Hackers will have little interest in breaking into Windows XP computers, Celent analyst Jacob Jegher believes.

Windows XP Goes Dark; Will Hackers Be Lurking?


As Microsoft finally pulls the plug on its popular Windows XP operating system Tuesday, the computers of millions of online banking users could be more susceptible than ever to fraud.

After April 8, Microsoft will no longer provide regular security patches or technical assistance for Windows XP. Although everyone saw this coming -- Microsoft has been very clear about XP's expiration date since it launched the operating system in 2001 -- close to a third of all U.S. consumers still have it on their PCs, according to Net Applications. If about half of U.S. consumers bank online, as the Pew Research Center says they do, millions of computers being used to bank online are vulnerable to hackers exploiting any holes they can find in XP.

The demise of XP is no surprise. Microsoft has been issuing warnings about it on a regular basis and even ran a helpful countdown clock. Microsoft supported XP longer than any previous operating system (the next-longest was Windows NT, which it supported for eight years).

Microsoft has also been upfront about the risks to those who don't upgrade. "If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses," the company states on its website.

In a joint statement in October, the Federal Financial Institutions Examination Council warned banks about the risks of continuing to run XP on their computers. "Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data," the regulators stated.

But while banks can and presumably have upgraded their own PCs, they have little control over what their customers do. Online banking users still holding onto XP machines due to lack of funds, inertia, a dislike of Windows 8, or lack of awareness, will be easy prey for hackers.

Experts say this is a medium risk for banks. "These consumers will be more vulnerable, but banks should be used to dealing with consumers whose desktops are infected with malware," says Avivah Litan, vice president of Gartner Research. "In this sense, it's business as usual. The banks need to be able to detect malware-based sessions and react accordingly."

Banks also need to have a layered fraud prevention strategy so that if a piece of malware succeeds in logging into an online banking session from a customer's computer, other fraud detection and prevention software and layers can kick in to mitigate the damage, she says.

Jacob Jegher, senior analyst at Celent, believes XP machines are not an alluring target for hackers because the operating system's market share is falling. (According to Net Applications, XP usage dropped from 38% in May 2013 to 28% in March.)

"If XP drops to a very small number, it becomes less interesting," he says.

Jegher also observes that because XP is mature, many of its vulnerabilities have already been discovered. And any exploited weaknesses in the code could be detected by anti-malware and antivirus software, he says.

"I have a computer running Windows XP at home, and I have no issues banking online with it," he says. "A year from now, I'll still be OK with it."

Some of the newer operating systems may be more vulnerable to cybercriminals than XP because the weaknesses have yet to be exposed and, therefore, have yet to be fixed.

"If you're running the latest and greatest Windows 8 computer and you've had it for three months, you're open to all kinds of malware, spyware, and Trojans," Jegher says.

There are a few things banks can do to mitigate the risk of having armies of online banking users entering their sites from potentially infected PCs.

First and foremost, they can encourage their customers to upgrade.

The Bank of Washington in Lynnwood, Wash., for instance, set up a web page alerting customers to the end of XP. "Using Windows XP after April 2014 will be an 'at your own risk' situation," the bank warns. It advises consumers to install a newer version of Windows. "Windows 8 is the latest, but Windows 7 is a very capable and user-friendly operating system," the $123 million-asset bank states. "Windows 7 also has a more traditional Windows user interface, as Windows 8 introduced many design changes."

Some of the largest banks have the technology to identify what operating systems customers are using to access online banking and put additional controls in place for those customers, for instance, by not allowing them to upload files.
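
The kind of check described above, sketched as an added example (not code from any bank or vendor named in this article): it reads the Windows NT version token from the browser's User-Agent header and maps it to per-session controls such as disabling file upload. The policy threshold, field names and sample headers are assumptions made for illustration.

```python
import re

# Windows NT version tokens that browsers place in the User-Agent header.
NT_NAMES = {
    (5, 0): "Windows 2000",
    (5, 1): "Windows XP",
    (5, 2): "Windows XP x64 / Server 2003",
    (6, 0): "Windows Vista",
    (6, 1): "Windows 7",
    (6, 2): "Windows 8",
    (6, 3): "Windows 8.1",
}
# Assumed policy for this example: anything older than NT 6.0 is restricted.
MIN_SUPPORTED = (6, 0)
_NT_TOKEN = re.compile(r"Windows NT (\d+)\.(\d+)")


def nt_version(user_agent):
    """Return (major, minor) from a User-Agent string, or None if absent."""
    match = _NT_TOKEN.search(user_agent or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def session_policy(user_agent):
    """Map the reported OS to per-session controls (hypothetical field names)."""
    version = nt_version(user_agent)
    if version is None:
        # Non-Windows client or missing header: this check has nothing to say.
        return {"os": "unknown", "allow_upload": True, "show_upgrade_notice": False}
    name = NT_NAMES.get(version, "Windows NT %d.%d" % version)
    restricted = version < MIN_SUPPORTED
    return {
        "os": name,
        "allow_upload": not restricted,
        "show_upgrade_notice": restricted,
    }


# Constructed sample headers, not captured traffic.
SAMPLES = [
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    None,
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(session_policy(ua))
```

The User-Agent header is supplied by the client and can be altered or dropped, so a result like this is one risk signal to feed into the layered fraud controls described earlier, not a decision on its own.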

Some banks are working with Microsoft and PC manufacturers to provide discounts to encourage people to upgrade. "It sounds a little Big Brotherish, but customers usually think it's great when they get the feedback, because they'd much rather be protected than have their accounts compromised," says Mercedes Tunstall, practice leader of Ballard Spahr's Privacy and Data Security Group.

For most banks, by watching closely and putting appropriate controls in place, XP should not be a problem, Tunstall says.

"It could be a crisis if people are not paying attention," she says.


Comments (3)
I disagree with Mr. Jegher's contention that dwindling numbers of XP machines will lessen the attractiveness as a target for hackers. I've seen statistics which show XP runs 90% of the world's ATMs and a good portion of the POS machines. Because these critical systems run on an underlying XP infrastructure, they will continue to be attractive to cyber-criminals. While I agree that the age of XP may help limit the track hackers can use when developing exploits, history has shown they have no issues with attacking legacy platforms.
Posted by TotalNetworxMN | Tuesday, April 08 2014 at 12:32PM ET
Windows 8 is not more inherently insecure than Windows XP just because it is newer. Mr Jegher's opinion is misinformed. Windows 8 and Windows XP use the same codebase at their core so Windows 8 has the benefit of most of the lessons learned in Windows XP. Likewise and of the biggest concern, any vulnerability found in Windows 8 most likely applies to Windows XP.
Posted by plmoore78 | Tuesday, April 08 2014 at 2:34PM ET
For a layman, there should be no need to panic.
Posted by maheshchourushi | Wednesday, April 09 2014 at 4:30AM ET