funsec mailing list archives

Re: Windows-based cash machines 'easily hacked'


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Tue, 18 Mar 2008 11:36:50 -0500

On Tue, Mar 18, 2008 at 10:40 AM, der Mouse <mouse () rodents montreal qc ca>
wrote:

> > If you're simply letting your vendor make all the decisions about
> > your ATMs then you're not really doing everything you can to make
> > them as secure as they can be.
>
> If you're using Windows-based ATMs _at all_ you're _already_ "not
> really doing everything you can to make them as secure as they can be".

You guys gotta get your feet firmly planted in reality. Everyone can bash
Windows all they want. The current set of vendors use Windows for their ATM
OS. Yes, terrible idea. No one is willing to change at this point.

The term "doing everything you can do" is relative at best. The business
unit wants ATMs, the customers want ATMs. Everyone develops for Windows. No
significant development is being done that I am aware of using a
different OS.

So we take that baseline of threat and we do "everything we can do" to make
the system as secure as it can be.

> There's just no excuse - IMO - for using the most insecure (in
> practice) operating system on the planet for an ATM...especially in the
> presence of all the alternatives.  (Not all the alternatives are really
> _good_, but practically anything else is better than Windows.)


Great pontification, but certainly Windows is used where the risk is far
greater than a lowly ATM.

The driver here is that ATMs are not viewed by most banks as profit-making
applications. Can you imagine the network access required to allow other
services like travel planning, purchasing tickets, etc.?  I've been through
that battle and so far we've managed to keep the ATM at my bank fairly
generic in function.

Then having said that, the amount of money that banks are willing to spend
on ATM technology is not quite as much as if there were a positive ROI. In
turn the vendors don't have unlimited amounts of cash to design and roll out
an ATM platform on a more secure OS.

In the financial world, there are not many niches where some play and some
don't. The industry more or less as a whole responds to legislation, customer
demand and regulation. This does vary by country, but I'm only talking about
the US.

When I use the term "commercially reasonably secure", that means that what I'm
doing is more or less in line with what legislation, regulators and
customers demand. It's not making the case that it's holistically secure.

As long as I'm doing everything I can to secure the transaction and limit
what any device connected to the Ethernet cable where the ATM is located can
do, as well as apply the list of controls and monitoring that we do, the
risk is mitigated to commercially reasonably acceptable levels for the
regulators and the company.

Sure the risk is not zero as the purists of this list would like, but until
it is either required by law, or driven by the market itself, this area of
financial services will be fairly static.



Dennis
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
