April 18, 2004
News that Windows-based ATMs operated by two unnamed financial institutions were affected by the W32/Nachi worm last August has heightened concerns of bankers planning a switch from the OS/2 operating system to Windows.
Unlike Windows, OS/2 never attracted hackers' attention.
"Theoretically, OS/2 running on a bisync network is just as vulnerable, but how many hackers know how to do it?" said Stuart Spinner, director of enterprise data security for Concord EFS.
"Outside the ATM world, there's been very little exposure to that technology. With Windows, any 16-year-old kid running a TCP/IP network in his basement can download hacking tools from the Internet."
Details of how ATMs were infected remain shadowy, but breaches apparently occurred on ATMs networked via IP connections. While not all Windows-based machines are configured for IP, many financial institutions are moving to IP to integrate ATMs with other Windows-based channels.
"It would be too cost-prohibitive to switch to Windows without looking at extending your enterprise functionality into the ATM channel," said Steve Osborne, NCR's general manager of enterprise solutions for APTRA.
"You've had IP-enabled ATMs since the late '90s, but most of them have been on OS/2 rather than Windows. There's still a threat of infection, but it's significantly reduced. Similarly, there is a threat with Windows in a non-IP environment, but it's not as great."
Nachi notwithstanding, it's difficult for worms and viruses to infect ATMs because they lack e-mail capabilities, Microsoft Word programs and other common entry points, Osborne said.
FIs rolling out Windows-based ATMs have adopted different networking approaches. Some use a virtual private network to funnel all ATM transactions through a Web browser that sits between the host and the ATM.
Others, including FleetBoston Financial, maintain a dedicated, leased-line connection for standard transactions, routing them to the host via SNA (IBM's Systems Network Architecture). Web-based transactions, such as a bill payment application the bank is piloting at some ATMs, are routed to servers via a VPN.
Jim D'Aprile, Fleet's VP of ATM/Self-Service Banking, noted that security concerns played a part in Fleet's decision.
Firewalls and virus scans are crucial, said Tom Sonby, Concord's vice-president of technology systems. "I'd say that 99.9 percent of the time, all it takes is the implementation of some very sensible procedures to minimize your exposure to attacks."
While widely implemented elsewhere in the enterprise, few of these measures are used at ATMs. "Software security is not something that this generation of ATM executives has had to deal with much," Osborne said.
That's changing, said Kevin Carroll, Concord's director of ATM services. "When an ATM is Windows based, you've got to consider it another desktop in your network. It's part of the enterprise, and you need to adopt the same security measures there that you have in place elsewhere."