
Can Your ATM Play Beethoven?

Posted by timothy
from the you-have-nothing-to-fear dept.
bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."

  • "Progress"? (Score:5, Insightful)

    by FyRE666 (263011) * on Sunday March 21, 2004 @07:39AM (#8626563) Homepage
    You know, I've been thinking for a few years now that ATMs (in the UK at least)
    seem to be getting slower and slower to use. 10 years back, you'd insert your
    card, be able to key in your pin number straight away and be straight into the
    menu. Now, you insert the card, stand about while it thinks about checking it,
    then you eventually enter a pin and wait around a bit more before using the
    sluggish interface. Now I know that these machines have media player, web browser and
    all sorts of other redundant crap installed on a full version of XP, I understand the
    reason the queues are growing!

    I don't need 24 million colours, animations and other crap just to take money out
    of my account, dammit! It's staggering to think that the software has become so
    bloated and slow that machines produced 10 years ago, with only a fraction of the
    computing power of today were actually far more responsive to use.

    I remember seeing an ATM reboot a few years back (brief power outage). It briefly
    showed the OS2 logo before resuming normal operation ;-)
    • Re:"Progress"? (Score:5, Interesting)

      by tormentae agent (763372) on Sunday March 21, 2004 @08:15AM (#8626646)
      I remember the same, when I actually trusted ATMs and banks...

      After a brief five-year stint in North-Dakota, where time stood still in happy-land, I ended up in Dublin. I read an article about how Windows had made its way into the ATM-business, thinking "uh-oh-mf-cs-sob"...given my past experiences with this OS-king-of-userfriendliness.

      Yesterday, I put my Norwegian super-VISA-bank-card into an Ulster Bank ATM and it stole it! It just swallowed the card, proceeding to say something like: "System down, please use another cashpoint."

      So, I call Norway, to ensure there isn't a problem with the actual card. It takes me quite a bit of time before I actually managed to call Ulster bank's customer service line. When I get through, I explain the situation (I had to rephrase 'the ATM stole my card' into 'swallowed it' before I could be assisted).

      So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

      I state something to the extent of Ulster bank being poorly organized. The little turd on the other end of the line proceeds to tell me: "I'm sorry, but we took the network down for a few minutes. You must have inserted the card just at that moment."

      If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.
      • For once... (Score:5, Insightful)

        by Kjella (173770) on Sunday March 21, 2004 @08:40AM (#8626706) Homepage
        If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.

        I'd rather find the execs of the bank, and roll them in tar and feathers and chase them out of town with a stick. Anyone can make an offer... I can offer to run their ATM network on Linux 2.6.4-alpha1-test4-pre2 too. If they're willing to buy it, that's their stupidity, not mine.

        Kjella
      • Re:"Progress"? (Score:5, Interesting)

        by zakezuke (229119) on Sunday March 21, 2004 @08:59AM (#8626755)
        So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

        The hardest thing in the world is returning an ATM / Credit card. I found one next to a machine from an Alaskan credit union, and I being in Washington. I thought to myself, "Hey, I will do the honest thing and try to get this card back to the owner".

        Well, the 800 number on the back was unwilling to co-operate... they told me to cut up the card. This was on a Saturday and may have not been official bank help. So I tracked down the bank in Alaska, or near as I could find to it, and tried to talk to them about the issue, basically, "I have this card, I'd like to return it to the owner".

        They refused to do the following
        1. Provide me with any contact information as to where to send the card to (totally understand)
        2. Take down my contact information so in the event the owner called to get a new one, they could say just use the old one, this guy will give it to you.
        3. To actually take back the fucking card so they could return it to the owner in a timely fashion.

        In the end, after getting frustrated trying to do the right thing, I used it to apply putty to my automobile, and it probably is still encased in a lump of putty.

        The point is, banks will assume the worst when it comes to you no longer physically having your card. They are not equipped to handle an honest person who actually didn't charge up anything on the card, despite the fact they could verify this fact, who's trying to return the card. They will try to convince you they are doing you a favor when in reality they would rather let someone else do the paperwork, which always falls on the person giving you a new damn card.

        • RE: Mr. Naive (Score:5, Informative)

          by Organized Konfusion (700770) on Sunday March 21, 2004 @09:42AM (#8626872) Journal
          They refused to do the following 1. Provide me with any contact information as to where to send the card to (totally understand) 2. Take down my contact information so in the event the owner called to get a new one, they could say just use the old one, this guy will give it to you. 3. To actually take back the fucking card so they could return it to the owner in a timely fashion.
          1. With his contact info and where to send his card you could have gone on an internet spending spree.
          2. You could have cloned the card, if he continues using it you could at sometime in the future go on a fraudulent spending spree.
          3. You could have cloned it in this situation too.
        • As they should! (Score:5, Insightful)

          by Chemisor (97276) on Sunday March 21, 2004 @10:38AM (#8627064)
          > The point is, banks will assume the worst when it
          > comes to you no longer physically having your card.

          As they should. Really, it is much simpler for the bank to just issue a replacement card than to bother returning the old one. Think about it: should they print a piece of embossed plastic that costs a few cents, or have the kindhearted finder send the old card in (37 cents) and remail it to the owner (another 37 cents + 15 minutes of somebody's time [or more, if Windows crashes]) all the while ensuring that no fraudulent transactions take place in the meantime (priceless)?
          • Re:As they should! (Score:4, Interesting)

            by EmagGeek (574360) <gterich@ao[ ]om ['l.c' in gap]> on Sunday March 21, 2004 @03:22PM (#8628573) Journal
            I don't necessarily agree... One night I went to the local K-Mart to buy an air conditioner... while loading it into my car, I placed my wallet on the roof since my soccer shorts didn't have a pocket (this was a midnight trip made because it was SO FSKCING HOT that night)... anyway, my wallet had flown off the roof right in front of a bar on the way home. The next morning, I got a call from my credit card company saying that the local police department had my wallet. When I went to retrieve it, all of my cards, AND MY CASH, were still in my wallet. No charges were made and everything was fine. The police said that a bar patron turned the wallet in to an officer he saw stopped at the red light in front of the bar.

            I treated the guy and his family to a steak dinner at a local steakhouse to show my gratitude. I've rambled on forever, but the moral of the story is that honesty should be encouraged and rewarded.
      • Re:"Progress"? (Score:3, Informative)

        by mpe (36238)
        So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

        Even though your card most likely has instructions to return it to the issuer if found.

        I state something to the extent of Ulster bank being
      • Re:"Progress"? (Score:5, Interesting)

        by SmackCrackandPot (641205) on Sunday March 21, 2004 @09:45AM (#8626876)
        The same happened to me in central England.

        I just received my new card and had memorised the PIN number, and went to withdraw money. Three times I tried to enter my PIN and the amount of money I want to withdraw. Each time the machine refused to accept the transaction. After the third time, the machine swallowed my card, telling me to contact the bank. So I call them up, and am told "our machine automatically shreds any card after three unsuccessful attempts and sends an electronic notification to your bank", we can't do anything. So I call up my bank, and they tell me I can't get a new card until they have written notification from the machine owners. Neither would talk to the other. In the end, I had to pretend that I had lost my card in order to get a replacement.

        It seems to me to be more of dodgy protocol implementations rather than anything else.
      • Re:"Progress"? (Score:3, Interesting)

        by Walt Dismal (534799)
        The same thing happened to me on a Bank of America ATM. It crashed and rebooted, refused to return my card. The bank told me they had to issue a new ATM card and account number on the card. I ended up having to change every single damned service where I had auto debiting of fees to that number, including PayPal.
      • Re:"Progress"? (Score:3, Interesting)

        by MADCOWbeserk (515545)
        I've had my bank's ATM machine suck up my card twice now. By the way it is Wachovia, (pronounced Wack-Off-Ya), every time it happened I walked in the branch the next day and they cheerfully gave me back my card. Of course they have standard Green screen ATM, running OS-2, not Windows.
    • Re:"Progress"? (Score:5, Interesting)

      by CGP314 (672613) <CGP AT ColinGregoryPalmer DOT net> on Sunday March 21, 2004 @08:31AM (#8626686) Homepage
      A conversation I had with a friend:

      ``Alright, let's go to the bar.''

      ``Sure, but first I need to go to the bank on high street.''

      ``Why? That one is two blocks in the opposite direction, there's a bank the way we are going that's on the same system so it won't charge you any fees.''

      ``I know, but that one has one of those old black-and-green displays. You can't trust something like that. The other bank has an ATM with color and animation.''

      It really upsets me to know that things like that actually matter to people.


      -Colin [colingregorypalmer.net]
    • Re:"Progress"? (Score:5, Informative)

      by fcw (17221) * on Sunday March 21, 2004 @08:48AM (#8626728)
      You know, I've been thinking for a few years now that ATMs (in the UK at least) seem to be getting slower and slower to use.

      Indeed. In the 1980s, Clydesdale Bank (in Scotland) actually used to feature the speed of their cash dispensers (a.k.a. ATMs) in their advertising, claiming that you could get money out of theirs faster than their competitors' machines. I don't recall any bank making claims like that for a long time.

      Also, it's not just cash dispensers that are slow: railway ticket machines and car park payment machines are just two of the types of kit that I bemoan the speed of every time I use them. You can tell that they've been programmed in a very serial fashion, with no attempt to optimise the speed of the transaction for the user. Most machines could be programmed to pre-load blanks into printers, or pre-print static header information on receipts, or otherwise get started on time-consuming tasks, but they never seem to. You can practically follow the progress of the transaction through the machine's guts as it plods away at it.

      And the receipt printers on point-of-sale equipment always seem to have the slowest possible mechanisms, making shop assistants who care feel that they have to apologise for keeping the customer waiting. (I bet if the banks could have used the old ZX80 scorched-black-on-silver-paper printer mechanism and saved a buck, they would have.)

      • Re:"Progress"? (Score:4, Interesting)

        by FyRE666 (263011) * on Sunday March 21, 2004 @10:27AM (#8627015) Homepage
        Also, it's not just cash dispensers that are slow: railway ticket machines and car park payment machines are just two of the types of kit that I bemoan the speed of every time I use them.

        F*cking railway ticket printers are one of my "buttons". You turn up with 20 minutes to spare for your train, join a huge queue, vying for the attention of 2 ticket clerks working in a mostly empty 12 booth office (at the busiest time of the morning, you'd think they'd have the most staff on, but nope). You reach the desk with 2 minutes to spare and ask for your return tickets for the week (to save having to queue the other 4 days). The clerk then has to enter the exact same information 5 times?! I have asked about this before and apparently "that's how it works". After this typing marathon, the ticket printer grinds into life, spitting out a ticket every 5 seconds or so with a "kerchunk" noise, by which time your train has left, then... I think I'll just leave this subject now; I'm getting angry just thinking about it...

        As an aside, I've been cleaning up some of the cruft old shell scripts and stuff on our commercial systems where I work. We've always had a problem with the slow printing on label printers in our warehouse loading bays (every box loaded onto a truck has a sticker attached). A lot of the time, several hundred (or thousands) of these stickers could be identical. Looking at the script used to format the data and send it to a printer, I noticed that for each label to be printed (a single file would hold thousands of lines of data - one per label), the script would query the Oracle database for additional data, parse the response through AWK, and send the result to the printer. The printer would print this, then the whole process would start again for line 2, and so on until the input file had no more lines.

        The upshot of this was a very obvious increase in load on our Oracle server, which is already busy, when the loading bays were working (remember there's one printer per bay, and they are all doing this). The labels (even if all were identical) would come out at a rate of one every 3-4 seconds on a good day, which was clearly unacceptable.

        I altered the script to group identical lines and send an additional parameter to the printer to repeat the last job x times. Funnily enough, a run of 1000 identical labels now takes around 10 seconds with next to no server load ;-)
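
The batching change described in the comment above, sketched as an added example (not the poster's script): consecutive identical label lines are collapsed with `uniq -c`, so there is one lookup and one print job per group instead of one per label. `lookup_extra` and the `JOB ... COPIES=n` line format are hypothetical stand-ins for the database query and the printer's repeat parameter; the label data is constructed.

```shell
#!/bin/sh
# Constructed sample input: one line per label, many identical and adjacent.
sample_labels() {
    cat <<'EOF'
SKU-1001|BAY-3
SKU-1001|BAY-3
SKU-1001|BAY-3
SKU-2002|BAY-3
SKU-2002|BAY-3
SKU-1001|BAY-3
EOF
}

# Hypothetical stand-in for the per-label database query.
# Every call is appended to $LOOKUP_LOG so the number of queries can be counted.
lookup_extra() {
    echo "$1" >> "$LOOKUP_LOG"
    printf 'DESC(%s)' "${1%%|*}"
}

# Before: one lookup and one print job for every input line.
print_per_line() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf 'JOB %s %s COPIES=1\n' "$line" "$(lookup_extra "$line")"
    done
}

# After: collapse runs of identical adjacent lines, then do one lookup and
# one print job per run, passing the run length as the repeat count.
# Only adjacent duplicates are merged, so label order is preserved.
# Assumes label lines have no leading or trailing whitespace.
print_grouped() {
    uniq -c | while read -r count line; do
        printf 'JOB %s %s COPIES=%s\n' "$line" "$(lookup_extra "$line")" "$count"
    done
}

# Run one of the two strategies over the sample and report how many
# lookups it needed. $1 is the function name to run.
count_lookups() {
    LOOKUP_LOG=$(mktemp)
    sample_labels | "$1" > /dev/null
    wc -l < "$LOOKUP_LOG" | tr -d ' '
    rm -f "$LOOKUP_LOG"
}

echo "per-line lookups: $(count_lookups print_per_line)"
echo "grouped lookups:  $(count_lookups print_grouped)"
```
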
    • Re:"Progress"? (Score:3, Interesting)

      by mattbee (17533)
      Snap, my bank's ATM machines have these uncomfortable delays: like when I put my card in for the first time, I have to wait for whatever Flash animation advertising the bank's newest product has finished before it will acknowledge me and ask for a PIN. My record wait is about 25 seconds. It wouldn't surprise me if the whole damn interface was built in Macromedia Director :-)
    • Re:"Progress"? (Score:5, Interesting)

      by dattaway (3088) on Sunday March 21, 2004 @09:19AM (#8626807) Homepage Journal
      The sad thing is, you can't make a better ATM and sell it in the market. Patents and regulations force competition out. That is the classic sign of poor quality dominating our market.
    • Re:"Progress"? (Score:3, Insightful)

      by SatanicPuppy (611928)
      I remember writing about this months ago. Why in God's name would they use windows for an ATM? Are you going to NEED to use it as a personal computer? Aside from all the security issues, it's just completely pointless. An ATM doesn't need to do that much!

      By adding all that extra code, you make snafus like this possible, and you get nothing in return.
  • Clippy! (Score:5, Funny)

    by Black Parrot (19622) on Sunday March 21, 2004 @07:42AM (#8626568)


    I see you're trying to extract free cash from a bolloxored ATM cum jukebox. May I help you?

  • by Polybius (743489) on Sunday March 21, 2004 @07:42AM (#8626569)
    So who got the fastest ATM minesweeper times?
  • by Stopmotioncleaverman (628352) on Sunday March 21, 2004 @07:43AM (#8626571)
    Start --> Programs --> ATM --> Configure --> Flush Cash (sic)
  • by OverlordQ (264228) on Sunday March 21, 2004 @07:43AM (#8626573) Journal
    how? I mean given,

    A) It's based off of Windows
    B) It was made by Diebold.

    Adding A + B != C where C equals something that works correctly.
  • by myownkidney (761203) on Sunday March 21, 2004 @07:48AM (#8626582) Homepage
    The geek Jim [mithuro.com] goes to the election booth. Jim touches the opening screen. Jim watches while the screen BSoDs. Computer reboots. Jim is presented with the XP interface. Jim, finds the voting system back end. Jim "adjusts" the result:
    Bush 15%
    Kerry 15%
    Nader 70%
    Jim sets all Bush and Kerry votes to go to Nader.
    Jim runs the voting system front end. Sets it to full screen.
    Jim leaves.
    Nader wins
    • Re:Election Day... (Score:5, Insightful)

      by s20451 (410424) on Sunday March 21, 2004 @10:17AM (#8626971) Journal
      Here's the problem with any argument that electronic voting can lead to truly massive voter fraud, of the kind that you suggest. All the news organizations take exit polls, and in fact they usually have a good idea as to the winner even before the polls close. If the exit polls massively disagreed with the result, there would be no question that fraud had occurred, especially if there was no paper trail to back up the votes.

      Fraud can still occur. It's just that those conducting the fraud have to be extremely careful to avoid detection: only changing a few dozen votes in areas where the vote is close to begin with, and so on. They always have to stay within statistical margins of error.

    • The interesting thing about this story is that it really happened to multiple voting machines too! It's documented here.

      ALL Diebold machines in Florida booted BY DEFAULT to the Windows screen, not to the voting system software. You have to hold F10 to force them to boot in kiosk mode. Thus you could get back to the Windows screen simply by forcing a reboot, no special passwords needed.

      To top it off the central database that is used is not protected by an obligatory password. That is the data base has

  • by oiron (697563) on Sunday March 21, 2004 @07:48AM (#8626583) Homepage
    COME ON!!!!!!!!!! Why in the world would someone waste a computer that's capable of running Windows XP (which probably means at least a Pentium with 64 MB RAM?) on an ATM? I mean, the thing is supposed to check your card, pin and then give you a load of cash... Last time I checked, that's a job for something less than an 8080, which could do the job faster, more securely, and cheaper. The right tool for the right job, people! /me rolls eyes
    • by eggstasy (458692) on Sunday March 21, 2004 @07:58AM (#8626604) Journal
      Thing is, it's easier to code up a quick ATM script in Flash or something, than it is to design a whole "lean and mean" super customized secure embedded system from scratch, then code up some basic OS and development tools for it, and THEN do the interface in some obscure language with crappy libs.
      People are lazy, and costs have to be kept down. What's usually important in a company, is to make their business process "lean and mean", not their software or PCs.
    • It comes down to making the best of commercially available hardware and OS'es. And the available stuff is PIII or better, so you might as well run XP if you are an MS shop. DOS is more stable, but when it comes to Microsoft, the developer skill sets are weighted towards Windows. I myself haven't written an app for DOS in 10 years.

      But you are on to something. Can we invent something that is the opposite of Moore's law? Something like: "Software will become nn% harder to write every two years due to ste
    • by tkrotchko (124118) * on Sunday March 21, 2004 @09:03AM (#8626761) Homepage
      This machine is indeed massive overkill, but the economics are that a desktop PC is about the cheapest computer out there.

      An 8080 computer set up in a config with USB ports, serial, parallel, video, etc etc will probably run you something close to $3,000 US, and spares will be difficult as they'll have to be single supplier.

      Also, the drivers for things like printers and card readers are only going to be available for Windows (and increasingly Linux), so if you have an embedded device, the integration costs are going to be high.

      On the other hand, you can get a robust PC from a major manufacturer for something under $1,000 US and it can be replaced by any manufacturer. There are drivers for everything, and software development will be cheaper because windows programmers are more available than embedded programmers.
    • by LinuxHam (52232) on Sunday March 21, 2004 @09:33AM (#8626852) Homepage Journal
      Because business drives technology more than anything else. Just like all things tech, ATMs replaced humans because they can do a human's job 24x7x365 without taking coffee breaks or sick days. And if coded correctly, they can do it without errors. In the old days when you would sit down with a bank representative, they would ask you, "is there anything else I may help you with? Would you like to hear about our low mortgage rates? a new low-rate credit card?"

      Once you replace the person with a machine, you lose the revenue stream generated by the "cold selling" tactics. So, as technology advances and the machines can handle more tasks, why not? If a company is paying to own or lease IT 24 hours a day, that IT should be earning you money 24 hours a day. Just spitting out greenbacks without advertising more products is just not taking full advantage of the technology. Business doesn't care that that's all YOU want out of the machine.
  • ATM OS diversity (Score:5, Interesting)

    by igrp (732252) on Sunday March 21, 2004 @07:51AM (#8626588)
    Around here, quite a few ATMs are still running OS/2 [mit.edu]. For some weird reason, they - just like the ATM the article talks about - have a tendency to crash, reboot and not load the ATM interfacing software.

    I got a chance to talk to one of my bank's IT people about this a few months ago, and basically, they don't know what's causing the crashes because analyzing the log files would just be too much trouble. So their SOP is to have some guy with a key come out, literally pull the plug on the machine and wait till it reboots.

    He also told me that they were slowly migrating over to a "custom XP version", whatever that's supposed to mean. I probably should have told him that Windows machines can be prone to virus infections [windowsfordevices.com] (cough cough [securityfocus.com]).

    • Re:ATM OS diversity (Score:5, Informative)

      by zeitgeist77 (107700) on Sunday March 21, 2004 @08:11AM (#8626636)
      I work at a credit union, and we use OS/2 ATMs. They tried to foist a Windows ATM on us, but couldn't get it to work because the tech was too dumb to tell the difference between a D911 (BiSync) and a D912 (LAN). Quite humorous, I played dumb till after he decided to install the OS2 version and then I pointed out to him it was a D912.

      Funny side note though, on all our ATMs, the terminal driver (computer) has its own display on the backside of the unit along with a mouse and keyboard. Of course, we aren't using the graphics capabilities because our terminal processor is hmm...slightly older than time.

      So useful facts to be noted from experience:

      1) Diebold techs do not know their rectums from a serial card. (I've had to carefully hold their hands through IP setup and assigning the correct host:port combo to attach to the terminal processor)

      2) I've never seen an OS2 ATM crash, nor have I ever seen it fail to boot the TCS (Terminal control software).

      3) Windows driven ATMs have to be the stupidest idea I've ever heard of, but can't really use Linux...(see point one about said sub-sentient techs.)

      4) I fear a world with Diebold designed and serviced Windows based voting devices. the havoc...the horror....
      • Re:ATM OS diversity (Score:5, Interesting)

        by cowwie (85496) on Sunday March 21, 2004 @10:41AM (#8627076)
        I would disagree. I work for a small community bank with two branches and a third under construction. We recently moved our ATM off of Star to another processor, and in the process switched from straight Frame Relay to a LAN hookup.... thus going from 911 to 912 software in the process.

        The Diebold tech came out, I let him into the ATM room, gave him the IP, gateway, and the host IP and port... and he had the system converted in no time flat. Unfortunately, the problem was NOT with Diebold.

        Once he had the system up and online, we had to get the software with the screens the public sees downloaded to the ATM. We spent about 5 hours on the phone off and on with a programmer from our processor and with a programmer from Diebold. They argued back and forth about whose fault it was, and finally the guy from Diebold convinced them to email him the load they were sending us and the load from a working bank so he could compare. The next day I come in to work, the Diebold tech shows up about 20 minutes later (10 minutes earlier than he had told me he would)... and he immediately starts telling me what's going on. Apparently our processor is sending us an incomplete load for some reason, less than half the size it should be. All that arguing yesterday, and they never actually took the time to check that they were sending us the right thing.

        So we have to sit and wait for them to get into THEIR offices and send the correct and working load to our ATM. When they finally do, the Diebold guy finishes up the install by loading the admin card onto the HD, showing the CSR that will handle it how to balance both from the front of the ATM and from the rear screen, and he was done.

        I lay absolutely NONE of the blame on Diebold for the incident. He even said that he wouldn't bill us for the hours that he sat around waiting on someone at the processor to fix the problem. Other than a few frame relay outages (not Diebold's fault) and this little conversion incident (again not Diebold's fault)... this ATM has been rock solid. Unfortunately, we can't get one like that anymore, so the ATM going into our new branch is going to be an Opteva running Windows TCS+.

        Long story short, Diebold is a large company that sells everything; the cabinets, the actual vault and vault door, our security system and cameras, the ATM, and even the modular frame for the teller line. To dismiss the whole company because of issues that they have with e-voting is unfair and unfortunate. Yeah, I'm the IT guy.... but I've also helped oversee every aspect of both of our new branches, and have yet to find a complaint about Diebold.
  • by Anonymous Coward on Sunday March 21, 2004 @07:58AM (#8626605)
    Would it be possible to load data on a swipe card so that the software reading the card suffered some kind of buffer overrun? (Depending of course on how carefully the software checked for them).
  • Win XP ? (Score:3, Interesting)

    by BorgDrone (64343) on Sunday March 21, 2004 @08:03AM (#8626616) Homepage
    Why are these things running WinXP and not something a little more secure ?

    Aren't there any regulations about cash machine security ?
    • Re:Win XP ? (Score:4, Informative)

      by igrp (732252) on Sunday March 21, 2004 @08:15AM (#8626644)
      To my knowledge, there are no specific regulations pertaining to what software an ATM must or must not run. After all, it's the financial institution's business and they're mostly liable for what their machines do (and, if their ATMs fail to perform the most basic safety checks, resulting in the ATM being robbed blind, then that's their problem, too).

      There have, however, been attempts to introduce legislation pertaining to ATM safety in general, both on the federal [theorator.com] and on the state level (the only example that I'm personally familiar with being NY (see here [state.ny.us] and here [state.ny.us])).

  • Dupe.... (Score:4, Informative)

    by heytal (173090) <hetal@rach.gmail@com> on Sunday March 21, 2004 @08:06AM (#8626627) Homepage
    I had read it recently, and I found it on /. But it seems that this is not a dupe :-). This link was posted in the comments section very recently.
    Here's the link. [slashdot.org]

    It's good to look at comments, and submit stories. It gets you karma. Also, it's good to look around that comment, and then post comments in this story. That would gain karma too :-)

    Posting a comment about the comment on which the current /. story is based, gains you karma too :-)
  • Not that unusual (Score:5, Interesting)

    by Saint Stephen (19450) on Sunday March 21, 2004 @08:06AM (#8626628) Homepage Journal
    I see "ordinary" ATMs stuck at a Phoenix BIOS boot prompt all the time. While I've never gotten to the Windows part of an ATM, it happens at information kiosks a lot.

    They should have used the "On-Screen Keyboard" under Accessibility. It is a little scary that this was connected to cash.

    If you want a good read for the database schemas an ATM uses, read "Principles of Transaction Processing." One interesting bit of knowledge is that the entire table of valid account names and their card hashes is replicated to each ATM! (Obviously for your bank only.) It sends out a ping that records "Joe took $50" to the main bank but it's only sort of a summary, the "full details" is kept at the ATM and sync'd at night.

    One crazy thing that happened to me was I tried to withdraw $1100 from Bank A at Bank B's ATM. I got into a "Distributed Transaction Rollback" -- it got all the way through, printed out my receipt that said I got the money, and -- never gave me my money. When I checked at a Bank A ATM, it showed the "hit" on my account. In about 15 minutes the Transaction Processor rolled back the transaction.
  • by heironymouscoward (683461) <heironymouscowar ... 14159om minus pi> on Sunday March 21, 2004 @08:07AM (#8626629) Journal
    It's not immediately evident how Windows XP opens a security risk on an ATM, nor how this means that Diebold voting machines are somehow hackable.

    ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection. And if you could do that, I suspect pretty much any ATM would be hackable. There is a reason why ATMs are built from heavy steel and anchored in concrete.

    Diebold systems raise paranoiac hackles for another reason: control and oversight. You don't need to invoke security flaws and Windows XP to realize that ballot boxes represent power and money. Whoever controls the counting process controls billions, trillions of $, and this is a temptation that few, if any, people can resist.

    The argument against paperless touch-screen voting systems comes from the fact that such systems open the way to serious internal fraud, rather than hacking through any hardware or software weakness. Election fraud is done by incumbent politicians, not by hackers exploiting BSoDs.

    The nightmare scenario for future US elections is where after a largely electronic and unverifiable poll, the governing party gets 55% of the vote despite exit polls showing that it got 45%. What would happen after such an event is anyone's guess, but it would not be pleasant.
    • WRONG! (Score:3, Informative)

      by Anonymous Coward
      "ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection."

      If you read the article you would find out that they managed to input text - but with charmap instead of a keyboard. So having no keyboard is no insurance that no one will be able to input character data.

      • Re:WRONG! (Score:3, Interesting)

        Hmmm, I did read the article (I'm new to Slashdot, sorry!). The charmap was clearly so painful to work with that they could do nothing except play some existing sound samples and speak one message.
        You would need a lot better control than that to hack a machine in realtime. And if it's not in realtime, then the machine must have a network connection, or be able to save state in some way. ATMs seem designed without either of these, and so I'd regard them as "pretty unhackable" in the traditional sense. At
        • Re:WRONG! (Score:3, Interesting)

          As someone stated above (they beat me to it), if the students were smart they would've used the On-Screen Keyboard (osk.exe) that comes with XP, which is made for use with touchscreens. Hardly "painful to work with". If someone with a little more technical knowledge and malicious attitude had come upon this first, the ATM might have been easily emptied.
    • "I Wrote this without a keyboard"
      Cut and paste, it really does work, although a bit slow. Say you use the integrated web browser and you can get a hand on most if not all the characters you need. Plus there is the character picker. But you probably have enough letters to choose from cutting and pasting to give you access to install a virtual keyboard or something. Now someone has access to a computer that dispenses money. I don't know about you but that seems like a security risk to me. Heck install a spy-w
  • by myownkidney (761203) on Sunday March 21, 2004 @08:09AM (#8626631) Homepage

    Welcome to the 2004 Presidential Elections
    Brought to you by DIEBOLD

    Please select your new president:

    George W. Bush [x] (recommended)
    John Kerry [ ]
    Ralph Nader [ ]

    Submit [mithuro.com] Reset [mithuro.com]

    If you are an official, and if you would like to adjust the vote manually, click here [mithuro.com]


  • by Anonymous Coward on Sunday March 21, 2004 @08:09AM (#8626632)
    http://yogi.pdl.cmu.edu/~cgeisser/photos/

    Video with audio of ATM in action
  • by Rogerborg (306625) on Sunday March 21, 2004 @08:17AM (#8626651) Homepage

    >Finally, an annoyed faculty member in an adjacent office unplugged the machine and dispersed the crowd.

    I remember back in the day, when faculty in a technical university would stop two wars before breakfast, and still have time to help with a hack before the toast popped.

    Kind of sad to see the spirit of exploration being so ruthlessly crushed. Attention US Educators: creativity and free thinking is our only advantage over India and China. Ponder on who's going to be paying for your Medicare before you decide to quell your inquisitive students.

  • by Caligari (180276) on Sunday March 21, 2004 @08:26AM (#8626669) Homepage
    I took pictures of Diebold ATM machines doing something similar in Paris.

    Take a look here [unworkable.org]

  • Imagine a Beo... (Score:5, Informative)

    by frenchs (42465) on Sunday March 21, 2004 @08:28AM (#8626677) Homepage
    Here is the Diebold specification PDF for the 520. It says the thing has a P4 in it, and I would assume this is because they designed some sort of software framework for the Opteva to be expandable in the future to do things like sell concert tickets.

    Imagine if that CDR drive was usable to load programs onto it. Furthermore, I'm really hoping these things don't have bluetooth in them.

    520 Spec PDF [diebold.com]

    -Steve
  • by ShadowRage (678728) on Sunday March 21, 2004 @08:30AM (#8626684) Homepage Journal
    no, don't think so...

    but I hear it can play Metallica and pong.
  • by pandrijeczko (588093) on Sunday March 21, 2004 @08:41AM (#8626708)
    Windows, Windows, every where,
    Why's getting out money so hard?
    Windows, Windows, every where,
    It's eaten up my card.

    The spirit deep within: O Gates!
    That ever this should be!
    Yea, buggy things did crawl with legs
    Within Windows XP.

    About, about, it must reboot
    My card's still held within!
    No beer to quench my thirst tonight,
    Blue screen, and wallet thin.

    And some in dreams assured were
    Of the spirit that plagued me so:
    The demon Gates had followed me
    From Redmond's deepest flows.

    And my poor tongue, through beerish drought,
    Was withered at the root;
    I could not speak, no more unless
    This teller would reboot.

    Ah! well a-day! what evil looks
    Had I from old and young!
    Instead of the cross, this penguin fine
    About my neck was hung.

  • by dargaud (518470) <slashdot2@gOOOda ... inus threevowels> on Sunday March 21, 2004 @08:44AM (#8626711) Homepage
    I got a retrospective scare at an airport in southern Italy last month. While waiting for my luggage, all the screens suddenly showed an error Windows popup in the middle. I wanted to click the [OK] button so bad...
  • by zakezuke (229119) on Sunday March 21, 2004 @08:47AM (#8626718)
    Bank Fraud! Something that debits let's say a penny per transaction is actually a moderately simple program to design provided you actually have access to bank accounts and a bank network. It's difficult for your average joe to do without access to machines on the bank network. Well... a cash machine is indeed on a bank network, and has the ability to withdraw sums of money, log bank cards / pin numbers, the lot! These things rebooting in a way that can actually be used like normal windows scares the hell out of me.

  • Character map? (Score:3, Insightful)

    by vrt3 (62368) on Sunday March 21, 2004 @08:56AM (#8626747) Homepage
    Why didn't they use the on-screen keyboard instead of the character map for entering text?
  • by nlt (677934) on Sunday March 21, 2004 @08:59AM (#8626754)
    So if the money dispenser is connected via a serial port, maybe you could "echo tray1-4>COM1" and get 4 hundred dollar bills? obviously you'd need to know their system, but hey, if you knew someone who did know it, well then wikkid.
  • by sh0rtie (455432) on Sunday March 21, 2004 @09:05AM (#8626769)

    too honest

    they had a machine that would give them money and all they did was use media player? Diebold got off lightly!

    they [evil student] could have written a keylogger/pin reader/card cloner/data capture using the on-board vbscript/wscript language (full access to filesystem and shell), build in a network check so as soon as the machine detects a network connection (as the students said it wasn't connected to anything, presume at some point it will be connected to a network by an engineer or repairman) it tries to post the captured data to some.random.location.com, install it as a system service so it runs automatically in the background, even schedule it to run at specific times and you have one totally compromised machine

    would have taken an hour max of programming time, maybe 15min if all you had to do was type it in and not compose it.

    scary that not only is the software Windows but it has its own built in programming environment with access to every program on that machine including network access, and the only tool you need is notepad.

    • by degauss (88443) on Sunday March 21, 2004 @03:25PM (#8628583) Homepage
      Actually.. I am one of the students that was messing with this machine..

      The reason why I'm sure we didn't empty the machine of all its cash (aside from that whole breaking the law thing), is that there was no way to access the money-dispensing mechanism from the controls we had access to (read: only from the touchscreen).

      The numberpad was totally useless, as Windows didn't recognize it, and the character map is pretty slow for trying to actually do anything useful..

      But we had a ton of fun with it anyway.
  • by XNormal (8617) on Sunday March 21, 2004 @09:06AM (#8626773) Homepage
    If they insist on using a Microsoft OS at least they could use Windows XP Embedded. [microsoft.com]

    It's a componentized version of Windows XP with a set of tools to customize it, remove any unnecessary components and prepare system images. It also has tricks like running from read-only media and intercepting message boxes that end users should not see.

    It's even cheaper (for a moderate number of licenses).
    • intercepting message boxes that end users should not see.

      No, that's the wrong answer. In a well-designed ATM, there should not be any message boxes that users shouldn't see. If any unexpected error happens, the ATM code should immediately say "Sorry, I could not complete your transaction, please try later" and return the card. Having an error occur and be hidden from the user is very much the wrong answer.

  • by linoleo (718385) on Sunday March 21, 2004 @09:15AM (#8626793) Journal
    Reminds me of a couple of years back when by wiggling their god-awful pointer device too fast I managed to crash the in-flight seat-back entertainment system. BSOD, reboot, turns out it's a 90MHz Pentium running Win NT 4.0 Server Edition - no wonder the response was so sluggish (on the order of seconds).

    I got to the desktop for about 5 seconds before their entertainment app autostarted again. I then spent a fun hour or two re-crashing the blasted thing and trying to defeat the autostart. Never managed it though - that's the only time I recall that I wished I knew more about Windows. :-)

    Eventually I had to stop because it turned out that poor old Pentium wasn't my in-seat client but actually the server for the entire cabin, and a lynch mob was starting to form... 8-O
  • by pridkett (2666) <slashdot.wagstrom@net> on Sunday March 21, 2004 @10:08AM (#8626942) Homepage Journal
    As a grad student who has their office in this building, I got more than a little kick when I saw the tech fumbling aimlessly to try and fix the thing later. He was there literally all day long and each time I walked by he was on the phone trying to get more info. Where is a good ole OS/2 ATM when you need one?

    Anyway, some people on misc.market also posted some movies [cmu.edu] that you might find interesting.
  • I go to CMU... (Score:5, Interesting)

    by RainbowSix (105550) on Sunday March 21, 2004 @10:12AM (#8626955) Homepage
    About a month ago, all of the National City ATMs in Pittsburgh (where CMU is) got switched from ancient working machines to snazzy new Diebold touch screens. Aside from the one playing Beethoven, there has been at least another one that BSOD'd.

    The one on this article was funny and everything until that night when I remembered that I have my life savings in National City.

    I stopped at some competing banks in the area on Thursday to get some pamphlets and I will be switching banks on Monday.
  • by jd142 (129673) on Sunday March 21, 2004 @10:33AM (#8627041) Homepage
    But does anyone know why ATMs here in the states have a decimal in the amount? So if I want to take out an amount (say $15) that isn't listed, I have to type:

    1-5-0-0

    to let the machine know I want 15 dollars instead of 15 cents. No ATM that I've seen (granted, limited experience) will dispense change. I don't think I've seen any that even dispense dollar bills, so getting $17 is impossible. So why the decimals?
    • by Wohali (57372) on Sunday March 21, 2004 @12:40PM (#8627665) Homepage
      Actually, in Pittsburgh, my old PNCBank branch (just across the busway from Shadyside, I can't remember the street address) had both a single-dollar dispenser, as well as a change cup. It was fed in the same way that I believe those automated change dispensers you sometimes see in banks and at ticket booths get fed - a single slide down which coins fall. I think the manufacturer was NCR, but I'm not sure.

      It didn't ever seem to be filled up, but at least one ATM has been designed that could dispense change! I used to withdraw $19, just because I could put the 4 $1 and the $5 into the change machine for the washer and dryers.

      The machine also could accept deposited checks WITHOUT AN ENVELOPE. It would scan the front of the check, show you an image and ask you if the scan was valid. If you deposited a check this way, it got into your account a full day faster than if it was in an envelope. I think it must have OCRed the text, as well as read the magnetic information from the bottom. Plus I imagine the workflow for the ATM operator was speedier. Of course, this all ran under OS/2 1.3, as I confirmed later.
      Ahh, Pittsburgh, land of the oddball ATMs.
