Is ATM security threatened by Windows XP support cutoff? Well, yes, but …

Don't panic! Just try to get a supported OS, m'kay?


Many of the 65,000 ATMs in the UK will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month, according to security experts.

From January 2016, Microsoft will be issuing no further security patches or updates for flavours of Windows still used by the majority of ATMs in the UK (and in many other countries around the world).

Support has already been wound down but next year it will be discontinued unless banks upgrade or bridge the gap with expensive custom support contracts.

“The desktop version of Windows XP ceased to be supported by Microsoft in July 2014 and while the embedded version was given extended support until January 2016, most ATMs still rely on the old operating system,” said Kerry Davies, chief exec at Abatis, a security software firm that is promoting its technology as a means for banks to protect cash machines.

Abatis warns that the lack of security updates puts the ATM network at greater risk from hacker attacks and malware infection. This warning comes from a firm touting security technology for embedded systems, so there’s a clear self-interest at play, as experts have noted.

Nonetheless, it would be unwise to dismiss the issue of cash machine security on those grounds, not least because malware has already been used to infect ATMs and steal money through various scams.

Many of the cons have cropped up in hotspots such as Mexico and Russia and some have involved assistance from corrupt insiders. Few, if any, have relied on exploiting operating system vulnerabilities, although lack of anti-malware protection has arguably been a factor in some frauds.

Banking customers may still be able to pay for custom premier support from Microsoft, we're told.

UK startup Abatis is marketing its Host Integrity Technology as a cheaper alternative for defending ATMs against malware. The technology is designed to block unauthorised modifications, unwanted write operations and unapproved executables in real time, which the firm says prevents both hacking and malware infection.

Curtain call

El Reg asked Microsoft to comment on Abatis’s warning on Friday. By Monday lunchtime, the best its PR reps could offer was to point us towards a microsite offering general information to customers about Windows XP Embedded on its retirement plan.

This site explains that the curtain comes down on the Extended Support Cycle for Windows XP Embedded on 12 January 2016, 21 months after the desktop version of XP was retired.

Any machine still running Windows XP Embedded Service Pack 3 (SP3) from mid January onwards is therefore at greater risk because software updates and support have been withdrawn. The plug gets pulled on Windows Embedded for Point of Service SP3 slightly later on 12 April 2016.

Windows Embedded Standard 2009 – which is based on Windows XP, and originally released in 2008 – will be supported for three years until January 2019 but running that would require an operating system upgrade for cash machines running the older software.

Other security experts counsel against alarm while urging action to update ageing systems. “The end of support for Windows XP Embedded does not mean that the next day these machines will be hacked into or taken down,” said Ben Herzberg, security research manager at Imperva.

“For any bank that follows information security guidelines, ATMs are behind a layered protection architecture, where the OS is only one of the layers. But the ATMs are on a separate network, with strict firewall rules and several security controls stopping any attacker long before they get to those systems.”

Herzberg compared the situation faced by unpatched ATMs to that faced in industrial control systems environments, where running obsolete operating systems has been common practice for many years.

“A similar situation exists on many ICS (Industrial Control Systems) where old and unsupported operating systems are still being used in production environments, and are not replaced because the cost would be very high,” Herzberg explained.

Despite ATMs having additional layers of protection, even without operating system software updates, “having an outdated and unsupported operating system on a machine that is able to hand out cash to clients is still a considerable risk,” Herzberg concluded.

“Bottom line: Don’t panic, but try to update ATMs to a supported OS as soon as possible,” he added. ®

Biting the hand that feeds IT © 1998–2022