Concerns over Windows ATMs

Concerns over Windows ATMs

Cash machine networks could soon be more susceptible to computer viruses, a security firm has warned. The warning is being issued because many banks are starting to use the Windows operating system in machines. Already there have been four incidents in which Windows viruses have disrupted networks of cash machines running the Microsoft operating system. But banking experts say the danger is being overplayed and that the risks of infection and disruption are small. For many years the venerable IBM operating system, known as OS/2, has been the staple software used to power many of the 1.4m cash machines in operation around the world. But IBM will end support for OS/2 in 2006 which is forcing banks to look for alternatives. There are also other pressures making banks turn to Windows said Dominic Hirsch, managing director of financial analysis firm Retail Banking Research. He said many cash machines will also have to be upgraded to make full use of the new Europay, Mastercard and Visa credit cards that use computer chips instead of magnetic stripes to store data. US laws that demand disabled people get equal access to information will also force banks to make their cash machines more versatile and able to present information in different ways. Todd Thiemann, spokesman for anti-virus firm Trend Micro, said the move to Windows in cash machines was not without risks. Mr Thiemann said research by the TowerGroup showed that 70% of new cash machines being installed were Windows based. Already, he said, there have been four incidents in which cash machines have been unavailable for hours due to viruses affecting the network of the bank that owns them. In January 2003 the Slammer worm knocked out 13,000 cash machines of the Bank of America and many of those operated by the Canadian Imperial Bank of Commerce. In August of the same year, cash machines of two un-named banks were put out of action for hours following an infection by the Welchia worm. Incidents like this happen, said Mr Thiemann, because when banks start using Windows cash machines they also change the networking technology used to link the devices to their back office computers. This often means that all the cash machines and computers in a bank share the same data network. “This could mean that cash machines get caught up in the viruses that are going around because they have a common transmission system,” he said. “Banks need to consider protection as part of the investment to maintain the security of that network,” Mr Thiemann told BBC News Online. But Mr Hirsch from Retail Banking Research said the number of cash machines actually at risk was low because so few were upgraded every year. Currently, he said, a cash machine has a lifetime of up to 10 years which means that only about 10% of all ATMs get swapped for a newer model every year. “Windows cash machines have been around for several years,” he said. “Most banks simply upgrade as part of their usual replacement cycle.” “In theory there is a bigger threat with Windows than OS/2,” he said, “but I do not think that the banks are hugely concerned at the moment.” “It’s pretty unusual to hear about virus problems with ATMs,” he said. The many different security systems built-in to cash machines meant there was no chance that a virus could cause them to start spitting out cash spontaneously, he said. Banks were more likely to be worried about internal networks being overwhelmed by worms and viruses and customers not being able to get cash out at all, he added. A spokesman for the Association of Payment and Clearing Services (Apacs) which represents the UK’s payments industry said the risk from viruses was minimal. “There’s no concern that there’s going to be any type of virus hitting the UK networks,” he said. Risks of infection were small because the data networks that connect UK cash machines together and the operators of the ATMs themselves were a much smaller and tightly-knit community than in the US where viruses have struck.