Windows ATMs raise security concerns

Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi worm raises the specter of even wider disruptions from virus and worm outbreaks and highlights a growing security concern that cash machines running Windows XP and interacting with other Windows systems are vulnerable to attack.

The outbreak of Nachi, also known as "Welchia," occurred in August and required the two customers to take down and patch infected ATMs before they could be safely brought back online, said Jim Merrell, director of global product marketing at Diebold, a leading ATM manufacturer, of North Canton, Ohio.

The two financial institutions whose ATMs were affected have not been identified.

The security problems on ATM networks come as many banks worldwide are migrating off of an older generation of machines using IBM's OS/2 operating system to new systems running Windows.

The mass migration to Windows is spurred by a number of factors, said Ann All, editor of ATMmarketplace.com, an online publication covering the ATM market. They include IBM's decision to stop supporting OS/2 by 2006, market pressure from creditors such as Mastercard International and Visa International to introduce stronger Triple DES (Data Encryption Standard) encryption, and pressure from U.S. regulators to introduce new features for disabled users, All said.

Pressure from ATM vendors has also contributed to the near universal decision to use Windows as a replacement for OS/2, All said.

"This is being driven largely by vendors. They're telling (banks) how great and flexible Windows platforms are, and (banks) have been seeing (Windows ATMs) at trade shows," she said.

Leading ATM vendors say that shifting to Windows was inevitable and cite the dominance of the operating system on corporate networks and its built-in support for Web standards such as HTML (Hypertext Markup Language) and XML (Extensible Markup Language) as reasons for the move.

Banks will be able to create a consistent look and feel between home banking applications and ATMs. Even more important, they will be able to reuse business processes written for the Web and other Windows platforms on their ATMs, making it easier to deploy new ATM features, said Rob Evans, director of industry marketing at NCR, a leading ATM manufacturer based in Dayton, Ohio.

Despite support from vendors, security analysts predict that the move to Windows-based ATMs will almost certainly result in more disruptions from worms, viruses and hackers, because Windows presents more avenues for exploitation than OS/2 or a purpose-built ATM operating system.

"You're dealing with a general purpose operating system that has millions of lines of code. Banks can take advantage of the connectivity, but they're increasing their security risk," said Mike Rasmussen, a security analyst at Forrester Research Inc.

Bruce Schneier, chief technology officer at Counterpane Internet Security and author of the book "Beyond Fear," sees both advantages and disadvantages for banks in switching to Windows ATMs.

"The general purpose operating system does everything. Unfortunately, that also means there's more bad stuff that could run on the computer," he said.