Your ATM Likely Runs on Windows XP, Which Means It’s Vulnerable To Hacking

Microsoft withdrew support for the operating system most of America’s ATMs run on this week, leaving them open to new bugs and attacks from hackers. And it will take a while for the industry to catch up.


On April 8, Microsoft officially discontinued support for Windows XP, which also means it will stop patching security issues. If a product runs on Windows XP, it’s about to be far more vulnerable to hackers and criminals. That means big headaches for many critical industries that still use the legacy operating system, though perhaps no situation is as startling as this: More than 75% of the world’s ATMs run on Windows XP.

That’s bad news for banks. Christopher Budd of Trend Micro, a security firm, told Fast Company that banks continuing to run ATMs and internal systems on Windows XP computers exposes consumers to malware attacks. These attacks take place on a relatively common basis in situations where criminals find ATMs with weak security. ATM manufacturers, owners, and leasers are now scrambling to convert their Windows XP machines to more current (and supported) operating systems. In an internal risk assessment report, Mike Lee of the trade group ATM Industry Association wrote that the changeover would be “the most important change to the global ATM industry” in 2014.

Banks and ATM operators have been slow to upgrade Windows XP-based ATMs to more current software because of the costs involved. Upgrading an ATM to Windows 7 or newer flavors of Windows CE–a Microsoft operating system designed for consumer devices–takes about an hour of time, and requires physical access to a machine. Many ATMs, which can cost many thousands of dollars, also need hardware upgrades to run the newer operating system. Multiply that by the tens of thousands of ATMs that a bank may have across the country, and you see why the largest institutions kept riding with XP. It’s a perfect example of how economies of scale prevent innovation and improved services–and not too different from the inability of American retailers and banks to switch from unsecure magnetic stripe credit cards to safer chip and PIN combos.

Microsoft’s decision to abandon Windows XP is driven by equally primal economic concerns: It simply makes no sense for the company to devote resources to maintaining an older, increasingly outdated operating system. And anyway, most enterprise users have already switched to Windows 8 or 7. But ATMs, like industrial control systems and medical devices, tend to lag behind in these transitions because they have longer life-spans than desktop computers, according to Wolfgang Kandek, CTO of compliance and enterprise security firm Qualys.

So what happens now? The answer isn’t likely to impress consumers: ATM operators are working at a steady pace to upgrade their terminals, but it’ll take a while. Industry publication Computerworld reports that several major ATM operators have worked out arrangements with Microsoft to receive support after the April 8 deadline “at great cost.” Diebold, America’s largest ATM manufacturer, is running an aggressive campaign to upgrade its ATMs. Other ATM industry figures are also promoting stopgap security packages for XP-based systems. In the meantime, your local ATM will likely continue running an operating system whose defenses are down.

About the author

Based in sunny Los Angeles, Neal Ungerleider covers science and technology for Fast Company. He also works as a consultant, writes books, and does other things.


