A recent disclosure by Diebold that its automated teller machines operated by two financial services customers were struck by the W32/Nachi worm has heightened concern of even wider disruptions from virus and worm outbreaks, and highlights a growing security concern about vulnerability of cash machines running Windows XP and interacting with other Windows systems.
The outbreak of Nachi, also known as "Welchia," occurred in August and required the two customers to take down and patch infected ATMs before they could be safely brought back online, says Jim Merrell, director of global product marketing at Diebold, a leading ATM manufacturer. The affected financial institutions were not identified.
Make Way for Windows
Security problems on ATM networks are coming as many banks worldwide are migrating off an older generation of machines that run IBM's OS/2 operating system. Many are moving to new systems running Windows.
The mass migration to Windows is spurred by several factors, says Ann All, editor of ATM Marketplace.com, an online publication covering the ATM market. IBM has decided to stop supporting OS/2 by 2006. Banks are feeling pressure from creditors such as Mastercard and Visa to introduce stronger data encryption, and U.S. regulators are pushing for new features for disabled users, All says.
The choice of Windows is driven largely by ATM vendors, All adds. "They're telling [banks] how great and flexible Windows platforms are," she says.
Leading ATM vendors say that adopting Windows was inevitable, and cite the operating system's dominance on corporate networks and its built-in support for Web standards.
Banks will be able to create a consistent look and feel between home banking applications and ATMs. Even more important, they can reuse business processes written for the Web and other Windows platforms on their ATMs, making it easier to deploy new ATM features, says Rob Evans, director of industry marketing at NCR, a leading ATM manufacturer.
Despite support from vendors, security analysts predict that the move to Windows-based ATMs will almost certainly result in more disruptions from worms, viruses, and hackers, because Windows presents more avenues for exploitation than OS/2 or an ATM-specific OS.
"You're dealing with a general-purpose operating system that has millions of lines of code. Banks can take advantage of the connectivity, but they're increasing their security risk," says Mike Rasmussen, a security analyst at Forrester Research.
Bruce Schneier, chief technology officer at Counterpane Internet Security and author of the book Beyond Fear, sees both advantages and disadvantages for banks in switching to Windows ATMs.
"The general-purpose operating system does everything. Unfortunately, that also means there's more bad stuff that could run on the computer," he says.
A switch to Windows-based ATMs could still be worth the security headaches if the new features, savings, and efficiencies offset the costs of securing them and cleaning up after outbreaks, Schneier says. But if ATM vendors and banks miscalculate the cost of securing those systems, the decision to move to Windows could prove fateful, he adds.
"The worry is that [Windows ATMs] actually have higher costs than they anticipated," Schneier says. "What if, now, hackers target Windows ATM machines and steal money? Does that affect customers? I hope that they're thinking about this because there are real risks."
Fleet Tests It Out
At FleetBoston, the decision to move to Windows-based ATMs was driven by the company's two main ATM vendors, Diebold and NCR, which account for almost all of Fleet's 3500 ATMs. Both encourage the use of Windows XP instead of Linux or Unix on newer ATMs and legacy hardware, according to Jim D'Aprile, manager of ATM functionality and payment product engineering at Fleet.
Fleet also wanted more consistency between ATM networks and the rest of its business applications, D'Aprile says.
"I don't want to put a plug in for Windows, but it is the operating system of choice for desktops and Web-enabled applications, so if you want compatibility with those systems, it's a no-brainer," D'Aprile says.
Fleet recently completed a pilot test of 100 Windows NT ATMs in New York and Boston and is certifying Windows XP for deployment, D'Aprile adds. The new ATMs resemble Fleet's other ATMs but offer new features. For example, users can manage multiple transactions simultaneously on the ATM, and access online bill payment features set up through the company's Homelink home banking service, he says.
Despite the enthusiasm about new features, both ATM vendors and their customers say they are concerned about security issues stemming from Windows. Although major ATM vendors are united in choosing Windows to replace OS/2, they do not agree on how to address their security concerns. For example, Diebold and NCR disagree on whether ATMs are safer using embedded versions of Windows XP (XPE) or "off-the-shelf" versions of the OS.
Diebold is shipping its new line of Opteva ATMs with Windows XPE, says Steve Grzymkowski, senior product marketing manager at Diebold. The company believes the embedded OS gives Diebold better efficiency on its ATMs by removing unnecessary drivers and files.
But NCR is shipping full versions of XP on its Personas series ATMs, hundreds of which are already deployed. The company's APTRA software runs on the off-the-shelf XP platform, Evans says.
"We are not recommending the use of Windows XP embedded," Evans adds. "When you've gone to an embedded operating system, you've got to account for weird stuff in the code, and that means you're going to get patches for your version several weeks behind the rest of the market."
Waiting longer for patches is "an important concern" to Diebold, but the company gets ample warning from Microsoft on new vulnerabilities and does not believe that using XPE will delay delivery of patches to ATM customers, Grzymkowski says. Diebold individually tests Microsoft patches with all its ATM hardware, but generally turns patches around in 24 hours, he adds.
After introducing Windows NT-based ATMs on its Series 7000 machines, Fujitsu Transaction Solutions, a division of Fujitsu, is shipping Windows XPE on its new Series 8000 machines, says Kent Schrock, director of marketing.
Fujitsu will distribute software updates on CDs and install them on ATMs using a software distribution tool or manually by visiting technicians, Schrock says.
Beyond the question of operating systems, ATM vendors are divided about additional security.
Diebold and other ATM vendors are "hardening" the installations of Windows they ship with their ATMs, disabling unnecessary services and ports and removing files that support peripheral devices. In November, Diebold and Sygate announced that Diebold ATMs will run Sygate's firewall software to protect them from software security threats.
However, few other vendors have followed suit, and many are leaving security decisions to their customers.
"When customers ask me [about ATM security], I tell them to talk to their network security people," Schrock says. "They need to treat their ATM like other devices on their network and protect it."
But the switch to Windows might be difficult for ATM network administrators accustomed to managing low-profile OS/2 systems, experts say.
"There wasn't really a security issue at all in the OS/2 world, but there is in the Windows world," All says.
And some are concerned about patch distribution, despite Diebold's confidence. More than one ATM vendor spokesperson expressed uncertainty about how their company would respond to a scenario similar to the Blaster worm, which appeared only weeks after a new vulnerability was disclosed.
"It sounds like a dangerous situation. I know we'd have to respond very quickly and would respond quickly. I hope our customers would respond and take care of their networks," Schrock says.
Familiarity with Windows probably makes banks more attuned to the platform's security risks, he adds.
Schrock also admits that banks are probably "talking a better game than they're playing" when it comes to ATM security.
Diebold says its customers get the message.
"We've seen a significant increase in awareness on our customers' part and in the amount of monitoring that takes place compared to [OS/2-based ATMs]," Merrell says. "Most financial services companies are very concerned [about security] and are monitoring their networks very carefully. It's very expensive to customers when ATM networks go down, so they take all the steps necessary to prevent that from happening."
Fleet is hedging its bets with the new Windows-based ATMs, relying on an existing leased line network using IBM's Systems Network Architecture to connect ATMs to a Tandem mainframe for processing core ATM functions such as customer personal identification numbers and account information, D'Aprile says.
"That connection type has been in place for 20 years and isn't prone to hacking. It allows us to isolate ourselves a bit more," he says. The company also uses a VPN for other ATM functions requiring a connection to Fleet's network.
Still, D'Aprile says news of the worm outbreak on Diebold's systems is a concern and banks must be much more vigilant about keeping up to date on Windows patches.
Even so, the rollout of Windows-based ATMs is expected to accelerate in coming years, as smaller banks and credit unions follow the lead of larger financial institutions, according to ATM Marketplace.com's All.
Banks will also begin moving their ATMs from expensive leased line networks to less-secure TCP/IP-based networks. The advantage of those networks is the opportunity for expanded features, remote access management, and easier software distribution, Diebold's Grzymkowski says.
"You get a consistent look and feel, expanded transactions across all channels, and new solutions," says NCR's Evans. "Those are well worth the inconvenience you might get from a PC virus."