Is running Windows XP on ATMs stupid?

Summary:When creating a secure, locked down IT system — for something that is directly responsible for handling cash transactions — would you choose the most popular, most targeted operating system?

When creating a secure, locked down IT system — for something that is directly responsible for handling cash transactions — would you choose the most popular, most targeted operating system?

You would think that running the most widely used operating system on your network of ATMs is just an invitation for trouble. At least some security folk reckon XP makes ATMs an easy touch for hackers.

But not the execs at National Australia Bank (NAB), who this week announced the bank is overhauling its 1,600 ATMs to run on Windows XP.

Gibbins and NAB are not alone on this front. Seventy-five percent of Australia's ATMs run on some version of Windows, according to an NCR spokesperson.

Why?

According to NCR's chief technology officer Alan Chow, running ATMs on Windows is about "brand image".

"Banks spend a lot of energy personalising [an ATM] screen. The ATM is the brand image of the bank. If you want to see the difference why they choose [a full version of Windows XP] — versus a stripped down embedded OS — go to the ATMs at the corner store and compare the user interfaces. Without the interface, it's just a cash dispenser. This is about brand image," he said.

So there's a trade off between convenience and security. I can appreciate that. And I'm sure NAB can mitigate the threats that affect the rest of the world on Windows XP from affecting both its 28,000 newly XP'd desktops and now its ATMs. Running Windows doesn't necessarily mean you're screwed. Just Ask Bruce Schneier.

Back in 2003, Cambridge security researcher, Ross Anderson, in a Wired article, said ATMs running Windows would likely see a Slammer style attack, resulting in money spewing forth from thousands of machines.

FUD and rubbish, said Bruce Schneier. Why? Because in 2003 the machines did not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment.

But National Australia Bank proudly announced this week that it will be the first bank to roll out ATMs that operate on TCP/IP networks.

So don't be surprised if you start seeing ATMs spewing cash from their dispensers. I am going to carry around a swag bag just in case.

Topics: Windows, Apps, Banking, Microsoft, Operating Systems, Security

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.