the new look site is very nice @zdnetasia @zdnetaustralia
1 minute ago by susan_m on twitter
We have relaunched: Take the tour of what's new on ZDNet Australia!
ZDNet / Windows / Story
Is running Windows XP on ATMs stupid?
When creating a secure, locked down IT system — for something that is directly responsible for handling cash transactions — would you choose the most popular, most targeted operating system?
You would think that running the most widely used operating system on your network of ATMs is just an invitation for trouble. At least some security folk reckon XP makes ATMs an easy touch for hackers.
But not the execs at National Australia Bank (NAB), who this week announced the bank is overhauling its 1,600 ATMs to run on Windows XP.
Gibbins and NAB are not alone on this front. Seventy-five percent of Australia's ATMs run on some version of Windows, according to an NCR spokesperson.
Why?
According to NCR's chief technology officer Alan Chow, running ATMs on Windows is about "brand image".
"Banks spend a lot of energy personalising [an ATM] screen. The ATM is the brand image of the bank. If you want to see the difference why they choose [a full version of Windows XP] — versus a stripped down embedded OS — go to the ATMs at the corner store and compare the user interfaces. Without the interface, it's just a cash dispenser. This is about brand image," he said.
So there's a trade off between convenience and security. I can appreciate that. And I'm sure NAB can mitigate the threats that affect the rest of the world on Windows XP from affecting both its 28,000 newly XP'd desktops and now its ATMs. Running Windows doesn't necessarily mean you're screwed. Just Ask Bruce Schneier.
Back in 2003, Cambridge security researcher, Ross Anderson, in a Wired article, said ATMs running Windows would likely see a Slammer style attack, resulting in money spewing forth from thousands of machines.
FUD and rubbish, said Bruce Schneier. Why? Because in 2003 the machines did not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment.
But National Australia Bank proudly announced this week that it will be the first bank to roll out ATMs that operate on TCP/IP networks.
So don't be surprised if you start seeing ATMs spewing cash from their dispensers. I am going to carry around a swag bag just in case.
Related stories
NAB splashes out AU$100m on Windows ATMs
NAB gives staff final word on IT jobs offshoring
NAB ditches Windows NT for XP
Telstra, NAB and Visa turn mobiles into credit cards
NAB offshores IT jobs in skills hunt
NAB floats denial-of-service threats to the cloud
SMS two-factor authentication dead in 3 years: NAB
Talkback
Better odds than the pokies?
Thank God I don't have an account at NAB.
XP running the ATMs is a disaster waiting to happen IMHO.
Maybe I start hovering around the ATMs waiting for when, not if, they get haxored and start spewing out ca$h.
Anon April 25th, 2008You're assuming...
..that the things aren't blue-screeing already!
BSOD !
mr black April 25th, 2008previously, on Windows ...
http://web.archive.org/web/20020926070404/digitallaughter.com/pix/sparbank.jpg
windows 9x on an atm. boingg...
http://web.archive.org/web/20050321073334/zem.squidly.org/bsod/images/19981005.jpg
windows 9x running a billboard. boingg...
Alex 4.0 April 26th, 2008The usual blindness continues
The constant blindness of the anti-Microsoft-for-whatever-reason-even-unfounded-ones continues...
Does any one know what ANZ, Westpac and certain other banks in Australia are running their ATMs on? yep... they're already running on WinXP; sure one of them is embedded XP while the other is full XP.
Do you guys really think the banks are going to connect ANY of their PCs DIRECTLY to the internet?? if you REALLY think that, then I feel very sorry for you.
Glen Roberts April 27th, 2008Do you guys really think the banks are going to connect ANY of their PCs DIRECTL
Actually, they probably do. The other alternative would be leased lines which get really expensive since you are paying for them all of the time, not just for the bandwidth they use.
Of course, I would expect that all connections would be hardware encrypted. Then you would have to break the encryption to make a connection.
Rich Tomkinson April 30th, 2008Maybe, perhaps, absolutely
Actually, they probably do...which means you have no idea of what you speak. All ATM's are either directly connected to a banks infrastructure or uses a standard phone line to dial home. They do not conect to the internet.
Anonymous May 7th, 2008TCPIP != Internet
Westpac may be moving to XP and TCP/IP for their ATMs - but I highly doubt they will be exposed or visible in any way whatsoever to the Internet or any machines connected to the Internet.
James April 28th, 2008!= Westpac :|
And what I say "Westpac" I actually mean "NAB" :)
James April 28th, 2008XP on ATMs
NAB you say , hmmm better get a wheelbarrow ready.
sherro April 29th, 2008Commonplace in Portugal
In Portugal, we have a independent organization (SIBS) that runs every standard ATM (every bank has theirs, but you'll only find them at the respective bank, whereas SIBS' ATMs are everywhere).
They run on Windows 95/98 and 2k since I can recall using ATM's...
Some people seem to forget that the problem with computers, on whichever OS, lies between the monitor and the chair... Since ATM's run on "kiosk mode", there's no way the user can harm the system...
P.S.: SIBS was considered the most advanced and secure ATM (and virtual credit card) company in Europe last year...
Anonymous April 29th, 2008Some Sanity Please
The version of XP running ATM's is NOT the same version running on your PC at home. It is a cut down, stripped down, locked down version. While it is still XP, and who knows what the next security issue will be with it, you would have more success trying to smash it open using a tank to get the money out rather than hacking it. Also as stated before, TCP/IP does mean internet access - there are lots of Banks using this communication method already. It is their own private networks using secure encyrypted VPN tunnelling.
PigBucket April 29th, 2008Um... no it's not
You have no idea what you're talking about. We use standard XP Pro.
NFCU emp. May 3rd, 2008ATMs on XP
I wonder why this is just such big news. We (bank in belgium) have been running our ATMS on NT4, and now on XP, for many years without any problem. Of course they are fully locked down, authentication is in a hardware modul, thre is no keyboard (touch screen), so no CTRL-ALT-DEL... This has allowed us to leverage business application development and provide rich functionality to customers using ATM (full graphics, video announcements...).
Anonymous April 29th, 2008XP in ATM's
It is amazing how people fly of the handle with faux knowledge and a heap of ignorance (I'm not being mean, just brutally honest). XP has been used for years in ATM's without security breach's. However, some people talk as though doomsday is near with a certainty of an expert. Some banks use closed network while others us open. The bottom line is security is paramount. While OS errors do occur, most software errors can be traced to either bad programming or hardware faults, NOT the OS. The biggest problem is people not getting their money. Again, that is not a problem with the OS.
Walter Thomason April 29th, 2008More rubbish
..more of the same rubbish from ZDNet. Every time I come back to this site, a new low is found. Please lift your game - what sensationalist rubbish. Liam, this is pathetic.
Anonymous April 29th, 2008Suggestion
don't come back to the site then. Problem solved.
you remind me of those morons who complian about low standards on television - don't like it? there's always on off button, my friend.
Anonymous May 2nd, 2008XP on ATM's
First time I saw Windows on an ATM was back in 1996.
So this is nothing new.
Can't remember any instance of them being hacked by hacking the OS. (other ways - yes)
So - this article sounds a bit like "wishing it was so" and hoping the readers won't notice that.
Have you that low an opinion about your readers?
Jan Janssen April 30th, 2008Reality, Its a nice Place
Windows and MS systems do get a bad name, not because they are bad products. with all the Third party apps and drivers you would expect to see varying degrees of issues. Linux Mac and MS, all have great aspects. XP on an ATM, sorry this is not a bad thing, Progress comes in many forms...
Anonymous April 30th, 2008NAB comms
As an ex NAB IT employee I can say for a fact that their ATM network is connected via encrypted, dedicated, leased lines directly back to the NAB comms infrastructure.
A person would have to physically tap a line and crack the encryption to get real time or baytch access.
Even if successful, with the checks and balances existing in the back-office reconciliation systems any 'weird' transactions are automatically captured and manually checked.
Think about it - Australian banks technical and security risk management are bees knees. They are also 'self insured' ie they cover their own losses.
Wwe all know how badly aussie banks love their $bil profits, so there is no way on earth NAB would implement a new OS without going over every single possible physical 'hack' .
XP - simply not an issue.
Matt April 30th, 2008XP ATM
You see thanks to the smartness of the security who do the maintenance of most ATMs and restocking them with cash, i have come across one St.George bank ATM that was left unlocked and no one was attending. As I had my arm resting on the top of the ATM and tried to take cash out and took a step back the whole draw was opened up with access to the WXP interface with a mouse and keyboard provided, including all you normal PC ports.
Now one might say there would be a password protection on the system well we all know how secure windows is… and good bless Linux :)
However I just told the security guy in the mall and yeah… I know what you might think and I thought may be I should try and get myself used to the system but its not worth the trouble…
HA April 30th, 2008Forget the security..
What's interesting about this is that embedded systems (like ATMs, etc) were one area outside of the server where Linux was really taking off.
Looks like just another instance of Microsoft moving into a new area purely in order to stifle competition.
Anonymous May 2nd, 2008So does NFCU
I work for Navy Federal Credit Union. Interestingly enough they use XP almost exclusively for their ATM's.
NFCU Emp. May 3rd, 2008Is running Windows XP on ATMs stupid: No
Its good to see all the well informed (not) comments on here about Windows XP and how it means ATM's are a step away from robbery. Windows XP is secure and stable as ever when users don't have the ability to install viruses, spyware and other rubbish and its running over secure links to banks just like it is today so hacking and hackability just don't exist anymore so than any other operating system. I'm also happy to report I've seen linux, unix and Mac OS all with viruses and having been hacked before too. So lets put things into perspective. The only reason windows is bagged so much is because everyone uses it. If 90% of the world used anything else in existance with such success i'd be happy with what i'd produced.
If your windows isn't running so well, try deleting all the viruses, removing the spyware and putting it on non-home brand hardware. You may get a surprise.
Anonymous May 4th, 2008Liar.
There are no Linux viruses .
You've just made all that up.
It's obvious you have no idea what you're talking about.
Educate yourself.
mr black May 8th, 2008Putting things into perspective
It's true, XP is used in ATMs by many international banks and in other embedded systems as well. As long as it's connected to closed circuit networks, there is almost no risk of Viruses, Trojans and other malware infections even if windows by itself is infection prone. That said I already saw one or two ATMs needing a CRTL+ALT+DEL and also public advertising systems with a blue screen. Because of this lack of stability, XP is not the best OS for embedded systems.
Anonymous May 4th, 2008Exactly.
I"ve lost count of the number of times I've walked past BSOD kiosks, display points and wallscreens etc, all over the world.
Anyone who depends on Windows for mission critical applications is an idiot, pure and simple. The real heavy lifting is invariably done by a Unix variant or an embedded RTOS. Windows is useful for typing up spongecake recipes but that's about the limit.
mr black May 8th, 2008Brand image?
Funny, I thought it was about getting cash out of the slot. As for XP, that seems like overkill to handle a very simple interface. DOS maybe, more sensibly *nix, but using that dogs breakfast, which was designed, if you will pardon the expression, for a very different purpose, strikes me as pointless, almost masochistic. I'm sure it works, so does a Trabant, but if I were a bank I would not want my life-blood controlled by a sealed box that I had no access to. Which is what you get if you use Windows.
Anonymous May 9th, 2008This happened to me today.
I was using a CBA ATM in the Belconnen shopping centre in Canberra not an hour ago. Half way through the transaction I watched as the Diebold machine reported a software error in "Agilis Application" , against a Windows XP backdrop, and promptly crashed and rebooted. Once it ran through the POST there was the familiar Win XP startup screen. When it rebooted ( a process that took 5 minutes due to it waiting for things to timeout) it decided my card did not exist and promptly crashed again. So there I am with no ATM card standing next to a crashing XP ATM. Calls to the CBA were of no use as they told me my ATM card was now lost and would be destroyed and I needed to get my bank to issue me with a new one. So, if your shiny new XP ATM crashes and burns then you'll lose your card too! I have never, ever seen any other ATM crash like that and I fear with widespread adoption of XP this will become the norm.
Not happy Jan.
Anonymous May 14th, 2008Just how customised are we talking?
Just yesterday at my university I came across a Commonwealth ATM with one of those boxes asking if you want to report an error to Microsoft. In the background was a full bone stock xp desktop complete with rolling hills wallpaper, full xp style blue task bar and a standard set of icons on the desktop (ie My Documents, IE, etc). It was running a sygate firewall and the icon in the start bar was indicating a critical security error. Not exactly the hallmarks of a lean, mean stripped down xp. I just can't fathom why XP is the common choice here. Is NAB suggesting they can't run a nice GUI on a unix based OS?
Brendan Ross May 14th, 2008wow....
that's amazing.
Doesn't instill me with much confidence I must say!
mr black May 15th, 2008I don't get it?
XP on ATMs...I'm sure it does a fine job...but so could many other systems. It isn't exactly rocket science. Other systems could exactly the same job and provide exactly the same service for free.
Using XP doesn't make ANY sense at all.
Coles switched to a cool HTML based POS system all running on windows 98. They could have saved millions running exactly the same sytem on linux of bsd or whatever.
We're not talking about a desktop here - these are specific machines.
Windows makes absolutely no sense at all in this instance.
Stupidity rules.
Anonymous May 20th, 2008ATM's on XP
Sure, why not. Coupled with decent hardware and stringent development and testing, it'll be just as stable as the next ATM. It just seems those who don't really know XP (and Windows in general) inside out criticise it.
And for those pulling up photos and screen dumps of BSOD's - I can show you a few from linux, unix and Apple OS's. It's amazing how some people neglect to point out flaws in everything else isn't it? ;-)
Michael May 22nd, 2008I call BS.
I have never, ever, ever seen a crashed ATM running Linux but it appears the Windows ATM are crashing on a regular basis.
This is hardly surprising considering how crash-happy Windows is at the best of times.
Like one of the previous posters said, for heavy lifting jobs you're mad if you use Windows, it's only good for games and word processing.
mr black May 23rd, 2008Not just NCR
It is not just NCR who uses XP.
Diebold uses XP and so does wincorp., as a person who works closely with ATM's the software can be painful compared to the older o/s used on the ATM's, it makes it easier for branch staff and the first line crew/cash crews to work out.
As for the security, especially for the NAB network good luck!!!
Sam August 5th, 2008icash australia have windows xp on their atms - MARKED AS SPAM BY AKISMET
well guys i can honestlty say that xp is the best platform ever produced by Windows & all of our machines at iCash Australia run on this.
It provides a very customised ATM thats for sure & there is no problem with security with the adequate firewall, visit our site to see
http://www.atm-eftpos-australia.com/index.html
Anonymous November 28th, 2008Now...
Please see this article:
http://tinyurl.com/XP-ATMs-Hacked
Anonymous June 6th, 2009ZDNet Australia Live
RT @EmilyCBaxter: CBSi UPDATE : The new ZDNet + drinks with BNET/RSVP Tues 23 March - http://bit.ly/auguBu
6 minutes ago by cynjh on twitter
Our sister site @zdnetaustralia has relaunched http://www.zdnet.com.au/ looking good!
11 minutes ago by cnetaustralia on twitterLove the new looks guys. Much easier to get to relevant stories and topics. The graph for tags is brill. It's a bit much for my poor ...
12 minutes ago by longtimelistener on Check out the new ZDNet Australia
Big up to my peeps at www.ZDNet.com.au (and www.ZDNetasia.com and www.ZDNet.com.uk). Loving the redesign!
16 minutes ago by randolphramsay on twitter
How Exciting! @zdnetaustralia has relaunched and it looks slick and amazing!! Good job!! :) Check it out now http://www.zdnet.com.au/
21 minutes ago by Meli55a on twitter
Check out the new ZDNet Australia: ZDNet Australia today launched a new interactive platform, bringing content fro... http://bit.ly/dtp1Ip
31 minutes ago by tessa_alfred on twitter
@zdnetaustralia http://www.zdnet.com.au/membersh... returns a 404 (from header link)
31 minutes ago by waydomatic on twitter
.@zdnetaustralia has a new look - http://www.zdnet.com.au/. Well done team!
1 hour ago by lkovacevic on twitter
Dissecting a health care CRM failure: ZDNet (blog)
Most writing on IT failures focuses on either detailed technica... http://bit.ly/9pVBuK
Don't believe most of the crapola -- which is seemingly coming from those in the employ of the Wireless Radiation Industry. Cell phon...
1 hour ago by prd34 on Is your mobile phone killing you?
TCO: New research finds Macs in the enterprise easier, cheaper to manage than Windows PCs| ZDNet.com http://ow.ly/1nwrR
3 hours ago by AndrewNim on twitterWhen you say something like the internet could collapse, you need to provide some reasoning behind it and prove you actually know how the...
4 hours ago by Rai on Internet infrastructure to collapse by 2010?
Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
9 hours ago by eparody on twitter
@ThomasShaw linkedin connect should work again, thanks to @hobyho magic #zdnet
10 hours ago by pastawoua on twitter
MS has confirmed that Windows Phone 7 won't have cut/copy/paste functionality: http://blogs.zdnet.com/hardware/... Disappointing.
10 hours ago by japha on twitterThank you, bsteco! We're checking into the situation and will post developments here soon! -Brian Haverty, Editorial Director, ZDNet....
13 hours ago by Brian Haverty on Telstra reduces traffic light delays*** PLEASE NOTE *** This article is factually untrue, and a formal Telstra retraction was requested at 6:30pm today. If ZDNet wishes to...
14 hours ago by bstec0 on Telstra reduces traffic light delaysIt means being able to remotely fix an issue or better identify the cause of an issue. This results in less technicians required to driv...
15 hours ago by Anonymous on Telstra reduces traffic light delaysI still do not believe that an Australian Government would regulate the destruction of an Australian company by foul blackmail to the fi...
15 hours ago by Anonymous on Conroy loses Greens over NBN studywhat has howrd got to do with it! My point is little nerdy Kev 07 fooled us all. In hind sight it was all hipe and no substance. climate...
15 hours ago by gd on Conroy loses Greens over NBN studyWhy didn't Howard fix it the previous 10 years or however to long he was in.
16 hours ago by pop on Conroy loses Greens over NBN studyMr conroy and therefore " I'm responsible" Mr Rudd are treating the taxpayers like idiots. They don't think we deserve to see the repo...
16 hours ago by gd on Conroy loses Greens over NBN studyIeraci so meant that as a pun, I reckon.
16 hours ago by Anonymous on Telstra reduces traffic light delaysHaha.. may not be the best use of the term "truck rolls" when talking about traffic intersections! I think in this case it could have a ...
16 hours ago by Chris Anderson on Telstra reduces traffic light delaysAll, I assume certain things. My boyfriend is aboriginal. I read this link, and as a white gay man I would never show him this site Th...
16 hours ago by Anonymous on Google removes Encyclopedia Dramatica linkhaha, that was very funny, taking the **ss like that.
cause no one could be dumb enough to really believe it.
Not only has Conroy lost the greens, labor has lost me. Entirely because of Conroy. I will not sit by and vote for a man who wants to tre...
17 hours ago by tim on Conroy loses Greens over NBN study
Linkedin 
RSS Feeds 
Newsletters 
Twitter 
RE:
I wonder if there is a timeline set for this change - I'd be interested to see how this pans out, especially if there's some connection to issues about internet security.
**************
Nico del Castillo
Microsoft Security Outreach Team
http://www.microsoft.com/hellosecureworld/level7