Is running Windows XP on ATMs stupid?


When creating a secure, locked down IT system — for something that is directly responsible for handling cash transactions — would you choose the most popular, most targeted operating system?

You would think that running the most widely used operating system on your network of ATMs is just an invitation for trouble. At least some security folk reckon XP makes ATMs an easy touch for hackers.

But not the execs at National Australia Bank (NAB), who this week announced the bank is overhauling its 1,600 ATMs to run on Windows XP.

Gibbins and NAB are not alone on this front. Seventy-five percent of Australia's ATMs run on some version of Windows, according to an NCR spokesperson.


According to NCR's chief technology officer Alan Chow, running ATMs on Windows is about "brand image".

"Banks spend a lot of energy personalising [an ATM] screen. The ATM is the brand image of the bank. If you want to see the difference why they choose [a full version of Windows XP] — versus a stripped down embedded OS — go to the ATMs at the corner store and compare the user interfaces. Without the interface, it's just a cash dispenser. This is about brand image," he said.

So there's a trade-off between convenience and security. I can appreciate that. And I'm sure NAB can keep the threats that affect the rest of the world on Windows XP from affecting both its 28,000 newly XP'd desktops and now its ATMs. Running Windows doesn't necessarily mean you're screwed. Just ask Bruce Schneier.

Back in 2003, Cambridge security researcher Ross Anderson said in a Wired article that ATMs running Windows would likely see a Slammer-style attack, resulting in money spewing forth from thousands of machines.

FUD and rubbish, said Bruce Schneier. Why? Because in 2003 the machines did not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment.

But National Australia Bank proudly announced this week that it will be the first bank to roll out ATMs that operate on TCP/IP networks.

So don't be surprised if you start seeing ATMs spewing cash from their dispensers. I am going to carry around a swag bag just in case.


Liam Tung

  • RE:

    I wonder if there is a timeline set for this change - I'd be interested to see how this pans out, especially if there's some connection to issues about internet security.
    Nico del Castillo
    Microsoft Security Outreach Team
  • Better odds than the pokies?

    Thank God I don't have an account at NAB.
    XP running the ATMs is a disaster waiting to happen IMHO.
    Maybe I start hovering around the ATMs waiting for when, not if, they get haxored and start spewing out ca$h.
  • You're assuming...

    ..that the things aren't blue-screening already!

    BSOD !
  • previously, on Windows ...
    windows 9x on an atm. boingg...
    windows 9x running a billboard. boingg...
  • The usual blindness continues

    The constant blindness of the anti-Microsoft-for-whatever-reason-even-unfounded-ones continues...

    Does anyone know what ANZ, Westpac and certain other banks in Australia are running their ATMs on? Yep... they're already running on WinXP; sure, one of them is embedded XP while the other is full XP.

    Do you guys really think the banks are going to connect ANY of their PCs DIRECTLY to the internet?? If you REALLY think that, then I feel very sorry for you.
  • TCPIP != Internet

    Westpac may be moving to XP and TCP/IP for their ATMs - but I highly doubt they will be exposed or visible in any way whatsoever to the Internet or any machines connected to the Internet.
  • != Westpac :|

    And when I say "Westpac" I actually mean "NAB" :)
  • XP on ATMs

    NAB you say, hmmm, better get a wheelbarrow ready.
  • Commonplace in Portugal

    In Portugal, we have an independent organization (SIBS) that runs every standard ATM (every bank has theirs, but you'll only find them at the respective bank, whereas SIBS' ATMs are everywhere).

    They run on Windows 95/98 and 2k since I can recall using ATMs...

    Some people seem to forget that the problem with computers, on whichever OS, lies between the monitor and the chair... Since ATMs run on "kiosk mode", there's no way the user can harm the system...

    P.S.: SIBS was considered the most advanced and secure ATM (and virtual credit card) company in Europe last year...
  • Some Sanity Please

    The version of XP running ATMs is NOT the same version running on your PC at home. It is a cut down, stripped down, locked down version. While it is still XP, and who knows what the next security issue will be with it, you would have more success trying to smash it open using a tank to get the money out rather than hacking it. Also as stated before, TCP/IP does mean internet access - there are lots of Banks using this communication method already. It is their own private networks using secure encrypted VPN tunnelling.
  • ATMs on XP

    I wonder why this is just such big news. We (bank in Belgium) have been running our ATMs on NT4, and now on XP, for many years without any problem. Of course they are fully locked down, authentication is in a hardware module, there is no keyboard (touch screen), so no CTRL-ALT-DEL... This has allowed us to leverage business application development and provide rich functionality to customers using ATM (full graphics, video announcements...).
  • XP in ATM's

    It is amazing how people fly off the handle with faux knowledge and a heap of ignorance (I'm not being mean, just brutally honest). XP has been used for years in ATMs without security breaches. However, some people talk as though doomsday is near with the certainty of an expert. Some banks use closed networks while others use open. The bottom line is security is paramount. While OS errors do occur, most software errors can be traced to either bad programming or hardware faults, NOT the OS. The biggest problem is people not getting their money. Again, that is not a problem with the OS.
  • More rubbish

    ..more of the same rubbish from ZDNet. Every time I come back to this site, a new low is found. Please lift your game - what sensationalist rubbish. Liam, this is pathetic.
  • XP on ATM's

    First time I saw Windows on an ATM was back in 1996.
    So this is nothing new.
    Can't remember any instance of them being hacked by hacking the OS. (other ways - yes)
    So - this article sounds a bit like "wishing it was so" and hoping the readers won't notice that.
    Have you that low an opinion about your readers?
  • Do you guys really think the banks are going to connect ANY of their PCs DIRECTL

    Actually, they probably do. The other alternative would be leased lines which get really expensive since you are paying for them all of the time, not just for the bandwidth they use.

    Of course, I would expect that all connections would be hardware encrypted. Then you would have to break the encryption to make a connection.
  • Reality, It's a nice Place

    Windows and MS systems do get a bad name, not because they are bad products. With all the third-party apps and drivers you would expect to see varying degrees of issues. Linux, Mac and MS all have great aspects. XP on an ATM, sorry, this is not a bad thing. Progress comes in many forms...
  • NAB comms

    As an ex NAB IT employee I can say for a fact that their ATM network is connected via encrypted, dedicated, leased lines directly back to the NAB comms infrastructure.
    A person would have to physically tap a line and crack the encryption to get real time or batch access.
    Even if successful, with the checks and balances existing in the back-office reconciliation systems any 'weird' transactions are automatically captured and manually checked.
    Think about it - Australian banks' technical and security risk management are the bee's knees. They are also 'self insured', i.e. they cover their own losses.
    We all know how badly Aussie banks love their $bil profits, so there is no way on earth NAB would implement a new OS without going over every single possible physical 'hack'.
    XP - simply not an issue.
  • XP ATM

    You see, thanks to the smartness of the security who do the maintenance of most ATMs and restocking them with cash, I have come across one St.George bank ATM that was left unlocked and no one was attending. As I had my arm resting on the top of the ATM and tried to take cash out and took a step back, the whole drawer was opened up with access to the WXP interface with a mouse and keyboard provided, including all your normal PC ports.

    Now one might say there would be a password protection on the system, well, we all know how secure Windows is… and god bless Linux :)

    However I just told the security guy in the mall and yeah… I know what you might think and I thought maybe I should try and get myself used to the system but it's not worth the trouble…
  • Forget the security..

    What's interesting about this is that embedded systems (like ATMs, etc) were one area outside of the server where Linux was really taking off.

    Looks like just another instance of Microsoft moving into a new area purely in order to stifle competition.
  • Suggestion

    Don't come back to the site then. Problem solved.

    You remind me of those morons who complain about low standards on television - don't like it? There's always an off button, my friend.