by bardworx 3070 days ago
Your comment is coming from a good place but it’s rooted in ignorance. Most ATM machines are made by NCR and not financial institutions. The majority are also quite old (running Windows XP old).

NCR is focused on profits not security, even though they sell POS (point of sale), ATM machines, and airport kiosks.

From my personal dealings with NCR, I can confirm that they care very little for security, regardless of what their corporate line is.

To put this in perspective: if you go to a grocery store, restaurant, or quick service (fast food) establishment and use a credit card then your full account number, name, and exp is recorded in their system. This information is accessible by anyone with store level admin (not windows admin, but think a manager with manager card).

This violates PCI but hey, fuck PCI, hardening the system takes resources and who wants to do that?

On HN, folks keep talking about security and other such nonsense; however, anyone who has seen the other side isn’t very optimistic. Between ease of use, profit margins, and no pushback on insecure systems, all losses are just write-offs.


On a less concrete note, my bank switched from Diebold to NCR and the difference is very apparent to the ATM user. The design is overall clean and bright, and it's much faster. The Diebold has long UI pauses for no apparent reason, whereas the NCR seems not to.
Their losses are just write offs...until they aren't, and something major happens. Maybe it will take a company completely going out of business due to poor security standards for others to wake up.
Cough. Equifax.
As one of the engineers initially responsible for achieving PCI compliance on these ATMs, this isn’t strictly true. Of course it needs to know your account info, but it’s sent to your bank; it’s not stored on the machine at all. Certain digits of your card number are written to a paper log, but it’s never written in full. Can’t speak for POS machines, but I would imagine it’s the same.
Unfortunately, POS is not the same. I’ve worked with NCR (Aloha) POS for 5 years. Can’t speak for ATM machines.

Plain text ... and before two years ago, they also had regional master passwords. As in one password for all systems sold by a particular reseller.