Your ATM Likely Runs on Windows XP, Which Means It's Vulnerable To Hacking

Microsoft withdrew support for the operating system most of America's ATMs run on this week, leaving them open to new bugs and attacks from hackers. And it will take a while for the industry to catch up.

On April 8, Microsoft officially discontinued support for Windows XP, which also means it will stop patching security issues. If a product runs on Windows XP, it's about to be far more vulnerable to hackers and criminals. That means big headaches for many critical industries that still use the legacy operating system, though perhaps no situation is as startling as this: More than 75% of the world's ATMs run on Windows XP.

That's bad news for banks. Christopher Budd of Trend Micro, a security firm, told Fast Company that banks continuing to run ATMs and internal systems on Windows XP computers expose consumers to malware attacks. Such attacks are relatively common wherever criminals find poorly secured ATMs. ATM manufacturers, owners, and operators who lease their machines are now scrambling to convert their Windows XP machines to more current (and supported) operating systems. In an internal risk assessment report, Mike Lee of the trade group ATM Industry Association wrote that the changeover would be "the most important change to the global ATM industry" in 2014.

Banks and ATM operators have been slow to upgrade Windows XP-based ATMs to more current software because of the costs involved. Upgrading an ATM to Windows 7 or a newer flavor of Windows CE (Microsoft's embedded operating system, used in handheld and special-purpose devices) takes about an hour per machine and requires a technician with physical access to it. Many ATMs, which can cost many thousands of dollars each, also need hardware upgrades before they can run the newer operating system. Multiply that by the tens of thousands of ATMs a bank may have across the country, and you see why the largest institutions kept riding with XP. It's a perfect example of how the sheer scale of an installed base can hold back improvements, and not too different from the slowness of American retailers and banks in moving from insecure magnetic-stripe credit cards to safer chip-and-PIN cards.

Microsoft's decision to abandon Windows XP is driven by equally primal economic concerns: it simply makes no sense for the company to devote resources to maintaining an older, increasingly outdated operating system. And in any case, most enterprise users have already switched to Windows 7 or 8. But ATMs, like industrial control systems and medical devices, tend to lag behind in these transitions because they have longer life spans than desktop computers, according to Wolfgang Kandek, CTO of compliance and enterprise security firm Qualys.

So what happens now? The answer isn't likely to impress consumers: ATM operators are working at a steady pace to upgrade their terminals, but it'll take a while. Industry publication Computerworld reports that several major ATM operators have worked out arrangements with Microsoft to receive support after the April 8 deadline "at great cost." Diebold, America's largest ATM manufacturer, is running an aggressive campaign to upgrade its ATMs. Other ATM industry figures are also promoting stopgap security packages for XP-based systems. In the meantime, your local ATM will likely continue running an operating system that no longer receives security patches.

[Image: Flickr user Federico Parodi]


3 Comments

  • James Roquemore Wilson

    Microsoft has officially extended support for the ATM variant of XP until sometime in 2016. This was announced weeks ago.

  • This article is misleading. ATMs are on closed networks that hackers cannot get into. Also Microsoft is continuing to support Windows XP for many companies on a paid basis. At least some of the ATM manufacturers are doing this.

  • Author of the article here.

    I mentioned the Windows XP support on a paid basis in the last paragraph of this story, and I'm very happy MSFT is doing so. As far as ATMs on closed networks... not so happy about that.

    Even closed networks have security flaws. Generally speaking (and, yes, painting these things with a broad brush) a network is only as secure as its administrators let it be. While the delays of many ATM manufacturers and customers in switching from Windows XP are totally understandable given the expense, they have also left them with a big opportunity for fraud--not too dissimilar from the magnetic swipe/chip & PIN debate on POS systems.

    Given the nature of these things, where it only takes one flaw in a system to cause massive losses, I do think it's a good thing ATM manufacturers are scrambling to fix things now.