
ATMs in India Could Be Hacked Because Banks Haven't Updated Windows Since 2014 - known
https://www.huffingtonpost.in/2018/06/26/atms-could-be-hacked-because-banks-havent-updated-windows-despite-5-years-of-warnings_a_23468813/
======
jboggan
I used to install/upgrade ATMs and was horrified that we were replacing the
extremely solid OS/2 machines with Windows XP based computing cages (circa
2011). There was no method to update the machines other than sending a
technician out monthly to take the machine offline and manually load the
patches from a CD, and ATM technicians are expensive so most simply didn't.

Most NCR ATMs use one of three keys that are easily available on the internet.
Most banks don't check ID or even know that they have a technician coming to
service their ATM, especially if you're dressed nicely or carrying a
clipboard. Most of the Windows XP based NCR ATMs have multiple PS/2 ports and
USB ports to plug in a keyboard and they all tend to have the same admin
password.

~~~
snarf21
A lot of the medical devices (like a pump in the hospital) have similar
issues, running old Windows 95 or CE with 0 patches ever.

~~~
liveoneggs
but then all of the pumps would stop working and people would die every time
there was an update. General purpose operating systems are just a bad idea for
running these hardware appliances.

~~~
3pt14159
I agree we need stripped down OSes to run this stuff, but the core problem is
thinking "we'll just air gap it and never update it" not that the OS is
general purpose.

Look at QNX: Millions of components run it in safety critical situations and
none of it is patchable. After QNX got owned in 2017 what are we supposed to
do? Open up every tank, car, and nuclear power plant? We need reliable update
schedules. Trying to air gap things doesn't work. There is always a way to
access the interface and bridgeware is only getting better.

~~~
jdietrich
Airgapping is a very useful layer of defence in a lot of applications. Never
pushing updates is usually a bad idea, but automatic updates pushed by the OS
or equipment vendor can be equally problematic. Regressions are irritating on
consumer devices, but they can be catastrophic in critical embedded systems.

If there's anything that can be called a "solution", it looks very much like
good engineering. No technology or methodology can stop you from shipping
broken systems. If you're shipping ATMs that run Windows XP in 2011, your
problems almost certainly run much deeper than a bad choice of platform.

------
itissid
I have had a terrible experience when dealing with banks in India. To open
accounts for non-resident customers (NRE), one has to scan and send ID proofs
and Account Opening Forms over email. And they ask for all your details: SSN,
DoB, Address, you name it. In a few instances the emails being sent were not
even encrypted by the end server. The attack surface is so large that one
cannot begin to imagine what exact audits they are running.

With sophisticated phishing attacks that are now hosted on HTTPS servers, this
practice is just lunacy and it happens in every bank. Big, small, private,
public, all engage in this nonsensical practice. Among the biggest names: SBI,
YesBank, Central Bank are the ones that do this. I know this because I have
inquired how to open accounts at these places.

I actually have a dedicated personal relationship manager who filled out all
the forms! And even now for certain operations like booking currency
forwards (FCNRs) they ask you to fill out forms and send them over email. Not
to mention it's inefficient as well.

It's a testament to two things: 1. There are so many people in India that
banks just find it cheaper to hire a person and let him interface with you
instead of designing a web application. 2. No one gives a shit about privacy.
3. The system is wide open for people to man-in-the-middle and phish.

~~~
JumpCrisscross
I tried opening an NRE account to redeem some bonds a family member bought in
my name. (Never managed it.) Their banker asked me for my SSN over WhatsApp.
Forwarded to my New York State regulator, who promptly fined their New York
office.

~~~
diogenescynic
I’ve had similar experiences where Indian bankers have said their mailbox has
a size limit or is full so the document needed to be emailed to their gmail or
yahoo account. No thanks...

------
Crosseye_Jack
"Haven't Updated Windows Since 2014"

I thought Windows XP Embedded was going to get security updates until 2019.
[https://blogs.msdn.microsoft.com/windows-embedded/2014/02/17...](https://blogs.msdn.microsoft.com/windows-embedded/2014/02/17/what-does-the-end-of-support-of-windows-xp-mean-for-windows-embedded/)
Says Jan 2019 for Standard embedded and April 2019 for POSReady.

I recall MS heavily pushing companies to update, but unless these ATMs are
running retail XP they should be getting (at least bare minimum) security
updates.

Not saying they shouldn't be upgrading to a newer OS but I feel using the
retail EOL date when talking about the embedded version might be a little
misleading.

~~~
freeone3000
You need a network connection to update. These have not been.

~~~
Crosseye_Jack
ATMs need a network connection to query the bank. The updates can be sent via
their internal network. If they are "small in-shop ATMs" using a phone line
to query the bank's back end, then they could dial in and maintain the call
during the store downtime and download the patches. Looking at the Windows
Update catalog, the updates are not large files anyway. Sure, they might take
an hour or two over a simple 56k modem link, but the updates and imo an update
path are available.

From the article's 3rd paragraph:

> Microsoft first released Windows XP in 2001, seventeen years ago, and
> stopped supporting the operating system in 2014. This meant that it stopped
> developing new security patches for Windows XP, which would protect it from
> software exploits developed by hackers.

Which gives the impression that the updates are simply not available, not
that they don't have a network connection to fetch the updates from.

Even if they were running the latest version of Windows, security patches
should still be applied.

~~~
sandworm101
>> ATM's need a network connection to query the bank. The updates can be sent
via their internal network.

Some of these are on satellite connections. They don't need much data. Lots of
banking transactions can be squeezed into a single megabyte. Sending multi-gig
windows updates to all the ATMs would be a serious headache.

~~~
Crosseye_Jack
But Windows XP Embedded month-to-month security updates are not multi-gig
updates. The last batch of security updates totalled <15MB and updates for the
month of May totalled ~36MB.

EDIT: Even if the network connection back to the banks was SMS, my point was
that it's not that there are no updates for Windows XP Embedded, which the
article gives the impression of; the point would then be that the manufacturer,
integrator, banks, whoever didn't have the foresight of needing some
bandwidth for updates. The updates are available, it's just that whoever is in
charge of these ATMs failed to keep them updated.

------
superasn
I remember that the last time I read about an ATM hack in India, the M.O. was
that the attackers were simply putting a matchstick under the "*" key, which
made the ATM get stuck so that the victim left the ATM without collecting the
money, which the attackers retrieved afterwards. The whole M.O. is explained
here (1). It could be because of outdated systems.

(1) [http://www.dnaindia.com/bangalore/report-school-dropout-tric...](http://www.dnaindia.com/bangalore/report-school-dropout-tricks-atm-with-matchstick-arrested-1638552)

------
crtasm
> unpatched systems are at risk to cyberattacks.

All systems are at risk, unpatched ones just more so.

~~~
noobermin
Of course, but more so means the probability is greater by the very least an
O(1) factor.

------
speeder
Tried to read this on my Android.

Got sent to a page claiming my Android had four viruses, spawned endless
popups and dialogs and I had to force close the browser :(

~~~
wlesieutre
It was probably one of your viruses ;)

More seriously, I've had similar problems on iOS with unclosable tabs where
even force quitting didn't work because it'd restore to the same page. The
workaround ended up being "Click a link in Mail and that tab will be
frontmost, then you can go in the tab switcher and kill it."

Hasn't happened in a while, IIRC the problem was javascript popups forcing
focus off the rest of the UI. Maybe it's been fixed on the iOS side.

Of course the other side of the problem is webpages letting insecure ad
networks run arbitrary javascript in all of our browsers. It's not great.

~~~
saagarjha
JavaScript pop ups don’t block the rest of the UI anymore; this has been fixed
in Safari in both iOS and macOS.

------
boruto
I work in India, where we service ATMs for a nationalised bank. While
these run on XP, we are advised to install all security updates. I read in the
thread somewhere that they use a satellite network so Windows updates cannot be
sent. That is incorrect. Most of them are connected via LAN and most are
updated remotely. RBI recently passed a regulation to upgrade the OS by 2019.
I guess Windows 7 would be used.

------
morbusfonticuli
I'm surprised at banks putting the ATMs into the same network as the computers
of the banks' employees. I mean: is there any(!) need for the normal banker to
have network access to the ATM? And if a separate network is too expensive,
one could at least put them in VLANs / VPNs.

~~~
netsharc
Did not read the article, but what the hell! That's one "Hey check this porn
out!" e-mail away from total ownage...

I guess as a hacker, having a phone app where I can press a button and the ATM
in front of me spits out its contents would be kinda neat...

------
pitaj
Humor me here: we should decriminalize hacking. It's the only way to force
companies to take security seriously. If they can't rely on government to
track down and punish hackers, financial companies especially will have to
step up their game and take proactive steps to prevent issues like this.

~~~
cncrnd
That would be a mistake because it also incentivizes hackers, making the
problem bigger on that side. What I would like is something that punishes
companies that get hacked as well, like set fines for leaking personal
information instead of settlement. People seem to take GDPR seriously; a
similarly stringent regulation on security practices would be effective.

~~~
thaumasiotes
How much of a success do you perceive PCI requirements as being?

------
abiox
I suppose what surprises me the most is that someone would use Windows in an
ATM. I would've thought it would've been an RTOS or maybe a locked-down BSD or
SELinux.

~~~
vbezhenar
Every ATM I ever saw uses Windows.

~~~
astrodust
They used to use OS/2, but then Windows came along and we've been living in a
world filled with misery ever since.

On no planet does using a consumer version of Windows in these things make
sense.

~~~
mrguyorama
Good thing it's not typically a consumer version! If you watch one reboot (or
other applications like store POS systems) you can see that it is Windows XP
Embedded, or nowadays sometimes Windows 7 Embedded, which is decidedly NOT a
"consumer" oriented OS.

~~~
astrodust
It really depends on the vendor. Big names are at least careful enough to do
that. The bottom of the barrel white-label vendors often don't care. I
wouldn't be the least bit surprised if some of those Windows installations are
using pirated keys.

It's perpetually concerning how bad the state of systems like this is. A
grocery store near me recently deployed a brand new set of self check-out
counters...running Windows XP.

Amusingly the credit card/debit card reader is running Linux and shows the
old-school penguin image on boot.

~~~
cimmanom
I enjoyed seeing Tux on the boot screen of a seat-back in-flight entertainment
system recently. And was also amused to see startup sequences for things like
MySQL and postfix scroll by.

~~~
mrguyorama
I don't. That usually means it crashed!

~~~
cimmanom
This was during pre-flight when normally all they play anyway is ads that you
can't turn off.

------
modi15
Not really. Each ATM in India is defended by a human.

~~~
dddddaviddddd
An ATM needs a network connection, no? Remote exploits may be possible, or
remote exploit combined with a local actor to pick up cash under guise of a
legitimate withdrawal.

~~~
reaperducer
_An ATM needs a network connection, no?_

No.

ATMs weren't always networked. The transactions were reconciled daily or
weekly by the local bank, and the network (NYCE, Star, etc...) transactions
sent out weekly or monthly.

A friend of mine used to leverage this all the time. He would have $200 in his
account at his home bank, but withdraw $500 from a different bank. By the
time the transactions got back to his home bank, his parents would have
already deposited his monthly allowance into his account.

It worked... most of the time. But I remember once his parents were out of
town and didn't make the deposit as expected, and he ended up massively
overdrawn. But back then, the banks just cut you off. They didn't ding you for
an overdraft fee, then another overdraft fee a day later because you couldn't
pay the first overdraft fee, etc...

~~~
macintux
ATMs are often cited as an example for the utility of eventual consistency. If
it's off the network, it can still offer withdrawals to be reconciled later.

Banking in general has been on the eventual consistency model for centuries.

------
excalibur
And I thought it was dangerous when I saw a Windows 10 lock screen on a kiosk
at Burger King.

~~~
pandasun
It's probably not a good idea to share here what I saw at a national (very
well known) gas station when it crashed. Given that there's gasoline involved
and everything.

~~~
schoen
Maybe it would be a good idea to tell the company or its equipment vendor or a
regulator.

------
tiuPapa
I thought Indian ATMs had their own Linux-based OS, not Windows.

~~~
theSage
I recollect they were about to use BOSS but I suppose that never went through.

------
shmerl
Why do they use Windows to begin with?

~~~
madmulita
Drivers, drivers, drivers.

We've tried many times to switch to Linux; the showstopper has always been the
same.

~~~
ringbugger
Unfortunately this is very true. For medical devices, you mostly need to use
certified parts. Need a touchscreen? It needs to withstand very strong
disinfectants and maybe you have hard requirements for leakage currents. There
are 3 possible vendors left. None of them has drivers for systems that would
be far better than Windows XY.

Vendors probably think that all their customers use Windows anyway for
non-discernible reasons.

------
perseusprime11
Now that we made this announcement, sure they can be hacked!

------
nkkollaw
I'm in the EU, I opted out of all "cookies", and my adblocker still blocked 17
requests :-/

I think HN should give users a way to flag websites because on mobile it's
getting riskier every day to click on links.

I'm currently using a Moto G2 while my newer phone is being repaired, and crap
like this can easily make it freeze for 5 minutes.

------
meuk
I think Microsoft is the first party to blame here. They put out a horribly
insecure OS.

