Around 95 percent of the world’s ATMs are currently supported by Microsoft’s Windows XP, but come Tuesday, security updates will no longer be issued by the U.S. software giant.
Only one-third of the world’s 2.2 million ATMs running the system will have been upgraded to a new platform by the deadline. Microsoft first warned in 2007 that it planned to end support for Windows XP.
To ensure the machines are protected against viruses and hackers, many banks like JPMorgan Chase, Bank of America, Citibank and Wells Fargo, have made deals with Microsoft to continue supporting their ATMs until they are upgraded.
“They’re probably pretty safe, it’s not a crisis for most banks,” said Steven Bellovin, professor of computer science at Columbia University’s School of Engineering and Applied Science. “This is a controlled network. The banks don’t want people on this network anyway. If the attacker can’t get to the network, the ATMs are safe.”
Dan Guido, hacker in residence in the department of computer science and engineering at NYU Polytechnic School of Engineering, said that the problem lies in the 12-year-old Windows XP software that is easily hacked even without Microsoft ending its security support. Guido said it was time for a complete upgrade to a more secure platform like Windows 7 or Windows 8. A common misconception, according to Guido, is that support and security patches fix the issue, but he sees this approach as a last resort.
“After everybody else has been hacked already, now you’ve got a patch,” said Guido. “You have to think about defense in depth and all the other security measures you could implement to contain that incident. To detect it, to contain it and to recover from it. If you rely on a patch to rely on that security then you’re already doing it wrong.”
Guido recommended using an application control platform like Bit9 to protect against hackers.
“We take a snapshot of what the computer runs right now, and we make sure that it can’t change in the future,” said Guido. “So no matter if new applications that get introduced to it that are good or bad or viruses or not, they won’t be able to run, and that can make it very frustrating for a hacker to break in.”
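The "snapshot it and make sure it can't change" approach Guido describes, as an added illustration that is not code from the article, from Bit9 or from any product: a baseline of file hashes taken once, a default-deny check before a binary is allowed to run, and a drift report for detection. The atm/ directory, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

ALLOW, DENY_UNKNOWN, DENY_MODIFIED = "allow", "deny: not in baseline", "deny: hash mismatch"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 of every file under root (what the machine runs today)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_execution(baseline: dict, root: Path, rel_path: str) -> str:
    """Default-deny decision for one binary: allowed only if path and hash match the baseline."""
    expected = baseline.get(rel_path)
    if expected is None:
        return DENY_UNKNOWN
    candidate = root / rel_path
    if not candidate.is_file() or sha256_file(candidate) != expected:
        return DENY_MODIFIED
    return ALLOW

def drift(baseline: dict, root: Path) -> dict:
    """Periodic integrity check: what appeared, changed or vanished since the baseline."""
    current = snapshot(root)
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed sample tree standing in for an ATM's application directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "atm").mkdir()
        (root / "atm" / "dispenser.exe").write_bytes(b"MZ original dispenser build")
        (root / "atm" / "pinpad.dll").write_bytes(b"MZ pinpad library")
        baseline = snapshot(root)
        # Simulated later state: one binary altered, one unknown file added, one untouched.
        (root / "atm" / "dispenser.exe").write_bytes(b"MZ altered dispenser build")
        (root / "atm" / "dropper.exe").write_bytes(b"MZ unknown binary")
        return {"pinpad": check_execution(baseline, root, "atm/pinpad.dll"),
                "dispenser": check_execution(baseline, root, "atm/dispenser.exe"),
                "dropper": check_execution(baseline, root, "atm/dropper.exe"),
                "drift": drift(baseline, root)}

if __name__ == "__main__":
    print(demo())
```

A real deployment would store the baseline somewhere the machine cannot rewrite it and re-run the drift check on a schedule, since the allow decision is only as trustworthy as the baseline.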
Another risk for consumers is that the Windows XP inside an ATM runs on an embedded computer. Embedded computers are also found in thermostats, coffee pots, televisions and cars, and these too can be at risk if they have internet connectivity. Bellovin said such devices often run an old version of a piece of software that was installed once and never updated.
“The Target attack, the data breach that we all know and come to love, that point of sale system actually had an embedded Windows XP operating system,” said Carl Herberger, vice president of security solutions at Radware, a provider of application delivery and application security solutions. “So was that the fault of the attack? I don’t believe it was, it was known to have come through some other way. But the tool itself was a Windows XP tool, an embedded software tool.”
The 19-day breach of Target’s computer networks over the 2013 holiday shopping period resulted in the theft of an estimated 40 million credit and debit card records and 70 million other records with customer information, such as addresses and telephone numbers.
Currently there’s no way of knowing just by looking at it if an ATM from a bank or from the corner grocery store has been hacked.
About 440,000 – or one-fifth of the world’s ATMs – are located in the United States and many of the banks operating them will still be running their ATMs with Windows XP for a while after the Tuesday deadline.