The Digital Signage Insider

Web-Enabled ATMs: What Could Possibly Go Wrong?

Published on: 2005-03-09

According to this article in Computerworld, Wells Fargo has recently web-enabled about 6,200 ATMs across the United States. That's 6,200 ATMs that are connected to the Internet and running Microsoft Windows, and not even the almost moderately secure Windows XP Service Pack 2. The upgrade has taken 5 years to complete, so some number of the machines are almost certainly running Windows 2000 or some variant thereof. Now, I'm not sure whether these devices are hooked up to the Internet directly (or to a TCP/IP network that is somehow connected to the Internet) or to a legacy SNA network or something like that, but needless to say there are serious security implications here.

Back in August-November of 2003, about 3,000 Bank of America ATMs running the (supposedly more reliable/secure/etc.) Windows XP Embedded were hit by the Nachi worm. The worm managed to take down the vast majority of the machines, and the cleanup took weeks. These ATMs weren't connected to the Internet directly, but were hooked up to the bank's own internal network, which allowed the worm to spread from some corporate user or departmental server (they never said where it came from, but that's my guess) to each of the ATMs. And of course, the ATMs were able to pass the worm between each other as well. Oh, and that Nachi worm outbreak came after a number of banks had just finished cleaning up a Slammer outbreak that also caused havoc on their networks.

Somewhat ironically, the main reason for deploying the Windows-based systems was to be able to deliver remote software updates, like security patches, feature upgrades, and virus definitions. But there are other planned features, including day-parted on-screen advertisements (a nod to digital signage networks), though these are in an early stage of development. So at this point, I'm not sure if I'm more concerned that the systems are using Windows, or that they're running software that has been re-invented because the designers failed to note the existence of the hundreds of software products that can do day-part ad scheduling already (let alone something designed with security in mind, like our FireCast Linux-based kiosk software).

Here's the Reuters story about the original Bank of America outbreak, and here are a few other security-oriented articles about ATMs running Windows, from SecurityFocus and Microsoft watchdog Bink.

With major vendors like Wells Fargo and Diebold being affected (and you already know what I think about Diebold in general), one has to wonder if it really is a good idea to bring more functionality to the ATM without giving it the proper security consideration. I can understand the draw of writing simple web services to instantly deliver expanded services to customers across the country; however, networking such sensitive devices together is both a blessing and a curse. And of course running Windows is just a curse. With more and more banks putting the two together, I think it's safe to say that we'll be seeing more outages like the 2003 one in the future. And that's the best-case scenario, since we're now talking about machines that read your ATM card, accept your PIN, and have access to your bank account.
