ATMs at risk after Microsoft ends support for Windows XP

18 Mar 2014

Banks around the world risk missing a deadline for upgrading outdated software on automated teller machines (ATMs), preoccupied as they are with a regulatory crackdown. The failure would expose transactions to hackers and malware - unless banks paid extra to Microsoft to keep them secure.

Microsoft had warned in 2007 that it would be ending support for Windows XP. However, only around 30 per cent of the world's 2.2 million ATMs using the system would have been upgraded to a new platform such as Windows 7 by the April deadline, according to ATM maker NCR.

In the interests of the security of customers, many lenders had reached deals with Microsoft to continue supporting the machines until they could be upgraded, while many others had not.

Meanwhile, Microsoft said, the cost would depend on both the specific needs of the customer and what support they already had in place, so it was different for every customer.

The five biggest banks in the UK - Lloyds, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either had, or were in the process of negotiating, extended support contracts with Microsoft, for instance.

Israel's Haaretz newspaper quoted London-based Sridhar Athreya at financial technology advisers SunGard Consulting Services as saying that banks had neglected to upgrade security systems, after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis.

They were probably not very serious about the directive that came in from Microsoft, he said, adding that there was a lot of change going on at these banks at this moment in time and they would have seen Windows XP as one more change.

There was now less than a month to go before a large portion of the world's ATMs and a large portion of its computer-based industrial control systems became a lot more vulnerable to hackers and viruses.

On 8 April, Microsoft would stop issuing updates and patches for bugs in its Windows XP operating system, which was released in 2001. However, the software continued to be in use as companies put off the costly and complex task of system upgrades.

The delay would help make it easier for hackers to break into the main systems still running XP, according to security experts.

Timothy Rains, Microsoft's director of trustworthy computing, told a recent computer security conference in San Francisco, "The probability of attackers using security updates for Windows 7, Windows 8, Windows Vista to attack Windows XP is about 100 per cent."

About 40 per cent of personal computers still used Windows XP, data from research group Netmarketshare show. In addition to PCs, Windows XP also powered ATMs, medical devices, industrial control systems and some of the hardware used for swiping credit cards, the Financial Times quoted Jaime Blasco, malware researcher at AlienVault, as saying.