Windows ATMs raise security concerns

Use of general-purpose platform expected to increase risks

Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi worm raises the specter of even wider disruptions from virus and worm outbreaks and highlights a growing security concern that cash machines running Windows XP and interacting with other Windows systems are vulnerable to attack.

The outbreak of Nachi, also known as "Welchia," occurred in August and required the two customers to take down and patch infected ATMs before they could be safely brought back online, said Jim Merrell, director of global product marketing at Diebold, a leading ATM manufacturer, of North Canton, Ohio.

The two financial institutions whose ATMs were affected have not been identified.

The security problems on ATM networks come as many banks worldwide are migrating off of an older generation of machines using IBM's OS/2 operating system to new systems running Windows.

The mass migration to Windows is spurred by a number of factors, said Ann All, editor of, an online publication covering the ATM market. They include IBM's decision to stop supporting OS/2 by 2006, market pressure from creditors such as Mastercard International and Visa International to introduce stronger Triple DES (Data Encryption Standard) encryption, and pressure from U.S. regulators to introduce new features for disabled users, All said.

Pressure from ATM vendors has also contributed to the near universal decision to use Windows as a replacement for OS/2, All said.

"This is being driven largely by vendors. They're telling (banks) how great and flexible Windows platforms are, and (banks) have been seeing (Windows ATMs) at trade shows," she said.

Leading ATM vendors say that shifting to Windows was inevitable and cite the dominance of the operating system on corporate networks and its built-in support for Web standards such as HTML (Hypertext Markup Language) and XML (Extensible Markup Language) as reasons for the move.

Banks will be able to create a consistent look and feel between home banking applications and ATMs. Even more important, they will be able to reuse business processes written for the Web and other Windows platforms on their ATMs, making it easier to deploy new ATM features, said Rob Evans, director of industry marketing at NCR, a leading ATM manufacturer based in Dayton, Ohio.

Despite support from vendors, security analysts predict that the move to Windows-based ATMs will almost certainly result in more disruptions from worms, viruses and hackers, because Windows presents more avenues for exploitation than OS/2 or a purpose-built ATM operating system.

"You're dealing with a general purpose operating system that has millions of lines of code. Banks can take advantage of the connectivity, but they're increasing their security risk," said Mike Rasmussen, a security analyst at Forrester Research Inc.

Bruce Schneier, chief technology officer at Counterpane Internet Security and author of the book "Beyond Fear," sees both advantages and disadvantages for banks in switching to Windows ATMs.

"The general purpose operating system does everything. Unfortunately, that also means there's more bad stuff that could run on the computer," he said.

A switch to Windows-based ATMs could still be worth the security headaches if the new features, savings and efficiencies offset the costs of securing them and cleaning up after outbreaks, Schneier said. But if ATM vendors and banks have miscalculated the costs of securing those systems, the decision to move to Windows could prove fateful, he said.

"The worry is that (Windows ATMs) actually have higher costs than they anticipated. What if, now, hackers target Windows ATM machines and steal money? Does that affect customers? I hope that they're thinking about this because there are real risks," he said.

At FleetBoston, the decision to move to Windows-based ATMs was driven by the company's two main ATM vendors, Diebold and NCR, which account for almost all of Fleet's 3,500 ATMs. Both are encouraging the use of Windows XP over Linux or Unix on newer ATMs and legacy hardware, according to Jim D'Aprile, manager of ATM functionality and payment product engineering at Fleet.

The desire for more consistency between ATM networks and the rest of Fleet's business applications was also an important factor, D'Aprile said.

"I don't want to put a plug in for Windows, but it is the operating system of choice for desktops and Web-enabled applications, so if you want compatibility with those systems, it's a no-brainer," he said.

Fleet recently completed a pilot test of 100 Windows NT ATMs in New York City and Boston and is certifying Windows XP for deployment, D'Aprile said.

The new ATMs look similar to Fleet's other ATMs but will offer new features, like the ability to manage multiple transactions simultaneously on the ATM and the ability to access online bill payment features set up through the company's home banking service, called "Homelink," he said.

Despite the enthusiasm about new features, both ATM vendors and their customers say that security issues stemming from the use of Windows are a major concern. And while major ATM vendors are united in their choice of Windows as a replacement for OS/2, there is no consensus among them on how to address the security concerns accompanying that choice.

For example, Diebold and NCR disagree on whether ATMs are safer using embedded versions of Windows XP (XPE) or "off-the-shelf" versions of the OS.

Diebold is shipping its new line of Opteva ATMs with Windows XPE, said Steve Grzymkowski, senior product marketing manager at Diebold. The embedded OS promises to give Diebold better efficiency on its ATMs by removing unnecessary drivers and files, he said.

NCR disagrees.

"We are not recommending the use of Windows XP embedded," said Evans. "When you've gone to an embedded operating system, you've got to account for weird stuff in the code, and that means you're going to get patches for your version several weeks behind the rest of the market."

NCR is shipping full versions of XP on its Personas series ATMs and has hundreds of the machines deployed in the field. The company's APTRA software is also designed to run on the off-the-shelf XP platform, Evans said.

"If you ever need a patch to clean up a virus or bug, we'll be first in line -- not waiting for Blaster protection," he said.

Diebold considers the issue of waiting longer for patches "an important concern," but the company receives ample warning from Microsoft on new vulnerabilities and does not believe that the use of XPE will cause a delay in issuing patches to ATM customers, Grzymkowski said. Diebold individually tests Microsoft patches with all its ATM hardware, but is generally able to turn software patches around in 24 hours, he said.

After introducing Windows NT-based ATMs on its Series 7000 machines, Fujitsu Transaction Solutions, a division of Fujitsu Ltd., is shipping Windows XP Embedded on its new Series 8000 machines, said Kent Schrock, director of marketing.

Software updates will be distributed on CDs and installed on ATMs using a software distribution tool or manually, using what vendors and banks refer to as "sneaker net," technicians who visit and manually service ATMs, Schrock said.

Beyond the question of which operating system to use, ATM vendors are also divided about additional security steps.

Diebold and other ATM vendors are "hardening" the installations of Windows they ship with their ATMs, disabling unnecessary services and ports and removing files that support peripheral devices used by ATMs. In November, Diebold and Sygate announced that Diebold ATMs will be outfitted with Sygate's firewall software to protect them from software security threats.
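The hardening described above only holds if someone keeps checking that the image has not drifted back toward a stock Windows install. The following is an added example, not Diebold's or Sygate's tooling: a baseline-drift check that compares an ATM's running services and listening sockets against a hardened allowlist and reports anything unexpected or missing. The service names, the ports and the sample inventory are constructed assumptions; on a real fleet the inventory would be collected from the machine's own service and socket listings.

```python
"""Hardening-baseline drift check for a Windows ATM image (added example).

Not vendor code: the article only says vendors disable unnecessary services
and ports and add a host firewall. Everything named below is a constructed
assumption used to illustrate the check.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    """What a hardened ATM image is allowed to look like."""
    allowed_services: frozenset   # services that may be running
    required_services: frozenset  # services that must be running (e.g. the host firewall)
    allowed_listeners: frozenset  # (proto, port) sockets the ATM may listen on


@dataclass(frozen=True)
class Inventory:
    """What a machine actually reports (hypothetical collector output)."""
    running_services: frozenset
    listeners: frozenset          # (proto, port)


@dataclass
class DriftReport:
    unexpected_services: list = field(default_factory=list)
    missing_services: list = field(default_factory=list)
    unexpected_listeners: list = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.unexpected_services
                    or self.missing_services
                    or self.unexpected_listeners)


def check_drift(inv: Inventory, base: Baseline) -> DriftReport:
    """Compare an inventory against the baseline; anything not on the allowlist is drift."""
    return DriftReport(
        unexpected_services=sorted(inv.running_services - base.allowed_services),
        missing_services=sorted(base.required_services - inv.running_services),
        unexpected_listeners=sorted(inv.listeners - base.allowed_listeners),
    )


# Constructed baseline: the ATM application, event logging, the RPC subsystem
# the application depends on, and a host firewall; one hypothetical
# management listener on TCP 9100 and nothing else.
HARDENED_BASELINE = Baseline(
    allowed_services=frozenset({"AtmApp", "EventLog", "RpcSs", "HostFirewall"}),
    required_services=frozenset({"AtmApp", "HostFirewall"}),
    allowed_listeners=frozenset({("tcp", 9100)}),
)

# Constructed inventory from a machine that has drifted: the Messenger service
# is back, the host firewall is not running, and the RPC endpoint mapper
# (TCP 135, the port Blaster-class worms attacked) is listening again.
DRIFTED_INVENTORY = Inventory(
    running_services=frozenset({"AtmApp", "EventLog", "RpcSs", "Messenger"}),
    listeners=frozenset({("tcp", 135), ("tcp", 9100)}),
)


def drifted_report() -> DriftReport:
    """Run the check on the constructed inventory."""
    return check_drift(DRIFTED_INVENTORY, HARDENED_BASELINE)


if __name__ == "__main__":
    report = drifted_report()
    print("clean" if report.clean() else report)
```

Run on every machine after each "sneaker net" visit or patch cycle, a report that is not clean is the signal to pull the ATM before it is put back in service, rather than trusting that the image shipped hardened stays that way.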

However, other vendors have not followed suit, with many leaving decisions about securing ATMs to their customers.

"When customers ask me (about ATM security), I tell them to talk to their network security people. They need to treat their ATM like other devices on their network and protect it," Schrock said.

But the transition to Windows might be difficult for ATM network administrators accustomed to managing low-profile OS/2 systems, experts say.

"There wasn't really a security issue at all in the OS/2 world, but there is in the Windows world," All said.

Patch distribution could also be a problem. The well-established "sneaker net" might not be quick enough in getting ATMs protected from fast-moving threats like Slammer or Blaster. At the same time, more than one ATM vendor spokesperson expressed uncertainty about how their company would respond to a scenario similar to the Blaster worm, which appeared only weeks after a new vulnerability was disclosed.

"That's a tough situation. I don't know. It sounds like a dangerous situation. I know we'd have to respond very quickly and would respond quickly. I hope our customers would respond and take care of their networks," Schrock said.

Exposure to Windows in other areas of their network has probably made banks more attuned to the security risks accompanying the platform, he said.

Schrock admits that banks are probably "talking a better game than they're playing" when it comes to ATM security.

Diebold says its customers get the message.

"We've seen a significant increase in awareness on our customers' part and in the amount of monitoring that takes place compared to (OS/2-based ATMs)," Merrell said. "Most financial services companies are very concerned (about security) and are monitoring their networks very carefully. It's very expensive to customers when ATM networks go down, so they take all the steps necessary to prevent that from happening."

Fleet is hedging its bets with the new Windows-based ATMs, relying on an existing leased line network using IBM's Systems Network Architecture (SNA) to connect ATMs to a Tandem Computers mainframe for processing core ATM functions such as customer personal identification numbers and account information, D'Aprile said.

"That connection type has been in place for 20 years and isn't prone to hacking. It allows us to isolate ourselves a bit more," he said.

For other ATM functions requiring a connection to Fleet's network, the company is connecting ATMs using a VPN (virtual private network). Fleet has also used NCR's APTRA toolkit to develop more secure applications for Windows ATMs. For example, the applications are programmed to detect network disruptions such as worm outbreaks and prevent customer ATM transactions when they occur, he said.
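The article says Fleet's applications detect network disruptions such as worm outbreaks and stop customer transactions while they last, but gives no detail. The block below is an added example of that fail-closed pattern, not Fleet's or NCR's APTRA code: a gate that watches two constructed signals an ATM can observe locally (how many distinct hosts are probing it, and whether calls to the transaction host are failing), trips when either crosses a threshold, and stays closed until the network has been quiet for a cooldown period or an operator resets it. The signal names, thresholds and the sample timeline are all assumptions.

```python
"""Fail-closed transaction gating for an ATM during a suspected worm outbreak.

Added example, not Fleet's or NCR's code. Fields, thresholds and the sample
timeline are constructed assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class NetSample:
    """One monitoring interval as seen from the ATM (hypothetical collector output)."""
    t: int                  # interval start, seconds since boot
    probe_sources: int      # distinct hosts that sent unsolicited traffic to the ATM
    host_call_failed: bool  # did the call to the transaction host (PIN/account) fail?


class TransactionGate:
    """Blocks customer transactions while the network looks unhealthy.

    Trip conditions, evaluated every interval:
      * scan pressure: the per-interval probe counts summed over a sliding
        window exceed max_probe_sources (a worm sweeping the subnet looks
        like this to every machine on it);
      * host outage: max_host_failures consecutive failed host calls.
    Once tripped, the gate stays closed until cooldown_s seconds have passed
    with no further trip condition, or an operator resets it. One good
    sample is not enough, because outbreaks arrive in waves.
    """

    def __init__(self, window_s=300, max_probe_sources=25,
                 max_host_failures=3, cooldown_s=600):
        self.window_s = window_s
        self.max_probe_sources = max_probe_sources
        self.max_host_failures = max_host_failures
        self.cooldown_s = cooldown_s
        self._window = deque()
        self._consecutive_failures = 0
        self._tripped_reason = None
        self._last_bad_t = None

    def observe(self, s: NetSample) -> bool:
        """Feed one sample; returns True if transactions are allowed afterwards."""
        self._window.append(s)
        while self._window[0].t < s.t - self.window_s:   # expire old intervals
            self._window.popleft()
        self._consecutive_failures = self._consecutive_failures + 1 if s.host_call_failed else 0
        probes = sum(x.probe_sources for x in self._window)
        reason = None
        if probes > self.max_probe_sources:
            reason = f"scan pressure: {probes} probing hosts in {self.window_s}s"
        elif self._consecutive_failures >= self.max_host_failures:
            reason = f"host outage: {self._consecutive_failures} consecutive failed host calls"
        if reason:                       # (re)trip and restart the cooldown clock
            self._tripped_reason = reason
            self._last_bad_t = s.t
        elif self._tripped_reason and s.t - self._last_bad_t >= self.cooldown_s:
            self._tripped_reason = None  # quiet long enough: reopen automatically
        return self.allowed()

    def allowed(self) -> bool:
        return self._tripped_reason is None

    def reason(self):
        return self._tripped_reason

    def operator_reset(self):
        """Manual reopen after a technician has verified the machine."""
        self._tripped_reason = None
        self._consecutive_failures = 0
        self._window.clear()


def constructed_outbreak():
    """Constructed timeline, one sample per minute: quiet, a scan burst, then quiet."""
    probes = {0: 2, 60: 3, 120: 1, 180: 30, 240: 15}
    return [NetSample(t, probes.get(t, 0), False) for t in range(0, 1141, 60)]


def gate_decisions(samples, **gate_kwargs):
    """Run a gate over samples; returns (t, allowed, reason) per interval."""
    gate = TransactionGate(**gate_kwargs)
    return [(s.t, gate.observe(s), gate.reason()) for s in samples]


if __name__ == "__main__":
    for t, ok, why in gate_decisions(constructed_outbreak()):
        print(t, "ALLOW" if ok else f"BLOCK ({why})")
```

With the constructed timeline the gate closes at t=180 when the burst begins, stays closed while the burst drains out of the five-minute window, and only reopens ten minutes after the last interval that exceeded the threshold. Failing closed costs availability, which is exactly the trade the article describes banks accepting in preference to dispensing cash on a compromised network.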

Still, D'Aprile said that news of the worm outbreak on Diebold's systems is a concern and banks will have to be much more vigilant in keeping up with the many Windows patches than when they ran OS/2 on their ATMs.

Even so, the roll-out of Windows-based ATMs is expected to accelerate in coming years, as smaller banks and credit unions follow the lead of larger financial institutions, according to's All.

Banks will also begin moving their ATMs from expensive leased line networks to less-secure TCP/IP (Transmission Control Protocol/Internet Protocol) based networks, which offer opportunities for expanded features, remote access management and easier software distribution, Diebold's Grzymkowski said.

"The benefits to banks like Wells Fargo (and Company) and Fleet far outweigh the inconvenience," said NCR's Evans. "You get a consistent look and feel, expanded transactions across all channels and new solutions. Those are well worth the inconvenience you might get from a PC virus."


Copyright © 2003 IDG Communications, Inc.