RBS ATMs Use Windows

ThistleWeb's picture

A while back I learned that Microsoft had won a lot of contracts in various countries to supply their banks' ATM machines. This sent a shiver down my back that so many people whose primary responsibility is to think about customer security would be stupid enough to sign a contract with Microsoft to have Windows as the underlying OS on their ATM kiosk software. I had hoped (rather naively as it turned out) that these contracts wouldn't be in the UK.

Well, today I saw an error message on an out of service RBS (Royal Bank Of Scotland) ATM with a lovely blue screen, Windows error message about not being able to access some log file on the C: drive. I now no longer trust RBS's ATMs. Unfortunately I didn't have a camera with me to take a snapshot, nor a pen to take a note of the error message itself, so it went undocumented but not unnoticed. In kiosk mode, the application runs full screen. There are no telltale signs of anything outside of that application. The kiosks the customers use have buttons hardwired to commands so they can't access anything beyond the kiosk software itself. This means it's impossible to tell what's running it until it breaks and you see an error message.

I did wonder if there was a way to find out which banks in the UK were stupid enough to use Windows for something that needs to be secure. Obviously banks would consider this to be sensitive information that they'd want to keep to themselves for security purposes. Now knowing it's Windows I can understand why they'd be even more paranoid about not letting people know. The last thing you want to announce is that you have an army of paper tanks on the battlefield. I keep mentioning RBS here as they are the bank I am currently with. This may change now, or at least how I interact with them will.

Since this is information which will be very hard to get from any bank, I thought I'd crowd source it. I've set up a photobucket group called Banking On Windows ATMs for everyone to upload pictures of Windows error messages on ATMs they see and use. As I had no camera with me today I couldn't take one of the message I spotted so the group album is currently empty (at time of writing). When you upload a picture, remember to name and shame the bank in question too.

We do have a choice to some degree in that we can opt not to pay that bill from a Windows PC at work, school, university etc and wait until we get home to use a secure PC like Linux to do that. Now I know RBS uses Windows I'll seek to use a different bank's ATM machines, or go to the teller directly rather than use the ATM. Tesco use Windows kiosks for their self service checkouts which kinda work for the most part, but I wouldn't trust my card to them. We can only make that choice if we know what OS the PC we're using has. The very fact that we (the customers) have to think about security because the banks themselves have abandoned us is very worrying. It's the same mindset as Chip & Pin.

Profit always comes before the customers, while the propaganda tells us that our money is in safe hands. The corporate deals the banks make with other contractors always affect their customers. On the error itself, at a guess it looked like the space had run out for the log file so it wouldn't start up (or restart after a power fluctuation). I can't imagine even Microsoft developers being so lax that they didn't put a function in to monitor disc space and take actions if it gets to a certain point. The ATM had a sign covering the screen and keypad all day on Saturday which was obviously removed sometime on Saturday night where I (and everyone else who thought it was working until they saw the screen) saw it.

I know CEOs are more concerned with lining their own pockets than actually running the business to look after their customers, something which has led them down the path of now being partly owned by the British government. So I ask the shareholders (and since that now also includes UK taxpayers) how much business does an ATM with an "out of order" do? If one is out of order, it puts the queue onto the remaining ATMs on that wall, slowing stuff down. If the banks are open it forces some inside to queue and take the time of human staff for a transaction that could easily be done by ATM. It was the rationality behind the creation of ATMs in the first place. An ATM is like an employee in that regard. Would you tolerate a downtime shown by some ATM software if it was an employee randomly calling in sick for hours at a time with no real fix? My guess is that it'd be seen eventually for what it is, a drain on resources and a blockage to making more money. It's already stuck in the hole, there's no replacement for it ready to kick in when it goes down. It's out of order until an engineer gets notified and turns up to fix it. It's also already been paid for on the basis that it'll make X amount of profit for the investment.


As a supporter of Creative Commons, the contents of this site are licensed under a Creative Commons CC-By-SA 3.0 Unported license. This means you're allowed to copy, distribute, transmit, adapt and make commercial use of the work under certain conditions.

  • Attribution - You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
  • Share Alike - If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.