
The Digital Signage Insider
WireSpring's blog featuring tips and analysis from a team of industry experts

Web-Enabled ATMs: What Could Possibly Go Wrong?

Author: Bill Gerba on 2005-03-09 12:43:18

According to this article in Computerworld, Wells Fargo has recently web-enabled about 6,200 ATMs across the United States.  That’s 6,200 ATMs that are connected to the Internet and running Microsoft Windows.  And not even the almost moderately-secure Windows XP Service Pack 2.  This upgrade has taken 5 years to complete, so some number of the machines are almost certainly running Windows 2000 or some variant thereof.  Now, I'm not sure if these devices are hooked up to the Internet (or a TCP/IP network that's somehow connected to the network) or a legacy SNA network or something like that, but needless to say there are serious security implications here.

Back in August-November of 2003, about 3,000 Bank of America ATMs running the (supposedly more reliable/secure/etc.) Windows XP Embedded were hit by the Nachi worm. The worm managed to take down the vast majority of the machines, and took weeks to clean up. These ATMs weren't connected to the Internet directly, but were hooked up to the bank's own internal network, which allowed the virus to spread from some corporate user or departmental server (they never said where it came from, but that's my guess) to each of the ATMs. And of course, the ATMs were able to pass the virus between each other as well. Oh, and that Nachi worm outbreak came after a number of banks had just finished cleaning up a Slammer outbreak that also caused havoc on their networks.

Somewhat ironically, the main reason for deploying the Windows-based systems was to be able to deliver remote software updates, like security patches, feature upgrades, and virus definitions. But there are other planned features, including day-parted on-screen advertisements (a nod to digital signage networks), though these are in an early stage of development. So at this point, I'm not sure if I'm more concerned that the systems are using Windows, or if they're running software that has been re-invented because the designers failed to note the existence of the hundreds of software products that can do day-part ad scheduling already (let alone something with security in mind, like our FireCast Linux-based kiosk software).

Here's the Reuters story about the original Bank of America outbreak, and here are a few other security-oriented articles about ATMs running Windows, from SecurityFocus and Microsoft watchdog Bink.

With major vendors like Wells Fargo and Diebold being affected (and you already know what I think about Diebold in general), one has to wonder if it really is a good idea to bring more functionality to the ATM without giving it the proper security considerations. I can understand the draw of writing simple web services to instantly deliver expanded services to customers across the country; however, networking such sensitive devices together is both a blessing and a curse. And of course running Windows is just a curse. With more and more banks putting the two together, I think it's safe to say that we'll be seeing more outages like the 2003 one in the future. And that's the best-case scenario, since we're now talking about machines that read your ATM card, accept your PIN number, and have access to your bank account.


LEGAL STUFF: The Digital Signage Insider is written by multiple authors. The author of each article is clearly identified at the start of the article. The opinions expressed in each article are solely those of the author, and do not reflect the official opinions of WireSpring Technologies, Inc. All articles are copyright © 2004-2012 by their respective author. All content besides the actual article text, e.g. surrounding branding and informational content, is copyright © 2000-2012 WireSpring Technologies, Inc. All rights reserved. Except as provided in WireSpring's Republishing and Syndication Policy, no articles may be reproduced, in whole or in part, without WireSpring's express written consent.

