The Tradeoff in the New Windows-Based ATMs

As financial-services companies begin switching out older ATMs for new ones running on Microsoft Corp.'s Windows operating system, they may at the same time be creating a security problem similar to the one that has long plagued network administrators overseeing fleets of networked computers running the same software. The problem was highlighted by the recent disclosure by North Canton, Ohio-based ATM maker Diebold Inc. that its machines owned by two undisclosed financial-services companies had to be shut down after they were hit by the W32/Nachi worm in August. The companies installed patches and put the machines back into service. Most ATM manufacturers are now selling Windows-based machines and banks and other customers are starting to buy them to replace models that for the most part run on IBM Corp.'s OS/2 software, which IBM has said it will stop supporting by 2006. Windows platforms like NT and XP allow ATM deployers to run more sophisticated functions on the machines, create consistency with other consumer products like home-banking, and provide support for Web access and real-time posting of advanced graphics. They also give smaller deployers a way to compete with larger rivals. Banks are looking at “how to use that new platform in tremendous ways,” says J. Kent Schrock, director of marketing for the Americas at Fujitsu Transactions Solutions Inc., an ATM maker in San Diego that is shipping a new line of machines with Windows XP Embedded. “Banks can control what's on the screen and do it immediately. They can leverage that channel to beat the mega-banks.” But Windows in ATMs carries with it the same vulnerability to viruses that it does in PC networks, as the Diebold case showed. Whereas security expert considered OS/2 relatively safe, they fear the increasing deployment of Windows-based machines will invite trouble, with deployers more and more having to scramble to stay on top of alerts regarding holes in Microsoft's code and to install patches before networks or parts of networks are disabled. They will have to balance the increased flexibility of the new ATMs against the security risk. And the risk is only exacerbated, security experts say, when deployers connect the new machines using TCP/IP (transmission control protocol/Internet protocol), or Web, networks, which facilitate the operating system's functionality but are considered less secure than the standard Systems Network Architecture (SNA) that still hooks up most ATMs. “Bandwidth needs to be made larger to pump all that new data,” says Fujitsu's Schrock. In the end, it will up to deployers to decide whether the new functionality and services possible on Windows-based ATMs are worth the risk.