ATMs Will Still Run Windows XP with Increased Security

CommanderFrank

With the end of support looming for Windows XP, we’re guessing it’s really a bad time to remind bank ATM customers that the majority of the world’s ATMs are still running XP; the same XP that will be losing all support, including security updates, in several weeks.

So why are banks sticking with XP with its demise so clearly imminent? Part of the problem can be attributed to the reluctance of bank executives to throw good money after old technology.
 
I'm not surprised at all. Big banks are the worst for security and protection. Most of them use old 128-bit encryption and for enhanced security offer software like trustee BS to protect you. Most of the big banks in Canada do the same thing. The one exception is the credit unions, which are not big banks, and yet they use the highest grade of encryption on their websites, and last week I noticed they upgraded all their ATMs to Unix-based.

I switched to a credit union 10 years ago and never looked back. Big banks were good at only one thing: taking my money.
 
Are those XP machines even patched? Sure XP patches are available but I could see them setting up an ATM and then never touching it again. They do it with medical devices in healthcare.
 
Are those XP machines even patched? Sure XP patches are available but I could see them setting up an ATM and then never touching it again. They do it with medical devices in healthcare.
They do patch them, but actually most of the security patches from MS they don't install, as they run a stripped-down version of XP that does look nothing like the one you run on your desktop.

Everything is stripped out of it that has no function, and all services and ports that are not needed are closed or shut down.

It's like breaking into a house where all the doors and windows are bricked up and the only way in is through the mailbox (read: through a VPN connection).

Next to that, they removed the biggest security risk from any computer system, the one that's 20'' away from the screen, and only gave him a keypad and some dumb buttons to access the system.

So even though it sounds worse, it's actually not as bad as it sounds in the real world.
 
The only way this kind of thing will ever change is if they're held accountable for loss due to this sort of thing. As in it coming out of pocket, not covered by FDIC if it's due to poor security/was preventable, but proper measures weren't taken. Take those losses straight out of executive bonuses/bank accounts/property, starting at the top and trickling down, and things will change quick and in a hurry. Customers lose = execs lose. No more bailouts.

Other businesses and government need to be treated the same way. This "no accountability" mentality needs to stop. Examples need to be made.
 
My first thought when reading this was “well, honestly, how much of a hacking threat do ATMs really face?”

Since you don’t hear about it much, I assumed it was either so difficult or so low “return on investment”, so to speak, that it just wasn’t much of an issue. The vast majority of the ATM thefts that make the news either involve skimmers and cameras, or some fools hooking up to the machine with chains and a pickup truck and ripping it out of the wall. You just don't hear about hacking attacks. After looking at some of the links in the article, though, I’m left thinking that it’s a lot more of a threat than I’d thought, at least in theory.

So . . . anybody with more knowledge than me (which, in this case, ain’t much) know how often this happens in real life? Are these demos of ATM hacking just “perfect-scenario examples”, or are they really that vulnerable to electronic (rather than physical) attack? I’m kinda curious . . .
 
My old credit union (and related networks) went Linux a while ago. There was a physical trick that would crash the software while spitting out $20 bills years ago, and it was kept hush for a few weeks after it was discovered, and it was patched, but it led to greater discussions at their IT department about security and it was a couple-year transition, but any ATMs they owned were moved to Linux with new custom ATM software designed from the ground up for better security. I can't believe XP is honestly used. You have to pay for it, and it's at the end of its life cycle. Linux or some BSD or something is OSS, notably easier to patch vulnerabilities, etc. It seems absurd :)
 
Failure of regulators. Of course the BANK doesn't want to spend a dime on anything, it is all about PROFIT not costs.

The Regulator aka The Federal Reserve needs to .... insist, and force it across the board.

That way it STILL doesn't cost the banks anything, since they all pass it on to the customer, but at least the consumer only pays a bit more in fees and not all the costs associated with Identity Theft because they left the ATMs unsecured. :eek::rolleyes:
 
Pretty sure it has been at least 5 years since I have even used an ATM.

What exactly are ATMs good for anymore? If you need cash and your bank is closed, just go to a store, buy a pack of gum, and get cash back.
 
We'll just wait until something catastrophic happens before we get too carried away with that little issue. Either insurance companies pay the loss and bill the middle class or governments bail them out and tax the middle class. Either way the middle class gets DP without so much as a kiss to say hello.

The profits are private, the losses are public, there is no risk in fucking up for these people.
 
Pretty sure it has been at least 5 years since I have even used an ATM.

What exactly are ATMs good for anymore? If you need cash and your bank is closed, just go to a store, buy a pack of gum, and get cash back.

Stores usually limit cash back to $50, whereas an ATM is usually limited to $600. You can also deposit cash into an ATM. Finally there's that whole parking thing, getting out of your car thing, walking into the store thing, having to buy something thing, walking back to the car thing, and driving away thing. If an ATM is nearby it is clearly a more convenient choice.
 
Two comments on this:

1.) ATMs are presumably running XP Embedded, which is on a different and longer support schedule than desktop XP. According to Microsoft's lifecycle page XP Embedded has support until 1/12/2016, so they have some time.

2.) Are ATMs even on the public internet? I was under the impression they reside primarily on private networks, and as such are not as vulnerable to external attacks.
 
Pretty sure it has been at least 5 years since I have even used an ATM.

What exactly are ATMs good for anymore? If you need cash and your bank is closed, just go to a store, buy a pack of gum, and get cash back.

I am pretty sure I don't want my purchases tracked, so yeah... either ATM or bank office for me.
 