Regulators from the US to the Philippines have issued warnings to ATM firms that they should be aware of the need to upgrade their operating systems by 8 April 2014, the date on which support for Windows XP expires.
Since Sam Woods, director of UK regulator the Prudential Regulation Authority (PRA), condemned technology at UK banks as “antiquated” in January 2014, it has become apparent that globally many run a soon-to-be-outdated Windows XP platform on their ATMs. Despite the potential to upgrade to Windows 7 it seems that many firms are not making the leap – yet at least.
With industry estimates placing 95% of ATMs running on the XP platform, could this be a chink in the security of banks worldwide?
Q: How come so many ATMs are run on Windows XP?
A: It’s been the operating system of choice for the last decade, having been released in October 2001. At that time banks were considering ATMs to be a vehicle for advertising and value-added services, with some banks having already begun a shutdown of branches on the basis that internet banking was taking over as a recruitment vehicle. Having an operating system that could display graphics (and therefore adverts / information) was a step up from the green screen systems used before. Microsoft tried to phase it out in 2007 but to no avail – it was too popular.
Q: Lots of stories quote the 95% of ATMs figure – is that accurate?
A: NCR, the ATM provider, says that it was certainly accurate at the start of the upgrade process; however, that began in earnest 2½ years ago.
According to Andrei Charniauski, an associate at Retail Banking Research, “Even though the ‘upgrade process’ started a few years ago, right now there are very few Win7 ATMs installed. We are currently updating our ATM studies and, provisionally, at the end of 2013 only around 0.1% of ATMs worldwide were running Win7.”
Q: What effect could this have on ATMs?
A: In theory it could leave them open to attack – without support for Windows XP from Microsoft, which ends on 8 April, vulnerabilities might easily be exploited. Timothy Rains, director of Microsoft Trustworthy Computing, has warned that risks will increase as criminals try to use newly discovered vulnerabilities.
In a statement, Rains said, “The importance of upgrading from Windows XP cannot be overstated. We truly want people to understand the risks of running Windows XP after support ends and to recognise the security benefits of upgrading to a more modern operating system — one that includes the latest in security innovations, provides ongoing support and can in turn better protect them.”
However, this warning is primarily concerned with PCs – ATMs are not internet accessible, and therefore hacking would need to be via the secure network on which they operate or by hardware attached to the device itself.
Q: Is there a threat from regulators?
A: In the US, the Federal Financial Institutions Examination Council (representing the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, State Liaison Committee) has said that banks should follow their risk management processes to address the risk from the continued use of XP, “consistent with the risk management guidance”, which includes “an implementation plan addressing priorities for changes, ensuring appropriate change management procedures, and monitoring related third parties’ mitigation and migration activities, as warranted.”
Deputy Governor of the Bangko Sentral ng Pilipinas, Nestor Espenilla, has said that, “Under our technology risk management framework, banks should … take action to replace their software.”
However, the risks are acknowledged as a ‘cost of doing business’ by most regulators, who are leaving the banks to decide the best way to manage the upgrades.
Q: And are banks making the switch?
A: Only a third are estimated to be moving by the deadline; most are simply paying Microsoft more money to carry on as before.