I used to install/upgrade ATMs and was horrified that we were replacing the extremely solid OS/2 machines with Windows XP based computing cages (circa 2011). There was no method to update the machines other than sending a technician out monthly to take the machine offline and manually load the patches from a CD, and ATM technicians are expensive so most simply didn't.
Most NCR ATMs use one of three keys that are easily available on the internet. Most banks don't check ID or even know that they have a technician coming to service their ATM, especially if you're dressed nicely or carrying a clipboard. Most of the Windows XP based NCR ATMs have multiple PS/2 ports and USB ports to plug in a keyboard and they all tend to have the same admin password.
but then all of the pumps would stop working and people would die every time there was an update. General purpose operating systems are just a bad idea for running these hardware appliances.
I agree we need stripped down OSes to run this stuff, but the core problem is thinking "we'll just air gap it and never update it" not that the OS is general purpose.
Look at QNX: Millions of components run it in safety critical situations and none of it is patchable. After QNX got owned in 2017 what are we supposed to do? Open up every tank, car, and nuclear power plant? We need reliable update schedules. Trying to air gap things doesn't work. There is always a way to access the interface and bridgeware is only getting better.
Airgapping is a very useful layer of defence in a lot of applications. Never pushing updates is usually a bad idea, but automatic updates pushed by the OS or equipment vendor can be equally problematic. Regressions are irritating on consumer devices, but they can be catastrophic in critical embedded systems.
If there's anything that can be called a "solution", it looks very much like good engineering. No technology or methodology can stop you from shipping broken systems. If you're shipping ATMs that run Windows XP in 2011, your problems almost certainly run much deeper than a bad choice of platform.
As long as you don't connect them to any networks and only let authorized people access them physically, updating things could be more dangerous than living with the security flaws.
> There was no method to update the machines other than sending a technician out monthly to take the machine offline and manually load the patches from a CD, and ATM technicians are expensive so most simply didn't.
But it was so cheap to buy the machine since the software was written for Windows XP.
I have had a terrible experience when dealing with banks in India. To open accounts for non-resident customers (NRE), one has to scan and send ID proofs and Account Opening Forms over email. And they ask for all your details: SSN, DoB, Address, you name it. In a few instances the emails being sent were not even encrypted by the end server. The attack surface is so large that one cannot begin to imagine what exact audits they are running.
With sophisticated phishing attacks that are now hosted on HTTPS servers, this practice is just lunacy and it happens in every bank. Big, small, private, public, all engage in this nonsensical practice. Among the biggest names: SBI, YesBank, Central Bank are the ones that do this. I know this because I have inquired how to open accounts at these places.
I actually have a dedicated personal relationship manager who filled out all the forms! And even now for certain operations like booking currency forwards (FCNRs) they ask you to fill forms and send them over email. Not to mention it's inefficient as well.
It's a testament to two things:
1. There are so many people in India that banks just find it cheaper to hire a person and let him interface with you instead of designing a web application.
2. No one gives a shit about privacy.
3. The system is wide open for people to Man in the Middle and Phish.
In Allegheny County (Pittsburgh), Pennsylvania, in order to apply for a marriage license you have to go to a government website where you enter your social security number into a form served over HTTP. When I saw that, I refused to use the online service and instead drove downtown, where it said I could apply in person.
I was put in front of a computer with the same form pulled up, served over the public internet.
Thanks to Equifax, it probably doesn't matter anymore ¯\_(ツ)_/¯
Would blockchain be a good solution to the authentication problem?
For example, never disclose any PII to the bank, but tell them that this is the person who he claims to be and is authorized to do X (i.e. a True/False answer for everything)?
You don't need a blockchain if you have a trusted third-party (such as the government, or a bank that has checked photo ID). In places like Sweden and Estonia there are digital ID systems that are run by banks or the government that could fulfill the role.
Isn't the trusted third party the problem in this case? The original comment was about banks not properly securing PII.
Not seeing how a public database fixes this, but the banks and big business disdain for security of other people's data is certainly a problem no matter the country.
I tried opening an NRE account to redeem some bonds a family member bought in my name. (Never managed it.) Their banker asked me for my SSN over WhatsApp. Forwarded to my New York State regulator, who promptly fined their New York office.
I've had similar experiences where Indian bankers have said their mailbox has a size limit or is full so the document needed to be emailed to their Gmail or Yahoo account. No thanks...
How do you secure an SSN in the US? I have to regularly enter my SSN at random locations: department stores, USCIS applications, internet companies, office forms, outsourced office HR firms. I am pretty sure that sending an SSN over HTTP makes no difference. The attack surface is already infinite.
You don't. You collect wages for the time you'd otherwise spend with your hobby but had to spend telling the bank they were dumb in small claims court. You just need to structure it suitably to not go over the limit for small claims court. I think the bank(s) would learn and communicate a flag among them to be particularly wary about ID proof when they think you are opening an account.
You might need to also make sure to have something sufficiently easy to prove where you "lost" money each time they opened an account in your name.
Alternatively, move somewhere where at least that is not a problem.
Look, I understand how frustrating that whole experience is. But would you rather have a shitty decentralized system that is almost good, or a centralized system that’s always good, except if you’re deemed undesirable by that system? Any sane, rational person will choose the former.
I recall MS heavily pushing companies to update, but unless these ATMs are running retail XP they should be getting (at least bare minimum) security updates.
Not saying they shouldn't be upgrading to a newer OS, but I feel using the retail EOL date when talking about the embedded version might be a little misleading.
ATMs need a network connection to query the bank. The updates can be sent via their internal network. If they are "small in-shop ATMs" using a phone line to query the bank's back end, then they could dial in and maintain the call during the store downtime and download the patches. Looking at the Windows Update catalog, the updates are not large files anyway. Sure, they might take an hour or two over a simple 56k modem link, but the updates and imo an update path are available.
From the article's 3rd paragraph:
> Microsoft first released Windows XP in 2001, seventeen years ago, and stopped supporting the operating system in 2014. This meant that it stopped developing new security patches for Windows XP, which would protect it from software exploits developed by hackers.
Which gives the impression that the updates are simply not available, not that they don't have a network connection to fetch the updates from.
Even if they were running the latest version of Windows, security patches should still be applied.
>> ATM's need a network connection to query the bank. The updates can be sent via their internal network.
Some of these are on satellite connections. They don't need much data. Lots of banking transactions can be squeezed into a single megabyte. Sending multi-gig Windows updates to all the ATMs would be a serious headache.
But Windows XP Embedded month-to-month security updates are not multi-gig updates. The last batch of security updates totalled <15MB and updates for the month of May totalled ~36MB.
EDIT: Even if the network connection back to the banks was SMS, my point was that it's not that there are no updates for Windows XP Embedded, which the article gives the impression of; the point would then be that the manufacturer, integrator, banks, whoever, didn't have the foresight of needing some bandwidth for updates. The updates are available; it's just that whoever is in charge of these ATMs failed to keep them updated.
I remember that the last time I read about an ATM hack in India, the M.O. was that the attackers were simply putting a matchstick under the "*" key, which made the ATM get stuck so that the victim left the ATM without collecting the money, which the attackers retrieved afterwards. The whole M.O. is explained here (1). It could be because of outdated systems.
Being able to install any of the full-desktop-version Firefox plugins in the Android version of Firefox is immensely useful. Highly recommend uBlock Origin on Firefox.
More seriously, I've had similar problems on iOS with unclosable tabs where even force quitting didn't work because it'd restore to the same page. The workaround ended up being "Click a link in Mail and that tab will be frontmost, then you can go in the tab switcher and kill it."
Hasn't happened in a while; IIRC the problem was JavaScript popups forcing focus off the rest of the UI. Maybe it's been fixed on the iOS side.
Of course the other side of the problem is webpages letting insecure ad networks run arbitrary javascript in all of our browsers. It's not great.
I work in India, where we service ATMs for a nationalised bank. While these run on XP, we are advised to install all security updates. I read in the thread somewhere that they use a satellite network so Windows updates cannot be sent. That is incorrect. Most of them are connected via LAN and most are updated remotely. RBI recently passed a regulation to upgrade the OS by 2019. I guess Windows 7 would be used.
I'm surprised by banks putting the ATMs into the same network as the computers of the banks' employees. I mean: is there any(!) need for the normal banker to have network access to the ATM? And if a separate network is too expensive, one could at least put them in VLANs / VPNs.
Humor me here: we should decriminalize hacking. It's the only way to force companies to take security seriously. If they can't rely on government to track down and punish hackers, financial companies especially will have to step up their game and take proactive steps to prevent issues like this.
That would be a mistake because it also incentivizes hackers, making the problem bigger on that side. What I would like is something that punishes companies that get hacked as well, like set fines for leaking personal information instead of settlements. People seem to take GDPR seriously; a similarly stringent regulation on security practices would be effective.
Perhaps only remote hacking where you are not physically in the same location as what you are hacking (or have not caused any physical alterations). This kind of "hacking" should be entirely stoppable and entirely non-violent. Since it is stoppable, companies can stop all hacking. It will incentivise hacking, and thus incentivise companies to actually take security seriously.
This is different to decriminalising robberies because you cannot actually stop all robberies, unlike remote hacking. Or at least there is a real possibility of harm during the course of a stopped robbery. Stopping a remote hacking attempt won't cause physical harm, though perhaps it could cause financial harm. I'm not including attacks like denial of service when I say "hacking".
That's like saying we should decriminalize robberies so that it forces companies to take stricter security measures. You'll end up incentivizing robberies much more.
I'm all for decriminalizing nonviolent robberies. If the person is caught they can be sued for damages like anyone else, and maybe fined instead of sent to prison.
Uh, that's not robbing, that is breaking and entering combined with, most often, plain theft. It might be that US law includes this in the definition of robbery, but German law seems to distinguish clearly.
Thanks for adding weight to my assessment that different people might have been thinking about very different things despite reading the same sentence.
I suppose what surprises me the most is that someone would use Windows in an ATM. I would've thought it would've been an RTOS or maybe a locked-down BSD or SELinux.
An ATM doesn't need an RTOS. An ATM is a single user, single application system. It needs to respond to the user input more than to hardware connected to the system. What else are you doing that needs real time hardware? What's wrong with waiting for cards to be scanned, envelopes to be inserted, etc.? All that financial transaction stuff is important and time sensitive, but the ATM itself is just a relay for that. It's one step removed from a dumb terminal.
With BSD or SELinux, you'd have to pay for Linux/BSD development, pay for Linux/BSD-supported hardware and replacement hardware, pay for Linux/BSD support staff, etc. You're giving up commodity staff and commodity hardware. All of that is more expensive initially, and harder to maintain and replace generally, especially if 10 years from now the industry shifts to a new communication standard.
With Windows, you also know the OS itself has already been vetted by the US government (FIPS) and US banks (PCI) and almost certainly by your own government and pretty much everybody else's government. At least, if a vulnerability is found, it's going to affect everybody else, too. Your bank is unlikely to be sued for following industry common practice. So, yeah, running CentOS on Raspberry Pi on the one hand makes a lot of sense, but it's never going to fly past existing regulations. Doing something new is incredibly risky.
Remember, all those blue screens and program crashes that people complain about are almost always because the software or drivers or hardware is faulty, not Windows. The Windows kernel and Windows model might be designed in a way that you personally dislike, but it's not broken or non-functional. You'll experience the same issues on any OS.
I agree with not needing an RTOS and the undesirability of rolling it yourself.
However, Red Hat Linux has passed just as many government and banking standards (FIPS, PCI, etc.) as almost any other vendor (MS, legacy UNIX), combined with a 7-10 year maintenance cycle (with additional being able to be negotiated, if you're the scale of a large bank / ATM vendor). SUSE, Oracle and other vendors could provide the same guarantees, other than having developers understand Linux / Unix.
Why, when with Windows you can leverage all your bank's existing technology and security (including update) policies? CE was (is?) on an enormous number of systems that you might expect to be an RTOS. Windows might not be my first choice now, but in the context of "industrial computer" 15 years ago I would hardly call it a poor choice. Also, who is doing the long-term maintenance/security auditing on a bunch of custom hardware and OS in a bunch of ATMs all over the world?
Windows Embedded/CE was (and still is to some extent) very popular for embedded systems with a GUI, such as ATMs, POS systems, PLCs, graphical medical devices, etc. Microsoft even sold an SKU called Windows Embedded POS/POSReady.
For headless non-GUI systems Windows is/was much less of a contender; an RTOS is more likely.
Good thing it's not typically a consumer version! If you watch one reboot (or other applications like store POS systems) you can see that it is Windows XP Embedded, or nowadays sometimes Windows 7 Embedded, which is decidedly NOT a "consumer"-oriented OS.
It really depends on the vendor. Big names are at least careful enough to do that. The bottom of the barrel white-label vendors often don't care. I wouldn't be the least bit surprised if some of those Windows installations are using pirated keys.
It's perpetually concerning how bad the state of systems like this is. A grocery store near me recently deployed a brand new set of self check-out counters...running Windows XP.
Amusingly the credit card/debit card reader is running Linux and shows the old-school penguin image on boot.
I enjoyed seeing Tux on the boot screen of a seat-back in-flight entertainment system recently. And was also amused to see startup sequences for things like MySQL and postfix scroll by.
I remember when ATMs ran basically plain text terminal software and you had to drive to a bank to get one. It was a real blessing when ATMs started to show up in shopping malls.
An ATM needs a network connection, no? Remote exploits may be possible, or remote exploit combined with a local actor to pick up cash under guise of a legitimate withdrawal.
ATMs weren't always networked. The transactions were reconciled daily or weekly by the local bank, and the network (NYCE, Star, etc.) transactions sent out weekly or monthly.
A friend of mine used to leverage this all the time. He would have $200 in his account at his home bank, but withdraw $500 from a different bank. By the time the transactions got back to his home bank, his parents would have already deposited his monthly allowance into his account.
It worked... most of the time. But I remember once his parents were out of town and didn't make the deposit as expected, and he ended up massively overdrawn. But back then, the banks just cut you off. They didn't ding you for an overdraft fee, then another overdraft fee a day later because you couldn't pay the first overdraft fee, etc...
ATMs are often cited as an example for the utility of eventual consistency. If it's off the network, it can still offer withdrawals to be reconciled later.
Banking in general has been on the eventual consistency model for centuries.
It's probably not a good idea to share here what I saw at a national (very well known) gas station when it crashed. Given that there's gasoline involved and everything.
Unfortunately this is very true. For medical devices, you need to mostly use certified parts. Need a touchscreen? It needs to withstand very strong disinfectants and maybe you have hard requirements for leakage currents. There are 3 possible vendors left. None of them has drivers for systems that would be far better than Windows XY.
Vendors probably think that all their customers use Windows anyway for non-discernible reasons.