Another reason for not using Windows

[hazel]

Did you know that ATMs use Windows? No, I didn't either. There's an article in this week's New Scientist which describes a new ATM worm which masquerades as a Windows program called lsass.exe. This program usually manages a keyring for caching passwords; ATMs don't require it, but because it's a standard part of Windows, security experts probably wouldn't be suspicious at finding it. The rogue version harvests PINs and other security data; then, when a particular card is inserted, it prints out the harvested data through the ATM's receipt printer. All the cards can then be cloned.

Maybe they ought to use Linux

[bigtomrodney]

Yeah a lot of ATMs run Windows 2000. There are only a handful of manufacturers of ATMs. ATMs that I have seen all reside on their own closed networks, they really need to for what they do. Again they're insured to the hilt and also a very sore spot for banks who could lose a lot of money through skimmers and bulldozer raids. There is a huge amount of attention around their security so to be honest whatever risks there are around ATMs, they're not yours

I hate to sound like I'm just saying "it's fine there's nothing to worry about, move along" but I actually work in the financial services industy and have come into direct contact with frontend, backend and mid-tier processes surrounding security in all of the systems you mentioned. I'm personally very careful with passwords and PINs but what I do know is that if there are any losses to be had they'll be the insurance company's.

The largest threats to you are social engineering; phishing emails, 419 scams, polite phonecalls asking you to verify details....Put it this way, as long as it's you inititiating the transaction and you haven't done anything silly like write your PIN on your card or emailed your logon details for online transactions then you're completely safe. This is one thing I can assure you of.

[bigtomrodney]

Oh yeah, the lsass.exe thing. If you check Task Manager in Windows you'll almost certainly find lsass.exe as a running process. The thing is it's also been targeted or used as a disguise for years now (in fact it's long considered old news). It's might fool humans, but it certainly won't fool your antivirus or antimalware!

[hazel]

Yeah a lot of ATMs run Windows 2000. There are only a handful of manufacturers of ATMs. ATMs that I have seen all reside on their own closed networks, they really need to for what they do. Again they're insured to the hilt and also a very sore spot for banks who could lose a lot of money through skimmers and bulldozer raids. There is a huge amount of attention around their security so to be honest whatever risks there are around ATMs, they're not yours

I'm not worried. I have no reason to be as I never use ATMs anyway. I do have a plastic card but I use it only to guarantee cheques. And the article did make it clear that this particular scam needs insider help. But I admit I was surprised to find that, in an area where security is so important, people would use Windows at all. I thought Linux was the preferred option for embedded systems.

[Rubberman]

I remember getting a BSOD on an airport checkin terminal, and thinking to myself, "What a bunch of morons! Do I REALLY want to fly with them?". Management makes the call for WIndows, often for all the wrong reasons. Real time, highly secure, and mission critical systems all should be almost anything BUT Windows! I just keep remembering the fiasco of the Denver International Airport baggage handling system. When it was announced, and that it would be controlled by a distributed WIndows NT system, I banged my head against my desk in disbelief, and said (as I best recall), that it would NEVER work! Guess what? It never did, and they eventually ditched the entire thing at a cost of some $100's of millions of USD.

[Jonathan183]

It's a bit of a worry ... but if they were running Vista I'd be really worried. I guess I just expect someone to have a good think about what they are doing before deciding on an OS for this sort of application ... maybe Win2k was the best choice - but it depends on your selection criteria

... the thing with insurance is we end up paying for it in the end, so insured loss just means spreading costs across many people.

[bigtomrodney]

The simple answer is accountability. Large companies won't use open source in high-risk operations, because if anything goes wrong the buck stops with them.

If an ATM gets reamed by a hacker due to a Microsoft flaw, the bad press and possibly even legal procedings ends with Microsoft. If a bank use a customised Linux that they either did themselves or used a small firm to do the work on there isn't enough accountability. It really is as simple as that. If banks thought they could save all of that licence money, believe me they would. In this arena even Red Hat aren't considered big enough. Maybe when they partner up with Siemens/Nixdorf and sell that system out of the box banks will take it on.

[Rubberman]

I remember getting a BSOD on an airport checkin terminal, and thinking to myself, "What a bunch of morons! Do I REALLY want to fly with them?". Management makes the call for WIndows, often for all the wrong reasons. Real time, highly secure, and mission critical systems all should be almost anything BUT Windows!

Well, I wonder how much running Windoze cost United Airlines today when their checkin systems died at O'Hare here in Chicago? What dren! Well, I hardly ever fly Untied Airlines any longer - much prefer Southwest. Better leg room and way cheaper fares! And I don't have to pay extra to check in luggage.

[bigvoo]

A girl I work with gave me 2 broken laptops, I had them both running within 30 minutes ( ya...windows problems not hardware ) one also had a broken lcd, so I used it to install linux beside xp, just to show her..she had said " my brother told me not to use that linux stuff" to which I replied " and why then, doesn't your brother fix the windows xp ??" any how, I booted the computer into linux mint, and did a few things, THEN i rebooted into xp, it was a riot, ( 9 ) pop-up's...everyting from norton, to windows updates to blah blah blah, and the comp was just nearly un-usable....plus the guy she bought it from had removed some drivers fro some reason, 2 days later she begged me to remove windows and put mint in. :P

[Rubberman]

There is one good thing about Windows. It serves as a baseline for what not to do when creating a computer operating system.