In April, when Microsoft drops support for the XP operating system used by most ATMs, the sky won't fall on ATM owners and operators. But those that haven't upgraded should be taking other security steps, industry experts warn.
ATMs that run Windows XP will inevitably be a more attractive target to hackers who realize Microsoft is no longer pushing out security patches. And in all likelihood, patches will not be issued for software that runs on XP, either.
"It's like being on the Titanic, but instead of not knowing that the iceberg is around the corner, we do know the iceberg is there," says Terence Devereux, a senior advisor for business line banking at Wincor Nixdorf. "It's called April. And we're driving straight for it, and at the moment we're going full steam."
Yet insiders say the doomsday scenarios portrayed in the media--images of ATMs spitting out stacks of money for hackers or shutting down across an entire country after the April 8 deadline-are far-fetched.
"The bad guys won't show up the next morning," says Andy Mattes, chief executive officer of Diebold. "But with every month that passes, risk will increase. You want to get to this sooner rather than later."
And there are ways ATM owners can mitigate their fraud risk even without upgrading to Windows 7, observes Robert Johnson, software marketing director at NCR Corp.
The ATM Industry Association pegs the worldwide ATM population at about 2.6 million, with 425,000 to 450,000 ATMs in the U.S. Between 90 and 95 percent of the world's ATMs run on Windows systems, and most of those are Windows XP.
In a global September 2013 survey, the ATMIA asked ATM operators if they would have their machines changed over from Windows XP by the April 8 deadline. Only 38 percent of the respondents reported that they would, says David Tente, U.S. executive director for ATMIA. About 20 percent said they would switch over after 2014, with another 20 percent undecided.
Why only 38 percent? More than anything, the costs and time involved in switching out the software and making the required hardware upgrades are daunting, Tente says. Ever since the Microsoft deadline was announced more than two years ago and Windows 7 was made available in early 2012, banks and other ATM operators have been weighing the upsides and downsides of switching to Windows 7.
"This all hit when banks, who deploy a majority of the ATMs, are recovering from some major economic shocks going back five or six years in the banking industry. They're coming out of that very, very cost conscious," Johnson says. "They need to examine very carefully what they spend money on."
Switching operating systems on an ATM fleet is not a trivial task, it's much more complicated than switching them for a company's PCs, partly because of the security ramifications and partly because the ATMs are unattended, which means they have to be thoroughly tested.
The price of switching includes the cost of the Windows software and the software that runs on it. The most significant cost is for building and testing the new software stack in a lab environment and installing the new software on each machine, which requires a small army of IT, software and professional services personnel. On advanced ATM networks, the software can be deployed remotely, but on older networks the switch has to be done physically at each site, says Johnson.
On the other hand, the cost of not upgrading to XP includes not only the security risk introduced by the unprotected operating system, but the danger of falling out of compliance with PCI security standards, which is a big deal, Mattes says. Such banks become more liable for any fraud or theft that occurs on the ATM.
An ATM operator that doesn't meet the deadline can remain in compliance with PCI if it puts on a compensating control while it is working toward a Windows 7 upgrade, Johnson says. One example of a compensating control is software NCR has created to lock down an ATM's software to protect it from malicious code, Johnson says.
ATM operators that know they will miss the Windows XP deadline should also make sure their ATMs are as isolated as possible from the Internet-several layers removed-and that they have the correct processes and controls for managing what should be a closed IT network, Johnson says.
"You can never 100-percent guarantee anything when it comes to security, but you can certainly increase the number of decimal places when you do 99.99999 percent. You can increase the number of nines, if you follow sensible processes," Johnson says.
Wincor Nixdorf also has created security software to protect Windows XP ATMs after the deadline and keep them PCI compliant. The software is already used by more than 10 percent of all self-service ATMs in the world, in 39 countries, according to the company.
There may be another way out, too: While Microsoft will no longer be obligated to produce security patches after April 8, it may continue to do so anyway.