There’s danger in standards – or is there?

ATM networks are secure. That’s a fact, isn’t it? Well, about 10 years ago, most of these networks ran over banks’ own wires and protocols. Then everybody began a run for standards, i.e. TCP/IP and standard operating systems. Still, these are not connected to the internet (at least they definitely shouldn’t be!).
So, how can the NACHI worm infect ATMs? Simon Willison is puzzled by that as well. There are a few possibilities: a service technician may have connected an infected laptop to update or maintain an ATM, or the update CD itself was not properly checked for viruses or worms. Though the transactional network may run separately from everything else, the branch manager may like to monitor the ATM status from his PC, so there’s got to be some kind of connection, which may be enough for a wide-open Windows OS to get infected.
The article from The Register mentions another funny idea: install a personal firewall on the ATM to make it more secure. I can’t wait to see an “intrusion alert” warning on the screen next time I go out to get some money. Only last week I had the pleasure to watch an OS/2 boot sequence on my bank’s ATM for about 5 minutes. I worked for a company doing ATM software for 5 years, so this was a bit of a sentimental moment. Still, I don’t understand why the customer screen wasn’t switched off during this sequence. While I was doing QA this wouldn’t have sneaked past me :)
The Register also says this: “Despite the allure of hard cash, don’t expect to see a rash of made-for-Hollywood ATM hacks — machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and ‘chief hacking officer’ at California-based eEye Digital Security. ‘The actual point of service terminal itself getting infected – that’s pretty crazy,’ said Maiffret. ‘But worms are always going to be able to infect a lot more interesting machines than individual intruders are.’ Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. ‘They’re going to have to go through a lot of juicier networks first.’”
Well, I’m not so sure. Most of these worms are not written with the intent to prosper by their outcome, so why not sneak some WOSA/XFS or J/XFS commands in next time, just in case they manage to make it onto an ATM? I still don’t understand – to back up Simon’s point – how banks dare to use Windows on ATMs. Linux was already available at the time Windows programming for ATMs started, and has gotten better ever since. Tweaking it to run on a non-dialogue-oriented system like an ATM is a lot easier, and don’t get me started on security. Code inspection is also possible, which should appeal to banks (though using Windows suggests they’re not keen on doing that anyway). So, does anyone know about ATMs running Linux? I’ve been out of that industry for a few years, so I haven’t seen any.
