Banks Pay Microsoft Big for Securing Windows XP ATMs

CommanderFrank

It looks like Microsoft wins either way with the banking industry concerning the status of Windows XP operating the ATM’s. It’s always been a ‘pay me now or pay me later’ situation for Microsoft and it’s looking like the ‘later’ portion of that payoff is about to go into full swing.

They’ve also been very publicly running the XP doomsday clock since 2011. All that time and countless repeated urgings, apparently, still didn’t convince most banks that it was worth upgrading.
 
If you want to hang onto antiquated technology it will cost you, irregardless of whether that technology is your own or a third party's ... for some companies they feel the risk of change outweighs the cost of stasis ... we'll see if the banks were right or wrong on this ... give it another 10 or 20 years and ATMs may just go the way of the phone booth anyway (so a large capital investment might not make as much sense as paying until the transition to e-transactions becomes more prevalent ;) )
 
In all honesty, many banks don't really control their physical ATM's the way you would think they would. At least, not the one I work for anyway, and especially not the smaller ones. All we do is fill them and balance them.

Just look at the back of your card or the front panel on your favorite ATM. You'll typically notice a few nondescript logos there indicating the "Network" the ATM belongs to.

Smaller banks don't have the power to build a big enough network of them to service their customers everywhere. Typically, the benefit of this to a consumer is that you don't get charged a fee at other "in network" ATM's. But we are also at the mercy of the servicing company when it comes down to anything beyond basic maintenance.
 
Last I checked a lot of major hospitals (i.e. Kaiser) are still running on XP with little to no plans to migrate.
 
Damn, I need to look at alternatives to the major banks for handling my money. Why wouldn't you use a hardened embedded OS like QNX for something like an ATM? As a side note that article is wrong about the embedded support, XP embedded is supported till 2019. Embedded XP has its advantages, especially for warehouse management application development (think of those handheld scanners... although CE is still pretty prevalent in that market) and similar markets. Linux sounds good, but writing Linux software that can integrate with certain back server software can be problematic or downright impossible.
 
Gotta wonder how many of these folks are just trying to tread water with the old machines as a stop-gap until they upgrade for the chip-n-pin mandate. As was mentioned in an article linked to a previous thread on this, that's gonna cost a small fortune, and I'm sure these banks and ATM networks don't want to shell out cash for upgrades twice. They're probably hoping they can get by until they kill two birds with one stone.
 
Why the FUCK would you ever build ATMs using anything but a proprietary OS whose sole purpose is to do this function. As for hardware, a simple smart phone is capable of handling the task. The control computer should cost all of $50. Linux even Android is way more complex than this function needs to be.

The banking industry is a multi TRILLION $ industry, and they are too lazy to just set a standard and make the devices? WTF. The whole point of ATM's was to replace the teller workforce and be more convenient for consumers, they paid for themselves by the salaries they replace and the "convenience" fees they generate ... so the whole thing is a FREE ROLL and they can't even get that right. Greedy incompetent motherfuckers.
 
Why the FUCK would you ever build ATMs using anything but a proprietary OS whose sole purpose is to do this function. As for hardware, a simple smart phone is capable of handling the task. The control computer should cost all of $50. Linux even Android is way more complex than this function needs to be.

The banking industry is a multi TRILLION $ industry, and they are too lazy to just set a standard and make the devices? WTF. The whole point of ATM's was to replace the teller workforce and be more convenient for consumers, they paid for themselves by the salaries they replace and the "convenience" fees they generate ... so the whole thing is a FREE ROLL and they can't even get that right. Greedy incompetent motherfuckers.

A) Smart phones did not exist as they do today when these systems were developed and built 15 years ago.
B) Even 15 years ago developing your own OS was costly. Unless you were a major corporation (read: already having substantial money for seed) your 'solution' for ATM was at first an experiment and one that made financial sense to build on top of an existing OS.
C) Yes there were other OS available 15 years ago but XP was chosen for practical reasons such as support and a future roadmap including updates and security fixes, etc. I bet if you compared any Linux or Unix flavor from 15 years ago - they simply cannot stack up to XP in those areas if they even exist anymore for serious business (not tinkering).
 
XP for life. The best OS Microsoft has ever created. Withstanding the test of time. A lot of people that are older still are running XP because they are used to it. I'm sure there's going to be Extended Extended Support. It will finally be put to rest most likely by like 2020-2025 possibly. It may live beyond Windows 7 extended support. If Windows 9 has similar functionality and similarity as XP it could make everyone upgrade but if it's like Metro again it will have the same problems as 8.
 
XP for life. The best OS Microsoft has ever created. Withstanding the test of time. A lot of people that are older still are running XP because they are used to it. I'm sure there's going to be Extended Extended Support. It will finally be put to rest most likely by like 2020-2025 possibly. It may live beyond Windows 7 extended support. If Windows 9 has similar functionality and similarity as XP it could make everyone upgrade but if it's like Metro again it will have the same problems as 8.

Sorry, but no. I've done computer support professionally for 13 years, and unprofessionally for 10 years before that, and XP has fallen the same way every other OS has: it can't support newer features and the security model used when it was designed is too old and vulnerable. While XP may have been the best OS had made previously, and even better than its direct successor, it has gotten too old to use today. It is just too easy to hack, and doesn't support newer features that need to be used by newer programs. It's dead. Holding onto it won't change that.

Anyone that continues to use it is putting a strain on everyone else on the internet. It's easily hacked, and easily made into a bot for a botnet for hacking, fraud, and theft, within days. Even fully patched with a good antivirus, a WinXP machine can easily be made into a bot by visiting one web site. Heck, there's even a vulnerability in the wireless stack that can make a WinXP machine into a bot just by getting within wireless range. The wireless doesn't even have to be connected and a hacker can use that vulnerability to install a bot program in minutes. Any machine running Windows XP right now is a security risk for everyone on the internet.

Windows 7 does indeed take Windows XP's place as the best they've ever made. I do use Windows 8.1 on my home machine, but I haven't been able to really give any significant advantage to it over Windows 7. I do not see any advantage in switching to Windows 8 or 8.1 for IT. For home use, the only reason to move to it is to keep current and have fewer patches and security vulnerabilities.
 
I must be missing something. :rolleyes:

The ATM is a critical interface between the banking system and the consumer. They wanted it for good reasons and profit, we wanted it for good reasons and convenience. ;)

The Banking Industry had $100's of BILLIONS 30 years ago, and has $10's of TRILLIONS now. The few hundred grand it would take to design and perfect a baby OS and the hardware to run it on, for the express purpose of being an ATM is ... PEANUTS. They spend more on fucking DONUTS every morning. :confused:

As for Windows. Microsoft has spent $BILLIONS having THOUSANDS of engineers (?) spend MILLIONS OF MAN HOURS and what do they have to show for it? :eek:

An abortion, a joke, an abomination, a putrid pile of slapped together code full of holes that people keep driving trucks through. :rolleyes:

Where is their sense of pride, their self respect? :mad:

If Microsoft were a traditional Japanese company and the employees were believers in Samurai culture .... they'd have long since gutted themselves in ritual suicide. :eek::p
 
XP for life. The best OS Microsoft has ever created. Withstanding the test of time. A lot of people that are older still are running XP because they are used to it. I'm sure there's going to be Extended Extended Support. It will finally be put to rest most likely by like 2020-2025 possibly. It may live beyond Windows 7 extended support. If Windows 9 has similar functionality and similarity as XP it could make everyone upgrade but if it's like Metro again it will have the same problems as 8.

First I was going to say NO FUCKING WAY... but then I realised 2020 is only a little more than 5 1/2 years away.

Holy shit.

XP was still around before I even had a cell phone and I was still using it when I got my first Android phone. Now it really feels like it's been around forever.
 
Sorry, but no. I've done computer support professionally for 13 years, and unprofessionally for 10 years before that, and XP has fallen the same way every other OS has: it can't support newer features and the security model used when it was designed is too old and vulnerable. While XP may have been the best OS had made previously, and even better than its direct successor, it has gotten too old to use today. It is just too easy to hack, and doesn't support newer features that need to be used by newer programs. It's dead. Holding onto it won't change that.

Anyone that continues to use it is putting a strain on everyone else on the internet. It's easily hacked, and easily made into a bot for a botnet for hacking, fraud, and theft, within days. Even fully patched with a good antivirus, a WinXP machine can easily be made into a bot by visiting one web site. Heck, there's even a vulnerability in the wireless stack that can make a WinXP machine into a bot just by getting within wireless range. The wireless doesn't even have to be connected and a hacker can use that vulnerability to install a bot program in minutes. Any machine running Windows XP right now is a security risk for everyone on the internet.

Windows 7 does indeed take Windows XP's place as the best they've ever made. I do use Windows 8.1 on my home machine, but I haven't been able to really give any significant advantage to it over Windows 7. I do not see any advantage in switching to Windows 8 or 8.1 for IT. For home use, the only reason to move to it is to keep current and have fewer patches and security vulnerabilities.

You're talking the technical aspects of XP. I am talking about user interface and how successful on how the user likes the OS. There are better operating systems technically but not every OS can boast about being one of the longest used. They did something right for people to like it so much for so long.
 
15 years ago they ran OS/2. Then they went to XP, now they will also hold onto that for dear life. Cheap fuckers.

I had an ATM reboot on me mid-transaction about 3 years back that was running OS/2. I had to go in the next day and speak to the manager to get my card back.
 
It's really sad that these companies had plenty of fucking time to work out plans but all they cared about for the most part was making $$ rather than preparing for the inevitable.
 
Damn, I need to look at alternatives to the major banks for handling my money. Why wouldn't you use a hardened embedded OS like QNX for something like an ATM? As a side note that article is wrong about the embedded support, XP embedded is supported till 2019. Embedded XP has its advantages, especially for warehouse management application development (think of those handheld scanners... although CE is still pretty prevalent in that market) and similar markets. Linux sounds good, but writing Linux software that can integrate with certain back server software can be problematic or downright impossible.

XP has had a longer support life than most other systems and pretty much every programmer is going to know it. With XP they just needed to test patches and push them to the machines every few months. I'm not saying that QNX or a BSD/Linux/Unix system wouldn't work. They could work fine. Support comes into play and it is easier to get support in most cases with Windows. Linux support has come a long way in the last few years.

As far as embedded hardware as someone else mentioned the reasons for not going to it are easy. The computer controllers are cheap to repair/replace. The hardware is tested more than any embedded system would be. It makes sense to use a desktop computer even if it is overpowered for the job.

Another thing to remember is that these machines are doing 1 specific thing. I'd bet most of them are not exposed to the internet directly and are hidden behind firewalls. They are in a closed system and the computer controllers that run them are locked away.
 
Just about every medical computer is going to run XP, but won't ever be hooked up to anything outside their intranet.

Those specific machines won't get upgraded till a hospital overhauls its entire system or a new hospital gets built with everything being brand new.

ATMs don't get much internet interaction but on a user level they can be pretty vulnerable. I think it was pretty funny how John Connor hacked ATMs using a Win CE palm device in T2.
 
You're talking the technical aspects of XP. I am talking about user interface and how successful on how the user likes the OS. There are better operating systems technically but not every OS can boast about being one of the longest used. They did something right for people to like it so much for so long.

I'm pretty sure the user has no freaking clue if the ATM uses XP or even gives a tinker's damn.
 
Of course the banks don't want to upgrade, because they don't have to.

It doesn't matter to the bank if the ATM gets hacked, all they have to do is go crying to Uncle Sam and FDIC will cover 100% of their losses.

It's like having full coverage insurance on your car that is completely free. You can drive like a total maniac, throwing all caution to the wind, safe in the knowledge that you will be 100% covered no matter what, even if the accident is entirely your fault.

If you want banks to stand up and take security seriously, you have to start holding them accountable for their mistakes first. There can be no responsibility without accountability.
 
If you want banks to stand up and take security seriously, you have to start holding them accountable for their mistakes first. There can be no responsibility without accountability.
yeah good luck with that :rolleyes:
 
People freaking out about ATM's running XP is a waste of time. The machines are on isolated networks and unless you can get to the USB port, attacking the OS is a waste of time.

The real risk lies in magnetic card skimmers. Those devices don't care what OS you run.
 
Last I checked a lot of major hospitals (i.e. Kaiser) are still running on XP with little to no plans to migrate.

Isn't there some HIPAA mandate to say that they need to use a certified blah blah blah OS to stay in compliance? I am not sure, but I thought I heard something about that (HIPAA, PCI or something similar).
 
Yeah, but most ATMs that run XP aren't running the embedded version. That's because many bank IT managers are too cheap to hire competent programmers who would have used XP embedded.

No, a lot of it is blogs making assumptions, and not realizing how many versions of XP were available for embedded systems.

There's XP Pro embedded, which is what a lot of blogs are mistaking as plain XP. That's supported to 2016. Windows Embedded POS is also supported to 2016. There's also Windows Embedded Standard 2009 and POSReady 2009, and those are supported to 2019. Just getting a brief look at the desktop when they boot and seeing the flag you'll assume it's plain XP but they really aren't.
 
I must be missing something. :rolleyes:

The ATM is a critical interface between the banking system and the consumer. They wanted it for good reasons and profit, we wanted it for good reasons and convenience. ;)

The Banking Industry had $100's of BILLIONS 30 years ago, and has $10's of TRILLIONS now. The few hundred grand it would take to design and perfect a baby OS and the hardware to run it on, for the express purpose of being an ATM is ... PEANUTS. They spend more on fucking DONUTS every morning. :confused:

As for Windows. Microsoft has spent $BILLIONS having THOUSANDS of engineers (?) spend MILLIONS OF MAN HOURS and what do they have to show for it? :eek:

An abortion, a joke, an abomination, a putrid pile of slapped together code full of holes that people keep driving trucks through. :rolleyes:

Where is their sense of pride, their self respect? :mad:

If Microsoft were a traditional Japanese company and the employees were believers in Samurai culture .... they'd have long since gutted themselves in ritual suicide. :eek::p

You couldn't be more wrong.

Most banks in the US have super ancient systems dating back to the 70s and 80s. Why? Because of old accounts that had features that don't officially exist anymore or countless acquisitions. A lot of banks put tons of resources into just keeping their current system running let alone attempt to upgrade it.

As far as I know, one major bank has attempted to modernize their system in the past decade or so, BBVA Compass, and that's been going on for the last five years and has cost over $400 million. They are a top-25 bank. A top-5 bank would probably take a decade and over $1 billion.

As far as Microsoft code quality, even people at Pwn2Own have commented on how Microsoft's code is pretty secure nowadays. It isn't 10 years ago and things have changed. They've taken steps to try to get people to be more secure, and most of us circumvent them. Bet you are the type of person who still disables UAC on your Windows PC, eh?

Anyhow, over 90% of the exploits they had to deal with in the past couple of years wouldn't have worked if people didn't use admin accounts. But I would be willing to bet money that if say Windows 9 took the plunge and forced everyone to a standard non privileged account every tech blog would complain like they did with UAC and post ways to go back to the old account, instead of calling out developers to write more secure code.
 
Most banks in the US have super ancient systems dating back to the 70s and 80s.

I don't know if they have upgraded since, but as of 10 years ago, the local bank in my home town was still using some sort of VAX-based system with dumb terminals.
 