Windows ATMs raise security concerns

Use of general-purpose platform expected to increase risks

Diebold considers the issue of waiting longer for patches "an important concern," but the company receives ample warning from Microsoft on new vulnerabilities and does not believe that the use of XPE will cause a delay in issuing patches to ATM customers, Grzymkowski said. Diebold individually tests Microsoft patches with all its ATM hardware, but is generally able to turn software patches around in 24 hours, he said.

After introducing Windows NT-based ATMs on its Series 7000 machines, Fujitsu Transaction Solutions, a division of Fujitsu Ltd., is shipping Windows XP Embedded on its new Series 8000 machines, said Kent Schrock, director of marketing.

Software updates will be distributed on CDs and installed on ATMs using a software distribution tool or manually, using what vendors and banks refer to as "sneaker net," technicians who visit and manually service ATMs, Schrock said.

Beyond the question of which operating system to use, ATM vendors are also divided about additional security steps.

Diebold and other ATM vendors are "hardening" the installations of Windows they ship with their ATMs, disabling unnecessary services and ports and removing files that support peripheral devices used by ATMs. In November, Diebold and Sygate announced that Diebold ATMs will be outfitted with Sygate's firewall software to protect them from software security threats.

However, other vendors have not followed suit, with many leaving decisions about securing ATMs to their customers.

"When customers ask me (about ATM security), I tell them to talk to their network security people. They need to treat their ATM like other devices on their network and protect it," Schrock said.

But the transition to Windows might be difficult for ATM network administrators accustomed to managing low-profile OS/2 systems, experts say.

"There wasn't really a security issue at all in the OS/2 world, but there is in the Windows world," All said.

Patch distribution could also be a problem. The well-established "sneaker net" might not be quick enough in getting ATMs protected from fast moving threats like Slammer or Blaster. At the same time, more than one ATM vendor spokesperson expressed uncertainty about how their company would respond to a scenario similar to the Blaster worm, which appeared only weeks after a new vulnerability was disclosed.

"That's a tough situation. I don't know. It sounds like a dangerous situation. I know we'd have to respond very quickly and would respond quickly. I hope our customers would respond and take care of their networks," Schrock said.

Exposure to Windows in other areas of their network has probably made banks more attuned to the security risks accompanying the platform, he said.

Schrock admits that banks are probably "talking a better game than they're playing" when it comes to ATM security.

Diebold says its customers get the message.

"We've seen a significant increase in awareness on our customers' part and in the amount of monitoring that takes place compared to (OS/2-based ATMs)," Merrell said. "Most financial services companies are very concerned (about security) and are monitoring their networks very carefully. It's very expensive to customers when ATM networks go down, so they take all the steps necessary to prevent that from happening."