Web-Enabled ATMs: What Could Possibly Go Wrong?
Author: Bill Gerba on 2005-03-09 12:43:18
According to this article in Computerworld, Wells Fargo has recently web-enabled about 6,200 ATMs across the United States. That's 6,200 ATMs that are connected to the Internet and running Microsoft Windows, and not even the almost moderately secure Windows XP Service Pack 2. This upgrade has taken 5 years to complete, so some number of the machines are almost certainly running Windows 2000 or some variant thereof. Now, I'm not sure if these devices are hooked up to the Internet (or a TCP/IP network that's somehow connected to the Internet) or a legacy SNA network or something like that, but needless to say there are serious security implications here.
Back in August-November of 2003, about 3,000 Bank of America ATMs running the (supposedly more reliable/secure/etc.) Windows XP Embedded were hit by the Nachi worm. The worm managed to take down the vast majority of the machines, and took weeks to clean up. These ATMs weren't connected to the Internet directly, but were hooked up to the bank's own internal network, which allowed the virus to spread from some corporate user or departmental server (they never said where it came from, but that's my guess) to each of the ATMs. And of course, the ATMs were able to pass the virus between each other as well. Oh, and that Nachi worm outbreak came after a number of banks had just finished cleaning up a Slammer outbreak that also caused havoc on their networks.
Somewhat ironically, the main reason for deploying the Windows-based systems was to be able to deliver remote software updates, like security patches, feature upgrades, and virus definitions. But there are other planned features, including day-parted on-screen advertisements (a nod to digital signage networks), though these are in an early stage of development. So at this point, I'm not sure if I'm more concerned that the systems are using Windows, or if they're running software that has been re-invented because the designers failed to note the existence of the hundreds of software products that can do day-part ad scheduling already (let alone something with security in mind, like our FireCast Linux-based kiosk software).
Here's the Reuters story about the original Bank of America outbreak, and here are a few other security-oriented articles about ATMs running Windows, from SecurityFocus and Microsoft watchdog Bink.
With major players like Wells Fargo and Diebold being affected (and you already know what I think about Diebold in general), one has to wonder if it really is a good idea to bring more functionality to the ATM without giving it the proper security considerations. I can understand the draw of writing simple web services to instantly deliver expanded services to customers across the country; however, networking such sensitive devices together is both a blessing and a curse. And of course running Windows is just a curse. With more and more banks putting the two together, I think it's safe to say that we'll be seeing more outages like the 2003 one in the future. And that's the best-case scenario, since we're now talking about machines that read your ATM card, accept your PIN, and have access to your bank account.