ATMs Face Deadline to Upgrade From Windows XP



    Posted: 18 Jan 2014
    One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It’s hardly stuff to set the heart racing.

    When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards. Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)
    Source

    Posted By: A Guy



  1. Posts : 328
    W7 Pro 64
       #1

    Good to know my personal data PIN etc. are protected by a modern and secure OS....


  2. Posts : 4,466
    Windows 10 Education 64 bit
       #2

    I think you'll find that that's Windows XP Embedded. Nothing except the OS is actually stored on the ATM. The info is all on the server the ATM talks to when you use it. A lot of POS terminals use it too, like supermarket cash registers. They'll be in the same boat.


  3. Posts : 328
    W7 Pro 64
       #3

    alphanumeric said:
    I think you'll find that that's Windows XP Embedded. Nothing except the OS is actually stored on the ATM. The info is all on the server the ATM talks to when you use it. A lot of POS terminals use it too, like supermarket cash registers. They'll be in the same boat.
    So who stops anyone from intercepting that information? Or from implementing malware that also communicates the information elsewhere? At the moment I enter my PIN in the ATM, it is in the ATM on an outdated insecure OS.

    I guess all the bailout money went to CEO bonuses after all, certainly not into security.


  4. Posts : 4,466
    Windows 10 Education 64 bit
       #4

    As far as I know it's a dedicated phone line from the ATM to the server. Communication is also encrypted. You would have to gain physical access to the internals to infect it with malware. They are not connected to the internet if that's what you're thinking. There may not even be a hard drive; with an embedded system it could all be on flash ROM. It's not nearly as insecure as you're thinking. It's quite a bit different from the XP you run on your home PC.


  5. Posts : 328
    W7 Pro 64
       #5

    alphanumeric said:
    As far as I know it's a dedicated phone line from the ATM to the server. Communication is also encrypted. You would have to gain physical access to the internals to infect it with malware. They are not connected to the internet if that's what you're thinking. There may not even be a hard drive; with an embedded system it could all be on flash ROM. It's not nearly as insecure as you're thinking. It's quite a bit different from the XP you run on your home PC.
    There recently was the case where criminals drilled a hole in the ATM to access the USB port of the MB. They inserted a USB stick to upload their own version of the OS with malware. I'm not sure if they had to come back to download the data it logged, or managed to send it somewhere. I know this requires quite some insider knowledge, but ATMs are not 100% safe and having an insecure OS doesn't help.

    And if the OS security doesn't matter because of encryption and a dedicated phone line, why are they replacing it at all? If your theory is true, they could run XP indefinitely (or at least till they get a new ATM).

    I'm not saying you are wrong and I'm not an expert, but having an outdated OS is a risk.


  6. Posts : 4,466
    Windows 10 Education 64 bit
       #6

    It all comes down to "what risk"? If said PC never ever connects to the Internet then you would have to have physical access to it to infect it with malware. The majority of security patches issued by Microsoft are to fix flaws that could be exploited from the Internet. If said PC never connects to the Internet, where is the risk? I'm not saying they shouldn't dump XP for a more secure OS, but in the case of an ATM you need to put some perspective on it. They likely don't patch ATM machines every Patch Tuesday like you do your home PC; there is no need for it. The hardware is fixed and so is the software.

    For someone to do what you posted means they would have to have insider info. It's a little more involved to set up a Windows XP Embedded setup than it is to just install XP on your home PC. They would also have to have the ATM program code that makes the ATM an ATM. It's a very custom image. It's likely very hard for you to get your hands on it even if you work for the bank or the company that makes the ATMs.

    What I read from the article is that they "should" upgrade the ATM, not that they necessarily will. That's my spin on it anyway. I'm not going to lose any sleep over it.


  7. Posts : 7,466
    Windows 10 Home Premium 64bit sp1
       #7

    If you're smart, start stockpiling money at home in a safe and use prepaid cards. Seems they know about this but don't care about the risk, and the customers will be left screwed.


  8. Posts : 2,468
    Windows 7 Ultimate x64
       #8

    Once again we must hear that from MS. When they finally drop support for XP, everything will continue to run exactly the same as it was the day before it; nothing will break, nothing will change (for good or bad). For the final user, MS support means ABSOLUTELY NOTHING. I wonder how many times the bank IT guys have actually called them.

    XP is a great OS, contrary to the MS auto-FUD in favor of 7/8, and when properly configured it can be quite safe if used correctly. Of course, the default configuration is wide open to many security flaws which can easily be solved. The very same thing exists in later versions too, a bit reduced.
    And we must not forget that MS business is precisely that, to promote "upgrades" so that they charge the full price again for the same program with a few more features (that banks in particular will never use), so it's natural they boycott their older programs in favor of newer ones.

    Security? Come on! Banks are using Windows!!! If they REALLY wanted a secure system, they would use some Linux-based OS for their terminals, not Windows to begin with. A few lacking updates and patches for a very closed system will not make a real difference, more so considering those computers aren't exposed to regular users, except in very limited, tightly controlled ways.


  9. Posts : 2,973
    Windows 7 Professional 64bit SP1
       #9

    I work in a facility that houses 6 ATMs owned and maintained by a large regional bank and I occasionally have to work on them. I know they can use a dial-up service to function, but they can also work with a wireless connection....which absolutely blew my mind when I first learned this. Windows XP is vulnerable enough as-is and as far as I know massive ATM hacking hasn't presented itself, so obviously it's not that easy to do. I don't trust the "encryption" that is supposed to keep all of this traffic safe because we see and hear stories every day of how little encryption businesses and services actually use/employ.....70+ million Target customers now understand that.

    I say upgrade to Windows 7 Embedded machines and be done with it. These old ATM machines have served their purpose, time to put them out to pasture.

    Also, I was in tech classes with a guy that worked with the local banks and he said the "sensitive" data was handled by Linux based systems.....fwiw.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
