On Tue, Mar 18, 2008 at 10:40 AM, der Mouse <[EMAIL PROTECTED]> wrote:
> > If you're simply letting your vendor make all the decisions about
> > your ATMs then you're not really doing everything you can to make
> > them as secure as they can be.
>
> If you're using Windows-based ATMs _at all_ you're _already_ "not
> really doing everything you can to make them as secure as they can be".

You guys gotta get your feet firmly planted in reality. Everyone can bash Windows all they want. The current set of vendors use Windows for their ATM OS. Yes, terrible idea. No one is willing to change at this point. The term "doing everything you can do" is relative at best. The business unit wants ATMs, the customers want ATMs. Everyone develops for Windows. No significant development is being done that I am aware of using a different OS. So we take that baseline of threat and we do "everything we can do" to make the system as secure as it can be.

> There's just no excuse - IMO - for using the most insecure (in
> practice) operating system on the planet for an ATM...especially in the
> presence of all the alternatives. (Not all the alternatives are really
> _good_, but practically anything else is better than Windows.)

Great pontification, but certainly Windows is used where the risk is far greater than a lowly ATM. The driver here is that ATMs are not viewed by most banks as profit-making applications. Can you imagine the network access required to allow other services like travel planning, purchasing tickets, etc.? I've been through that battle and so far we've managed to keep the ATM at my bank fairly generic in function. Then, having said that, the amount of money that banks are willing to spend on ATM technology is not quite as much as if there were a positive ROI. In turn the vendors don't have unlimited amounts of cash to design and roll out an ATM platform on a more secure OS. In the financial world, there are not many niches where some play and some don't.

The industry more or less as a whole responds to legislation, customer demand and regulation. This does vary by country, but I'm only talking about the US. When I use the term "commercially reasonably secure", that means that what I'm doing is more or less in line with what legislation, regulators and customers demand. It's not making the case that it's holistically secure. As long as I'm doing everything I can to secure the transaction and limit what any device connected to the ethernet cable where the ATM is located can do, as well as apply the list of controls and monitoring that we do, the risk is mitigated to commercially reasonably acceptable levels for the regulators and the company. Sure, the risk is not zero as the purists of this list would like, but until it is either required by law, or driven by the market itself, this area of financial services will be fairly static.

Dennis
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.