
Can Your ATM Play Beethoven?

timothy posted more than 10 years ago | from the you-have-nothing-to-fear dept.

Security 657

bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."

657 comments

"Progress"? (4, Insightful)

FyRE666 (263011) | more than 10 years ago | (#8626563)

You know, I've been thinking for a few years now that ATMs (in the UK at least)
seem to be getting slower and slower to use. 10 years back, you'd insert your
card, be able to key in your pin number straight away and be straight into the
menu. Now, you insert the card, stand about while it thinks about checking it,
then you eventually enter a pin and wait around a bit more before using the
sluggish interface. Now I know that these machines have media player, web browser and
all sorts of other redundant crap installed on a full version of XP, I understand the
reason the queues are growing!

I don't need 24 million colours, animations and other crap just to take money out
of my account, dammit! It's staggering to think that the software has become so
bloated and slow that machines produced 10 years ago, with only a fraction of the
computing power of today were actually far more responsive to use.

I remember seeing an ATM reboot a few years back (brief power outage). It briefly
showed the OS2 logo before resuming normal operation ;-)

Re:"Progress"? (0)

Anonymous Coward | more than 10 years ago | (#8626578)

OS/2 used to be really big in the banking community.

Hmm...Why couldn't they have compiled a Linux kernel and encoded it on a credit card?

The Knopp-card!

Re:"Progress"? (2, Interesting)

myLobster (528056) | more than 10 years ago | (#8626609)

I wonder who (in the UK) remembers the old ATMs from days of yore, which had no screen. They had a red LED display (capable of a single line of text at a time) housed in a unit which users could pivot and peer into, a bit like an elongated letterbox...or am I just tripping?

Re:"Progress"? (4, Interesting)

Rogerborg (306625) | more than 10 years ago | (#8626637)

If you're tripping, we ate the same mushroom. I'm also having flashbacks to a printer that sounded like an AK-47 on full auto. And now we've got ATMs that feed you advertising for a bunch of crap that you really don't need while they make you wait for your money. Progress, eh?

Re:"Progress"? (0)

Anonymous Coward | more than 10 years ago | (#8626641)

Yeah, they had those in Australia too, complete with the old squish sensitive buttons like a ZX80.

It's been a few years since I saw one of them around though...

Re:"Progress"? (2, Interesting)

Cus (700562) | more than 10 years ago | (#8626666)

You're not wrong - last time I saw/used one of these was about '93 at a student union. You didn't have problems with people looking over your shoulder as you had to get quite cosy with the machines to read the LED display.

At least you didn't get huge amounts of burn-in with this method like you did with the 'shades of green' displays. I swear there were so many times I had to get my cash by remembering the keypresses.

Re:"Progress"? (1)

zakezuke (229119) | more than 10 years ago | (#8626764)

I remember these in America. My bank I had pre 1990 was one of those ones who only had like one cash machine in the state, or so it seemed at any rate. This specific cash machine was as you described.... single line LED display. It was pretty dated even by late 1980s standards, but it was fast, efficient, and I enjoyed using it muchly except for the fact that it was roughly 5 miles away, and every other bank had a cash machine at every branch.

Most were monochrome amber, or green screens.

Re:"Progress"? (2, Insightful)

intertwingled (574374) | more than 10 years ago | (#8626614)

Maybe in the UK they switched to RISCOS? ;-) Or... maybe they switched from RISCOS to something else???

Better solution? (2, Interesting)

reality-bytes (119275) | more than 10 years ago | (#8626638)

I should think that RISCOS would be a better solution for an ATM than it ever was for a desktop.

BTW, I'm not totally averse to Arc's etc, I have a 4000 series here somewhere that I hacked a NIC into and managed to get on the internet (how proud of myself was I?) ;)

Re:"Progress"? (2, Flamebait)

floydman (179924) | more than 10 years ago | (#8626623)

Actually guess what, with all the 24 million colors, and all the complexity taken out, some people just stand there wondering what to press next. I don't expect those to do:


$ cd ~/pinnumber
$ ./bank -fetch 100$ pinnumber
$ ./bank -query account
$ exit


but at the same time I have to say that ATM machines are over complicated, slow, and they screw up big time (my card has been SWALLOWED by the machine on more than one occasion).

Bottom line is that someone needs to make a new ATM solution that works, probably on an open source platform (is that secure enough, you tell me), and most important is ...IT WORKS....

Re:"Progress"? (1)

vadim_t (324782) | more than 10 years ago | (#8626770)

Well, that Unix interface to a bank is about as bad as the ATM being mentioned in this article. I certainly hope that whoever makes a program like that takes care of making it ask for a password, like the 'passwd' command does, instead of requiring it as an argument and letting everybody see it.

And why 'cd ~/pinnumber'?

Re:"Progress"? (5, Interesting)

tormentae agent (763372) | more than 10 years ago | (#8626646)

I remember the same, when I actually trusted ATMs and banks...

After a brief five-year stint in North-Dakota, where time stood still in happy-land, I ended up in Dublin. I read an article about how Windows had made its way into the ATM-business, thinking "uh-oh-mf-cs-sob"...given my past experiences with this OS-king-of-userfriendliness.

Yesterday, I put my Norwegian super-VISA-bank-card into an Ulster Bank ATM and it stole it! It just swallowed the card, proceeding to say something like: "System down, please use another cashpoint."

So, I call Norway, to ensure there isn't a problem with the actual card. It takes me quite a bit of time before I actually managed to call Ulster bank's customer service line. When I get through, I explain the situation (I had to rephrase 'the ATM stole my card' into 'swallowed it' before I could be assisted).

So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

I state something to the extent of Ulster bank being poorly organized. The little turd on the other end of the line proceeds to tell me: "I'm sorry, but we took the network down for a few minutes. You must have inserted the card just at that moment."

If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.

For once... (4, Insightful)

Kjella (173770) | more than 10 years ago | (#8626706)

If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.

I'd rather find the execs of the bank, and roll them in tar and feathers and chase them out of town with a stick. Anyone can make an offer... I can offer to run their ATM network on Linux 2.6.4-alpha1-test4-pre2 too. If they're willing to buy it, that's their stupidity, not mine.

Kjella

Here's what to do... (0, Insightful)

Anonymous Coward | more than 10 years ago | (#8626738)

Go into your local branch and take out a few quid...USING THE HUMAN BEING BEHIND THE COUNTER!!!!

And for large purchases use a credit card.

Now, I agree with your rant, but I'm tired of people who get so dependent on cash cards and their cell phone that they forget how to actually live.

You strike me as a person who is 72 hours of electricity away from being a cave-man.

Re:"Progress"? (4, Interesting)

zakezuke (229119) | more than 10 years ago | (#8626755)

So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

The hardest thing in the world is returning an ATM / Credit card. I found one next to a machine from an Alaskan credit union, and I being in Washington. I thought to myself, "Hey, I will do the honest thing and try to get this card back to the owner".

Well, the 800 number on the back was unwilling to co-operate... they told me to cut up the card. This was on a Saturday and may have not been official bank help. So I tracked down the bank in Alaska, or near as I could find to it, and tried to talk to them about the issue, basically, "I have this card, I'd like to return it to the owner".

They refused to do the following
1. Provide me with any contact information as to where to send the card to (totally understand)
2. Take down my contact information so in the event the owner called to get a new one, they could say just use the old one, this guy will give it to you.
3. To actually take back the fucking card so they could return it to the owner in a timely fashion.

In the end, after getting frustrated trying to do the right thing, I used it to apply putty to my automobile, and it probably is still encased in a lump of putty.

The point is, banks will assume the worst when it comes to you no longer physically having your card. They are not equipped to handle an honest person who actually didn't charge up anything on the card despite the fact they could verify this fact who's trying to return the card. They will try to convince you they are doing you a favor when in reality they would rather let someone else do the paperwork, which always falls on the person giving you a new damn card.

Re:"Progress"? (2, Informative)

mpe (36238) | more than 10 years ago | (#8626756)

So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

Even though your card most likely has instructions to return it to the issuer if found.

I state something to the extent of Ulster bank being poorly organized. The little turd on the other end of the line proceeds to tell me: "I'm sorry, but we took the network down for a few minutes. You must have inserted the card just at that moment."

In which case the machine is broken. Since what it should have done is to return the card and put up an out of service message.

Re:"Progress"? (1)

Neophytus (642863) | more than 10 years ago | (#8626663)

I think it's fair to say if it's displaying anything more than green on black it's bloated.

I know Royal Bank of Scotland still use these, but most others seem to have switched to a more 'useful' colourful interface.

Re:"Progress"? (4, Interesting)

CGP314 (672613) | more than 10 years ago | (#8626686)

A conversation I had with a friend:

``Alright, let's go to the bar.''

``Sure, but first I need to go to the bank on high street.''

``Why? That one is two blocks in the opposite direction, there's a bank the way we are going that's on the same system so it won't charge you any fees.''

``I know, but that one has one of those old black-and-green displays. You can't trust something like that. The other bank has an ATM with color and animation.''

It really upsets me to know that things like that actually matter to people.


-Colin [colingregorypalmer.net]

Re:"Progress"? (1)

Slashamatic (553801) | more than 10 years ago | (#8626744)

User customisation - please also remember that the latest multimedia ATMs can play advertising while you wait tuned to your account details. Oh, this is Mr Smith, let's show him a car loan or maybe tout a new Mortgage for Mr Jones.

You definitely don't want to get near one of those ones!

Re:"Progress"? (1)

eraserewind (446891) | more than 10 years ago | (#8626725)

I agree. There was one bank that had all old green screen interface to their ATMs when I was in college, and the others were fancy graphics. Everyone used to go to the green screen one whenever possible, because it was much faster to do anything on.

Re:"Progress"? (4, Informative)

fcw (17221) | more than 10 years ago | (#8626728)

You know, I've been thinking for a few years now that ATMs (in the UK at least) seem to be getting slower and slower to use.

Indeed. In the 1980s, Clydesdale Bank (in Scotland) actually used to feature the speed of their cash dispensers (a.k.a. ATMs) in their advertising, claiming that you could get money out of theirs faster than their competitors' machines. I don't recall any bank making claims like that for a long time.

Also, it's not just cash dispensers that are slow: railway ticket machines and car park payment machines are just two of the types of kit that I bemoan the speed of every time I use them. You can tell that they've been programmed in a very serial fashion, with no attempt to optimise the speed of the transaction for the user. Most machines could be programmed to pre-load blanks into printers, or pre-print static header information on receipts, or otherwise get started on time-consuming tasks, but they never seem to. You can practically follow the progress of the transaction through the machine's guts as it plods away at it.

And the receipt printers on point-of-sale equipment always seem to have the slowest possible mechanisms, making shop assistants who care feel that they have to apologise for keeping the customer waiting. (I bet if the banks could have used the old ZX80 scorched-black-on-silver-paper printer mechanism and saved a buck, they would have.)

Re:"Progress"? (2, Interesting)

mattbee (17533) | more than 10 years ago | (#8626782)

Snap, my bank's ATM machines have these uncomfortable delays: like when I put my card in for the first time, I have to wait for whatever Flash animation advertising the bank's newest product has finished before it will acknowledge me and ask for a PIN. My record wait is about 25 seconds. It wouldn't surprise me if the whole damn interface was built in Macromedia Director :-)

Clippy! (5, Funny)

Black Parrot (19622) | more than 10 years ago | (#8626568)


I see you're trying to extract free cash from a bolloxored ATM cum jukebox. May I help you?

minesweeper... (5, Funny)

Polybius (743489) | more than 10 years ago | (#8626569)

So who got the fastest ATM minesweeper times?

Re:minesweeper... (0)

Anonymous Coward | more than 10 years ago | (#8626689)

There already was a fastest time present named 'Diebold'. No one got to beat it yet.

Sweet! (1, Funny)

RyuuzakiTetsuya (195424) | more than 10 years ago | (#8626570)

Diebold's not only supplying votes to GWBush, but also campaign finance!

Obligatory play on words (5, Funny)

Stopmotioncleaverman (628352) | more than 10 years ago | (#8626571)

Start --> Programs --> ATM --> Configure --> Flush Cash (sic)

Diebold Automatic Teller and Media Server (1)

math major (756859) | more than 10 years ago | (#8626572)

It didn't have Minesweeper or Solitaire! Was much entertaining though.

And this surprises you (3, Funny)

OverlordQ (264228) | more than 10 years ago | (#8626573)

how? I mean given,

A) It's based off of Windows
B) It was made by Diebold.

Adding A + B != C where C equals something that works correctly.

Re:And this surprises you (0)

Anonymous Coward | more than 10 years ago | (#8626594)

The point of the article is not whether it surprises people, you nerd.

Re:And this surprises you (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8626599)

You should try talking to a "Certified Diebold Technician." I keep thinking to myself, "Do these people know anything?"

Yes, I work for one of the biggest ATM processors in the world (until I get laid off next year) and I've talked to more than a few of these guys. They pretty much all have one thing in common. Calling us for tech support on setting up the ATM. Go figure.....

Re:And this surprises you (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8626779)

linux r sux. u2.

Not just a desktop computer (1, Interesting)

Ed Avis (5917) | more than 10 years ago | (#8626580)

More to the point, it's a desktop computer with a touch screen interface and an attached money dispenser.

Re:Not just a desktop computer (2, Funny)

RyuuzakiTetsuya (195424) | more than 10 years ago | (#8626584)

more to the point, someone's going to make it run linux and play doom on it.

Eh! (0)

Slinky Saves the Wor (759676) | more than 10 years ago | (#8626581)

The poor can eat cake. And use broken-by-design ATMs.

Election Day... (4, Funny)

myownkidney (761203) | more than 10 years ago | (#8626582)

The geek Jim [mithuro.com] goes to the election booth. Jim touches the opening screen. Jim watches while the screen BSoDs. Computer reboots. Jim is presented with the XP interface. Jim finds the voting system back end. Jim "adjusts" the result:
Bush 15%
Kerry 15%
Nader 70%
Jim sets all Bush and Kerry votes to go to Nader.
Jim runs the voting system front end. Sets it to full screen.
Jim leaves.
Nader wins

I just don't know whether to laugh or cry! (5, Insightful)

oiron (697563) | more than 10 years ago | (#8626583)

COME ON!!!!!!!!!! Why in the world would someone waste a computer that's capable of running Windows XP (which probably means at least a Pentium with 64 MB RAM?) on an ATM? I mean, the thing is supposed to check your card, pin and then give you a load of cash... Last time I checked, that's a job for something less than an 8080, which could do the job faster, more securely, and cheaper. The right tool for the right job, people! /me rolls eyes

Re:I just don't know whether to laugh or cry! (1)

HoneyBunchesOfGoats (619017) | more than 10 years ago | (#8626603)

Checking the system requirements [microsoft.com] for XP shows that it needs something in the PII range at minimum, with at least 128MB RAM.

It would seem that Diebold makes sales off of marketing ("Our ATMs have MegaHertz!!") instead of engineering quality products.

Re:I just don't know whether to laugh or cry! (5, Insightful)

eggstasy (458692) | more than 10 years ago | (#8626604)

Thing is, it's easier to code up a quick ATM script in Flash or something, than it is to design a whole "lean and mean" super customized secure embedded system from scratch, then code up some basic OS and development tools for it, and THEN do the interface in some obscure language with crappy libs.
People are lazy, and costs have to be kept down. What's usually important in a company, is to make their business process "lean and mean", not their software or PCs.

Re:I just don't know whether to laugh or cry! (4, Insightful)

Anonymous Coward | more than 10 years ago | (#8626639)

Why would anyone need to re-implement an ATM?
The old ones work.

Re:I just don't know whether to laugh or cry! (1)

gantrep (627089) | more than 10 years ago | (#8626736)

The old one's aren't as pretty.

Re:I just don't know whether to laugh or cry! (2, Insightful)

gantrep (627089) | more than 10 years ago | (#8626746)

Baahh.

"One's?" What the fuck is wrong with me!

I thought I knew the difference between plural and possessive.

Re:I just don't know whether to laugh or cry! (4, Insightful)

eraserewind (446891) | more than 10 years ago | (#8626739)

So they can show you pretty advertisements for mortgages and loans.

Re:I just don't know whether to laugh or cry! (2, Insightful)

ameoba (173803) | more than 10 years ago | (#8626786)

Maybe the old hardware they embedded in there (286s?) became hard to get? "Customers Demand" color interfaces? They required Unicode support to localize the machine for Asian markets?

Re:I just don't know whether to laugh or cry! (0)

Anonymous Coward | more than 10 years ago | (#8626647)

But copies of the roms to the older ATMs must still be around. It would be absolutely cheapest to just use the same old design.

Re:I just don't know whether to laugh or cry! (1)

TobiasSodergren (470677) | more than 10 years ago | (#8626681)

A PC of today is cheap, there's tons of suppliers to choose from, the spare parts are available all over the world. Why wouldn't they choose a normal PC over an outdated 8080?

Using Java or .net also makes it easier to create programs that don't crash, when the amount of services increases in the ATM, and it's probably harder to run Java or .net on an 8080.

Change you cannot avoid (3, Interesting)

GeorgeTheNorge (67545) | more than 10 years ago | (#8626705)

It comes down to making the best of commercially available hardware and OS'es. And the available stuff is PIII or better, so you might as well run XP if you are an MS shop. DOS is more stable, but when it comes to Microsoft, the developer skill sets are weighted towards Windows. I myself haven't written an app for DOS in 10 years.

But you are on to something. Can we invent something that is the opposite of Moore's law? Something like: "Software will become nn% harder to write every two years due to steadily increasing complexity in hardware and operating systems."

Re:I just don't know whether to laugh or cry! (1)

jellomizer (103300) | more than 10 years ago | (#8626733)

Exactly, heck, I wouldn't recommend that you use a standard Linux distribution.
If you were to use Linux I would recommend that you remove all features that you don't need from the kernel. And build your own distribution from scratch for maximum load time, and less variables for crashes and security risks. Just because the keyboard isn't there doesn't mean that it is a security risk. Who knows how the transactions are taking place. (Over the internet, possibly.) As well, if someone is logged in on XP how long do you think it will take them to open the integrated web browser and open a webpage and download a virtual keyboard or cut and paste from the text to make your words.

Economics, that's why (4, Insightful)

tkrotchko (124118) | more than 10 years ago | (#8626761)

This machine is indeed massive overkill, but the economics are that a desktop PC is about the cheapest computer out there.

An 8080 computer set up in a config with USB ports, serial, parallel, video, etc etc will probably run you something close to $3,000 US, and spares will be difficult as they'll have to be single supplier.

Also, the drivers for things like printers and card readers are only going to be available for Windows (and increasingly Linux), so if you have an embedded device, the integration costs are going to be high.

On the other hand, you can get a robust PC from a major manufacturer for something under $1,000 US and it can be replaced by any manufacturer. There are drivers for everything, and software development will be cheaper because windows programmers are more available than embedded programmers.

It's not just Midnight Spaghetti (0, Funny)

Anonymous Coward | more than 10 years ago | (#8626586)

It's "Midnight Spaghetti & The Chocolate G-Strings".
<homer-voice>chocolate g-strings.. argaaaahhhh</homer-voice>

ATM OS diversity (4, Interesting)

igrp (732252) | more than 10 years ago | (#8626588)

Around here, quite a few ATMs are still running OS/2 [mit.edu]. For some weird reason, they - just like the ATM the article talks about - have a tendency to crash, reboot and not load the ATM interfacing software.

I got a chance to talk to one of my bank's IT people about this a few months ago, and basically, they don't know what's causing the crashes because analyzing the log files would just be too much trouble. So their SOP is to have some guy with a key come out, literally pull the plug on the machine and wait till it reboots.

He also told me that they were slowly migrating over to a "custom XP version", whatever that's supposed to mean. I probably should have told him that Windows machines can be prone to virus infections [windowsfordevices.com] (cough cough [securityfocus.com]).

Re:ATM OS diversity (5, Informative)

zeitgeist77 (107700) | more than 10 years ago | (#8626636)

I work at a credit union, and we use OS/2 ATMs. They tried to foist a Windows ATM on us, but couldn't get it to work because the tech was too dumb to tell the difference between a D911 (BiSync) and a D912 (LAN). Quite humorous, I played dumb till after he decided to install the OS2 version and then I pointed out to him it was a D912.

Funny side note though, on all our ATMs, the terminal driver (computer) has its own display on the backside of the unit along with a mouse and keyboard. Of course, we aren't using the graphics capabilities because our terminal processor is hmm...slightly older than time.

So useful facts to be noted from experience:

1) Diebold techs do not know their rectums from a serial card. (I've had to carefully hold their hands through IP setup and assigning the correct host:port combo to attach to the terminal processor)

2) I've never seen an OS2 ATM crash, nor have I ever seen it fail to boot the TCS (Terminal control software).

3) Windows-driven ATMs have to be the stupidest idea I've ever heard of, but can't really use Linux...(see point one about said sub-sentient techs.)

4) I fear a world with Diebold designed and serviced Windows based voting devices. The havoc...the horror....

Staggering (1)

thinkninja (606538) | more than 10 years ago | (#8626590)

It won't be long before keyloggers are installed on these things. Hell, it beats the mini-camera scheme for capturing PINs.

Re:Staggering (0)

Anonymous Coward | more than 10 years ago | (#8626775)

I don't think a keylogger would work as these ATMs have hardware encryptors built into the keyboard itself.

Buffer overflow code on swipe card .. (4, Interesting)

Anonymous Coward | more than 10 years ago | (#8626605)

Would it be possible to load data on a swipe card so that the software reading the card suffered some kind of buffer overrun? (Depending of course on how carefully the software checked for them).

Re:Buffer overflow code on swipe card .. (4, Informative)

Spy Hunter (317220) | more than 10 years ago | (#8626721)

It would be hard; the amount of data that can be stored in a card's magnetic strip is very small. Format of magnetic strip data [howstuffworks.com]
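What "carefully checked" looks like for the question above, as an added example that is not part of the thread or any vendor's code: a Track 2 parser that bounds every copy by the destination buffer rather than by whatever length the card supplies. The names `track2_parse` and `struct track2` are hypothetical; the 40-character track and 19-digit account number limits are those of ISO/IEC 7813, and the reader is assumed to have already checked and stripped the LRC.

```c
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7813 Track 2: at most 40 characters including start sentinel,
 * end sentinel and LRC; the account number (PAN) is at most 19 digits. */
#define TRACK2_MAX_CHARS 40
#define PAN_MAX_DIGITS   19

enum track2_status {
    TRACK2_OK = 0,
    TRACK2_ERR_LENGTH,    /* shorter or longer than a legal track */
    TRACK2_ERR_SENTINEL,  /* missing ';' start or '?' end */
    TRACK2_ERR_CHARSET,   /* non-digit inside a numeric field */
    TRACK2_ERR_PAN,       /* empty or over-long PAN, or no '=' separator */
    TRACK2_ERR_FIELDS     /* expiry / service code truncated */
};

struct track2 {
    char pan[PAN_MAX_DIGITS + 1];
    char expiry[4 + 1];                   /* YYMM */
    char service_code[3 + 1];
    char discretionary[TRACK2_MAX_CHARS];
};

/* Copy exactly n digits from src to dst and NUL-terminate; -1 on a non-digit. */
static int copy_digits(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (src[i] < '0' || src[i] > '9')
            return -1;
        dst[i] = src[i];
    }
    dst[n] = '\0';
    return 0;
}

/* Parse the decoded characters of Track 2, start sentinel through end sentinel.
 * Assumption: the reader has already checked and stripped the LRC.
 * `raw` is NOT assumed to be NUL-terminated; only `len` bytes are read. */
enum track2_status track2_parse(const char *raw, size_t len, struct track2 *out)
{
    struct track2 t;
    memset(&t, 0, sizeof t);
    memset(out, 0, sizeof *out);          /* caller never sees stale data */

    /* Reject before touching any field: the length comes from the card. */
    if (len < 2 || len > TRACK2_MAX_CHARS - 1)
        return TRACK2_ERR_LENGTH;
    if (raw[0] != ';' || raw[len - 1] != '?')
        return TRACK2_ERR_SENTINEL;

    const char *p = raw + 1;
    const char *end = raw + len - 1;      /* points at the '?' */

    /* PAN: digits up to '=', bounded by the destination, not by the input. */
    size_t n = 0;
    while (p < end && *p != '=') {
        if (*p < '0' || *p > '9')
            return TRACK2_ERR_CHARSET;
        if (n == PAN_MAX_DIGITS)
            return TRACK2_ERR_PAN;
        t.pan[n++] = *p++;
    }
    if (n == 0 || p == end)
        return TRACK2_ERR_PAN;
    p++;                                  /* skip '=' */

    /* Simplification: expiry (4) and service code (3) must both be present. */
    if ((size_t)(end - p) < 7)
        return TRACK2_ERR_FIELDS;
    if (copy_digits(t.expiry, p, 4) != 0 ||
        copy_digits(t.service_code, p + 4, 3) != 0)
        return TRACK2_ERR_CHARSET;
    p += 7;

    size_t rest = (size_t)(end - p);
    if (rest >= sizeof t.discretionary)
        return TRACK2_ERR_LENGTH;
    if (copy_digits(t.discretionary, p, rest) != 0)
        return TRACK2_ERR_CHARSET;

    *out = t;                             /* publish only a fully valid parse */
    return TRACK2_OK;
}

int main(void)
{
    /* Constructed sample using a well-known test card number, not real data. */
    const char sample[] = ";4111111111111111=2512101123?";
    struct track2 t;
    enum track2_status st = track2_parse(sample, sizeof sample - 1, &t);
    printf("status=%d pan=%s expiry=%s service=%s\n",
           st, t.pan, t.expiry, t.service_code);
    return 0;
}
```

The length test runs before any field is read, so an input longer than a legal track is rejected whole instead of being truncated and partly trusted.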

Re:Buffer overflow code on swipe card .. (2, Informative)

maximilln (654768) | more than 10 years ago | (#8626731)

Fantastic idea that I'm sure many people have thought of.

The biggest hurdle seems to be acquiring a magnetic card reader which can interface with a home PC and bit-nibble the data on a valid card and a magnetic card writer. I certainly wouldn't know where to get either of these.

One could sign up for business VISA/MC access and maybe engineer some kind of hack on the cc reader that will bit-nibble the data and send it to a PC but I imagine there are hardware encryption chips that would have to be identified and removed along with circuit board traces rewired.

It'd be an interesting project...

Re:Buffer overflow code on swipe card .. (1)

Quarters (18322) | more than 10 years ago | (#8626757)

The biggest hurdle seems to be acquiring a magnetic card reader which can interface with a home PC and bit-nibble the data on a valid card

They're not controlled devices. Go search on eBay for "swipe card reader" and you'll get pages of hits.

Re:Buffer overflow code on swipe card .. (1)

maximilln (654768) | more than 10 years ago | (#8626763)

Okay. That still doesn't address the problem of circumventing hardware encryption, interfacing with a PC for custom analysis, and finding a swipe card writer.

OS/2 2.0 ATM, anyone? (1)

intertwingled (574374) | more than 10 years ago | (#8626606)

I once had the pleasure of watching a Wells Fargo ATM reboot. A lot of strange hex stuff, then, as clear as a bell, "OS/2 2.0 Booting", then it started testing all of the lights and various slots on the ATM machine. Was fun to watch. Oh, and it did boot all the way up. I didn't get to see an OS/2 Desktop =/.

Win XP ? (2, Interesting)

BorgDrone (64343) | more than 10 years ago | (#8626616)

Why are these things running WinXP and not something a little more secure?

Aren't there any regulations about cash machine security?

Re:Win XP ? (3, Informative)

igrp (732252) | more than 10 years ago | (#8626644)

To my knowledge, there are no specific regulations pertaining to what software an ATM must or must not run. After all, it's the financial institution's business and they're mostly liable for what their machines do (and, if their ATMs fail to perform the most basic safety checks, resulting in the ATM being robbed blind, then that's their problem, too).

There have, however, been attempts to introduce legislation pertaining to ATM safety in general, both on the federal [theorator.com] and on the state level (the only example that I'm personally familiar with being NY (see here [state.ny.us] and here [state.ny.us])).

Dupe.... (3, Informative)

heytal (173090) | more than 10 years ago | (#8626627)

I had read it recently, and I found it on /. But it seems that this is not a dupe :-). This link was posted in the comments section very recently.
Here's the link. [slashdot.org]

It's good to look at comments, and submit stories. It gets you karma. Also, it's good to look around that comment, and then post comments in this story. That would gain karma too :-)

Posting a comment about the comment on which the current /. story is based, gains you karma too :-)

Not that unusual (4, Interesting)

Saint Stephen (19450) | more than 10 years ago | (#8626628)

I see "ordinary" ATMs stuck at a Phoenix BIOS boot prompt all the time. While I've never gotten to the Windows part of an ATM, it happens at information kiosks a lot.

They should have used the "On-Screen Keyboard" under Accessibility. It is a little scary that this was connected to cash.

If you want a good read for the database schemas an ATM uses, read "Principles of Transaction Processing." One interesting bit of knowledge is that the entire table of valid account names and their card hashes is replicated to each ATM! (Obviously for your bank only.) It sends out a ping that records "Joe took $50" to the main bank but it's only sort of a summary, the "full details" is kept at the ATM and sync'd at night.

One crazy thing that happened to me was I tried to withdraw $1100 from Bank A at Bank B's ATM. I got into a "Distributed Transaction Rollback" -- it got all the way through, printed out my receipt that said I got the money, and -- never gave me my money. When I checked at a Bank A ATM, it showed the "hit" on my account. In about 15 minutes the Transaction Processor rolled back the transaction.
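The timeout rollback described in the comment above, as an added example that is not part of the original thread: a simplified model in which the issuing bank debits on authorization and reverses any debit the ATM never confirms. All class and function names are hypothetical, the 15-minute timeout is taken from the comment, and this is not any real network's protocol.

```python
"""Simplified model of an issuer reversing an unconfirmed ATM debit (constructed example)."""
from dataclasses import dataclass, field

REVERSAL_TIMEOUT_S = 15 * 60  # assumption: the ~15 minutes mentioned in the comment


@dataclass
class Hold:
    account: str
    amount: int
    created_at: float
    state: str = "pending"  # pending -> committed | reversed


@dataclass
class Issuer:
    """Hypothetical 'Bank A': owns the account and the authoritative ledger."""
    balances: dict
    holds: dict = field(default_factory=dict)
    next_id: int = 1

    def authorize(self, account, amount, now):
        """Phase 1: debit immediately and remember the hold until the ATM confirms."""
        if self.balances.get(account, 0) < amount:
            return None
        self.balances[account] -= amount
        hold_id = self.next_id
        self.next_id += 1
        self.holds[hold_id] = Hold(account, amount, now)
        return hold_id

    def confirm_dispense(self, hold_id):
        """Phase 2: the acquiring ATM reports that cash left the machine."""
        hold = self.holds.get(hold_id)
        if hold is None or hold.state != "pending":
            return False  # unknown, already reversed, or replayed confirmation
        hold.state = "committed"
        return True

    def sweep(self, now):
        """Roll back every hold that was never confirmed within the timeout."""
        reversed_ids = []
        for hold_id, hold in self.holds.items():
            if hold.state == "pending" and now - hold.created_at >= REVERSAL_TIMEOUT_S:
                self.balances[hold.account] += hold.amount
                hold.state = "reversed"
                reversed_ids.append(hold_id)
        return reversed_ids


def withdraw(issuer, account, amount, now, dispenser_ok):
    """Hypothetical 'Bank B' ATM: authorize remotely, then try to dispense."""
    hold_id = issuer.authorize(account, amount, now)
    if hold_id is None:
        return "declined", None
    if not dispenser_ok:
        return "authorized_not_dispensed", hold_id  # receipt printed, no cash
    issuer.confirm_dispense(hold_id)
    return "dispensed", hold_id
```

A confirmation that arrives after the sweep is refused, so a late or replayed "dispensed" message cannot re-commit a debit that has already been returned to the account.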

Insecurity and Paranoia (4, Interesting)

heironymouscoward (683461) | more than 10 years ago | (#8626629)

It's not immediately evident how Windows XP opens a security risk on an ATM, nor how this means that Diebold voting machines are somehow hackable.

ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection. And if you could do that, I suspect pretty much any ATM would be hackable. There is a reason why ATMs are built from heavy steel and anchored in concrete.

Diebold systems raise paranoiac hackles for another reason: control and oversight. You don't need to invoke security flaws and Windows XP to realize that ballot boxes represent power and money. Whoever controls the counting process controls billions, trillions of $, and this is a temptation that few, if any, people can resist.

The argument against paperless touch-screen voting systems comes from the fact that such systems open the way to serious internal fraud, rather than hacking through any hardware or software weakness. Election fraud is done by incumbent politicians, not by hackers exploiting BSoDs.

The nightmare scenario for future US elections is where after a largely electronic and unverifiable poll, the governing party gets 55% of the vote despite exit polls showing that it got 45%. What would happen after such an event is anyone's guess, but it would not be pleasant.

Re:Insecurity and Paranoia (0)

Anonymous Coward | more than 10 years ago | (#8626650)

ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection. And if you could do that, I suspect pretty much any ATM would be hackable. There is a reason why ATMs are built from heavy steel and anchored in concrete.

This curious design feature may also have to do with the large sums of money that tend to be associated with ATMs.

Re:Insecurity and Paranoia (5, Funny)

Anonymous Coward | more than 10 years ago | (#8626656)

No you fool! You pry the thing open, push the rectangular boxes of money aside and plug a USB keyboard into it and get hacking!

WRONG! (3, Informative)

Anonymous Coward | more than 10 years ago | (#8626659)

"ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection."

If you read the article you would find out that they managed to input text - but with charmap instead of a keyboard. So having no keyboard is no insurance that no one will be able to input character data.

Re:WRONG! (2, Interesting)

heironymouscoward (683461) | more than 10 years ago | (#8626682)

Hmmm, I did read the article (I'm new to Slashdot, sorry!). The charmap was clearly so painful to work with that they could do nothing except play some existing sound samples and speak one message.
You would need a lot better control than that to hack a machine in realtime. And if it's not in realtime, then the machine must have a network connection, or be able to save state in some way. ATMs seem designed without either of these, and so I'd regard them as "pretty unhackable" in the traditional sense. Attaching fake front-ends and spycams is much more feasible but this hardly depends on the OS used.

With a little preparation... (1)

Kjella (173770) | more than 10 years ago | (#8626734)

...remember, it does come with a smart card reader, which is accessible as a device in Windows. Insert rootkit card, run program from card and voila. You can probably skim card numbers, PINs, everything. Figure out how the money dispenser works and simply have it dump all the cash on demand, then clear itself from the ATM. They'd never have a clue what hit them.

Kjella

Hmm, if I were going to hack an atm (1)

way2trivial (601132) | more than 10 years ago | (#8626726)

I'd do one of the rolling jobbies like in wawa/7-11.


first of course, I'd get a job there, learn the service schedule
locally, I believe they use ISDN, but some just use modems... hack the line, take one that uses standard modem, and insert a relay// discern traffic based on your own atm both approved and denied.. when you feel confident, walk into another, insert a small box at end of phone cord that approves all atm withdrawal requests *up to the machine limit* and clean it out..

big heavy metal boxes, with little tiny unsecured phone lines.

the traffic sniffer shouldn't be anything more than a tone generator and two modems connected to a small pc.

Then how could the internet outage affect ATMs (1)

Bender Unit 22 (216955) | more than 10 years ago | (#8626767)

If not, then how could the internet outage we had some time ago (the DDoS attack deal, if I remember correctly). There were many reports that the problems on different parts of the internet caused problems for banks and ATM machines.

That being said, I simply don't understand why they would use the internet as transportation media. Companies making WANs on the internet using VPN is one thing but even they use dedicated lines if the connectivity is vital to their business.

Re:Insecurity and Paranoia (2, Insightful)

jellomizer (103300) | more than 10 years ago | (#8626776)

"I Wrote this without a keyboard"
Cut and paste really does work, although a bit slow. Say you use the integrated web browser and you can get a hand on most if not all the characters you need. Plus there is the character picker. But you probably have enough letters to choose from cutting and pasting to give you access to install a virtual keyboard or something. Now someone has access to a computer that dispenses money. I don't know about you but that seems like a security risk to me. Heck, install a spy-ware program on it to record people's ID and the next time it reboots you can use it to dispense some cash yourself. Using an OS designed for home users (including standard Linux/Unix distributions) is a bad idea. For an ATM the computer OS needs to just run that ATM and that's it (well, perhaps some diag software for the service people). Heck, you can make a more secure system with MSDOS 3.0 after you delete all the extra files you don't need. And put the software in line 2 of the autoexec file. Line one will need to install the touch-screen TSR.

DIEBOLD Election Machine (3, Funny)

myownkidney (761203) | more than 10 years ago | (#8626631)


Welcome to the 2004 Presidential Elections
Brought to you by DIEBOLD

Please select your new president:

George W. Bush [x] (recommended)
John Kerry [ ]
Ralph Nader [ ]

Submit [mithuro.com] Reset [mithuro.com]

If you are an official, and if you would like to adjust the vote manually, click here [mithuro.com]


Shouldn't that be... (1)

Kjella (173770) | more than 10 years ago | (#8626766)

George W. Bush [x] (recommended)
[ ] Ralph Nader
John Kerry [ ]
Kjella

Video of the ATM in action (4, Informative)

Anonymous Coward | more than 10 years ago | (#8626632)

http://yogi.pdl.cmu.edu/~cgeisser/photos/

Video with audio of ATM in action

crashing atms (0)

slart42 (694765) | more than 10 years ago | (#8626634)

I once had a debit card, which would certainly cause the cash machines of a certain bank in my area to crash - it would give me my card back, and display an error message, and then reboot into DOS after a while of not responding..

Bloated software, bloated website (1)

P-Nuts (592605) | more than 10 years ago | (#8626643)

It's not exactly surprising that they waste complexity on an ATM when they have this [diebold.com] bloated Flash website.

If only we could get it a wav file of this song (-1, Offtopic)

nounderscores (246517) | more than 10 years ago | (#8626649)

...Before the 2004 elections.

Puff the Nuclear Weapon

Puff the Nuclear Weapon was pointed at Iraq,
and waited in his submarine for the signal to attack.
Little George Bush Junior, he loved that rascal puff,
and all those days, he nightly prayed for the UN to get tough.

oh
Puff the Nuclear Weapon lived in the sea,
protecting all our freedoms to
a brand new SUV.
Puff the Nuclear Weapon lived in the sea,
protecting all our freedoms to
a brand new SUV.

Now Puff he liked to travel, so he wore travelling clothes
While Bush was home and on the phone, from locations undisclosed.
Presidents and Princes, they bowed when'ere he came,
and Nation States lowered their flags when Puff roared out his name.

oh
Puff the Nuclear Weapon defender of the peace,
securing the world's oil supply
and the occasional golden fleece.
Puff the Nuclear Weapon defender of the peace,
securing the world's oil supply
and the occasional golden fleece.

Plutonium lasts for ever, but not so little boys.
ICBMs and M-16s give way to... other toys.
And one grey day it happened: The traders broke the Dow.
So Puff the Nuclear Weapon's on the open market now.

His warhead packed in plastic, green crates that bore his name.
Poor Puff would not intimidate for the Stars and Stripes again.
Without his life long friend, poor puff could not be brave,
so al-Qaida hid that weapon in a deep, dark, man-made cave.

oh
Puff the Nuclear Weapon lived in the sea,
but now he's in a backpack
some where close to you and me.
Puff the Nuclear Weapon defender of the free,
and you can blame it all upon
Bush fiscal policy.


lyrics fully GPL. And it's satire too.

Re:If only we could get it a wav file of this song (0)

Anonymous Coward | more than 10 years ago | (#8626713)

I always liked the original song, "Puff The Magic Dragon", though it was always a sad song for me. We used to sing it when we were kids, and it always saddened me.

Boy, times sure change (2, Interesting)

Rogerborg (306625) | more than 10 years ago | (#8626651)

>Finally, an annoyed faculty member in an adjacent office unplugged the machine and dispersed the crowd.

I remember back in the day, when faculty in a technical university would stop two wars before breakfast, and still have time to help with a hack before the toast popped.

Kind of sad to see the spirit of exploration being so ruthlessly crushed. Attention US Educators: creativity and free thinking is our only advantage over India and China. Ponder on who's going to be paying for your Medicare before you decide to quell your inquisitive students.

And that's legal? (1, Insightful)

jsebrech (525647) | more than 10 years ago | (#8626653)

I'm curious how it could be legal to use windows for an atm machine. It seems to me that a windows machine can't possibly be made trustworthy (in the "verification of what's running" way), and therefore is just a network break-in waiting to happen. If you can't trust the platform you're running on, it's irrelevant how secure your software is. And I don't suppose secure is an appropriate word to describe diebold's software.

This reminds me of the case a few years back where people ran a network of fake atm machines. They would do the actual atm transaction, but then store your card info and pin, and since they had modified the actual atm, nobody was the wiser. It wasn't until millions of dollars started disappearing from accounts that people caught on.

I could never trust a financial network that's designed in a way that such a thing is even possible.

hrmmmm (1)

ShadowRage (678728) | more than 10 years ago | (#8626655)

surprised it didn't say
" with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of failing software and hardware, next to microsoft."

seriously, why anyone even uses diebold is beyond me.. they have a real bad track record with stability and security, on top of that.. with windows XP? I wouldn't trust that crap with my bank info, at all.

Pictures of something similar (4, Interesting)

Caligari (180276) | more than 10 years ago | (#8626669)

I took pictures of Diebold ATM machines doing something similar in Paris.

Take a look here [unworkable.org]

Seen it before, at the grocery store. (1)

cixelsyd (239) | more than 10 years ago | (#8626670)

This happens often at the local supermarket, with the "U-SCAN" self-checkout machines. My girlfriend always stops me from tinkering with them, and they appear to be running Win2k, but I have to wonder how difficult it would be to get it to spit out change.....

Imagine a Beo... (4, Informative)

frenchs (42465) | more than 10 years ago | (#8626677)

Here is the Diebold specification PDF for the 520. It says the thing has a P4 in it, and I would assume this is because they designed some sort of software framework for the Opteva to be expandable in the future to do things like sell concert tickets.

Imagine if that CDR drive was usable to load programs onto it. Furthermore, I'm really hoping these things don't have bluetooth in them.

520 Spec PDF [diebold.com]

-Steve

No, but my phone thought it could... (1)

Hallucinosis (13082) | more than 10 years ago | (#8626678)

it's a good thing the phone was free.

No regrets.

Can my Atm play Beethoven? (2, Informative)

ShadowRage (678728) | more than 10 years ago | (#8626684)

no, don't think so...

but I hear it can play metallica and pong.

The Rhyme Of The ATM User (4, Funny)

pandrijeczko (588093) | more than 10 years ago | (#8626708)

Windows, Windows, every where,
Why's getting out money so hard?
Windows, Windows, every where,
It's eaten up my card.

The spirit deep within: O Gates!
That ever this should be!
Yea, buggy things did crawl with legs
Within Windows XP.

About, about, it must reboot
My card's still held within!
No beer to quench my thirst tonight,
Blue screen, and wallet thin.

And some in dreams assured were
Of the spirit that plagued me so:
The demon Gates had followed me
From Redmond's deepest flows.

And my poor tongue, through beerish drought,
Was withered at the root;
I could not speak, no more unless
This teller would reboot.

Ah! well a-day! what evil looks
Had I from old and young!
Instead of the cross, this penguin fine
About my neck was hung.

Same in airport (3, Funny)

dargaud (518470) | more than 10 years ago | (#8626711)

I got a retrospective scare at an airport in southern Italy last month. While waiting for my luggage, all the screens suddenly showed an error Windows popup in the middle. I wanted to click the [OK] button so bad...

What really scares me! (3, Interesting)

zakezuke (229119) | more than 10 years ago | (#8626718)

Bank Fraud! Something that debits let's say a penny per transaction is actually a moderately simple program to design provided you actually have access to bank accounts and a bank network. It's difficult for your average joe to do without access to machines on the bank network. Well... a cash machine is indeed on a bank network, and has the ability to withdraw sums of money, log bank cards / pin numbers, the lot! These things rebooting in a way that can actually be used like normal windows scares the hell out of me.

I've seen OS/2 on ATM screens many times (0, Flamebait)

gatkinso (15975) | more than 10 years ago | (#8626732)

Where is all the FUD about that??

The more I read Slashdot, the more disgusted I am. A bunch of little Linux fans sniping at Microsoft every chance they get.

Christ get a life.

Re:I've seen OS/2 on ATM screens many times (3, Insightful)

vadim_t (324782) | more than 10 years ago | (#8626780)

The problem's not so much Windows as the lack of customization.

If those machines were locked down embedded Windows or something similar, then I wouldn't be so worried. But these things appear to be more like a normal Windows installation with an ATM program on top. That *is* scary.

Think of it, if so much care was taken on the design of the ATM, how do you know that your credit card number and PIN aren't in a text file that can be read directly if you manage to get to the Windows interface?

And what will happen when the virus of the week hits it because nobody bothered closing unneeded ports?

Famous High-visibility Windows Barfs (1)

trveler (214816) | more than 10 years ago | (#8626741)

Here. [linuxjournal.com]

Character map? (2, Insightful)

vrt3 (62368) | more than 10 years ago | (#8626747)

Why didn't they use the on-screen keyboard instead of the character map for entering text?

Ahem, is the money dispenser connected via serial? (3, Interesting)

nlt (677934) | more than 10 years ago | (#8626754)

So if the money dispenser is connected via a serial port, maybe you could "echo tray1-4>COM1" and get 4 hundred dollar bills? obviously you'd need to know their system, but hey, if you knew someone who did know it, well then wikkid.

Stupid Students or maybe.. (4, Insightful)

sh0rtie (455432) | more than 10 years ago | (#8626769)


too honest

they had a machine that would give them money and all they did was use media player? Diebold got off lightly!

they [evil student] could have written a keylogger/pin reader/card cloner/data capture using the on-board vbscript/wscript language (full access to filesystem and shell), build in a network check so as soon as the machine detects a network connection (as the students said it wasn't connected to anything, presume at some point it will be connected to a network by an engineer or repairman) it tries to post the captured data to some.random.location.com, install it as a system service so it runs automatically in the background, even schedule it to run at specific times and you have one totally compromised machine

would have taken an hour max of programming time, maybe 15min if all you had to do was type it in and not compose it.

scary that not only is the software Windows but it has its own built-in programming environment with access to every program on that machine including network access, and the only tool you need is notepad.

Windows XP Embedded (4, Insightful)

XNormal (8617) | more than 10 years ago | (#8626773)

If they insist on using a Microsoft OS at least they could use Windows XP Embedded. [microsoft.com]

It's a componentized version of Windows XP with a set of tools to customize it, remove any unnecessary components and prepare system images. It also has tricks like running from read-only media and intercepting message boxes that end users should not see.

It's even cheaper (for a moderate number of licenses).

geez, if they're going to use windoze (1)

next1 (742094) | more than 10 years ago | (#8626778)

you'd think they would at least use the basic security of a password to logon!

OT: Taxicab roof sign boot sequence (1)

Jayfar (630313) | more than 10 years ago | (#8626783)

In Philadelphia, and I imagine other large US cities, within just the past year or so taxicabs have begun sporting new rooftop electronic advertising signs. Each of the signs' 2 sides, about 4' long, is divided into 2 portions. For most of its length, it consists of orangish LEDs, which are used to display sports scores and crude pixelated versions of league logos. The rightmost portion, however, is a full color LCD display, typically showing a red & white ESPN logo. What caught my eye was one day seeing a cab pulling away from a hotel, apparently from a cold start, and before it was out of view, I plainly saw the LCD going through POST and the BIOS portion of a PC boot sequence. Regrettably the cab was gone before I could observe what OS it was running.