Windows to Power ATMs in 2005

manadren_it · Post by **manadren_it** » Fri Sep 19, 2003 10:51 am

Avast! I don't like the looks of this! I don't trust those scurvy dogs at Microsoft to handle me loot!

Wired LInk

Windows to Power ATMs in 2005
By Elisa Batista

Story location: http://www.wired.com/news/technology/0,128...2,60497,00.html

02:00 AM Sep. 19, 2003 PT

Within three years, most bank machines that dispense cash will run on the Windows operating system, according to a study published last week.

By 2005, 65 percent of bank ATMs (not including free-standing machines in places like convenience stores and casinos) in the United States will use a stripped-down version of Windows. About 12 percent of the machines will use the operating system by the end of this year, according to Gwenn Bezard, an analyst at market researcher Celent.

Bezard asked 20 of the top 60 banks in the country about their plans to upgrade ATMs. He also interviewed the top 10 ATM manufacturers and software vendors.

He concluded the banking industry is ready to scrap IBM's OS/2 operating system, which powers most ATMs today. They would prefer Windows, a platform they consider "open" in that it is compatible with their internal corporate networks. Also, it's so ubiquitous that they can add features to all their ATMs without having to write multiple pieces of code for different machines.

"Because we are seeing so many mergers and acquisitions in the last few years, you have large banks running a fleet of ATM hardware," Bezard said. "With open technologies it is easier to run different types of hardware on the same software."

While the infamous blue screen of death may haunt many desktop computer users, the banking industry and security experts dismiss the fear that someone will break into Windows-powered ATMs to empty bank accounts. For one, the ATMs will use a stripped-down version of Windows NT that is quite different from the software on desktop computers.

"What Microsoft actually sells to the banks for ATM use is a cut-down version of Windows that doesn't contain things like Web servers," said Ross Anderson, a researcher in Cambridge, England, and author of Security Engineering. "They have tried to cut out the unnecessary rubbish that clutters up the typical PC. How good a job they've done, I just don't know.... So we definitely can't rule out the possibility that someone in the future writes a Slammer-style worm that causes thousands of ATMs to start spewing out cash."

But one of Anderson's colleagues, Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security, dismissed this scenario. He pointed out that the machines would not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment. Because the machines have no peripherals like floppy disks, it would be difficult for a cracker to install code or steal information.

Indeed, the reason bank robbers still tend not to focus on ATMs to do their dirty work is that ATMs have almost never fallen prey to malicious hacking. Roughly $1 trillion of ATM withdrawals will take place this year, with losses of only $15 million. The losses are largely attributed to fraud -- stolen ATM cards or greedy bank insiders in charge of restocking the machines with cash, according to Dove Consulting.

"When you think about an ATM machine, it is basically a vault," Schneier said. "There is inherent security there."

ATMs running on Windows can be customized to become moneymakers for banks, which can program them for advertisements or to vend services like tickets. Even though Celent's Bezard said most banks would not offer advanced features on their revamped ATMs, machine manufacturers such as NCR envision a future in which the machines not only dispense cash, but also lottery tickets and soft drinks.

"Financial institutions will experiment with those functions," said Steve Risto, a director at NCR. "Some will win."

And all those features, of course, will run on Windows.

"Obviously we understood the limitations of Windows in regard to ... security and addressed these issues during the ... implementation," said Karl Felsen, spokesman for Fleet Bank, the seventh-largest U.S. bank.

"A Windows platform will give us more flexibility and opportunity for future enhancements," said Julie Davis, spokeswoman for Bank of America, the biggest U.S. bank. "The Windows platform allows us to put even better protections in place. However, we won't discuss the details of our security procedures."

Archived topic from Iceteks, old topic ID:1334, old post ID:11678

Red Squirrel · Post by **Red Squirrel** » Fri Sep 19, 2003 3:25 pm

*withdraws all money from account and stores in home safe powered by Linux*

This is scarry. But I assume since it's not on the net, it's safer, but it's still on a datapac network, and someone simply needs to find a telecom box somewhere on the street, and if he knows what he's doing, can easly insert a virus on the network.

Not only that, but half the time when you go to use it, it will freeze or crash!

But if it's a slimmed down version of windows (what it should have been from the start of it) it might be less pronoe to crashing.

Archived topic from Iceteks, old topic ID:1334, old post ID:11681

rovingcowboy · Post by **rovingcowboy** » Fri Sep 19, 2003 5:13 pm

as if that is an omin??

Archived topic from Iceteks, old topic ID:1334, old post ID:11688

Tim53819 · Post by **Tim53819** » Fri Oct 03, 2003 9:10 pm

AHHHHHHH!!!!!

Archived topic from Iceteks, old topic ID:1334, old post ID:12123

Chris Vogel · Post by **Chris Vogel** » Fri Oct 03, 2003 10:06 pm

I don't like this at all... Windows? I don't understand!

Archived topic from Iceteks, old topic ID:1334, old post ID:12128

fishyfool · Post by **fishyfool** » Tue Oct 07, 2003 12:57 am

But one of Anderson's colleagues, Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security, dismissed this scenario. He pointed out that the machines would not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment. Because the machines have no peripherals like floppy disks, it would be difficult for a cracker to install code or steal information.

correct me if i'm wrong, but isn't the slot for card itself an input device?
i don't know how much code you can put on a magnetic strip, but with banks switching over to chip based cards, there may be a problem.

Archived topic from Iceteks, old topic ID:1334, old post ID:12211

Red Squirrel · Post by **Red Squirrel** » Tue Oct 07, 2003 9:41 am

fishyfool wrote:
But one of Anderson's colleagues, Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security, dismissed this scenario. He pointed out that the machines would not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment. Because the machines have no peripherals like floppy disks, it would be difficult for a cracker to install code or steal information.
correct me if i'm wrong, but isn't the slot for card itself an input device?
i don't know how much code you can put on a magnetic strip, but with banks switching over to chip based cards, there may be a problem.

Hmm never thought of that. You can get card readers for a computer, I'm sure it's easy to make it write data to the card... such as virus data.

Archived topic from Iceteks, old topic ID:1334, old post ID:12213

wldkos · Post by **wldkos** » Tue Oct 07, 2003 9:09 pm

Ive never heard MS referred to as open. Goes to show you that the people doing this don't know crap and have never heard about linux.

Archived topic from Iceteks, old topic ID:1334, old post ID:12229

manadren_it · Post by **manadren_it** » Tue Oct 07, 2003 11:19 pm

fishyfool wrote:
But one of Anderson's colleagues, Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security, dismissed this scenario. He pointed out that the machines would not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment. Because the machines have no peripherals like floppy disks, it would be difficult for a cracker to install code or steal information.
correct me if i'm wrong, but isn't the slot for card itself an input device?
i don't know how much code you can put on a magnetic strip, but with banks switching over to chip based cards, there may be a problem.

Indeed, all you need is some kind of programable memory device and a buffer overflow exploit. And like there isn't a new buffer overflow exploit discovered every other week...

Archived topic from Iceteks, old topic ID:1334, old post ID:12238