2004 @04:47PM (#10667886) Homepage Journal
    If an ATM is susceptible to worms, it's susceptible to direct hacking too. I don't know about the Slashdot editors, but I'm more worried about someone stealing my money than I am about them crashing my bank's ATMs.

"Hello again, Peabody here..." -- Mister Peabody

Working...