As XP nears its own demise, ATMs face potential crisis

As XP nears its own demise, ATMs face potential crisis

Summary: That crisis will depend on how many of the world's ATMs, 95 percent of which have XP on them, can migrate to a newer OS that comes with support

ATM man cash


If some of your worst, paranoid fears involve slotting your ATM card into your neighbourhood machine and then finding out that, lo and behold, every penny in both your Savings and Checkings accounts has mysteriously vanished without a trace—well, that may just become something to take seriously post April 8th say experts. 

For April 8th is the day that Microsoft will stop support service to one of their most popular operating systems in history, Windows XP. While around a third to a quarter of the world's PCs are estimated to house XP, apparently 95 percent of the world’s 3 million ATM machines run on it.

Microsoft has said that it will continue to support security products through July 2015, however it has apparently issued a warning stating that "the effectiveness of antimalware solutions on out-of-support operating systems is limited." India's Reserve Bank (RBI) also issued warnings about the April 8th deadline.

As far as India is concerned, it gets a little confusing as to how many of the country’s 110-140,000 plus machines will be affected. Amrish Goyal Microsoft India General Manager (Windows Business) has been quoted widely saying that the number of ATMs in India needing an upgrade will be higher (as a percentage) than the 35 percent XP installed base amongst computers that proliferate in the financial sector. Other figures put it at around 20 percent.

XP India

In other words, India's situation may not be as dire as those in other parts of the world due to relatively recent adoption of ATMs which translates into newer models and operating systems.

Still, for the machines running XP, at first glance things don't look so rosy. As this article points out, ATMs in India are run by manufacturers such as NCR and Diebold. Navroze Dastur, managing director at NCR India, is of the opinion that less than 25 percent of XP ATMs will be realistically able to migrate before the deadline. "We had reached out to banks about 6-9 months ago and we've been in dialogue with them about upgrading their ATM network. There are a number of issues with upgrading operating systems… Some of the machines' hardware may not be upgradeable and some may need hardware upgrades for the new operating systems," he said.

In India, a preponderance of XP-run machines belong to nationalised banks that have a reputation of being as nimble as an elephant in the summer heat. Which means, if you own a bank account at any of these  institutions, don't count on any speedy changes. If you factor in the cost to upgrade to Windows 7—which could range from a few hundred bucks to a few thousand dollars if the machine needs new hardware—a quick upgrade looks even less likely.

So, how real a security threat is the XP expiration? According to this article two researchers at the Chaos Computing Congress in Hamburg showed how they were able to hack into an ATM in an unspecified European country with a methodology specifically suited to cracking XP using only a pen drive and malware which then gave them complete control of the machine.

On the other hand, here is an excellent, detailed analysis of the issue written by ZDNet columnist Larry Seltzer who thinks that there may be more noise  being made than necessary . In short, Setlzer says that ATMs are generally protected pretty heavily with firewalls and antimalware so getting into one of them may not be as easy as the hackers in the previous paragraph make it appear to be.

Much like the whole 'Y2K' end-of-the-world depiction at the turn of this century, the XP expiry will take some watching to see how things unravel.

Topics: Windows XP and the Future of the Desktop, India

Rajiv Rao

About Rajiv Rao

Rajiv is a journalist and filmmaker based out of New Delhi who is interested in how new technologies, innovation, and disruptive business forces are shaking things up in India.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Well, take into account

    Some of these ATMs (likely a lot of them) are running Windows XP Embedded which will be supported until 2016.
    • Correct!

      And the fact that most (hopefully) banks that aren't running the Windows Embedded XP version are paying for extended support from Microsoft. So this type of article is pure click-bait. ZDNET, please stop this kind of garbage.
      • Indeed

        And in addition to the OS on these ATMs being supported for another 2 years, I wonder which ATM has an easily accessible USB port. Not the ones I use.
      • Now, now from what zdnet tells me

        These machines are definitely going to destroy the web that they don't use and we can only be saved if they are replaced with chrome-deposit-boxes immediately.

        New atms are touch screen... So maybe we've found a use for win rt after all!
    • TY

      Thanks for making that topic the first post. Equating XP on PCs with XP Embedded is a mistake made far too commonly in the past 3 months. It drives FUD, and isn't even accurate.

      I can understand idiot 'journalists' at my local TV news reading the teleprompter to bring me a fraction of the whole story, but tech journalists should know what's what and not just rephrase what they read on AAP.
  • Linux would be perfectly suited....

    Being secure and stable Linux would be the ideal candidate.
    • I would agree Linux is perfect

      However the normal mantra of "secure and stable" isn't the reason. XP Embedded is plenty stable. The reason Linux is ideal for this type of situation is it's highly customizable manner. ATMs don't need all over the overhead of a Linux distro. Heck, they don't even need the overhead of XP Embedded. Unfortunately only large banks would have the resources to do this right.
      • Actually the manufacturer

        The manufacturer would do the customization of the Linux not the bank.
  • Can't these ATMs just physically seal all USB ports, like fill with epoxy.

    Its not like these ATMs are being used like home PCs, browsing and getting malware that way, so what else would be the attack vector? Probably hooking up a truck and driving away with the ATM at that point.
    • Better to disable USB ports with Windows Group Policy

      or IntelliAdmin's USB Disabler Pro, free USB Drive Disabler 2.0 or similar.

      And, then, enable them when needed as USB port access may be required for maintenance.
      Rabid Howler Monkey
    • Can't these ATMs

      Sure they can ... and any knowledgeable person can mitigate the risks of defaults. Just as Target could have prevented their debacle. There's been plenty published on what to do and how to do it.
      Banks who fail to take the steps should pay the full price of any loss and recovery plus penalties.
  • ATMs use Windows Embedded, don't they?

    And isn't that supported until 2016?
    Michael Alan Goff
    • Re: isn't that supported until 2016....

      Thats just prolongs the agony. The answer is to begin implementing Linux now.
      • Linux

        Because Linux does not require any OS upgrades and all versions are supported forever*.

        * where "forever" refers to time spans of 9 months to 3 years:
        • Linux is an OS

          Ubuntu is a distribution, please learn to tell the difference.
          Alan Smithie
          • genuine linux

            Yes, be sure the get the genuine Linux not a bloody distribution.
          • :)

          • LOL!

            Nice. :)
          • @Alan

            Ditto +1
        • Open Source

          Linux is open-source. Even if a particular version were no longer supported by the community, banks or other large companies with deep pockets could theoretically continue to support that version themselves indefinitely.