POV-Ray : Newsgroups : povray.off-topic : An observation
An observation (Message 88 to 97 of 107)
From: Darren New
Subject: Re: An observation
Date: 3 Nov 2010 16:04:29
Message: <4cd1c04d@news.povray.org>
Mike Raiford wrote:
> I'll never forget the time I used an ATM machine, and as it was
> processing the transaction I heard several of the characteristic IE link
> click sounds as it finished up... that was a bit worrying.

Many ATMs are just running a web browser with appropriate plug-ins for 
running the hardware. It's much easier to add new features to 100,000 
machines that way than it is to go around with secure storage operated by a 
trained technician updating the machines.  I.e., for all the reasons any 
other business creates an intranet instead of a desktop app.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."



From: Invisible
Subject: Re: An observation
Date: 4 Nov 2010 04:58:14
Message: <4cd275a6$1@news.povray.org>
On 03/11/2010 08:04 PM, Darren New wrote:
> Mike Raiford wrote:
>> I'll never forget the time I used an ATM machine, and as it was
>> processing the transaction I heard several of the characteristic IE
>> link click sounds as it finished up... that was a bit worrying.
>
> Many ATMs are just running a web browser with appropriate plug-ins for
> running the hardware. It's much easier to add new features to 100,000
> machines that way than it is to go around with secure storage operated
> by a trained technician updating the machines. I.e., for all the reasons
> any other business creates an intranet instead of a desktop app.

...so what you're saying is that many ATMs are trivially hackable?



From: Le Forgeron
Subject: Re: An observation
Date: 4 Nov 2010 05:18:49
Message: <4cd27a79$1@news.povray.org>
On 04/11/2010 09:59, Invisible wrote:
> ...so what you're saying is that many ATMs are trivially hackable?

That would be illegal (to crack an ATM), so it cannot happen.

You are also assuming the ATM is directly on the internet... I hope they
are just on a private network with better protection.

For instance, the train ticket vending machine of my country used to be
connected to the mainframe (or whatever it is, aka the mother system)
via an X.25 connection. So, to connect to it to crack it, you would have
needed to know its address (and it's far longer than 4 numbers ranging
from 0 to 255), get X.25 access yourself and hope it was not in a
closed group that your port had no chance of being in... Had you been
successful, the network operator would have had evidence against your
port... not that you could not have done it from a trojaned system.

X.25 access is soon to be decommissioned (you cannot get a new one, and old
ones are to be closed soon) by the main telecom operator here.



From: Francois Labreque
Subject: Re: An observation
Date: 4 Nov 2010 08:30:22
Message: <4cd2a75e$1@news.povray.org>
On 2010-11-04 04:59, Invisible wrote:
> On 03/11/2010 08:04 PM, Darren New wrote:
>> Mike Raiford wrote:
>>> I'll never forget the time I used an ATM machine, and as it was
>>> processing the transaction I heard several of the characteristic IE
>>> link click sounds as it finished up... that was a bit worrying.
>>
>> Many ATMs are just running a web browser with appropriate plug-ins for
>> running the hardware. It's much easier to add new features to 100,000
>> machines that way than it is to go around with secure storage operated
>> by a trained technician updating the machines. I.e., for all the reasons
>> any other business creates an intranet instead of a desktop app.
>
> ...so what you're saying is that many ATMs are trivially hackable?

You'd need access to the LAN they're on.  I will make the educated
guess* that most banks will put the ATMs on a dedicated subnet isolated
from the rest of the branch to prevent a virus that the mortgage officer
caught on her laptop from propagating to the tellers' PCs and the ATMs.

*Banks have been operating on the assumption that everyone is a thief 
for hundreds of years.  Security is not new to them.
-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Francois Labreque
Subject: Re: An observation
Date: 4 Nov 2010 08:33:59
Message: <4cd2a837$1@news.povray.org>
On 2010-11-04 05:18, Le_Forgeron wrote:
> On 04/11/2010 09:59, Invisible wrote:
>> ...so what you're saying is that many ATMs are trivially hackable?
>
> That would be illegal (to crack an ATM), so it cannot happen.
>
> You are also assuming the ATM is directly on the internet... I hope they
> are just on a private network with better protection.
>
> For instance, the train ticket vending machine of my country used to be
> connected to the mainframe (or whatever it is, aka the mother system)
> via an X.25 connection. So, to connect to it to crack it, you would have
> needed to know its address (and it's far longer than 4 numbers ranging
> from 0 to 255), get X.25 access yourself and hope it was not in a
> closed group that your port had no chance of being in... Had you been
> successful, the network operator would have had evidence against your
> port... not that you could not have done it from a trojaned system.
>
> X.25 access is soon to be decommissioned (you cannot get a new one, and old
> ones are to be closed soon) by the main telecom operator here.

Those were probably X.25 over point-to-point links, or at the very least 
on a private network, not some available-to-the-public X.25 cloud.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Invisible
Subject: Re: An observation
Date: 4 Nov 2010 09:10:41
Message: <4cd2b0d1$1@news.povray.org>
>>> Many ATMs are just running a web browser with appropriate plug-ins for
>>> running the hardware. It's much easier to add new features to 100,000
>>> machines that way than it is to go around with secure storage operated
>>> by a trained technician updating the machines. I.e., for all the reasons
>>> any other business creates an intranet instead of a desktop app.
>>
>> ...so what you're saying is that many ATMs are trivially hackable?
>
> You'd need access to the LAN they're on. I will make the educated guess*
> that most banks will put the ATMs on a dedicated subnet isolated from
> the rest of the branch to prevent a virus that the mortgage officer
> caught on her laptop from propagating to the tellers' PCs and the ATMs.
>
> *Banks have been operating on the assumption that everyone is a thief
> for hundreds of years. Security is not new to them.

And yet, the above statements suggest that what is "easier" comes before 
what is more secure.



From: Francois Labreque
Subject: Re: An observation
Date: 4 Nov 2010 09:16:50
Message: <4cd2b242$1@news.povray.org>
On 2010-11-03 12:19, Invisible wrote:
>>> Well, the essential point was risk reduction. Sure, you *can* reverse
>>> engineer it. Now tell me how long it'll take, with the same accuracy
>>> with which I can predict how long it'll take to buy a copy of Windows.
>>>
>>
>> Hmm, thousands of dollars in programming hours, and the risk that you
>> get something critical wrong or, $75 per machine for a license.
>
> While these arguments seem sound, it still doesn't really address the
> whole "you don't need an entire desktop OS just to run a trivial
> embedded device like an ATM" angle.

An ATM is a computer with a screen, a keyboard, another input device
(the card reader), three printers (receipt printer, bank book printer and
money dispenser), and a network card.

If the ATM supplier has to decide between buying off-the-shelf parts
designed for an off-the-shelf OS, or reinventing 12 different wheels,
which option do you think he's going to choose?  Keep in mind that he has
to price his machines within the same ballpark as his competitors, who
are themselves also trying to reduce R&D and production costs as much as
possible.  Fewer $$$ (or €€€ or £££) spent on manufacturing means
more $$$ (or €€€ or £££) in profit.

Besides, the desktop OS also offers additional features that you can
use, such as video or sound - to help train your users or provide
advertising - performance and environmental statistics gathering, remote
management, etc...

Let's also look at the problem from a different angle:

Your company makes card readers.  Would you prefer to design your card
readers to use a standard protocol such as RS-232 and write Windows
drivers only, or have to support 57 flavors of cash registers, ATMs and
building security systems?  You're going to support Windows.  Fewer $$$
(or €€€ or £££) spent on development means more $$$ (or €€€ or £££) in
profit.

Finally, one of the main factors a bank will use when it decides to buy 
10,000 ATMs from Diebold, NCR or Toshiba, is ease of management.  If the 
ATM uses a standard desktop OS, patch management and other routine 
updates (sending a new bunch of ads, special promotions, etc...) will 
look a lot like distributing a patch or new version of Excel to the 
30,000 office PCs the bank has in its branches and corporate 
headquarters, so training costs and management tools costs will be 
lower.  Fewer $$$ (or €€€ or £££) spent on acquiring, operating, and 
maintaining ATMs, means more $$$ (or €€€ or £££) in profits.

Sure an ATM doesn't _need_ many of the functions provided by a desktop 
OS, but as you can see, there's a very good reason to go that way 
anyway.  (Let's see if you can spot it!)

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Francois Labreque
Subject: Re: An observation
Date: 4 Nov 2010 09:19:29
Message: <4cd2b2e1$1@news.povray.org>
On 2010-11-04 09:10, Invisible wrote:
>>>> Many ATMs are just running a web browser with appropriate plug-ins for
>>>> running the hardware. It's much easier to add new features to 100,000
>>>> machines that way than it is to go around with secure storage operated
>>>> by a trained technician updating the machines. I.e., for all the reasons
>>>> any other business creates an intranet instead of a desktop app.
>>>
>>> ...so what you're saying is that many ATMs are trivially hackable?
>>
>> You'd need access to the LAN they're on. I will make the educated guess*
>> that most banks will put the ATMs on a dedicated subnet isolated from
>> the rest of the branch to prevent a virus that the mortgage officer
>> caught on her laptop from propagating to the tellers' PCs and the ATMs.
>>
>> *Banks have been operating on the assumption that everyone is a thief
>> for hundreds of years. Security is not new to them.
>
> And yet, the above statements suggest that what is "easier" comes before
> what is more secure.

Banks have also been in the business of making a profit for a few 
hundred years.  They have to balance "secure" with "easy".  They are not 
the CIA, who will go for "secure" regardless of cost.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: scott
Subject: Re: An observation
Date: 4 Nov 2010 09:56:49
Message: <4cd2bba1@news.povray.org>
> And yet, the above statements suggest that what is "easier" comes before 
> what is more secure.

I would imagine banks are pretty good at figuring out the optimal ratio of
"ease" (i.e. cost) to security to maximise profits.



From: Darren New
Subject: Re: An observation
Date: 4 Nov 2010 12:37:39
Message: <4cd2e153$1@news.povray.org>
Invisible wrote:
> ...so what you're saying is that many ATMs are trivially hackable?

Why would they be trivially hackable? They're on a private network with 
end-to-end hardware-keyed encryption, locked in a box that needs two keys to 
open.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."


