Leo, I’m an independent computer tech and, as you advise, I’ve been advising all of my customers that their XP systems will be risky to run on the internet after Microsoft drops support for XP in April. However, I just read in Time magazine that 95% of all ATM machines are based on Windows XP. Does this mean that ATM machines are at a high risk of hacking after Microsoft ends support?
Frankly, if I was a hacker, and I’d found a hole in XP that I could exploit at ATMs I’d be really tempted to wait until after Microsoft support ends to use it. Then I could keep using it as well. The vulnerability might have already been discovered and is just waiting for the right day to be used. How can I protect myself? Should I try to shut down ATM access to my accounts and is this even possible?
I was as surprised as you are to hear that such a high percentage of ATMs are using Windows XP. After giving it some thought, I think the problem probably goes a little bit deeper than that. But I don’t think you and I really need to do anything just yet.
Banks, on the other hand, should definitely be on the alert.
It starts with networking
That may be true for many (if we’re lucky, even most) ATMs. A private network in and of itself reduces the risk of hacking because it’s via the internet that most of these malware attacks would happen. If the ATM is not actually communicating directly on the internet, then that’s not really a vector for those attacks.
If, like a good PC, they at least have a firewall, the problem may also not be as severe as we’re worried about. This could well be a case of a single purpose machine operating in an isolated enough environment to be relatively safe. However, when it comes to banking, I’d expect “relatively safe” to not really be safe enough!
The firewall matters most of all
That’s why I expect that these machines, even if they’re running XP, would not be connected to the global internet in such a way as to be vulnerable. It’s not like somebody’s using them to download and read emails and open attachments, for example.
The firewall that sits between ATMs and the internet is perhaps the single most important part of this equation. If the ATMs are on a private network, then that firewall would, presumably, live in the bank’s own IT center, and as a result the bank’s IT department would be able to keep it up to date.
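To make the "isolated, single-purpose machine behind a firewall" idea concrete, here is an added example (not from the original article, and not any bank's actual configuration) of a default-deny nftables ruleset on a Linux gateway placed in front of an ATM-style device. The address ranges, the management subnet and the transaction-host subnet are all assumed placeholders. The point it illustrates is the one made above: if the only traffic allowed is to and from the bank's own hosts, the public internet simply is not a path to the machine, whatever operating system it runs.

```nftables
# Constructed example: gateway firewall for a single-purpose device (e.g. an ATM)
# that must talk only to the bank's private network. All addresses are assumed
# placeholders; replace them with the real private ranges.
table inet atm_gateway {
    chain input {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Only the bank's IT management subnet (assumed 10.20.0.0/24) may open
        # a management session to the gateway itself.
        ip saddr 10.20.0.0/24 tcp dport 22 accept comment "bank IT management (assumed subnet)"
        # Everything else, including unsolicited traffic from the internet, is dropped.
        counter drop comment "default deny inbound"
    }
    chain forward {
        # Traffic passing through the gateway between the device and the network.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The device (assumed 10.30.1.10) may reach only the transaction hosts
        # (assumed 10.10.5.0/24) over TLS. No rule permits arbitrary internet hosts,
        # so a web download, e-mail fetch or update from an untrusted site cannot occur.
        ip saddr 10.30.1.10 ip daddr 10.10.5.0/24 tcp dport 443 accept comment "bank transaction hosts (assumed)"
        # Log and drop anything else so the bank's IT department can see attempts.
        counter log prefix "atm-gw-denied: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # The gateway itself only needs to reach the bank's log/patch host (assumed).
        ip daddr 10.20.0.5 tcp dport 514 accept comment "bank syslog collector (assumed)"
        counter drop comment "default deny outbound"
    }
}
```

Load it with `nft -f <file>` and list it with `nft list ruleset`. The design choice worth noting is that every chain has `policy drop` and the accepts are narrow allow-lists; the logged `forward` drops are what an IT department would watch, since a sudden burst of denied outbound connections from a device that should never initiate anything new is exactly the kind of signal the article says banks should be alert for.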
But let’s, for a moment, assume the worst. Let’s assume that these ATMs, or at least some of them, are more or less exactly like PCs connected directly to the internet.
So, some vulnerability comes along and an ATM gets hacked.
It’s the banks that are going to have to deal with this, particularly if it happens on a large scale. And if there is that kind of vulnerability, it’s of course going to be on a large scale. I’d expect your account and my account to be relatively unaffected, at least after the initial furor dies down.
The banks will be faced with updating the machines and diagnosing problems with and updating XP, perhaps even with Microsoft’s help. My understanding is that large companies can indeed pay for continued support, and perhaps specific updates to Windows XP of some limited nature. This would be a scenario that I assume would get addressed one way or another, and probably pretty darned quickly.
More than ATMs
My deeper concern is really about what machines other than ATMs might be running XP. Banks obviously have a vested interest in keeping their networks as secure as possible. But recently, point of sale software has been a target of hackers. I have to wonder how many point of sale computers out there are still running Windows XP. Or how many computers in doctors’ offices, power stations, or coffee shops, or toy stores… or who knows?
Basically, there’s the potential for a lot of small businesses to be affected. They won’t have the resources or the ability to react as quickly as the banking network might. In my opinion, they are the ones who should be worried, and they’re the ones who should be upgrading.