Windows ATMs raise security concerns

IDG News Service - Last week's revelation by Diebold Inc. that its automated teller machines operated by two financial services customers were struck by the W32/Nachi worm raises the specter of even wider disruptions from virus and worm outbreaks and highlights a growing security concern that cash machines running Windows XP and interacting with other Windows systems are vulnerable to attack.
The outbreak of Nachi, also known as Welchia, occurred in August and required the two customers to take down and patch infected ATMs before they could be safely brought back online, said Jim Merrell, director of global product marketing at Diebold, a leading ATM manufacturer based in North Canton, Ohio.
The two financial institutions whose ATMs were affected haven't been identified.
The security problems on ATM networks come as many banks worldwide are migrating off of an older generation of machines using IBM's OS/2 operating system to new systems running Windows.
The mass migration is spurred by a number of factors, said Ann All, editor of ATMmarketplace.com, an online publication. They include IBM's decision to stop supporting OS/2 by 2006, market pressure from creditors such as MasterCard International Inc. and Visa International Inc. to introduce stronger Triple Data Encryption Standard encryption, and pressure from U.S. regulators to introduce new features for disabled users, All said.
Pressure from ATM vendors has also contributed to the near universal decision to use Windows as a replacement for OS/2, All said. "This is being driven largely by vendors. They're telling [banks] how great and flexible Windows platforms are, and [banks] have been seeing [Windows ATMs] at trade shows," she said.
Leading ATM vendors say that shifting to Windows was inevitable and cite the dominance of the operating system on corporate networks and its built-in support for Web standards such as HTML and XML as reasons for the move.
Banks will be able to create a consistent look and feel between home banking applications and ATMs. Even more important, they will be able to reuse business processes written for the Web and other Windows platforms on their ATMs, making it easier to deploy new ATM features, said Rob Evans, director of industry marketing at NCR Corp., a leading ATM manufacturer based in Dayton, Ohio.

Despite support from vendors, security analysts predict that the move to Windows-based ATMs will almost certainly result in more disruptions from worms, viruses and hackers, because Windows presents more avenues for exploitation than OS/2 or a purpose-built ATM operating system.
"You're dealing with a general-purpose operating system that has millions of lines of code.