Dixons Carphone still has 7.5k Windows XP EPOS systems

Tills 'security posture only as strong as foundation of OS', says infosec specialist


Dixons Carphone is still using thousands of EPOS tills running on Windows XP more than a year after Microsoft’s extended support expired, The Register has learned.

This is not the Embedded flavour of the OS (though even these would present a heightened risk of attack, say security experts) but 7,000-plus bog standard XP systems in branches, visible to customers.

More precisely, these in-store tills are HP PCs, most of them D530s, with the now 14-year-old OS installed on their hard drive.

Sources tell us DixCar has no custom support agreement with Microsoft that would enable the retailer to continue receiving regular patches or firmware updates at $200 per PC for year one, $400 for year two and $800 for year three.

“Whilst there shouldn’t be a price on security, there is a price to a large scale refresh, especially with something as key as an EPOS estate,” one said.

As is commonplace in large organisations, some of the background tech is bespoke and has trouble running on a modern OS or browser, our insider told us.

“Big companies and state agencies need to get much better with the thought of progressive IT. Too many paid too much years ago for solutions that simply don’t work on modern OSs,” the source added.

Weeks ago it emerged that the Welsh Health Services has 20,000 PCs still running on Windows XP, some months after El Reg revealed that the NHS in England and Scotland, along with HMRC and the Met, had also failed to upgrade since support was pulled in April 2014.

Security experts said that running vanilla XP on point of sale terminals is asking for trouble.

Charles Henderson, VP of managed security testing at cloud and managed security services firm Trustwave, said that operating system issues are often exploited by crooks targeting retail environments.

“A point of sale's security posture is only as strong as the foundation of its operating system," Henderson explained. "If the operating system is compromised, it's game over. In point of sale compromise cases that Trustwave investigates, very often it is operating system level issues and malware that exploits these issues and leads to a compromise. Once a vulnerability is discovered in an operating system, malware authors will leverage this weakness almost immediately in the malware they write."

Point of sale vendors, security professionals, and compliance regimes stress timely patching of point of sale operating systems and continuous security testing to ensure critical systems such as retail terminals are not running outdated operating systems or contain any other vulnerabilities.

"The threat of running an unsupported operating system is not only the known vulnerabilities of today but the vulnerabilities discovered tomorrow," Henderson added.

"Existing in an unsupported state translates to potentially being unable to remediate or mitigate the next big vulnerability without migrating to a newer operating system. Migrations under the risk of immediate compromise do not end well," he added.

Andrew Komarov, president and chief intelligence officer at InfoArmor Enterprise Threat Intelligence, a security expert who has looked into several cases of thefts linked to RAM scraper malware on PoS terminals, agreed that running Win XP in retail environments is dangerous.

"XP is not supported anymore, that's why various patch management and security misconfiguration flaws are highly probable, which may allow external bad actors to use them for targeted remote attack," Komarov said.

"It allows [them] to exploit many 'internal' attack vectors as well, and as practice showed, professional bad actors use [their] own people to infect POS terminals," he added.

Even systems running Windows XP embedded, which is supported until April 2016, are at a heightened risk of attack, according to Komarov.
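The practical first step behind the experts' advice is knowing which terminals are out of support and by how much. The following script is an added example, not code from the article, Dixons Carphone or Trustwave: it runs an end-of-life check over an endpoint inventory export. The end-of-support dates for Windows XP (April 2014) and XP Embedded (April 2016) are the months the article cites; treating them as the last day of each month, the CSV layout, the hostnames and the patch dates are all constructed assumptions for illustration.

```python
"""End-of-life audit over a retail endpoint inventory (added example)."""
import csv
import io
from datetime import date

# Vendor end-of-extended-support months as cited in the article.
# Using the last day of each month is an assumption of this example.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 30),
    "windows xp embedded": date(2016, 4, 30),
}

# Constructed inventory export, modelled on the HP D530 tills the article
# names. Hostnames, the Windows 7 host and all dates are invented.
SAMPLE_INVENTORY = """hostname,model,os,last_patch
TILL-001,HP D530,Windows XP,2014-03-11
TILL-002,HP D530,Windows XP Embedded,2015-05-03
TILL-003,HP rp5800,Windows 7,2015-06-09
TILL-004,HP D530,Windows XP,2013-12-10
"""

# Reference date for the audit: the article's own timeframe (mid-2015).
AS_OF = date(2015, 6, 30)


def support_status(os_name, today):
    """Return (status, days_unsupported) for one OS string.

    status is 'eol' once the vendor support date has passed, 'supported'
    while it is still ahead, and 'unknown' for an OS not in the table.
    """
    eol = END_OF_SUPPORT.get(os_name.strip().lower())
    if eol is None:
        return "unknown", 0
    if today > eol:
        return "eol", (today - eol).days
    return "supported", 0


def audit(csv_text, today):
    """Parse an inventory export and return one finding per host, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, days = support_status(row["os"], today)
        last_patch = date.fromisoformat(row["last_patch"])
        findings.append({
            "hostname": row["hostname"],
            "os": row["os"],
            "status": status,
            "days_unsupported": days,
            "days_since_patch": (today - last_patch).days,
        })
    # Longest out of support first, then the stalest patch level.
    findings.sort(key=lambda f: (-f["days_unsupported"], -f["days_since_patch"]))
    return findings


def summary(findings):
    """Count hosts per support status, the figure a risk register wants."""
    counts = {"eol": 0, "supported": 0, "unknown": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, AS_OF)
    for f in results:
        print(f"{f['hostname']:9} {f['os']:20} {f['status']:9} "
              f"eol+{f['days_unsupported']}d  patch-{f['days_since_patch']}d")
    print(summary(results))
```

Point the script at a real inventory export and it ranks tills by exposure: first those furthest past end of support, then those with the oldest patch level, which is the order a migration or compensating-control programme would work through. An OS missing from the table is reported as `unknown` rather than silently treated as safe, so gaps in the table surface as findings instead of false assurance.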

Dixons told us that for security reasons it will not comment on specific details about its systems.

“We take the security of our customer data extremely seriously and have appropriate proactive measures in place around our till and store estate,” a spokeswoman said. ®
