Windows Cash Machines virus risk

Ah, it warms my heart to hear this. After spending so many years in the a large financial organisation I can never mention working on their Branch Banking system and building it around OS/2, it’s good to see that people will finally agree that it was (and still is) a better choice. Albeit without any support from IBM!

From about 1995 to 2000, I worked with the team of about eight or so guys who were responsible for building the Client-Server system for the financials banking platform. We sourced, tested, designed and configured all the software required to allow the Developers to build their applications and communicate with the existing banking platforms.

It was a lot of work, and we lived by that wonderful ethos, work hard play hard and had a great time doing it. The best thing was designing everything from scratch, there were no real rules other than security and stability, we had to aim for 24/7 and quite frankly Windows could provide neither. Actually, to compare the two systems now, I still think OS/2 beats Windows on both counts.

I really enjoyed working on the Systems Management side, building the Intelligent Start-up routine took months, but afterwards it allowed you to control the starting of components on the Server or Client and to test each had started successfully. If TCPIP had started successfully it would then send out alerts of what had failed. Then there’s the centralised Systems Management and Scheduling system for all eight hundred sites.

Okay, I’m getting techie, reminiscent and disappearing up my own bum. The point of this was about the BBC News story about the growing concerns over Automated Teller Machines (ATM’s or Cash Machines) and the Windows Operating System.

They are highlighting that the machines and their networks are susceptible to Viruses, claiming there have already been four incidents where viruses have disrupted ATM Networks.

Typical scare mongering ensues with the quote:

…the move to Windows in cash machines was not without risks…there have been four incidents in which cash machines have been unavailable for hours due to viruses affecting the network of the bank that owns them.

Todd Thiemann, spokesman for anti-virus firm Trend Micro

Well considering the amount of ATM’s and networks that support them out there, I don’t think that’s a huge figure, especially when the downtime is claimed to be hours. Also, there is a great dependancy on where the network is for these ATM’s, is it through the network that the Bank uses for all it’s staff, is it a closed and secure network, does it have Internet connections at some point? All these points make a serious difference to the above statistic and push the blame on or off the Bank. There may be nothing wrong with the ATM network at all, it just can’t get the space it needs on the network because all the employee’s PC’s are firing data back and forth due to a general virus infection.

For instance, if the ATM’s also operate on the same network as the employees of the Bank, that would hugely increase the risk of downtime. All the employees using their computers would increase the traffic and take network bandwidth away from the ATM’s, that also opens up the possibility of virus infection from every one of the employees PC’s who may have Internet connection, CD and floppy drive access, not to mention possible access to additional data devices via a USB port.

He also went on to say that research was showing:

…70% of new cash machines being installed were Windows based.

Todd Thiemann – Trend Micro

Well done you, lovely figure. What does that mean? When I applied for a job at NCR some four to five years ago, they were busy moving to a new plant in Dundee and increasing their output of Windows based ATM’s. Not to the UK or USA, mainly to the far eastern market.

So that puts an interesting slant on that statistic too. He’s using statistics and recent reports to get the company name in the press. I’m always dubious of companies and spokespeople who do this.

However, quite handily, another expert debunks the entire claim of the article with another interesting statistic:

…a cash machine has a lifetime of up to 10 years which means that only about 10% of all ATMs get swapped for a newer model every year.

Dominic Hirsch – Retail Banking Research

So, there’s not really a big deal, but it is a good warning. With careful planning and future thinking, networks can be configured to keep the ATM data away from the other Banks networks, and to be honest, most should already be doing this. I know that RBSG does, and although some of the networks are shared, there is careful network filtering in place to ensure this doesn’t happen.

Let’s also understand that these viral attacks are not going to affect your balance or your account, there are just stopping information from getting to the ATM. Your balance and account details are still very safe in the mainframe. Locked away. Oh, and the mainframe does not run Windows!

Going back to the OS/2 issue, when I was at NCR some five years ago, they stated that some 85% of all ATM’s still used OS/2, and of that the majority were still running a quite old version. Why would that be? OS/2 is stable, it’s strong and it’s very secure.

During our development we were managing 24/7 easily and that is without redundancy, i.e. one Server in each Branch. If we had any problems with crashes or system hangs, we would have IBM issue a fixpack or a private fix between fixpack releases. These would often come from the work of debugging the kernel – that is the very core of the Operating System. You could think of that as the one EXE that keeps the whole system together, this is accessible by plugging a laptop into the serial port and talking directly to the kernel in a debugging language.

OS/2 is, and has been for a very long time, the preferred choice of the Financial industry for their core banking systems. I do know that HBOS use a similar system to RBSG.

When it started, OS/2 was a joint venture with IBM and Microsoft (MS), but MS split and decided to start working on Windows. Nice when they had grabbed all that development time with IBM! Still, IBM came out with the better product, just not the better marketing. Had they marketed correctly from day one, perhaps there would be as many moans about IBM and their domination of the OS market, who knows.

What I know is that OS/2 does rock, it’s just doesn’t have the applications to back it up as anything but an OS for majot organisations runninc Client-Server systems such as a banking platform. Add to the mix that the support is up in 2006 forever, and I think you can see there is no future in it. Still, it continues to be one of the leaders in both the ATM and Financial sector.

All hail Base Stack. You know who you are.

2 comments on “Windows Cash Machines virus risk”

  1. Colin Hardie Reply

    I worked at RBOS from 1995-97 and came back last year and am still working here. We are still running on an NT4/Office 97 platform. Who cares if OS/2 is not supported when their primary desktop isn’t either 🙂

  2. Richard Reply

    Hey Colin. I’m back there too, but in HR now.

    Good point, I guess support can be an extremely vague word in this case! Microsoft do provide a fair bit of support, as do the RBSG internal departments, but how effective is it?

    After the story about the Air Steward being sacked for her Blog, perhaps I should go no further!

Leave A Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.