New ATM Technology

I was watching Fox News this morning and Bank of America had a commercial on new developments in their ATM technology.

They have 16,000 ATM's and are working on the ability for their machines to take cash/check deposits without envelopes. The new generation of ATM's will take individual dollar bills, scan them for authenticity and issue you a receipt.

You can also deposit a check directly into the ATM and the machine will print you a receipt with a facsimile of the check's face.

Pretty futuristic stuff.

Heh, I thought "New Asynchronous Transfer Mode Technology" /ubbthreads/images/graemlins/icon23.gif

But this is cool news too! /ubbthreads/images/graemlins/smile.gif

I do worry about the reliability factor, of course. I just get so frustrated when ATM's are "out of service" and then need to hunt for another.

are these the same new ATM's that will be running windows?

So that we can deposit our cash directly to the hackers without having to go through the middle man? /ubbthreads/images/graemlins/smile.gif

I will be watching closely to see just how much of a disaster that these are and just how much that the banks own up to rather than try to keep secret.

Sadly, one of the reasons for the envelopes is to create a packet with the whole deposit within it. That allows the bank to verify that the deposit matched what the customer keyed in. This helps validate a deposit in the rare case where the ATM dies mid transaction.

One of the nice things about the envelope is that the ATM takes it on the first try, every time. I'd hate to deposit $1000 in $20 bills if it's as picky as all the other currency accepting device I've used. I'd be there for hours.

Daniel

[ QUOTE ]
One of the nice things about the envelope is that the ATM takes it on the first try, every time. I'd hate to deposit $1000 in $20 bills if it's as picky as all the other currency accepting device I've used. I'd be there for hours.

[/ QUOTE ]

OH MAN! I hadn't even thought about that. It will be like the scene where you're trying to get a dollar accepted by the pop machine /ubbthreads/images/graemlins/grin.gif People lined up around the block while you fight with 1 bill after another. man thats hilarious!

I WANT PayPal deposits at the ATM!

PayPal gave me their fancy Visa Debit Card tied to my account, but I can't deposit cash to my PP account at an ATM with it. /ubbthreads/images/graemlins/mad.gif

When I first got that PayPal debit card I was sooo excited, I thought I finally had my fool-proof off-the-books way to move the change and loose bills I painstakingly save for my "mad-money" gun/gear/gadget/light fund onto plastic and all it's inherent flexibility for Internet/mail-order.

Alas, it's not to be. PayPal's site makes it sound like they may do it someday. I will continue to hope.

If you have a non-sympathetic/anti-gaget wife, you understand my disapointment.

[ QUOTE ]
James S said:
are these the same new ATM's that will be running windows?

So that we can deposit our cash directly to the hackers without having to go through the middle man? /ubbthreads/images/graemlins/smile.gif

[/ QUOTE ]

Hasn't this been addressed? ATMs have been running Windows NT, 2000, XP embedded for years. Hell, I'm sure there are still ATMs running OS/2 with buggy, vulnerable versions of sendmail for critical communications - but I'm not worried.

If the machine crashes, so does the application that's the sole method of user I/O with the machine. That keypad on the front isn't like a keyboard that can interact directly with the OS, you know. Only a technician with a laptop can interact with the OS at an administrator level. Crashed ATMs aren't very exciting. Sometimes you see the BSOD, other times you see the actual desktop - never able to interact with it because the application that communicates with the keypad/touchscreen/etc has gone down and whatever you're doing on the keypad is written to the equivalent of /dev/null.

ATM networks are isolated from the internet. You'd have to crack the carrier's frame relay/PPP/etc network to intercept data. I've yet to hear about hackers successfuly making ATMs spit out cash on demand.

Last I checked, most ATMs have more than adequate physical security to keep hackers away from those vulnerable PS/2, USB, serial/whatnot ports - in addition to securing that 20-40 thousand dollars of currency...

I'm far more worried about the scads of ecommerce sites out there using shopping cart apps running defaults, or the servers running unpatched Windows NT server OSs... far easier money for the enterprising hacker than "hacking" ATMs.

The specter of Windows on ATMs is due to the fact that several cases have been reported where the ATMs were tied to the bank's IP network, and a virus got through to the internal machines.

I'm pretty sure it was BofA that lost it's ATMs two years ago when one of the viruses crashed them along with other internal infected systems.

If the machine does not crash, it can be used just like all the other hijacked computers on the net. If a hacker ever realized that they were on an ATM, it would be time to look at the binary to see what havock could be created. I can see a variation of key loggong, sending ATM card numbers and pins back to someone who will sell teh info.

You can not assume the keypad interface is dead just because you see the desktop. Windows programs break in too many innovative ways.

I'm much more worried when I see Windows in a combat situation, such as a naval vessel. Yuck!

Daniel
(OS/2 and sendmail? Really?)

I like the plain old ATMs with a big old CRT monitor that only has two colors and text. Whenever I go to a newer one there's always more options to read, more buttons, more random pointless crap going on on the screen that I don't need to see. With the old ATM I go to I could get money out in my sleep...

I work for an armored car company in their ATM servicing department, so I get to see all the latest and so called greatest machines. Apparently the new machines that Marty Weiner referenced will take the cash in from deposits and then reuse those bills to restock it's own cash cassettes to give back out to the customers. This will mean that they'll get loaded less often, although the way some of these machines are poorly designed it'll just mean more problems to deal with.

Error reading drive C:/

Abort, Retry, Cashout?

[ QUOTE ]
gadget_lover said:
The specter of Windows on ATMs is due to the fact that several cases have been reported where the ATMs were tied to the bank's IP network, and a virus got through to the internal machines.

I'm pretty sure it was BofA that lost it's ATMs two years ago when one of the viruses crashed them along with other internal infected systems.

[/ QUOTE ]
That's not the case. The worms of a few years ago that ran rampant on ATM networks were traced to infected technicians' laptops. Since ATMs don't need firewalls (closed network), the worms spread rapidly. The infection did not spread from the ATM network into other internal networks because of firewalls at the network perimiter - likely based on the all that is not explicitly permitted is denied philosophy (easy enough to impliment for a single, uniform purpose like an ATM).

These same firewalls will quite reliably prohibit nonroutine, unauthorized communication from the secured inner network (itself likely protected by draconian firewall rules from the LAN that workstations are on).

Banks take network security very seriously and spend the money/deploy the equipment to keep it secure. My father used to work for a bank and saw some of this closeup. Banks segment the hell out of their network and are always looking for intrusions on their secure networks ... and probably have honeypots all over the place as well (ex: user-mode linux will let you set up what appears to be an entire server farm on a single box with startlingly modest specs).

Here's another curveball : BofA uses SPX/IPX as their layer 3 protocol. Sure, it's not as standardized or scalable as IP (but scales better than you might think - several routing protocols support it), but it's obscure and nearly unhackable.

[ QUOTE ]
If the machine does not crash, it can be used just like all the other hijacked computers on the net. If a hacker ever realized that they were on an ATM, it would be time to look at the binary to see what havock could be created. I can see a variation of key loggong, sending ATM card numbers and pins back to someone who will sell teh info.

[/ QUOTE ]
Keep in mind that you're dealing with very specialized hardware running a stripped-down OS. You're going to have to figure out how to compromise a nonstandard machine, keylog on unfamiliar hardware, and convince several hardnosed firewalls to pass some rather unusual data (or compromise who knows how many "middle man" machines to slip under the firewalls) ... nevermind that such a rigidly standardized platform can just generate memory hashes at random and shutdown just as soon as something doesn't smell right on a CRC check - or it spots "zombieATM.exe" in the process list.

[ QUOTE ]
You can not assume the keypad interface is dead just because you see the desktop. Windows programs break in too many innovative ways.

[/ QUOTE ]
I've seen a number of crashed "kiosks," from ATMs to gift registry kiosks to self-checkout machines. Only the self-checkout machine was of poor enough design to use the touchscreen as a mouse ... that failed to interact with the NT 4.0 desktop. For all I know, it wasn't even manipulating the "actual" mouse pointer.

Now ... is it possible to somehow compromise ATMs despite the thorough security?

Yes.

Is it worth the effort when you can lift several thousand credit cards #s, expiration dates, shipping addresses, security IDs, and names from some poorly-secured ecommerce server ... without leaving so many "fingerprints"?

Probably not.

There are some plausible social-engineering scenarios that can bypass some of the security processes I've mentioned, but they seem just as dicey as running the firewall / ATM self-disganostic gauntlet...

[ QUOTE ]

I'm much more worried when I see Windows in a combat situation, such as a naval vessel. Yuck!

Daniel
(OS/2 and sendmail? Really?)

[/ QUOTE ]

There was an article in The Register joking about "Windows for Warships" a few years back ... but I hear the Navy has a specialized "distro" (snicker) of Windows NT running the sub fleet.

Yes on the OS/2. Financial institutions were the only place that OS/2 really took off and continues to have staying power.

I watched a CSI episode once, I think it was, where a guy put a card reader over the card slot on an ATM, as well as a camera behind a pamphlet holder. With the card reader reading the cards as they went into the ATM, and the camera capturing PIN codes, he was able to steal a large amount of money before being caught.

It was just a CSI episode though, but it is an interesting thought, that has nothing to do with the ATM software itself.

[ QUOTE ]
IlluminatingBikr said:
I watched a CSI episode once, I think it was, where a guy put a card reader over the card slot on an ATM, as well as a camera behind a pamphlet holder. With the card reader reading the cards as they went into the ATM, and the camera capturing PIN codes, he was able to steal a large amount of money before being caught.

[/ QUOTE ]

There has been warnings of this happening around ATMs around Asia and Australia.

Geoff

hmm if those machines hand out the cash they take in, get ready for some pretty nasty looking bad smelling bills. Oh and don't use the ATM next to the fish market :-D

The BOA incident was due to the back end data bases (MS SQL Server) being infected so they were down, the ATM's them selves were never infected. There are however a lot of ATM's (and other devices) running windows. There are a few web sites dedicated to pictures of blue screens. I had to wait for the windows register to reboot one day in Home Depot.