
Re: [News] ATM's That Crash and Have "Critical" Vulnerabilities

On 2006-11-17, Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx> posted something concerning:
> On Fri, 17 Nov 2006 04:45:57 +0000, Mark Kent wrote:

> Further, it's not really important if the ATM is running SP2 or not if it's
> only connected to a secure internal network.  And an RTOS is not needed for
> the simple tasks of an ATM.  You need an RTOS if you need real-time
> support, and nothing in an ATM is real-time.  

http://www.atmmarketplace.com/article.php?id=4172

   06 Nov 2003

.....

   The ATM is going to be around for a long time. In the future, there
   will be more of them connected to the Internet, and they will know
   who you are when you get there. And you won't need a card to access
   the ATM. They'll be friendlier, easier and safer to use - these are
   traits ATM manufacturers are always improving upon.

The "future" is now wrt the date on the article. Whether we've reached
*the* future or not is an open question. If it's done using Winders,
it's going to be problematic, so I doubt we're there in large numbers
yet.

http://www.wired.com/news/technology/0,1282,60497,00.html

   "What Microsoft actually sells to the banks for ATM use is a
   cut-down version of Windows that doesn't contain things like Web
   servers," said Ross Anderson, a researcher in Cambridge, England,
   and author of Security Engineering. "They have tried to cut out the
   unnecessary rubbish that clutters up the typical PC. How good a job
   they've done, I just don't know.... So we definitely can't rule out
   the possibility that someone in the future writes a Slammer-style
   worm that causes thousands of ATMs to start spewing out cash."

   But one of Anderson's colleagues, Bruce Schneier, chief technology
   officer at security monitoring and consulting company Counterpane
   Internet Security, dismissed this scenario. He pointed out that the
   machines would not operate online and therefore would not become
   vulnerable to a malicious Internet attack or to some virus passed
   around in an e-mail attachment. Because the machines have no
   peripherals like floppy disks, it would be difficult for a cracker
   to install code or steal information.

The guy from Diebold in the first link seems to disagree with the idea
of them not being connected to the internet. I think I'd take his word
for it over some clown at a consulting firm.

http://taint.org/2003/01/26/154359a.html

   Boing Boing notes that the SQL Slammer worm "caused service outages
   at tens of thousands of Bank of America ATMs and wreaked havoc at
   Continental Airlines. Apparently, customers at most of the #3
   American bank's 13,000 automatic teller machines were unable to
   process transactions for a period of time."

http://en.wikipedia.org/wiki/Automatic_Teller_Machine

   Physical connections

   ATMs typically connect directly to their ATM Transaction Processor
   via either a dial-up modem over a telephone line or directly via a
   leased line. Leased lines are preferable to POTS lines because they
   require less time to establish a connection. Leased lines may be
   comparatively expensive to operate versus a POTS line, meaning
   less-trafficked machines will usually rely on a dial-up modem. That
                                                                  /\/\
   dilemma may be solved as high-speed Internet VPN connections become
   /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   more ubiquitous.  Common lower-level layer communication protocols
   /\/\/\/\/\/\/\/\
   used by ATMs to communicate back to the Bank include SNA over SDLC,
   TC500 over Async, X.25, and TCP/IP over Ethernet.

I don't think we're going to see announcements about companies
connecting their ATMs to the internet while using Winders. So I think
I'll sit this one out until after lots of damage is done and the owners
of the machines wise up. Let others suffer their ill fates. My money
and personal information won't be passing through ATMs in the near
future.

-- 
Microsoft's relationship to its users is that of the blue whale to
krill. Our only purpose is to breed, feed and get squeezed against its
giant tongue until every last drop of money is released.
 -- Rupert Goodwins, ZDNet(UK)
