Sunsetting of Windows XP Raises ATM Security Concerns
In April, when Microsoft drops support for the XP operating system used by most ATMs, the sky won't fall on ATM owners and operators. But those that haven't upgraded should be taking other security steps, industry experts warn.
ATMs that run Windows XP will inevitably be a more attractive target to hackers who realize Microsoft is no longer pushing out security patches. And in all likelihood, patches will not be issued for software that runs on XP, either.
"It's like being on the Titanic, but instead of not knowing that the iceberg is around the corner, we do know the iceberg is there," says Terence Devereux, a senior advisor for business line banking at Wincor Nixdorf. "It's called April. And we're driving straight for it, and at the moment we're going full steam."
Yet insiders say the doomsday scenarios portrayed in the media--images of ATMs spitting out stacks of money for hackers or shutting down across an entire country after the April 8 deadline-are far-fetched.
"The bad guys won't show up the next morning," says Andy Mattes, chief executive officer of Diebold. "But with every month that passes, risk will increase. You want to get to this sooner rather than later."
And there are ways ATM owners can mitigate their fraud risk even without upgrading to Windows 7, observes Robert Johnson, software marketing director at NCR Corp.
The ATM Industry Association pegs the worldwide ATM population at about 2.6 million, with 425,000 to 450,000 ATMs in the U.S. Between 90 and 95 percent of the world's ATMs run on Windows systems, and most of those are Windows XP.
In a global September 2013 survey, the ATMIA asked ATM operators if they would have their machines changed over from Windows XP by the April 8 deadline. Only 38 percent of the respondents reported that they would, says David Tente, U.S. executive director for ATMIA. About 20 percent said they would switch over after 2014, with another 20 percent undecided.
Why only 38 percent? More than anything, the costs and time involved in switching out the software and making the required hardware upgrades are daunting, Tente says. Ever since the Microsoft deadline was announced more than two years ago and Windows 7 was made available in early 2012, banks and other ATM operators have been weighing the upsides and downsides of switching to Windows 7.
"This all hit when banks, who deploy a majority of the ATMs, are recovering from some major economic shocks going back five or six years in the banking industry. They're coming out of that very, very cost conscious," Johnson says. "They need to examine very carefully what they spend money on."
Switching operating systems on an ATM fleet is not a trivial task, it's much more complicated than switching them for a company's PCs, partly because of the security ramifications and partly because the ATMs are unattended, which means they have to be thoroughly tested.
The price of switching includes the cost of the Windows software and the software that runs on it. The most significant cost is for building and testing the new software stack in a lab environment and installing the new software on each machine, which requires a small army of IT, software and professional services personnel. On advanced ATM networks, the software can be deployed remotely, but on older networks the switch has to be done physically at each site, says Johnson.
On the other hand, the cost of not upgrading to XP includes not only the security risk introduced by the unprotected operating system, but the danger of falling out of compliance with PCI security standards, which is a big deal, Mattes says. Such banks become more liable for any fraud or theft that occurs on the ATM.
An ATM operator that doesn't meet the deadline can remain in compliance with PCI if it puts on a compensating control while it is working toward a Windows 7 upgrade, Johnson says. One example of a compensating control is software NCR has created to lock down an ATM's software to protect it from malicious code, Johnson says.
ATM operators that know they will miss the Windows XP deadline should also make sure their ATMs are as isolated as possible from the Internet-several layers removed-and that they have the correct processes and controls for managing what should be a closed IT network, Johnson says.
"You can never 100-percent guarantee anything when it comes to security, but you can certainly increase the number of decimal places when you do 99.99999 percent. You can increase the number of nines, if you follow sensible processes," Johnson says.
Wincor Nixdorf also has created security software to protect Windows XP ATMs after the deadline and keep them PCI compliant. The software is already used by more than 10 percent of all self-service ATMs in the world, in 39 countries, according to the company.
There may be another way out, too: While Microsoft will no longer be obligated to produce security patches after April 8, it may continue to do so anyway.
And some owners of XP-laden ATM fleets, especially larger financial institutions, are negotiating extended agreements with Microsoft to cover themselves after the April 8 deadline. Johnson says he's seen little demand with NCR's customers for Microsoft's extended service agreements because the price is so high. Microsoft's offer has been taken up in some cases where a company has a large number of office-bound Windows XP machines in addition to the ATM network, he says.
Many of NCR's customers are in the process of testing and switching their ATMs over to XP, which can take a few months to do properly, Johnson says. Some customers have an absolute view on the deadline, while others are more relaxed.
"At the end of the day, a Windows XP machine will still work on April 9. It's not like the whole world is going to collapse on April 8," Johnson says.
Windows XP, released in 2001, has a 10-year-plus track record with many ATMs, but Microsoft appears to be leaning toward a new seven-year lifecycle for its operating systems. The prospect of having to spend on operating system changeovers every seven years has generated some interest in the industry in developing an alternative operating system, Tente says, most likely based on Linux or another form of Unix because it is stable and open source. But a new operating system probably wouldn't be ready in time for adoption during the transition to Windows 7 from Windows XP.
Those that do upgrade to XP should consider adding biometrics and other new features to their ATMs, Mattes says. For instance, MasterCard and Visa are requiring ATM owners to make their machines EMV chip-and-PIN compatible by October 2016 and October 2017, respectively. Buying new ATMs compatible with both Windows 7 and EMV could kill two birds with one stone.