Can Your ATM Play Beethoven? 657
bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."
"Progress"? (Score:5, Insightful)
seem to be getting slower and slower to use. 10 years back, you'd insert your
card, be able to key in your pin number straight away and be straight into the
menu. Now, you insert the card, stand about while it thinks about checking it,
then you eventually enter a pin and wait around a bit more before using the
sluggish interface. Now I know that these machines have media player, web browser and
all sorts of other redundant crap installed on a full version of XP, I understand the
reason the queues are growing!
I don't need 24 million colours, animations and other crap just to take money out
of my account, dammit! It's staggering to think that the software has become so
bloated and slow that machines produced 10 years ago, with only a fraction of the
computing power of today were actually far more responsive to use.
I remember seeing an ATM reboot a few years back (brief power outage). It briefly
showed the OS2 logo before resuming normal operation
I just don't know whether to laugh or cry! (Score:5, Insightful)
Re:I just don't know whether to laugh or cry! (Score:5, Insightful)
People are lazy, and costs have to be kept down. What's usually important in a company, is to make their business process "lean and mean", not their software or PCs.
Re:"Progress"? (Score:2, Insightful)
Re:I just don't know whether to laugh or cry! (Score:4, Insightful)
The old ones work.
And that's legal? (Score:1, Insightful)
This reminds me of the case a few years back where people ran a network of fake atm machines. They would do the actual atm transaction, but then store your card info and pin, and since they had modified the actual atm, nobody was the wiser. It wasn't until millions of dollars started disappearing from accounts that people caught on.
I could never trust a financial network that's designed in a way that such a thing is even possible.
For once... (Score:5, Insightful)
I'd rather find the execs of the bank, and roll them in tar and feathers and chase them out of town with a stick. Any one can make an offer... I can offer to run their ATM network on Linux 2.6.4-alpha1-test4-pre2 too. If they're willing to buy it, that's their stupidity, not mine.
Kjella
Here's what to do... (Score:0, Insightful)
And for large purchases use a credit card.
Now, I agree with your rant, but I'm tired of people who get so dependant on cash cards and their cell phone that they forget how to actually live.
You strike me as a person who is 72 hours of electricity away from being a cave-man.
Re:I just don't know whether to laugh or cry! (Score:5, Insightful)
Re:I just don't know whether to laugh or cry! (Score:3, Insightful)
"One's?" What the fuck is wrong with me!
I thought I knew the difference between plural and possessive.
Character map? (Score:3, Insightful)
Economics, that's why (Score:5, Insightful)
An 8080 computer set up in a config with USB ports, serial, parallel, video, etc etc will probably run you something close to $3,000 US, and spares will be difficult as they'll have to be single supplier.
Also, the drivers for things like printers and card readers are only going to be available for Windows (and increasingly Linux), so if you have an embedded device, the integration costs are going to be high.
On the other hand, you can get a robust PC from a major manufacturer for something under $1,000 US and it can be replaced by any manufacturer. There are drivers for everything, and software development will be cheaper because windows programmers are more available than embedded programmers.
Stupid Student's or maybe.. (Score:5, Insightful)
too honest
they had a machine that would give them money and all they did was use media player ? Diebold got off lightly!.
they [evil student] could of written a keylogger/pin reader/card cloner/data capture using the on-board vbscript/wscript language, (full access to filesystem and shell), build in a network check so as soon as the machine detects a network connection (as the students said it wasnt connected to anything presume at some point it will be connected to a network by an engineer or repairman) it trys to post the captured data to some.random.location.com, install it as a system service so it runs automatically in the background , even schedule it to run at specific times and you have one totally compromised machine
would of taken an hour max of programming time, maybe 15min if all you had to do was type it in and not compose it.
scary that not only is the software Windows but it has its own built in programming enviroment with access to every program on that machine including network access, and the only tool you need is notepad.
Windows XP Embedded (Score:5, Insightful)
It's a componentized version of Windows XP with a set of tools to customize it, remove any unnecessary components and prepare system images. It also has tricks like running from read-only media and intercepting message boxes that end users should not see.
It's even cheaper (for a moderate number of licenses).
Re:Insecurity and Paranoia (Score:3, Insightful)
Cut and past it really does work although a bit slow. say you use the integrated web browser and you can get a hand on most if not all the characters you need. Plus there is the character picker. but you probably have enough letters to choose from cutting and pasting to give you access to install a virtual keyboard or something. Now someone has access to a computer that dispenses money. I don't know about you but that seems like a security risk to me. Heck install a spy-ware program on it to record peoples ID and the next time it reboots you can use it to dispense some cash yourself. Using an OS Designed for home users (Including Standard Linux/Unix distributions) is a bad idea. For an ATM the computer OS needs to just run that ATM and thats it (well perhaps some diag software for the service people). Heck you can make a more secure system with MSDOS 3.0 after you delete all the extra files you dont need. And put the software in line 2 on of the autoexec file. Line one will need to install the touch-screen TSR.
Re:I've seen OS/2 on ATM screens many times (Score:3, Insightful)
If those machines were locked down embedded Windows or something similar, then I wouldn't be so worried. But these things appear to be more like a normal Windows installation with an ATM program on top. That *is* scary.
Think of it, if so much care was taken on the design of the ATM, how do you know that your credit card number and PIN aren't in a text file that can be read directly if you manage to get to the Windows interface?
And what will happen when the virus of the week hits it because nobody bothered closing unneeded ports?
Re:I just don't know whether to laugh or cry! (Score:3, Insightful)
Re:"Progress"? (Score:5, Insightful)
Platform? One of the nice things about vintage cash machines was the fact that the software was written in assembly. Let's face it, all a bank machine is is just a glorified terminal. It has no need to store information, no need to access disks, mount devices, nor access a network outside of it's banking protocal. There is no need for it to accept new software other then perhaps firmware update from time to time, nor the ability to run background processes. Doesn't need to do cron events or anything above and beyond take card, peform action on account, say thank you.
Re:I just don't know whether to laugh or cry! (Score:5, Insightful)
Once you replace the person with a machine, you lose the revenue stream generated by the "cold selling" tactics. So, as technology advances and the machines can handle more tasks, why not? If a company is paying to own or lease IT 24 hours a day, that IT should be earning you money 24 hours a day. Just spitting out greenbacks without advertising more products is just not taking full advantage of the technology. Business doesn't care that that's all YOU want out of the machine.
Re:Insecurity and Paranoia (Score:1, Insightful)
It's not immediately evident how Windows XP opens a security risk on an ATM
Wheither XP is a bigger problem then other opertating systems isn`t the real point, the system booting into a full user interface on a powerfull OS is. Provided the cash dispensing mechanics trust the computer anyone knowing how these mechanics are hooked up to the computer (serial, isa?) could ask the os to ask the dispenser to, well dispense ;-)
ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection.
The article mentions that cutting and pasting and using the special character app worked just fine. Slashdot readers of all people should understand that not having a keyboard is not a security feature but a chalenge to real "hackers" love (can you cut and paste together a touch screen keyboard emulator in any of the available scripting languages that come with xp before someone comes around to do a reboot, how is that for a ego boosting challenge?). The machine is connected to the banks network, wheither that is better or worse then the internet would be an interesting debate, it mostly depends on wheter this bank that buys windows xp based atm`s has a network and servers that do not trust machines just becouse they are on the right network/ip-range... They may just do this part securely and decide not to. If these machines keep crashing into explorer.exe we will find out soon enough if any bank didn`t though.
There is a reason why ATMs are built from heavy steel and anchored in concrete.
I could see many reason to build an atm computer with a bit simpler hard and software, mostly reliability and "fixability" and even, dare I say it, security. If people choose for concrete over cardboard they do so becouse of reliability and security I guess, why not with the computer? How could it be that the hardware and software price didn`t mean choosing anything else, there are a million cheaper and more reliable ways to drive a gui then XP on a pc.
The argument against paperless touch-screen voting systems comes from the fact that such systems open the way to serious internal fraud, rather than hacking through any hardware or software weakness.
Well since these argument don`t seem to be exluding each other I guess you could say the no acountability point is the "best" argument against diebold style touch screen voting, but personally I would disagree. I think:
Re:Insecurity and Paranoia (Score:2, Insightful)
Ah, security through lack-of-keyboard.
Lack of a keyboard is a nuisance, but doesn't prevent people from operating the machine or breaking in. For example, Windows has an on-screen keyboard. Even if it doesn't, you can cut-and-paste text (a character at a time) from some other application. And there is probably special ATM maintenance software installed on those machines as well, which can likely be operated through the touch screen (since it is intended to be used by technicians).
Thank you for illustrating again how naive many people are about security.
Re:Election Day... (Score:5, Insightful)
Fraud can still occur. It's just that those conducting the fraud have to be extremely careful to avoid detection: only chaning a few dozen votes in areas where the vote is close to begin with, and so on. They always have to stay within statistical margins of error.
Re:Insecurity and Paranoia (Score:2, Insightful)
It doesn't matter if they're connected to the Internet. Having worked on ATM banking systems in the past, they are connected to a WAN that likely has Windows workstations connected as well. Since Windows Update is probably never run on the ATMs I would think that it would be trivial for a Windows workstation to infect a Windows ATM.
Reciprocal effects (Score:2, Insightful)
Re:Here's what to do... (Score:1, Insightful)
As they should! (Score:5, Insightful)
> comes to you no longer physicaly having your card.
As they should. Really, it is much simpler for the bank to just issue a replacement card than to bother returning the old one. Think about it: should they print a piece of embossed plastic that costs a few cents, or have the kindhearted finder send the old card in (37 cents) and remail it to the owner (another 37 cents + 15 minutes of somebody's time [or more, if Windows crashes]) all the while ensuring that no fraudulent transactions take place in the meantime (priceless)?
Hack da Planet! (Score:2, Insightful)
Something makes me think a next RPC vulnerability will do just that
XeeRz,
Jason
Criminal Negligence (Score:2, Insightful)
Re:"Progress"? (Score:3, Insightful)
It is for the banks. Your needs don't matter; you're just a sheep to fleeced.
Re:"Progress"? (Score:3, Insightful)
By adding all that extra code, you make snafu's like this possible, and you get nothing in return.
Re:"Progress"? (Score:5, Insightful)
True, except that modern ATMs will have biometrics (finger scanners and whatnot), plus that printer thingy that gives your receipt, then there's the monitor, maybe some sort of check scanner for inputting money, a dispenser for giving cash, and viola, you have attached devices which need drivers.
Re:Moderators: +5 Insightful!!! (Score:3, Insightful)
Re:Why use Win32 on a ATM? (Score:3, Insightful)
An ATM has only afew simple requirements
The GUI
Dont even start about "windows gui" all ATMs use a custom designed GUI! theres no need for a graphical OS behind it!
Network Connection
This aint rocket science, you dont need a big OS to send an encrypted message.
Reliability
The ideal machine would simply have a ROM for the software and a small ammount of RAM, no hard-drive is required. You should be able to do a full reset and have the machine running in seconds. Does this idea fit well with a large windows installation? no.
Infact i would go as far as to say an ATM doesnt even need multitasking! think about it, you do your stuff, it says please wait, that stays in the video buffer while it does its transaction. All this over complexity is very bad KISS.
Re:"Progress"? (Score:2, Insightful)
Re:"Progress"? (Score:3, Insightful)
Wouldn't it be cheaper to use a general purpose free OS then to pay for Windows XP licenses? Not that they (or any other company) would pass this savings on to the customer but think of how much more they could pad the bottom line without paying for XP licenses (and the tools you need to develop software for it).
Re:Here's what to do... (Score:3, Insightful)
Perhaps if banks would open usefull hours, say evenings and weekends, like supermarkets do.. it would be more practical to go to the counter, however the banks wont do that.. since theyre trying to force people into using the machines.
Re:"Progress"? (Score:1, Insightful)
Re:"Progress"? (Score:2, Insightful)
Actually, I tried that. I once found a wallet on a public toilet with 1,000 DKKR (~US$150) in it, and nothing else! Hornest as I am, I took it to the local police dept. and gave them it along with my name/adress just in case the owner would contact me. A week later I recived a letter containing 500 DKKR from the owner