Leo, I’m an independent computer tech and, as you advise, I’ve been advising all of my customers that their XP systems will be risky to run on the internet after Microsoft drops support for XP in April. However, I just read in Time magazine that 95% of all ATM machines are based on Windows XP. Does this mean that ATM machines are at a high risk of hacking after Microsoft ends support?
Frankly, if I were a hacker, and I’d found a hole in XP that I could exploit at ATMs, I’d be really tempted to wait until after Microsoft support ends to use it. Then I could keep using it as well. The vulnerability might have already been discovered and is just waiting for the right day to be used. How can I protect myself? Should I try to shut down ATM access to my accounts, and is this even possible?
I was as surprised as you are to hear that such a high percentage of ATMs are using Windows XP. After giving it some thought, I think the problem probably goes a little bit deeper than that. But I don’t think you and I really need to do anything just yet.
Banks, on the other hand, should definitely be on the alert.
It starts with networking
I always figured that bank ATMs would be connected to some kind of a private network. I expected that even if ATMs connected over the internet, at least a VPN (Virtual Private Network) would be used.
That may be true for many (if we’re lucky, even most) ATMs. A private network in and of itself reduces the risk of hacking because it’s via the internet that most of these malware attacks would happen. If the ATM is not actually communicating directly on the internet, then that’s not really a vector for those attacks.
If, like a good PC, they at least have a firewall, the problem may also not be as severe as we’re worried about. This could well be a case of a single purpose machine operating in an isolated enough environment to be relatively safe. However, when it comes to banking, I’d expect “relatively safe” to not really be safe enough!
The firewall matters most of all
That’s why I expect that these machines, even if they’re running XP, would not be connected to the global internet in such a way as to be vulnerable. It’s not like somebody’s using them to download and read emails and open attachments, for example.
The firewall that sits between ATMs and the internet is perhaps the single most important part of this equation. If the ATMs are on a private network, then that firewall would, presumably, live in the bank’s own IT center, and as a result the bank’s IT department would be able to keep it up to date.
But let’s, for a moment, assume the worst. Let’s assume that these ATMs, or at least some of them, are more or less exactly like PCs connected directly to the internet.
ATM doomsday?
So, some vulnerability comes along and an ATM gets hacked.
It’s the banks that are going to have to deal with this, particularly if it happens on a large scale. And if there is that kind of vulnerability, it’s of course going to be on a large scale. I’d expect your account and my account to be relatively unaffected, at least after the initial furor dies down.
The banks will be faced with updating the machines and diagnosing problems with and updating XP, perhaps even with Microsoft’s help. My understanding is that large companies can indeed pay for continued support, and perhaps specific updates to Windows XP of some limited nature. This would be a scenario that I assume would get addressed one way or another, and probably pretty darned quickly.
More than ATMs
My deeper concern is really about what machines other than ATMs might be running XP. Banks obviously have a vested interest in keeping their networks as secure as possible. But recently, point of sale software has been a target of hackers. I have to wonder how many point of sale computers out there are still running Windows XP. Or how many computers in doctors’ offices, power stations, or coffee shops, or toy stores… or who knows?
Basically, there’s the potential for a lot of small businesses to be affected. They won’t have the resources or the ability to react as quickly as the banking network might. In my opinion, they are the ones who should be worried, and they’re the ones who should be upgrading.
Wow, this could get serious really quick. I see you said doctors’ offices; I was at mine the other day and I could not believe they were still using Windows XP. I about had a heart attack: all my personal information on a Windows XP, wow.
My doctor runs a Mac.
It’s mind-boggling to me that systems such as ATMs and cash registers would use Windows XP (or any commercial OS) anyway. Linux seems like a better fit for those types of applications. Now, I’m not a Windows hater; I choose it over Linux for my home computers. But the reasons to choose Windows for desktop use do not at all apply to dedicated one-application computer systems such as an ATM, cash register, industrial control machine, etc.
On these types of machines, the advantages of Windows fly right out the window. On a special purpose machine, there is no benefit to having access to a wide range of software, or drivers for a wide range of hardware. You already have a team of computer and software engineers working full-time, so having them design for an open-source platform should be no more expensive:
– You already need a bunch of special custom drivers, might as well write them for Linux.
– You already need a special custom application, might as well write it for Linux.
– You don’t need a familiar or easy-to-use interface for the OS, nobody ever sees it anyway.
– You already need to stand up a sustainment team of smart engineers to support the product, that won’t change by using a commercial OS. Free OS updates will offer you savings that you then spend trying to fix your application, which breaks after each OS update.
– When your OS support goes away, there is no panic, just business as usual. You are already accustomed to supporting it yourself.
I would bet that Leo (and others) have the necessary background to either corroborate or poke holes in my theory.
No matter the OS, the network is the main vulnerability. It’s bothersome to me that people will automatically say “Linux/Apple okay, Windows bad,” because those who wish to exploit a system simply do not CARE… they are not limited in knowledge when creating malicious code.
Code is code and if you know it you can tear anything to shreds if you are so criminally inclined. There is no ‘magic OS’ and complacency breeds victims.
I think the 95% figure you were quoted was hyperbole and propaganda, though. If you are convinced there is a full-blown Windows on that point of sale terminal, it’s likely not that simple, nor would the entire OS be there… more like a stripped version made of these terminals. The anti-virus programs we use won’t be what they use at the grocery store, but vendor provided, I suspect. What retail outlets and we get are not going to be the same.
And do think about this: Microsoft’s new CEO has stated that he wants to dominate the aspects of computing they are great at… why would they leave so many installations in the cold or even leave them in the lurch? Not a very effective strategy for maintaining market share, I think.
Computergeddon is no more due than the Y2K bug for ruining our lives. If you are this concerned about the problem perhaps you should learn to plan your financial transactions around a few minimal branch visits and use cards less, concentrating on paying bills and debts at the same arranged times of the month. Those of us on limited budgets have to do this already.
Planning, not panic.
Nope, I agree with you. In fact I’d take it further – I’d want my dedicated task machines to not be based on a commonly available general purpose OS to begin with. There are other operating systems that might also be a much better fit for things like banking – particularly with the added security requirements that such applications should demand. One thing that might drive selection and adoption, however, might be the available labor pool to pull from – there are probably many more Windows programmers out there than Linux, and many more of those than for any obscure OS more closely targeted to this type of task. Similarly, I’m sure that there are more available development tools for Windows. I’m certainly not saying that the problem can’t be solved for Linux or an obscure OS, just that it’s probably easier, and cheaper, to pull from the greater pool of resources available for Windows.
The ATMs, anyway, are not a big deal. Most use embedded XP which will be supported until December 31, 2016.
Ding ding, yes, it’s those other businesses Leo mentions that have the odd backdoor that’s not covered that’s of much more concern; but they would ALWAYS be of concern regardless of OS; we have Mitnick to thank for putting us on to how well social engineering can end around multiple layers of security.
I was commenting on the specific issue of XP EOL. The banks have two more years before XP Embedded EOLs.
I am no longer surprised by the use of old technology. I have seen garages and even electronics stores using old DOS screen type programs to run their business (I have even seen a few that still use those old monochrome monitors). If it works, why invest in new software? If the hardware breaks down, they can still usually run on newer systems in compatibility mode. I understand that banks are a little different animal, but many companies only want to keep using what they know – they aren’t IT people and don’t really care that much about the aspects of security that they don’t understand. Big companies don’t want to go through the cost and hassle to upgrade all of their machines, and Mom and Pop small businesses see no reason to invest in newer software. We finally upgraded our Office from 97 to 2007 last year (around 500 computers). For most it was just a training issue and they were happy; some we couldn’t upgrade because they had software that wouldn’t work with newer versions – but just about everybody complained at first! Upgrades are hardly ever as easy or go as smoothly as expected.
ATMs and similar systems would be running Windows Embedded (in this case Windows XP Embedded) which is a derivative version of Windows especially for things like ATM and other standalone kiosk type systems. Issues found in desktop Windows XP may or may not exist in Windows XP Embedded, likewise it may have its own issues not present in other versions of Windows XP.
http://en.wikipedia.org/wiki/Windows_XP_editions#Windows_XP_Embedded
Aside from ATMs, what about using my own computer at home to make bank transactions? My wife worries that our accounts are not safe whereas I’m of the opinion that surely the banks must have thought about all that in the earliest stages! (However, every time a change is made to anything, it’s never an improvement and all sorts of cracks show up which were never there at the beginning. So maybe I worry a little too, even if I don’t say so.)
Using the internet is safe if you are operating with common sense and have all security precautions in place. Here’s Leo’s most important article on that: http://askleo.com/internet_safety_8_steps_to_keeping_your_computer_safe_on_the_internet/
Here’s something I found:
http://support.microsoft.com/lifecycle/?p1=3220
After all, machines like ATMs typically do run Windows XP Embedded.