

DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2

How can consumers be protected if 95% of ATMs use XP when support ends soon?

I'm a little confused at why State and Federal Government hasn't done anything about this? Most ATMs use XP and support ends April 8. So essentially after that date all of us who withdraw money are at a much higher risk of our accounts being compromised.

nonymous
Premium
join:2003-09-08
Glendale, AZ
If the ATM is secure and if on a private network wouldn't matter. Now cut a hole to connect to a USB port or put it on a public network a different answer.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

reply to DarkSithPro
What do you propose? Are you in favour of government regulations demanding that a private company keeps spending money on a product it stopped selling several years ago? Or that there is a legally-mandated crash program to replace privately-owned functioning devices with an inadequately-tested replacement?


Tejas

@verizon.net
Banks are still running OS/2, Windows 2000, NT. Their security is not in the OS, besides ATMs run a special version called XP Embedded. It's designed just for that type of environment. It allows you to install only what you need and prevent writes to the drives. It's good until 2016


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to dave
said by dave:

What do you propose? Are you in favour of government regulations demanding that a private company keeps spending money on a product it stopped selling several years ago? Or that there is a legally-mandated crash program to replace privately-owned functioning devices with an inadequately-tested replacement?

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to Tejas
said by Tejas:

Banks are still running OS/2, Windows 2000, NT. Their security is not in the OS, besides ATMs run a special version called XP Embedded. It's designed just for that type of environment. It allows you to install only what you need and prevent writes to the drives. It's good until 2016

Well that's a sigh of relief. Thanks...

Frodo

join:2006-05-05
kudos:1
reply to DarkSithPro
»blogs.msdn.com/b/windows-embedde···ded.aspx
quote:
Additionally, Windows XP Embedded at the supported Service Pack level, currently SP3, exited Mainstream support and entered the Extended support phase of its Lifecycle on January 11, 2011. During the Extended Support phase for Windows XP Embedded, Microsoft continues to provide security updates at no additional charge. Additionally, paid support remains available. Extended Support for Windows XP Embedded at the supported service pack level is available until January 12, 2016.
So, two more years for XP embedded so long as it is on the current service pack.

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to DarkSithPro
As another already said it should be an embedded version of the OS. The core OS should be fairly secure at this point and doesn't have all the extra bloat surrounding the core OS to attack.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit

1 recommendation

reply to DarkSithPro
But the more significant point is that the *device* is either secure or not. Focusing on one part of the device misses the point: in this case, practically all relevant XP vulnerabilities rely on the ATM being on the public network with exposed insecure services, which would be foolish regardless of which OS was running the ATM.

(The only exception seems to be an ATM with USB ports and autorun enabled - but once again that's not the fault of the OS, it's the fault of someone building a physically insecure ATM).

In any case, the ATM will be no less secure in April than it is today.

OZO
Premium
join:2003-01-17
kudos:2
reply to DarkSithPro
said by DarkSithPro:

I'm a little confused at why State and Federal Government hasn't done anything about this?

What either State or Federal Government have to do with that?

What you call "outdated software" is in eyes of a beholder. XP is secure and obviously does its job very well. Otherwise, those companies will begin to think, that they have to replace it. But if they don't think so, why do you care? Do you want govt to spend more money and you, as a result, pay more taxes? Is that what you want?

Personally, I don't have any problem if XP will be used there next 10-20+ years. I have enough concerns about security of my own devices and communications and what banks are using now are far, far behind any of them...

BTW, this exact topic was discussed here just a couple of days ago.
--
Keep it simple, it'll become complex by itself...


goalieskates
Premium
join:2004-09-12
land of big

4 recommendations

reply to DarkSithPro
said by DarkSithPro:

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?

You're assuming the newer stuff is more secure. Why? Because the marketing people told you so?

The simple act of writing a new version with even more bells and whistles (and hence, more points of vulnerability) makes newer more insecure, not less. Also, a lot of Windows bugs persist through several versions - they're not total rewrites.


vaxvms
ferroequine fan
Premium
join:2005-03-01
Wormtown
kudos:3
Reviews:
·Charter
reply to DarkSithPro
said by DarkSithPro:

No, cracking down on companies that use outdated software

So you want the government to crack down on the government as well.


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to DarkSithPro
Wow, look at all the outrage over my concern. Tejas simply explained it and that's it. No need to jump all over me.


DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to goalieskates
said by goalieskates:

said by DarkSithPro:

No, cracking down on companies that use outdated software when they were warned in 2008. How is it fair to the consumer when their personal data is being handled by an insecure OS?

You're assuming the newer stuff is more secure. Why? Because the marketing people told you so?

So we should all be using Internet explorer 6 then, right? It launched with XP, so it should be as secure, or more secure than IE8,9,10 and 11? Same guys created the XP OS, so their browser directly reflects their security model, right?


anonome

@verizon.net
The Internet and sites thereon (as well as how we use it/them) have changed a lot over the years. ATMs haven't changed much at all.


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to DarkSithPro
So, XP is fine for ATMs, but not for POS systems.

Got it.
--
Oh, Opera, what have you done?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to DarkSithPro
said by DarkSithPro:

Same guys created the XP OS, so their browser directly reflects their security model, right?

No, because (a) it wasn't the same 'guys', it was different divisions in a huge company where not everyone pulls in the same direction, and (b) a key feature of browsers is to download and execute chunks of code from the internet; the OS, not so much.

Uninstall all user-facing web access, and you'll solve most of your security problems. Disable net-facing services and that takes care of practically all of the rest. In an ATM, you're left with programming errors in the UI, and the physical ('cut through the wall') attacks.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to DarkSithPro
said by DarkSithPro:

Wow, look at all the outrage over my concern.

Outrage? No. Mostly, I was amused by the sight of a red-roomer calling for more government regulation of business.


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state
reply to DarkSithPro
ATM and XP insecure? Being secure or insecure depends on more than just the OS.

As long as those ATM's are not connected to the internet, and walled off, they will be fine, barring someone doesn't drill the atm and get it that way (OS won't help much there)

Also Darksith, you're acting like changing from XP Embedded to a new OS is something they could easily do, and that's just simply not true. Many of those ATM's run custom coded software and perhaps even some in-house written software as well that may simply not work on newer windows versions for whatever reasons.

You do realize that many hospitals run XP too? I was in one of the largest hospitals in eastern half of the USA when my dad was sick, and all the computer terminals the nurses ran around with, and all the portable table PC hooked up to medical equipment were all running Windows XP. That doesn't make that software insecure, in fact, that software played a big part in saving my dad's life.

As long as those ATM are not hooked up to the internet, they are most likely fine.
--
Tech Tips


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to DarkSithPro
ATMs use a different version of XP, Windows XP Embedded and Microsoft support lasts until early 2016.

That said, it is the banks and the ATM owners that should worry, not customers. Most ATM hacks are designed to empty the cash trays.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 recommendation

Re: ATM hacks

said by Kilroy:

Most ATM hacks are designed to empty the cash trays.

And the rest are mostly attaching a skimmer and camera to an ATM - or simply placing a fake ATM on top of a real one to steal card information and PINs.

Given the walled garden network environment of an ATM system, I'd be more concerned about this kind of hack than vulnerabilities in the imbedded code.

When businesses realize that the consequences of poor security are much more expensive than the costs of good security, they will choose good security.

Assigning liability for bad choices trumps regulations to prevent bad choices.
--
»www.flickr.com/photos/egeezer/


David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
Reviews:
·DIRECTV
·AT&T Midwest
·magicjack.com
·Google Voice
reply to DarkSithPro

Re: How can consumers be protected if 95% of ATMs use XP when support ends soon?

Before I started AT&T, Amano pay station cash registers used Windows 95 (which was end of life'd well after XP came out). The only network capability they had was a dial up modem for the credit card portion of the machine. That's pretty much it. Any interfacing you did, you did with a rs-422 cable/console port.

I would imagine a lot of ATMs probably won't need more than XP only because they will dial a secure number or be connected to a secured network.
--
If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this.
Koetting Ford, Granite City, illinois... YOU'RE FIRED!!


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to EGeezer

Re: ATM hacks

said by EGeezer:

And the rest are mostly attaching a skimmer and camera to an ATM - or simply placing a fake ATM on top of a real one to steal card information and PINs.

Which has absolutely nothing to do with the operating system that the ATM is running. Though I just heard on the latest Security Now! podcast that the Target POS machines were also running this version of XP.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


ROCINANTE
Original Member 007
Premium
join:1999-06-29
Hartsdale, NY
reply to DarkSithPro

Re: How can consumers be protected if 95% of ATMs use XP when support ends soon?

What does IE have to do with ATMs?
--
CRUNCH THIS!


fartness
computersoc dot com
Premium
join:2003-03-25
Look Outside
reply to DarkSithPro
I remember a few years back everyone at college asking why they're teaching us how to fix/maintain Windows 98 computers. We were told we'd still see them in the field. I've used OS/2 but I probably wouldn't be very l337.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to DarkSithPro
XP is not secure enough on ATM's ... if you have too much RAM windows can not handle the impact and you end up with muffler overflow. »www.wjla.com/articles/2014/01/va···443.html

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 recommendation

OT: Why you need copy-editors.

said by article:
No one was injured from the accident.
Ramming a van through a store door and stealing an ATM is 'an accident'?