Security Sidebar: End of Support for Windows XP...and ATMs?

The End of Windows XP

Security flaws in operating systems are discovered all the time.  For operating systems that are still supported, the manufacturer releases a security update or patch that takes care of the flaw (make sure you install the patch).  Well guess what?  People still find security flaws after a manufacturer stops supporting an operating system.  In fact, some hacker types will look even harder after they know the security patches are not released any more because they can exploit the new vulnerabilities indefinitely.

On April 8, 2014 Microsoft will no longer support the Windows XP operating system (meaning no more patches, security updates, etc).  I guess you can't blame them too much.  After all, they've supported it for almost 13 years.  For those who absolutely, positively must have support beyond April 8, you are in luck...but it's gonna cost you.  Microsoft will allow companies to purchase a Premier Support Agreement and still receive critical security updates along with technical support through the end of their paid contract.

You would think this "end of support" for a 13-year-old operating system would not be that big a deal, but as it turns out, up to 15% of companies in the United States still use Windows XP for their daily business needs.  Many of these companies have critical, custom-built applications that require Windows XP.  So, if you take away Windows XP from these companies, you take away their apps which means you take away their ability to do business.  So for many people out there, this is a pretty big deal.


Will My ATM Still Work?

One of the "users" of Windows XP might very well be your local ATM.  According to the World Bank, there were about 2 million ATMs worldwide in 2012, and approximately 95% of them run on Windows XP.  If you are like me, you never really thought about this.  I guess I knew something was running that ATM; I just didn't realize it was Windows XP.

Now that Microsoft will no longer be supporting Windows XP, should we all panic about the possible security vulnerabilities in our local ATMs?  Not so fast.  Here's the rest of the story.  While many ATMs run on Windows XP, they typically run a stripped-down embedded version, and Microsoft will continue to support embedded versions of Windows XP until January 2016.  In addition, ATMs still have to meet Payment Card Industry (PCI) standards in order to operate, and these standards require strict technical and security configurations for each ATM.

One way to fix this impending problem is to upgrade the ATM software (for example, install Windows 7).  You can probably guess pretty quickly why this isn't at the top of the "to do" list for bank CEOs.  Each ATM would need to be upgraded individually, and each would cost between $1,000 and $3,500 when you factor in software, possible hardware, and labor costs.  To put this in perspective, Bank of America operates around 16,000 ATMs in the United States.  If 95% of these ATMs had to be upgraded, even at the lower estimate of $1,000 per upgrade, it would still cost a cool $15 million.  Alas, it looks like ATMs probably won't be upgraded any time soon.

Should an older ATM running embedded Windows XP cause concern?  The short answer is no.  The fact of the matter is that ATMs are not the easiest target for a thief wanting to steal money or account information.  To be fair, ATMs are targeted for this kind of nefarious activity, but there are much simpler ways to go about it.  An attacker could plant malware on a victim's home computer and then steal money from the comfort of his own thieves' den.  If someone is going to attack an ATM, it's probably going to happen physically from the outside.  Thieves will typically steal card credentials, use cameras to capture PINs, make duplicate cards, etc.  These types of ATM attacks have nothing to do with the security posture of Windows XP running the ATM itself.  Further, if an attacker can penetrate the security of a bank to the point of planting malware on the ATM, that bank probably has much bigger issues than the possible vulnerabilities of Windows XP not being patched any more.


With all that said, here are some quick tips on what you can do to protect your hard-earned money:

  • Stay informed on these issues (by reading my blogs, of course)
  • As a business, plan ahead and have a good transition strategy
  • As an individual, check your accounts often and notify your bank or credit card company if anything looks wrong.  Most banks and credit card companies will not hold you liable if someone stole from you.


The world of technology continues to change whether you like it or not...let's change with it!


Published Apr 03, 2014
Version 1.0
