DarkSithPro (banned)
join:2005-02-12
Tempe, AZ

DarkSithPro (banned)

Member

How can consumers be protected if 95% of ATMs use XP when support ends soon?

I'm a little confused at why State and Federal Government hasn't done anything about this? Most ATMs use XP and support ends April 8. So essentially after that date all of us who withdraw money are at a much higher risk of our accounts being compromised.
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned)

Member

If the ATM is secure and if on a private network, it wouldn't matter. Now cut a hole to connect to a USB port or put it on a public network, a different answer.
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

dave to DarkSithPro

Premium Member

to DarkSithPro
What do you propose? Are you in favour of government regulations demanding that a private company keeps spending money on a product it stopped selling several years ago? Or that there is a legally-mandated crash program to replace privately-owned functioning devices with an inadequately-tested replacement?

Tejas
@verizon.net

Tejas

Anon

Banks are still running OS/2, Windows 2000, NT. Their security is not in the OS, besides ATMs run a special version called XP Embedded. It's designed just for that type of environment. It allows you to install only what you need and prevent writes to the drives. It's good until 2016
DarkSithPro (banned)
join:2005-02-12
Tempe, AZ

DarkSithPro (banned) to dave

Member

to dave
said by dave:

What do you propose? Are you in favour of government regulations demanding that a private company keeps spending money on a product it stopped selling several years ago? Or that there is a legally-mandated crash program to replace privately-owned functioning devices with an inadequately-tested replacement?

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?
DarkSithPro

DarkSithPro (banned) to Tejas

Member

to Tejas
said by Tejas :

Banks are still running OS/2, Windows 2000, NT. Their security is not in the OS, besides ATMs run a special version called XP Embedded. It's designed just for that type of environment. It allows you to install only what you need and prevent writes to the drives. It's good until 2016

Well that's a sigh of relief. Thanks...
Frodo
join:2006-05-05

Frodo to DarkSithPro

Member

to DarkSithPro
»blogs.msdn.com/b/windows ··· ded.aspx
quote:
Additionally, Windows XP Embedded at the supported Service Pack level, currently SP3, exited Mainstream support and entered the Extended support phase of its Lifecycle on January 11, 2011. During the Extended Support phase for Windows XP Embedded, Microsoft continues to provide security updates at no additional charge. Additionally, paid support remains available. Extended Support for Windows XP Embedded at the supported service pack level is available until January 12, 2016.
So, two more years for XP embedded so long as it is on the current service pack.
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned) to DarkSithPro

Member

to DarkSithPro
As another already said, it should be an embedded version of the OS. The core OS should be fairly secure at this point and doesn't have all the extra bloat surrounding the core OS to attack.
dave
Premium Member
join:2000-05-04
not in ohio

1 edit

1 recommendation

dave to DarkSithPro

Premium Member

to DarkSithPro
But the more significant point is that the *device* is either secure or not. Focusing on one part of the device misses the point: in this case, practically all relevant XP vulnerabilities rely on the ATM being on the public network with exposed insecure services, which would be foolish regardless of which OS was running the ATM.

(The only exception seems to be an ATM with USB ports and autorun enabled - but once again that's not the fault of the OS, it's the fault of someone building a physically insecure ATM).

In any case, the ATM will be no less secure in April than it is today.
OZO
Premium Member
join:2003-01-17

OZO to DarkSithPro

Premium Member

to DarkSithPro
said by DarkSithPro:

I'm a little confused at why State and Federal Government hasn't done anything about this?

What does either State or Federal Government have to do with that?

What you call "outdated software" is in the eyes of a beholder. XP is secure and obviously does its job very well. Otherwise, those companies will begin to think that they have to replace it. But if they don't think so, why do you care? Do you want govt to spend more money and you, as a result, pay more taxes? Is that what you want?

Personally, I don't have any problem if XP will be used there next 10-20+ years. I have enough concerns about security of my own devices and communications and what banks are using now are far, far behind any of them...

BTW, this exact topic was discussed here just a couple of days ago.

goalieskates
Premium Member
join:2004-09-12
land of big

4 recommendations

goalieskates to DarkSithPro

Premium Member

to DarkSithPro
said by DarkSithPro:

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?

You're assuming the newer stuff is more secure. Why? Because the marketing people told you so?

The simple act of writing a new version with even more bells and whistles (and hence, more points of vulnerability) makes newer more insecure, not less. Also, a lot of Windows bugs persist through several versions - they're not total rewrites.

vaxvms
ferroequine fan
Premium Member
join:2005-03-01
Polar Park

vaxvms to DarkSithPro

Premium Member

to DarkSithPro
said by DarkSithPro:

No, cracking down on companies that use outdated software

So you want the government to crack down on the government as well.
DarkSithPro (banned)
join:2005-02-12
Tempe, AZ

DarkSithPro (banned)

Member

Wow, look at all the outrage over my concern. Tejas simply explained it and that's it. No need to jump all over me.
DarkSithPro

DarkSithPro (banned) to goalieskates

Member

to goalieskates
said by goalieskates:

said by DarkSithPro:

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?

You're assuming the newer stuff is more secure. Why? Because the marketing people told you so?

So we should all be using Internet Explorer 6 then, right? It launched with XP, so it should be as secure, or more secure than IE8,9,10 and 11? Same guys created the XP OS, so their browser directly reflects their security model, right?

anonome
@verizon.net

anonome

Anon

The Internet and sites thereon (as well as how we use it/them) have changed a lot over the years. ATMs haven't changed much at all.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to DarkSithPro

Premium Member

to DarkSithPro
So, XP is fine for ATMs, but not for POS systems.

Got it.
dave
Premium Member
join:2000-05-04
not in ohio

dave to DarkSithPro

Premium Member

to DarkSithPro
said by DarkSithPro:

Same guys created the XP OS, so their browser directly reflects their security model, right?

No, because (a) it wasn't the same 'guys', it was different divisions in a huge company where not everyone pulls in the same direction, and (b) a key feature of browsers is to download and execute chunks of code from the internet; the OS, not so much.

Uninstall all user-facing web access, and you'll solve most of your security problems. Disable net-facing services and that takes care of practically all of the rest. In an ATM, you're left with programming errors in the UI, and the physical ('cut through the wall') attacks.
dave

dave to DarkSithPro

Premium Member

to DarkSithPro
said by DarkSithPro:

Wow, look at all the outrage over my concern.

Outrage? No. Mostly, I was amused by the sight of a red-roomer calling for more government regulation of business.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00 to DarkSithPro

Premium Member

to DarkSithPro
ATM and XP insecure? Being secure or insecure depends on more than just the OS.

As long as those ATM's are not connected to the internet, and walled off, they will be fine, barring someone doesn't drill the atm and get it that way (OS won't help much there)

Also Darksith, you're acting like changing from XP Embedded to a new OS is something they could easily do, and that's just simply not true. Many of those ATM's run custom coded software and perhaps even some in-house written software as well that may simply not work on newer windows versions for whatever reasons.

You do realize that many hospitals run XP too? I was in one of the largest hospitals in eastern half of the USA when my dad was sick, and all the computer terminals the nurses ran around with, and all the portable table PC hooked up to medical equipment were all running Windows XP. That doesn't make that software insecure, in fact, that software played a big part in saving my dad's life.

As long as those ATM are not hooked up to the internet, they are most likely fine.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy to DarkSithPro

MVM

to DarkSithPro
ATMs use a different version of XP, Windows XP Embedded and Microsoft support lasts until early 2016.

That said, it is the banks and the ATM owners that should worry, not customers. Most ATM hacks are designed to empty the cash trays.

EGeezer
Premium Member
join:2002-08-04
Midwest

1 recommendation

EGeezer

Premium Member

Re: ATM hacks

said by Kilroy:

Most ATM hacks are designed to empty the cash trays.

And the rest are mostly attaching a skimmer and camera to an ATM - or simply placing a fake ATM on top of a real one to steal card information and PINs.

Given the walled garden network environment of an ATM system, I'd be more concerned about this kind of hack than vulnerabilities in the imbedded code.

When businesses realize that the consequences of poor security are much more expensive than the costs of good security, they will choose good security.

Assigning liability for bad choices trumps regulations to prevent bad choices.

David
Premium Member
join:2002-05-30
Granite City, IL

David to DarkSithPro

Premium Member

to DarkSithPro

Re: How can consumers be protected if 95% of ATMs use XP when support ends soon?

Before I started AT&T, Amano pay station cash registers used Windows 95 (which was end of life'd well after XP came out). The only network capability they had was a dial up modem for the credit card portion of the machine. That's pretty much it. Any interfacing you did, you did with a rs-422 cable/console port.

I would imagine a lot of ATMs probably won't need more than XP only because they will dial a secure number or be connected to a secured network.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy to EGeezer

MVM

to EGeezer

Re: ATM hacks

said by EGeezer:

And the rest are mostly attaching a skimmer and camera to an ATM - or simply placing a fake ATM on top of a real one to steal card information and PINs.

Which has absolutely nothing to do with the operating system that the ATM is running. Though I just heard on the latest Security Now! podcast that the Target POS machines were also running this version of XP.

ROCINANTE
Original Member 007
Premium Member
join:1999-06-29
Hartsdale, NY

ROCINANTE to DarkSithPro

Premium Member

to DarkSithPro

Re: How can consumers be protected if 95% of ATMs use XP when support ends soon?

What does IE have to do with ATMs?
fartness (banned)
Donald Trump 2016
join:2003-03-25
Look Outside

fartness (banned) to DarkSithPro

Member

to DarkSithPro
I remember a few years back everyone at college asking why they're teaching us how to fix/maintain Windows 98 computers. We were told we'd still see them in the field. I've used OS/2 but I probably wouldn't be very l337.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

Name Game to DarkSithPro

Premium Member

to DarkSithPro
XP is not secure enough on ATM's ... if you have too much RAM windows can not handle the impact and you end up with muffler overflow. »www.wjla.com/articles/20 ··· 443.html
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

dave

Premium Member

OT: Why you need copy-editors.
said by article :
No one was injured from the accident.
Ramming a van through a store door and stealing an ATM is 'an accident'?