ATMs Will Still Run Windows XP with Increased Security

Discussion in 'HardForum Tech News' started by MajorDomo, Mar 9, 2014.

  1. MajorDomo

    MajorDomo [H]ard as it Gets

    Messages:
    75,270
    Joined:
    May 9, 2000
    With the end of support looming for Windows XP, we’re guessing it’s really a bad time to remind bank ATM customers that the majority of the world’s ATMs are still running XP; the same XP that will be losing all support, including security updates, in several weeks.

     
  2. Wolf_Tech

    Wolf_Tech Limp Gawd

    Messages:
    226
    Joined:
    Sep 19, 2010
    I'm not surprised at all. Big Banks are the worst for security and protection. Most of them use old 128-bit encryption and for enhanced security offer software like trustee BS to protect you. Most of the big banks in Canada do the same thing. The one exception is the credit unions, which are not Big Banks, and yet they use the highest grade of encryption on their websites, and last week I noticed they upgraded all their ATMs to Unix-based.

    I switched to a credit union 10 years ago and never looked back. Big Banks were good at only one thing: taking my money.
     
  3. DragonNOA1

    DragonNOA1 [H]ardness Supreme

    Messages:
    4,302
    Joined:
    Aug 15, 2004
    Are those XP machines even patched? Sure, XP patches are available, but I could see them setting up an ATM and then never touching it again. They do it with medical devices in healthcare.
     
  4. maxius

    maxius 2[H]4U

    Messages:
    3,370
    Joined:
    Dec 17, 2001
  5. player-x

    player-x Limp Gawd

    Messages:
    299
    Joined:
    Oct 22, 2007
    They do patch them, but actually most of the security patches from MS they don't install, as they run a stripped-down version of XP that looks nothing like the one you run on your desktop.

    Everything that has no function is stripped out of it, and all services and ports that are not needed are closed or shut down.

    It's like breaking into a house where all the doors and windows are bricked up and the only way in is through the mailbox (read: through a VPN connection).

    Next to that, they removed the biggest security risk from any computer system, the one that is 20'' away from the screen, and only gave him a keypad and some dumb buttons to access the system.

    So even though it sounds worse, it's actually not as bad as it sounds in the real world.
     
  6. dpeters11

    dpeters11 n00b

    Messages:
    51
    Joined:
    May 21, 2009
    NCR has said about 400,000 ATMs in the US use full XP, not embedded.
     
  7. mynamehere

    mynamehere [H]ard|Gawd

    Messages:
    1,762
    Joined:
    Jun 30, 2007
    The only way this kind of thing will ever change is if they're held accountable for loss due to this sort of thing. As in it coming out of pocket, not covered by FDIC if it's due to poor security/was preventable, but proper measures weren't taken. Take those losses straight out of executive bonuses/bank accounts/property, starting at the top and trickling down, and things will change quick and in a hurry. Customers lose = execs lose. No more bailouts.

    Other businesses and government need to be treated the same way. This "no accountability" mentality needs to stop. Examples need to be made.
     
  8. Tuthmose

    Tuthmose Limp Gawd

    Messages:
    178
    Joined:
    Nov 4, 2009
    My first thought when reading this was “well, honestly, how much of a hacking threat do ATMs really face?”

    Since you don’t hear about it much, I assumed it was either so difficult or so low “return on investment”, so to speak, that it just wasn’t much of an issue. The vast majority of the ATM thefts that make the news either involve skimmers and cameras, or some fools hooking up to the machine with chains and a pickup truck and ripping it out of the wall. You just don't hear about hacking attacks. After looking at some of the links from the article, though, I’m left thinking that it’s a lot more of a threat than I’d thought, at least in theory.

    So . . . anybody with more knowledge than me (which, in this case, ain’t much) know how often this happens in real life? Are these demos of ATM hacking just “perfect-scenario examples”, or are they really that vulnerable to electronic (rather than physical) attack? I’m kinda curious . . .
     
  9. pervert

    pervert n00b

    Messages:
    25
    Joined:
    May 2, 2009
    my old credit union (and related networks) went Linux a while ago. there was a physical trick that would crash the software while spitting out $20 bills years ago, and it was kept hush for a few weeks after it was discovered, and it was patched, but it led to greater discussions at their IT department about security and it was a couple-year transition, but any ATMs they owned were moved to Linux with new custom ATM software designed from the ground up for better security. i can't believe XP is honestly used. you have to pay for it, and it's at the end of its life cycle. Linux or some BSD or something is OSS, notably easier to patch vulnerabilities, etc. it seems absurd :)
     
  10. xX_Jack_Carver_Xx

    xX_Jack_Carver_Xx 2[H]4U

    Messages:
    2,542
    Joined:
    Jun 6, 2005
    Failure of regulators. Of course the BANK doesn't want to spend a dime on anything, it is all about PROFIT not costs.

    The Regulator aka The Federal Reserve needs to .... insist, and force it across the board.

    That way it STILL doesn't cost the banks anything, since they all pass it on to the customer, but at least the consumer only pays a bit more in fees and not all the costs associated with Identity Theft because they left the ATMs unsecured. :eek::rolleyes:
     
  11. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,194
    Joined:
    Aug 16, 2004
    Pretty sure it has been at least 5 years since I have even used an ATM.

    What exactly are ATMs good for anymore? If you need cash and your bank is closed, just go to a store, buy a pack of gum, and get cash back.
     
  12. Twisted Kidney

    Twisted Kidney 2[H]4U

    Messages:
    3,500
    Joined:
    Mar 18, 2013
    We'll just wait until something catastrophic happens before we get too carried away with that little issue. Either insurance companies pay the loss and bill the middle class or governments bail them out and tax the middle class. Either way the middle class gets DP without so much as a kiss to say hello.

    The profits are private, the losses are public, there is no risk in fucking up for these people.
     
  13. McFry

    McFry [H]ard|Gawd

    Messages:
    1,715
    Joined:
    Oct 25, 2011
    Stores usually limit cash back to $50, whereas an ATM is usually limited to $600. You can also deposit cash into an ATM. Finally there's that whole parking thing, getting out of your car thing, walking into the store thing, having to buy something thing, walking back to the car thing, and driving away thing. If an ATM is nearby it is clearly a more convenient choice.
     
  14. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,272
    Joined:
    Oct 29, 2000
    Two comments on this:

    1.) ATMs are presumably running XP Embedded, which is on a different and longer support schedule than desktop XP. According to Microsoft's lifecycle page XP Embedded has support until 1/12/2016, so they have some time.

    2.) Are ATMs even on the public internet? I was under the impression they reside primarily on private networks, and as such are not as vulnerable to external attacks.
     
  15. dgz

    dgz [H]ardness Supreme

    Messages:
    5,607
    Joined:
    Feb 15, 2010
    I am pretty sure I don't want my purchases tracked, so yeah... either ATM or bank office for me.