Hmmm... Should I Patch My ATM Machines?

I subscribe to quite a few RSS feeds and mailing lists… but the following thread on Shavlik’s Patch Management list really takes the cake.  Be afraid – be very afraid:

Post Subject: Patch Management for Automated Teller Machines (ATM)

Hi All,

The company that I work with will be rolling out ATMs with WinXP Operating system. These ATMs will be connected to our Backend system through TCP/IP. I am just wondering how members of this list from the Banking Industry deploy patches to these ATMs.

Do you employ automated patch deployment using WSUS, BigFix, Shavlik, Patchlink etc...? Or do you do manual deployment of patches? Or do you apply patches at all?

Will hardening the OS and limiting the open ports suffice so that we do not need to install patches?

I ask this because during deployment of patches there will be downtime which may affect the business. On the other hand if the ATM is infected with a virus due to absence of a patch this will also affect the business.

I hope that you can help me on this. Thanks in advance for your replies.

** Name withheld to protect this guy (and his employer)

…And an Interesting Reply

I'm in the banking field. We have 11 new ATMs that run XP... Our first concern was patching. We were told by the service provider that we were responsible for patching, but that if we "broke" something in the process that they wouldn't fix the ATM. So if a patch causes an incompatibility with the ATM software we would have to fix it ourselves.

What's our approach? We don't have one yet.

** Name withheld

…Finally, a Voice of Reason

For Diebold Automated Teller Machines we test all announced MS patches and post advisories on our Diebold Customer Internet Support (DCIS) site.

Diebold Customer Internet Support (DCIS) is a system designed by Diebold to keep you current on software updates for Microsoft Windows® operating systems deployed on your Diebold ATMs.

This valuable system provides:

  • Custom user profile to view Windows software updates specifically for your deployed Diebold ATMs
  • Microsoft bulletin link for each Windows software update
  • Direct link to the Windows software download sites
  • Downloads Windows software update tracking
  • Secure customer administrator access and option to add 4 additional customer users to access DCIS

This service is available to all Diebold customers with a current service contract free of charge. You can register at the following site: https://patchaccess.diebold.com/DCIS/DCISLogon.asp

Donn Bohn
Diebold Global Software and Services

Jeff’s Thoughts

  • ATM machines shouldn’t run XP (sorry, Microsoft).  Seriously, when XP launched it was all about the ‘eXPerience’.  What kind of ‘eXPerience’ do you need on an ATM?  I get frustrated enough when people decide to use the ATM for all their banking (deposits, stamps, etc.) while I’m just wanting a quick cash fix.  I can’t even imagine waiting in line behind some customer watching streaming video, or synchronizing their iPod. :P
  • Regardless of what OS is being used on said ATMs – your IT security policy must include patch management.  Yes, that includes you too, Mr. Linux Zealot.
  • If your vendor isn’t supportive of security best practices, spend your money elsewhere.  Otherwise, your customers will!