A research report from RBR in London shows that 89 percent of European ATMs are still running Windows XP. This is a larger proportion than in the United States, but what is perhaps even more shocking is that eight percent of ATMs are still running operating systems older than XP: Windows NT, Windows 2000, and even OS/2.
The report attributes the lack of movement away from old and unsupported operating systems to a desire for stability on the part of the banks. Instead of upgrading the operating system, which would likely require upgrading a good deal of the computing hardware in the ATM, the banks would rather lock down the devices and practice other risk mitigation techniques.
I discussed this factor in. ATMs are isolated on the network and have a well-defined and stable function. They are excellent candidates for lock-down techniques such as software whitelisting and strong authentication for any user access.
An ATM protected in this way, while at greater risk than one running a modern OS, is still heavily defended against software attack. Getting malicious software onto such an ATM and executing it is a daunting task. This is why nearly all attacks on ATMs are physical attacks, such as skimming devices and smash-and-grab theft of the entire ATM.
Furthermore, as the report notes, many banks have opted to purchase extended support for Windows XP from Microsoft — the report specifically names JP Morgan Chase as one of these banks, but probably all the larger banks have. Such support is expensive and available for a maximum of two years, so banks absolutely need to have a migration plan in place anyway.
Looked at in this light, the banks' lazy attitude towards OS upgrades seems defensible. If ATMs running Windows NT are operating without suffering software attacks, there's little reason to fear for Windows XP ATMs after today.