ATMs will still run Windows XP -- but a bigger shift in security looms

Banks caught in a major transition to embedded chip cards are sticking with XP and uninterested in upgrading to Windows 8

The vast majority of bank ATMs around the world currently run on Windows XP. Come April 8, when Microsoft cuts off support for Windows XP, the vast majority of those bank ATMs will still be running XP. While there's some cause for concern, it's much too early to cut up your debit card. That said, Microsoft's hell-bent determination to kill off the operating system will encourage many banks to consider non-Windows solutions.

In January there was a rash of hand-wringing stories about the coming demise of Windows XP and how that would affect the many hundreds of thousands of ATMs -- somewhere between 80 percent and 95 percent of all ATMs, depending on what source you believe -- still running XP and being swapped out at a snail's pace. Lately I've seen more articles that raise red flags. For example, CNN Money says:

If banks fail to upgrade their ATMs to a newer version of Windows by April, customers might be at risk. If hackers discover new flaws in Windows XP, those bugs will go unaddressed, leaving attackers free to exploit them.

While true, it's also nothing new -- Windows zero days crop up all the time, as InfoWorld readers will readily attest. The confounding factor lies in the delivery mechanism: Bank ATMs by and large aren't out surfing the Internet, they aren't downloading questionable programs, and they don't have unprotected connections to exposed networks. Their isolation doesn't mean they're impenetrable -- just look at the clever way Stuxnet propagated. But as Larry Seltzer described in his ZDNet article last month, bank ATMs are locked down and bunkered. Pwning an ATM isn't as simple as handing out infected USB drives and waiting, swiping a specially crafted credit card, or tapping the right key combination on the number pad. At least it shouldn't be -- whether the ATM is running XP or not, whether XP is patched or not.

Yes, ATMs certainly can be hacked with malware, as demonstrated remarkably (and anonymously) at the Chaos Communications 30c3 conference late last year. The crackers in that case managed to pry out the metal casing of the ATM itself, put a USB drive into a running ATM computer, and reboot it. There's much to be said for physical access, and why an ATM processor has a USB slot is anybody's guess.

The MIT Technology Review crack by Barnaby Jack three years ago relied on an open wireless connection direct to the ATM's processor -- Jack got the user name and password, logged on, and hacked the machine. XP was merely a minor inconvenience.

So why are banks sticking with XP with its demise so clearly imminent? Part of the problem can be attributed to the reluctance of bank executives to throw good money after old technology. Spending a few thousand bucks to swap out a 386-based XP box for a new i3 Windows 7 box doesn't result in much of an ROI, particularly when customers can't tell the difference. Windows XP customers everywhere can identify with that. But there's another force at work.

Credit/debit cards are in the middle of a massive transition. Everybody and their brother, it seems, testified before the U.S. Senate last month promising that swipe-and-sign credit cards -- currently the staple of ATM transactions -- will disappear by October 2015. In their stead, the whole industry will shift to embedded chip cards (called EMV cards, from the names of the three payment companies that created the standard: Europay, MasterCard, and Visa). Banks can swap out XP, but unless their machines can read and understand the new cards, the swapped-out machines will be dumb bricks by the end of next year. It makes a whole lotta sense to kill the two birds simultaneously.

Much of the developed world has moved on to EMV. The United States lags woefully behind.

The forced upgrade sword cuts both ways: By summarily ending support for XP, the banking industry has been backed into a corner and forced to look at new solutions -- which may or may not include Windows. While researching this story, I was surprised to see very little mention of Windows 8. Just about everyone in the ATM business, it seems, refers to the death of XP in terms of upgrading to Windows 7, not 8. That's not a good sign, because Windows 7 itself is well on its way to euthanasia -- and ATM people are keenly aware of its old age.

Linux pops up occasionally in discussions about ATM software, but its use is limited. Indian ATM manufacturer Vortex offers a low-power Linux based system called Ecoteller, for example, that's being used in developing countries. The 2013 ATM Software Trends and Analysis report from ATM Marketplace (sponsored by ATM software heavyweight KAL) expresses strangely little interest in moving to Linux. Where the survey asks organizations' opinions about the future direction of ATM operating systems, only 9 percent of respondents showed an interest in using a non-Microsoft operating system such as Linux.

Many banks are cutting deals with Microsoft to extend XP support beyond the cutoff date. Given the hunkered-down nature of the systems, it's likely banks are negotiating to pay less than the often-quoted $200 to $400 per machine per year for extended support. But there are still hundreds of thousands of machines out there that'll become a little more vulnerable next month.

If there were ever an industry ripe for disruption, this is it.

This story, "ATMs will still run Windows XP --but a bigger shift in security looms," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies