Windows XP lives on in ATMs. Crisis?

An ATM running an unpatched Windows XP is not like your kid's old laptop running XP. It's pretty heavily defended. And lots of new ATM and POS security features are coming in the next few years.
Written by Larry Seltzer, Contributor

Recent stories have reminded the public that the leading operating system in ATMs (Automated Teller Machines) in the US is... Windows XP. At first you might think this is grounds for panic and finger-pointing and there's something to that. But it's much less of a crisis than you might think.

I spoke with Dean Stewart, Senior Director, Self-Service Product Management at Diebold, one of the leading manufacturers of ATMs and supporting products and services. Like any one with an appreciation for the potential problems, Stewart wishes that all customers would upgrade to a more current and better-supporter platform. Diebold has been selling ATMs based on current versions of Windows 7 Professional since 2011 and there are many upgrade projects in process. In spite of this, the clear majority of systems, perhaps 80 percent, still run Windows XP, both abroad and in the US.

This is definitely a bad thing, but when you think about ATMs and how they work, it's less of a bad thing than it might at first seem. First, ATMs may run x86 processors and have a basic PC architecture, but they aren't actual PCs and they don't run a plain, standard install of Windows.

As a general rule, ATMs run Windows "with embedded restrictions." What is that? Here are Microsoft's instructions for running How to Implement Windows XP Professional with Embedded Restrictions and How to Implement Windows 7 with Embedded Restrictions. Some of the rules are concerned with making the device look less like a PC to the user (for instance, not showing the Windows banner screen on boot), but many of them are about minimizing the attack surface, as security analysts put it. This means minimizing the number of places the device can be compromised.

Another point worth clarifying: Some recent stories have pointed out that, while Windows XP may reach end of life this April, Windows XP Embedded will continue to receive security updates till January 2016. With Windows 7, Microsoft has added an embedded flavor called "Windows 7 Embedded POSReady," but this is targeted at point of sale systems, not ATMs. Unfortunately, there isn't much good news here. According to Stewart, the large majority of Windows ATMs run the regular Pro edition (although heavily modified and run with the embedded restrictions). The ATM products further harden the systems by controlling the the USB subsystem, network interfaces, and the installation and configuration of software. They strengthen user authentication with two factor authentication.

ATMs aren't like your average corporate desktop where the user can surf music lyrics and pro wrestling sites in their spare time. Even the dumbest bank knows that ATMs have to be secured pretty heavily. Stewart says that internal safeguards for ATMs are often quite strict. Banks do run antimalware and locked-down firewalls and other security systems on them. Nobody uses '12345' as the password.

ATMs are an obvious target for attackers, but almost all successful attacks on ATMs are from the outside: Attackers use skimming to steal card credentials and cameras to capture PINs, and then make duplicate cards. Banks are attacked on the inside too, but through malware that steals user accounts, not via the ATMs, at least not often. In this sense, the angst over ATMs running XP is somewhat overwrought because they are so isolated, heavily protected and not a good target for software attack. An organization that can be hacked to the point that attackers can plant malicious code on ATMs has bigger problems than Windows XP on those ATMs.

(At this point I have to apologize to anti-malware vendors who will continue to support Windows XP after April. In a previous column I intimated that they were doing the wrong thing, but I guess it's better for them to support their customers, mistaken as those customers may be, than to leave them hanging.)

Finally, it is possible, with a special contract, to continue to get security patches from Microsoft. Microsoft will continue to support certain editions of Windows XP until 2016, so they will be doing a lot of this work anyway. Certainly Diebold and large banks would be the sort of companies to pay for this service. Diebold, incidentally, has a service for some customers whereby they evaluate updates from Microsoft for relevance to their products. Customers can install them with their own updating system, but Diebold also has a remote management service whereby they perform those tasks. It's a bigger part of their business in the US than abroad, but it's easy to see why it's appealing.

So ATMs running Windows XP aren't necessarily defenseless. So what, you might ask? Cash registers at Target are also internal and don't have direct Internet access, and obviously they can get hacked. This is a reasonable argument and the main reason why, in the end, banks absolutely have to move off XP on ATMs as soon as possible... make that as soon as practicable.

So why, after all these years, have banks not already moved? I think the biggest reason has to do with all the other changes coming to ATMs. Consider the following infographic from Diebold's Operation 411 site. (Click on the graphic to go to the site and see a larger version with much more information.)

Click here to go to the Diebold operation 411 site for an infographic with key approaching compliance dates for ATMs.

EMV is coming. EMV stands for "EuroPay MasterCard Visa" and is also known some places as Chip and PIN. It's a smart card that has an embedded processor. The point of sale terminal or ATM has to take a PIN from the customer, use that and interact with the card to get a key for submission to the payment processor. It was already April 2013 that all payment processors for point of sale and ATM transactions were required by MasterCard and VISA to support EMV transactions. In the US you wouldn't know because nobody uses EMV cards here. But that will change.

In April of 2015, just 14 months hence, VISA rules state that all ATM acquirer processors, usually meaning the banks that process the transactions for the ATM, must support EMV transactions. The ATMs themselves don't have to at that point. October is when the hammer really falls: "Counterfeit card fraud liability shifts to transaction acquirers that do not accept EMV chip cards at US POS terminals, according to MasterCard and VISA." Acquirers do not want to be liable for those fraudulent transactions, so they certainly have plenty of incentive to roll out EMV support at POS terminals. It's not for another year, October 2016, that EMV becomes a requirement for US ATMs for MasterCard transactions, and October 2017 for VISA.

I had written recently of my doubts that they could get EMV accepted here in the US, but now I believe it's happening. Consumers will have to remember their PINs and retailers will have to get new terminals, although many of the terminals out there already support EMV. Wal-Mart began turning on EMV support in 2011. Visa's CEO has said it himself: we need these new technologies. The Wall Street Journal also wrote about this recently.

Getting back to my main theme: This, I believe, is why so many ATMs still run Windows XP. Banks have a lot of hardware upgrading to do over the next few years. It only makes sense to coordinate it with operating system upgrading. Not all of this means taking out the old ATM and putting it up on eBay. Stewart says that Diebold ATMs are designed to be upgradable in many ways: faster processors, more memory, bulk check acceptance, and so on. He believes that most of their systems in the field, especially those sold since 2006, are capable of running Windows 7, although perhaps they may require a hardware upgrade, such as more memory, to do so.

After learning all this, I'm not so worried about Windows XP on ATMs. I've been around long enough to know not to be optimistic about anything in computer security, but the VISA and MasterCard compliance deadlines for EMV and other requirements seem like good things. I wouldn't count on the government to be helpful. If anyone can order retail and banks to beef up their security it's MasterCard and VISA.

Editorial standards