6

...how do banks keep their ATMs safe?

Have a handful of companies sprouted after XP's end of cycle offering patches?

schroeder
Pierre B
    Companies can pay for extended support from Microsoft. – schroeder Mar 31 '16 at 00:24
  • 1
    I'd note, before XP, it was probably OS2. Granted that's an obscure enough OS... that security by obscurity might have been a thing. – Journeyman Geek Apr 03 '16 at 14:24
  • 2
    From what I have heard: they almost don't; some run proprietary networks for the ATMs so that it's impossible to contact them from the outside. If that is done correctly, the attack surface is drastically reduced and old OSes are just fine. – marstato Apr 03 '16 at 15:21

4 Answers

8

ATMs normally lie on an isolated network directly to the bank that owns the ATM. This is normally enforced by a VPN router if there's no leased point-to-point line at the location, where the local end does not allow any traffic outside the VPN, even if malicious software on the ATM deliberately tried, and the remote end's firewall is configured to not allow any traffic other than what is required for ATM operation.

This means normally that the ATM does not have access to the internet, nor does the internet have access to the ATM.

As the customer also never gets to have any physical input to the ATM, like USB, keyboard or mouse; rather, the customer inputs via card reader, PIN pad and screen selection buttons are managed via RS232 and similar interfaces, so the ATM software has full control and the customer cannot send any data to the underlying operating system, the ATM can be considered isolated and safe.

Thus: since there's no possibility to inject malicious software, neither via the local console (if you don't have the keycard to open the restocking/maintenance room, but then the security of the ATM computer is less of an issue, since if unauthorized access has happened to that room, the ATM is usually replaced as a precautionary measure), nor via the internet, unless you do have access to the bank's server hall where the VPN terminates, there cannot be malware or hacks on the ATM in the first place, regardless of the security of the OS.

And in addition, even if someone managed, despite all security measures, to plant some sort of malware on the machine, the malware cannot send its data anywhere.

Communication with the card reader, PIN pad and cash unit is usually encrypted end-to-end.

In other words, by planting malware on an ATM, you would just get a fancy receipt printer, or you could prank the user by changing the amount the user wants to withdraw - e.g. the user selects "$10" but a "$50" bill comes out and "$50" is pulled from the account (and most users would regard the ATM as broken and deposit the sum they got "too much").

So the security of the operating system on an ATM does not really matter. The security around it is normally so tight that it compensates.

In addition, some newer ATMs provision their operating system and relevant ATM software via PXE, and reboot regularly, to clear out any and all unauthorized changes to the system installed on the ATM.

sebastian nielsen
  • Good answer. I agree with your comments about isolation. However, I disagree about impact. Most ATMs are designed so that if you have control of the host OS you can dump all the cash - a very serious impact indeed! – paj28 Mar 31 '16 at 15:46
  • 2
    Maybe that about the host OS being able to control the cash unit without any authentication from the bank is applicable to less secure ATMs, like those one-stop-to-go ATMs in groceries and such; those do even sometimes have a password-protected admin panel with full control of the whole ATM. Real ATMs (in-the-wall ones), at least here in Sweden, do have some e2e authentication system for the cash unit, else there would be no point in having a secure safe underneath with ink protection, sometimes with one-time passcodes, if you could just break open the ATM and then reprogram the ATM to dump the cash. – sebastian nielsen Mar 31 '16 at 21:32
  • 1
    You can hack a system with a [surprisingly small attack surface](http://tasvideos.org/2513M.html). – Mark Apr 04 '16 at 08:36
  • 1
    Some ATMs have been hacked with malware installed via USB. http://www.kaspersky.com/internet-security-center/threats/tyupkin-malware-atm-security-malware – k1308517 Apr 04 '16 at 13:27
  • @k1308517 Did you even read the article you linked? Two types of ATMs were attacked: those "one-stop-to-go" ATMs in groceries, which have almost no security, and also "real ATMs" lacking a security alarm in the restocking room and not having e2e cash units. As they said in the article, installing a security alarm will solve the problem. – sebastian nielsen Apr 04 '16 at 19:40
  • @Mark A game is usually not designed to be secure. An ATM is really designed to be secure from the inside out. The reason one-stop-to-go ATMs are not designed to be secure is that they are usually managed by the grocery store owning them, and allowing insecure grocery networks into the bank network is a no-go. Instead, the shop owner has to fill them with their own cash, and then the shop owner gets paid for any cash withdrawn. Thus any cash stolen would be a loss for the grocery store. It's up to the grocery store to protect it, which can range from alarms to an e2e cash unit linked to the grocery store's server. – sebastian nielsen Apr 04 '16 at 19:45
7

Microsoft is supporting Windows XP under certain circumstances

As this article states, the US Navy has re-upped support for their Windows XP footprint for another year as of 2015.

Microsoft is supporting the operating system from several aspects under these special agreements.

  • Security Patches

  • Bug Fixes

  • Customer Technical Support

Due to the high level of adoption by institutions that are critical to our nation's infrastructure, from banking to military, Microsoft kept behind some of its Windows XP development team and created support agreements that it will offer under 'special' circumstances.

The Navy is paying $9 million per year for this agreement.

Here are some additional dates for end of 'extended support' for SQL 2005 and Exchange 2003.

Additional link regarding Microsoft 'extended support'.

Citizen
0

As the answers above state, it isn't just about updates to the system. It's also about the "attack surface" the system presents. If a means of attack is simply cut off (because of system security restrictions, software not installed or not enabled, firewall or network access blocks, etc.) then the user can't attack through that route.

Quick examples to show what I mean: if you don't have the right to install new executables or replace DLLs without some security method applying, then weaknesses you could introduce that way aren't applicable unless you also have a weakness in that security system as well. No email installed / a locked-down browser scope would automatically limit the vulnerabilities available if emails could be clicked or arbitrary web pages opened, even if those vulnerabilities themselves still exist.

Stilez
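The PXE re-provisioning and regular reboots that sebastian nielsen's answer mentions, and Stilez's point that denying the installation of new executables or the replacement of DLLs removes a whole class of weaknesses, both rest on one idea: the machine should contain exactly what was provisioned and nothing else. The following is an added example, not code from the page, from any bank or from any ATM vendor. It takes a SHA-256 baseline of a software tree and reports anything added, removed or modified against it; the directory layout, file names and file contents are constructed for the demonstration, and in a real deployment the baseline would come from the provisioned image.

```python
"""Integrity baseline for a provisioned software set.

Added example, not from the page or any vendor. The tree built in demo()
is constructed; the check itself (hash everything, diff against the
baseline) is what a reboot-to-image makes unnecessary and what an operator
would otherwise run to spot unauthorized changes.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    return {
        path.relative_to(root).as_posix(): file_sha256(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def check_drift(root: Path, baseline: dict) -> dict:
    """Diff the current tree against the baseline.

    Under an allow-list model every difference is an unauthorized change:
    a new executable, a missing component, or a replaced DLL.
    """
    current = take_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: provision a tree, then simulate two unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "config").mkdir()
        # Constructed placeholder contents standing in for the provisioned image.
        (root / "bin" / "atmapp.exe").write_bytes(b"provisioned application image")
        (root / "bin" / "cashunit.dll").write_bytes(b"vendor cash-unit driver")
        (root / "config" / "hosts.cfg").write_text("bank-atm-host=10.1.1.10\n")

        baseline = take_baseline(root)
        # A freshly provisioned system shows no drift at all.
        assert check_drift(root, baseline) == {"added": [], "removed": [], "modified": []}

        # Simulated unauthorized changes: one DLL replaced, one binary dropped in.
        (root / "bin" / "cashunit.dll").write_bytes(b"replaced driver contents")
        (root / "bin" / "unexpected.exe").write_bytes(b"binary that was never provisioned")

        return check_drift(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline is keyed by relative path so it can be taken from the image on the provisioning server and compared on the running machine; a hash mismatch on `bin/cashunit.dll` is exactly the "replaced DLL" case, and `bin/unexpected.exe` is the "new executable" case, both of which the reboot-to-PXE-image approach wipes out without needing this check at all.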
-1

If you lock down the whole computer, run only a single application, allow it to securely connect (even through open internet) only to a particular server (that you control), but block all incoming requests from the internet, then there are practically no vulnerability delivery ways to exploit.

A new 0-day would be only a concern if it could somehow get onto the target system.

And by the way: "XP" is still getting updates

filo
  • I disagree with your wording. It is not the case that there are no vulnerabilities to exploit, merely that the typical routes for exploitation are mitigated. – schroeder Apr 03 '16 at 16:27
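The isolation sebastian nielsen's answer describes (the local end passes nothing outside the VPN, the remote end's firewall allows only what ATM operation requires) and the lock-down in filo's answer (one application, one server it may reach, all inbound blocked) are the same design: a default-deny allow-list on both ends of the path. The following is an added example, not code from the page, from any bank or from any vendor. It is a small policy evaluator with constructed addresses, a hypothetical service port and constructed sample flows, showing which flows survive both ends and where the others are dropped.

```python
"""Default-deny policy on both ends of an ATM's VPN path.

Added example, not from the page or any bank or vendor. All addresses,
the service port and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One allow rule; None for dport/proto matches any value."""
    src_net: str
    dst_net: str
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in ip_network(self.src_net)
            and ip_address(flow.dst) in ip_network(self.dst_net)
            and (self.dport is None or self.dport == flow.dport)
            and (self.proto is None or self.proto == flow.proto)
        )


class Policy:
    """Allow-list: a flow is accepted only if some rule matches, else dropped."""

    def __init__(self, allow_rules):
        self.allow_rules = list(allow_rules)

    def decide(self, flow: Flow) -> str:
        return "ACCEPT" if any(r.matches(flow) for r in self.allow_rules) else "DROP"


# Constructed topology: ATM segment behind the local VPN router, the bank's
# ATM host at the far end of the tunnel, hypothetical TCP port for the ATM protocol.
ATM_NET = "10.20.0.0/24"
BANK_NET = "10.1.1.0/24"
BANK_ATM_HOST = "10.1.1.10/32"
ATM_SERVICE_PORT = 8443

# Local end: nothing leaves the ATM segment except into the tunnel toward the
# bank network, and nothing from outside the segment is forwarded at all.
LOCAL_END = Policy([Rule(ATM_NET, BANK_NET)])

# Remote end: of the tunnel traffic, only the ATM protocol to the ATM host is
# allowed; every other destination or port inside the bank network is denied.
REMOTE_END = Policy([Rule(ATM_NET, BANK_ATM_HOST, ATM_SERVICE_PORT, "tcp")])


def path_decision(flow: Flow) -> str:
    """A flow reaches its destination only if both ends accept it."""
    if LOCAL_END.decide(flow) == "DROP":
        return "DROP@local"
    if REMOTE_END.decide(flow) == "DROP":
        return "DROP@remote"
    return "ACCEPT"


# Constructed sample flows covering the cases the answers discuss.
SAMPLE_FLOWS = {
    "atm_to_bank_service": Flow("10.20.0.5", "10.1.1.10", ATM_SERVICE_PORT),
    "atm_to_internet": Flow("10.20.0.5", "203.0.113.7", 443),       # software on the ATM trying to reach outside
    "internet_to_atm": Flow("198.51.100.9", "10.20.0.5", 3389),     # inbound from the internet
    "atm_to_bank_other_host": Flow("10.20.0.5", "10.1.1.20", 22),   # inside the tunnel, but not needed for operation
}


def audit() -> dict:
    """Decide every sample flow; the dict is what the test below checks."""
    return {name: path_decision(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, decision in audit().items():
        print(f"{name:24s} {decision}")
```

The point of evaluating both ends separately is the one schroeder's comment makes: nothing here removes a vulnerability on the ATM's OS; it only removes the routes by which one could be reached or used, so the local end stops outbound and inbound traffic that never belonged in the tunnel, and the remote end narrows what is left to a single host and port.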