Windows XP lives on in ATMs. Crisis?

Summary: An ATM running an unpatched Windows XP is not like your kid's old laptop running XP. It's pretty heavily defended. And lots of new ATM and POS security features are coming in the next few years.

TOPICS: Security, Banking

Recent stories have reminded the public that the leading operating system in ATMs (Automated Teller Machines) in the US is... Windows XP. At first you might think this is grounds for panic and finger-pointing and there's something to that. But it's much less of a crisis than you might think.

I spoke with Dean Stewart, Senior Director, Self-Service Product Management at Diebold, one of the leading manufacturers of ATMs and supporting products and services. Like anyone with an appreciation for the potential problems, Stewart wishes that all customers would upgrade to a more current and better-supported platform. Diebold has been selling ATMs based on current versions of Windows 7 Professional since 2011, and there are many upgrade projects in process. In spite of this, the clear majority of systems, perhaps 80 percent, still run Windows XP, both abroad and in the US.

This is definitely a bad thing, but when you think about ATMs and how they work, it's less of a bad thing than it might at first seem. First, ATMs may run x86 processors and have a basic PC architecture, but they aren't actual PCs and they don't run a plain, standard install of Windows.

As a general rule, ATMs run Windows "with embedded restrictions." What is that? Microsoft publishes instructions for doing so: "How to Implement Windows XP Professional with Embedded Restrictions" and "How to Implement Windows 7 with Embedded Restrictions." Some of the rules are concerned with making the device look less like a PC to the user (for instance, not showing the Windows banner screen on boot), but many of them are about minimizing the attack surface, as security analysts put it. This means minimizing the number of places the device can be compromised.

Another point worth clarifying: Some recent stories have pointed out that, while Windows XP may reach end of life this April, Windows XP Embedded will continue to receive security updates until January 2016. With Windows 7, Microsoft has added an embedded flavor called "Windows 7 Embedded POSReady," but this is targeted at point of sale systems, not ATMs. Unfortunately, there isn't much good news here. According to Stewart, the large majority of Windows ATMs run the regular Pro edition (although heavily modified and run with the embedded restrictions). The ATM products further harden the systems by controlling the USB subsystem, the network interfaces, and the installation and configuration of software. They strengthen user authentication with two-factor authentication.
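The "controlling the installation and configuration of software" part is usually done with application allowlisting: the vendor or bank ships a signed manifest of what belongs on the machine, and an agent refuses anything not on it. The following is an added example written for this article, not Diebold's or any vendor's code; the file paths and contents are constructed, and an HMAC stands in for the asymmetric signature a deployed management service would use (so that the ATM itself holds no signing secret).

```python
import hashlib
import hmac

# Constructed sample "application partition". The paths and contents are made up
# for this example and are not any vendor's real layout.
GOLDEN_IMAGE = {
    "C:/ATM/app/dispenser.exe": b"dispenser service build 4.2",
    "C:/ATM/app/cardreader.dll": b"card reader driver build 4.2",
    "C:/ATM/config/limits.ini": b"max_withdrawal=500\n",
}

# The same partition after three kinds of drift an allowlisting agent must catch:
# an edited config file, a binary that was never approved, and an approved file gone.
DRIFTED_IMAGE = dict(GOLDEN_IMAGE)
DRIFTED_IMAGE["C:/ATM/config/limits.ini"] = b"max_withdrawal=5000\n"
DRIFTED_IMAGE["C:/ATM/app/helper.exe"] = b"not in the approved build"
del DRIFTED_IMAGE["C:/ATM/app/cardreader.dll"]


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: dict) -> dict:
    """The allowlist: a SHA-256 for every file permitted on the partition."""
    return {path: file_hash(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Stand-in for the management service's signature over the manifest (HMAC here;
    a real deployment would use a public-key signature verified by the ATM)."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_manifest(manifest: dict, signature: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def audit(manifest: dict, observed: dict) -> dict:
    """Diff the files seen on disk against the allowlist. Changed or unexpected
    binaries are what the agent blocks from executing; missing files mean the
    approved build is no longer intact. All three are alert-worthy."""
    seen = {p: file_hash(c) for p, c in observed.items()}
    return {
        "changed": sorted(p for p in manifest if p in seen and seen[p] != manifest[p]),
        "unexpected": sorted(p for p in seen if p not in manifest),
        "missing": sorted(p for p in manifest if p not in seen),
    }


def is_clean(findings: dict) -> bool:
    return not any(findings.values())


def check_machine(manifest: dict, signature: bytes, key: bytes, observed: dict) -> dict:
    """Full check: refuse an allowlist whose signature fails first (otherwise whoever
    can edit the manifest can approve their own binary), then audit the disk."""
    if not verify_manifest(manifest, signature, key):
        return {"error": "manifest signature invalid"}
    return audit(manifest, observed)


if __name__ == "__main__":
    key = b"constructed-management-service-key"
    manifest = build_manifest(GOLDEN_IMAGE)
    signature = sign_manifest(manifest, key)
    print("golden image clean:", is_clean(check_machine(manifest, signature, key, GOLDEN_IMAGE)))
    print("drifted image:", check_machine(manifest, signature, key, DRIFTED_IMAGE))
    # An attacker who adds their binary to the manifest without the key gets caught too.
    tampered = dict(manifest, **{"C:/ATM/app/helper.exe": file_hash(b"not in the approved build")})
    print("tampered manifest:", check_machine(tampered, signature, key, DRIFTED_IMAGE))
```

The design point is that the check has two layers: the manifest protects the disk, and the signature protects the manifest. Skipping the second layer turns the allowlist into a file any local administrator (or malware running as one) can edit.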

ATMs aren't like your average corporate desktop where the user can surf music lyrics and pro wrestling sites in their spare time. Even the dumbest bank knows that ATMs have to be secured pretty heavily. Stewart says that internal safeguards for ATMs are often quite strict. Banks do run antimalware and locked-down firewalls and other security systems on them. Nobody uses '12345' as the password.

ATMs are an obvious target for attackers, but almost all successful attacks on ATMs are from the outside: Attackers use skimming to steal card credentials and cameras to capture PINs, and then make duplicate cards. Banks are attacked on the inside too, but through malware that steals user accounts, not via the ATMs, at least not often. In this sense, the angst over ATMs running XP is somewhat overwrought because they are so isolated, heavily protected and not a good target for software attack. An organization that can be hacked to the point that attackers can plant malicious code on ATMs has bigger problems than Windows XP on those ATMs.

(At this point I have to apologize to anti-malware vendors who will continue to support Windows XP after April. In a previous column I intimated that they were doing the wrong thing, but I guess it's better for them to support their customers, mistaken as those customers may be, than to leave them hanging.)

Finally, it is possible, with a special contract, to continue to get security patches from Microsoft. Microsoft will continue to support certain editions of Windows XP until 2016, so they will be doing a lot of this work anyway. Certainly Diebold and large banks would be the sort of companies to pay for this service. Diebold, incidentally, has a service for some customers whereby they evaluate updates from Microsoft for relevance to their products. Customers can install them with their own updating system, but Diebold also has a remote management service whereby they perform those tasks. It's a bigger part of their business in the US than abroad, but it's easy to see why it's appealing.

So ATMs running Windows XP aren't necessarily defenseless. So what, you might ask? Cash registers at Target are also internal and don't have direct Internet access, and obviously they can get hacked. This is a reasonable argument and the main reason why, in the end, banks absolutely have to move off XP on ATMs as soon as possible... make that as soon as practicable.

So why, after all these years, have banks not already moved? I think the biggest reason has to do with all the other changes coming to ATMs. Consider the following infographic from Diebold's Operation 411 site. (Click on the graphic to go to the site and see a larger version with much more information.)

[Infographic: Diebold Operation 411 site, key approaching compliance dates for ATMs.]

EMV is coming. EMV stands for "EuroPay MasterCard Visa" and is also known in some places as Chip and PIN. It's a smart card with an embedded processor. The point of sale terminal or ATM has to take a PIN from the customer, use it to interact with the card, and obtain a key for submission to the payment processor. As of April 2013, all payment processors for point of sale and ATM transactions have been required by MasterCard and VISA to support EMV transactions. In the US you wouldn't know, because nobody uses EMV cards here. But that will change.
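The exchange just described, with the PIN check, the card-generated cryptogram (the "key" that goes to the processor) and the issuer's verification, as an added example written for this article rather than anything from the article, Diebold or the EMV specifications. It is a simplified model: HMAC-SHA256 stands in for EMV's 3DES/AES key derivations and MACs, the class and field names are this example's own, and the PAN, PIN and keys are constructed. What it shows is why a counterfeit card does not work: the card's key never leaves the chip, and each cryptogram commits to the amount, a fresh terminal nonce and a transaction counter, so a captured cryptogram can neither be replayed nor reused for a different transaction.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Stand-in key derivation (HMAC-SHA256); real EMV uses 3DES/AES derivations."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()


def cryptogram(key: bytes, data: bytes) -> bytes:
    """Truncated MAC over the transaction data (EMV cryptograms are 8 bytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def tx_bytes(pan: str, amount_cents: int, currency: str, un: bytes, atc: int) -> bytes:
    # Everything the cryptogram commits to: change any field and the MAC changes.
    return f"{pan}|{amount_cents}|{currency}|{un.hex()}|{atc}".encode()


class Card:
    """Chip side: a per-card master key, a PIN and a transaction counter (ATC).
    The master key is never exported, which is what a magstripe clone lacks."""

    def __init__(self, pan: str, master_key: bytes, pin: str):
        self.pan = pan
        self._mk = master_key
        self._pin = pin
        self.atc = 0
        self.pin_tries_left = 3

    def verify_pin(self, pin: str) -> bool:
        if self.pin_tries_left == 0:          # card blocked after too many wrong PINs
            return False
        if hmac.compare_digest(pin, self._pin):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False

    def generate_arqc(self, amount_cents: int, currency: str, un: bytes):
        self.atc += 1                          # counter advances on every cryptogram
        session_key = kdf(self._mk, b"session", str(self.atc).encode())
        data = tx_bytes(self.pan, amount_cents, currency, un, self.atc)
        return self.atc, cryptogram(session_key, data)


class Issuer:
    """Issuer host: re-derives each card's key from an issuer master key and
    tracks the highest ATC seen per PAN so an old cryptogram cannot be replayed."""

    def __init__(self, issuer_master_key: bytes):
        self._imk = issuer_master_key
        self.last_atc = {}

    def card_master_key(self, pan: str) -> bytes:
        return kdf(self._imk, b"card", pan.encode())

    def personalize(self, pan: str, pin: str) -> Card:
        return Card(pan, self.card_master_key(pan), pin)

    def authorize(self, req: dict) -> str:
        pan, atc = req["pan"], req["atc"]
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINED: replayed or stale counter"
        session_key = kdf(self.card_master_key(pan), b"session", str(atc).encode())
        data = tx_bytes(pan, req["amount_cents"], req["currency"], req["un"], atc)
        if not hmac.compare_digest(cryptogram(session_key, data), req["arqc"]):
            return "DECLINED: bad cryptogram"
        self.last_atc[pan] = atc
        return "APPROVED"


def terminal_transaction(card: Card, issuer: Issuer, pin: str, amount_cents: int, currency: str = "USD"):
    """ATM/POS side: take the PIN, ask the card for a cryptogram over the transaction,
    forward it to the issuer. Returns (issuer response, request sent or None)."""
    if not card.verify_pin(pin):
        return "DECLINED: PIN", None
    un = secrets.token_bytes(4)                # unpredictable number, fresh per transaction
    atc, arqc = card.generate_arqc(amount_cents, currency, un)
    req = {"pan": card.pan, "atc": atc, "un": un, "amount_cents": amount_cents,
           "currency": currency, "arqc": arqc}
    return issuer.authorize(req), req


if __name__ == "__main__":
    issuer = Issuer(b"constructed-issuer-master-key")
    card = issuer.personalize("4000123456789010", "4321")   # constructed PAN and PIN
    status, req = terminal_transaction(card, issuer, "4321", 20000)
    print("genuine card:", status)
    # A clone holding only the PAN and a captured cryptogram: replay fails on the
    # counter, and bumping the counter fails because the clone cannot re-MAC.
    print("replayed request:", issuer.authorize(dict(req)))
    print("forged counter:", issuer.authorize(dict(req, atc=req["atc"] + 1)))
```

Two details carry the security argument: the terminal's unpredictable number means even the same card and amount never produce the same cryptogram twice, and the issuer's per-PAN counter check means a cryptogram it has already seen is rejected before any key material is touched.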

In April of 2015, just 14 months hence, VISA rules state that all ATM acquirer processors, usually meaning the banks that process the transactions for the ATM, must support EMV transactions. The ATMs themselves don't have to at that point. October is when the hammer really falls: "Counterfeit card fraud liability shifts to transaction acquirers that do not accept EMV chip cards at US POS terminals, according to MasterCard and VISA." Acquirers do not want to be liable for those fraudulent transactions, so they certainly have plenty of incentive to roll out EMV support at POS terminals. It's not for another year, October 2016, that EMV becomes a requirement for US ATMs for MasterCard transactions, and October 2017 for VISA.

I had written recently of my doubts that they could get EMV accepted here in the US, but now I believe it's happening. Consumers will have to remember their PINs and retailers will have to get new terminals, although many of the terminals out there already support EMV. Wal-Mart began turning on EMV support in 2011. Visa's CEO has said it himself: we need these new technologies. The Wall Street Journal also wrote about this recently.

Getting back to my main theme: This, I believe, is why so many ATMs still run Windows XP. Banks have a lot of hardware upgrading to do over the next few years. It only makes sense to coordinate it with operating system upgrading. Not all of this means taking out the old ATM and putting it up on eBay. Stewart says that Diebold ATMs are designed to be upgradable in many ways: faster processors, more memory, bulk check acceptance, and so on. He believes that most of their systems in the field, especially those sold since 2006, are capable of running Windows 7, although perhaps they may require a hardware upgrade, such as more memory, to do so.

After learning all this, I'm not so worried about Windows XP on ATMs. I've been around long enough to know not to be optimistic about anything in computer security, but the VISA and MasterCard compliance deadlines for EMV and other requirements seem like good things. I wouldn't count on the government to be helpful. If anyone can order retail and banks to beef up their security it's MasterCard and VISA.




  • ah, diebold!

    Diebold rings a bell ... wait, isn't that the same company that likes to build election machines?
    Here's a paper on the quality of security in Diebold machines:

    Wait, nobody uses '12345' in such a high-risk environment because policies and governance forbid? The US nuclear forces had the same password for 20 years:

    Wait, embedded XP has restrictions on USB ports? So how come the German CCC could analyze sophisticated malware which attacks ATMs via USB?

    I really feel better now after reading this article to calm down the masses.

    ATMs should have continued being operated with OS/2 instead of Windows.
  • Diebold, lol

    I should just withdraw my money now and stuff it into a mattress. Diebold is not a company that I can trust if their voting machine business is any indicator.
    • You've been using their machines for decades

      At no inconvenience or loss to yourself and now that you just learned that you've been using their machines, you're going to boycott them? Seems a bit irrational. Stupid, even.

      Or maybe, in your rush to post something snarky, you didn't think your position the whole way through.
  • Check out medical equipment

    Is anyone at ZDNet aware that a large majority of medical equipment that is running on "off the shelf" hardware is also still running Windows XP? Some manufacturers have only in the last few years migrated from Windows 2000! I even still have a couple systems that are running on NT 4.0. Might be something to look into.
    • Probably very analogous

      I've seen what you're talking about. I've also seen medical devices with Windows 7 controllers, so it's probably just hospitals taking their time upgrading.

      I will look into it more, thanks.
  • Even Older...

    About two years ago I had the opportunity to see the boot up screen on a McDonald's drive-up window order panel and it wasn't hidden at all: Windows 95. They moved to a new building last year and I'm assuming the OS was upgraded to 98SE. :-)
  • lock these down to just the essential traffic and ports

    It would not be hard to secure a function specific device to just the essentials with input validation rejecting anything out of the ordinary. Require host certificates and limit to only authorized IPs. Firewall with app specific filters.
  • I was wondering

    If the US was ever going to catch up to Europe on smart card technology. I'm glad to learn that it will be only a couple of years when the upgrade happens. A smart chip will go a long way toward preventing the manufacturing of counterfeit credit cards.
    • Just chip & pin the answer to card fraud?

      Chip & PIN smart cards are not the be-all and end-all of anti card fraud. My wife had a debit and credit card cloned in Italy, the ATM rejected both cards so I said we'll call in Jessello or Venice don't worry. Ha! 2 months later we get letter about unpaid mortgage, council tax, and her car loan. She rang the bank and they said money had been withdrawn only the previous week in Sofia and the PIN had been used. She was put through to someone who asked her very basic questions about the card being declined and said it was fraud and we'll refund you which they did almost immediately and all charges and interest, the bank was HSBC, the mortgage was GMAC and they just put charges on and no refund. The car finance wouldn't listen either, the credit card company wouldn't believe her even when she produced time sheets and HSBC statement and compared with the credit card statement.

      So beware we are not an isolated case, and it was always argued that the card industry only wanted it to be able to apportion blame to the card holders.

      Re the credit card, I devised a payment plan for her original balance ignoring the £2000 plus interest and other charges over 60 months, in 13 months we are going to ask the courts to strike the debt out as an IVA, going to argue that by them not contesting they've accepted, plus a legally arranged IVA would have meant them getting less due to arrangement and processing fees.
      We expect to win
      Kevin Morley
      • You're from UK

        I'm from the US. Rules are different over here, as far as fraudulent use of payment cards goes. And yes, pin & chip is better than the system we currently have in place, your anecdote notwithstanding.
  • The question about Diebold ATMs and voting machines is ...

    If they are secured against OUTSIDERS hacking in, are they secured against DIEBOLD hacking in? Not that Diebold would have much incentive to put malware into machines owned by banks who happen to be their customers (they would lose so much if they got caught, and bank controls and procedures would ensure they would get caught), but they CERTAINLY would have an incentive to hack voting machines.

    After all, their CEO has admitted that he wants one political party to win all elections in this country, and has shown no sign of scruples or honesty or ... what's that word for "losers?" Oh yeah, ETHICS! And there has been much suggestive, anecdotal evidence that Diebold machines have changed votes and thus outcomes, but nothing that could be proven ... yet. And with so many jurisdictions using machines with NO paper ballots, how could it be proven? Perhaps if a voter in the next election is wearing Google Glass, and posts a VIDEO of his vote changing before his eyes as he casts it, and puts that on YouTube ... wait, did I just hear ALEC pushing for a bill to ban video recording equipment from polling places?
  • You totally missed the point

    It's NOT Diebold who is to blame, but the end user companies (banks) who put these terminals in public places. Even where these terminals are owned by non-banks the software is the responsibility of the exploiter of these machines and Diebold can do nothing if the end-user wants to use an outdated or even obsolete OS.

    Even with the CPUs presently in use the systems could be spectacularly enhanced when it comes to security, and all remotely, if the end-user is really thinking about security, and all at NO cost to the customers.

    So put the blame where it really lies. With the end-user companies and banks, NOT with the manufacturers.
  • I do think ATM software does need to be kept up to date

    Keeping it up to date is part of the cost of doing business, because leaving known vulnerabilities exposed when there is substantial money to be stolen is asking for trouble.
    John L. Ries