News that Windows-based ATMs operated by two unnamed financial institutions were affected by the W32/Nachi worm last August has heightened concerns of bankers planning a switch from the OS/2 operating system to Windows.
Unlike Windows, OS/2 never attracted hackers’ attention.
"Theoretically, OS/2 running on a bisync network is just as vulnerable, but how many hackers know how to do it?" said Stuart Spinner, director of enterprise data security for Concord EFS.
"Outside the ATM world, there's been very little exposure to that technology. With Windows, any 16-year-old kid running a TCP/IP network in his basement can download hacking tools from the Internet."
Details of how ATMs were infected remain shadowy, but breaches apparently occurred on ATMs networked via IP connections. While not all Windows-based machines are configured for IP, many financial institutions are moving to IP to integrate ATMs with other Windows-based channels.
"It would be too cost-prohibitive to switch to Windows without looking at extending your enterprise functionality into the ATM channel," said Steve Osborne, NCR's general manager of enterprise solutions for APTRA.
"You've had IP-enabled ATMs since the late '90s, but most of them have been on OS/2 rather than Windows. There's still a threat of infection, but it's significantly reduced. Similarly, there is a threat with Windows in a non-IP environment, but it's not as great. "
Nachi notwithstanding, it's difficult for worms and viruses to infect ATMs because they lack e-mail capabilities, Microsoft Word programs and other common entry points, Osborne said.
FIs rolling out Windows-based ATMs have adopted different networking approaches. Some use a virtual private network to funnel all ATM transactions through a Web browser that sits between the host and the ATM.
Others, including FleetBoston Financial, maintain a dedicated, leased-line connection for standard transactions, routing them to the host via SNA (IBM's Systems Network Architecture). Web-based transactions, such as a bill payment application the bank is piloting at some ATMs, are routed to servers via a VPN.
Jim D'Aprile, Fleet's VP of ATM/Self-Service Banking, noted that security concerns played a part in Fleet’s decision.
Firewalls and virus scans are crucial, said Tom Sonby, Concord ‘s vice-president of technology systems. "I'd say that 99.9 percent of the time, all it takes is the implementation of some very sensible procedures to minimize your exposure to attacks."
While widely implemented elsewhere in the enterprise, few of these measures are used at ATMs. "Software security is not something that this generation of ATM executives has had to deal with much," Osborne said.
That’s changing, said Kevin Carroll, Concord’s director of ATM services. "When an ATM is Windows based, you've got to consider it another desktop in your network. It's part of the enterprise, and you need to adopt the same security measures there that you have in place elsewhere."
