The anticipated migration of ATMs from IBM’s OS/2 to Windows XP is expected to bring with it a whole new slew of security issues, an NCR Corp. company official and analyst cautioned at a press briefing last month. But one credit union already running its ATMs on Windows says it’s confident in its machines’ ability to withstand breaches.
There are currently 35,000 ATMs deployed across Canada, said Stephen Risto, director of the Toronto-based APTRA Software Centre of Expertise at NCR, which makes both ATM software and hardware. The machines are “extremely well-used” because “Canadians love the self-service channel.” But ATMs still run on the same technology they were using when they were first introduced in the 1970s – they still sport a black, green or blue screen with text, “one of the most basic interfaces.”
Comparing the migration to Windows XP to a “brain transplant,” Risto said it will fundamentally change the way ATMs are used by both consumers and the financial institutions or retailers that deploy them.
From a functional point of view, Windows-based ATMs could pave the way for things like talking ATMs for people with disabilities, via a text-to-speech engine; image-based deposits, where the system takes a digital image of the cheque (not enclosed in an envelope) and prints the image on the back of the customer’s deposit receipt as proof of the deposit; personalization and customer preferences like language, fast-cash options and screen colours; and targeted marketing of other financial services or products using already accumulated business intelligence.
The Credit Union Central of Manitoba (CUCM) has had Windows NT-based ATMs since 2001. Dale Thompson, vice-president of network services for Celero Solutions Inc., which takes care of CUCM’s IT needs, said Windows has given CUCM’s more than 60 member credit unions the ability to customize interfaces for their users. “That makes it look like they’re dealing with their own credit union.” Thompson doesn’t anticipate a move to XP in the next year, but said it will have to happen eventually because the support for NT ends next year.
One thing that could put a damper on Windows-based ATMs’ service is the issue of security. Earlier this month, North Canton, Ohio-based ATM maker Diebold Inc. revealed that some of its ATMs, operated by two of its financial services customers, suffered a W32/Nachi worm attack in August.
Jamie Sharp, research director, customer segments with IDC Canada Ltd. in Toronto, agreed that with the move to a more “generically-flavoured operating system,” the possibility of vulnerabilities and attacks would be expected to “go up with magnitude.” To compensate, companies would have to spend more time “hardening” the installations of Windows they ship with their ATMs – that would involve disabling unnecessary services and ports and removing files that support peripheral devices used by ATMs.
Celero’s Thompson said he’s always found ATMs “really hard to break into,” because “they really are a single-purpose device.” Thompson said the trick was to isolate the traffic on the ATMs from the rest of the traffic happening on the wide-area network. “That way, all that will be allowed through to that (ATM) device is the messages destined for it – and that eliminates viruses and worms and those kinds of things.”
Risto noted that in conjunction with the move to Windows, banks will also begin moving their ATMs from expensive leased line networks to less-secure Transmission Control Protocol/Internet Protocol (TCP/IP)-based networks – which “in theory, would make ATMs more vulnerable.” That calls for “defense in depth with multiple layers of security,” including installing firewalls and “having all the pieces in place so that recovery is possible,” he said.