Community
When ATM vendors got behind Windows XP as a replacement for IBM’s OS/2 as it neared the end of its shelf life 10 years ago, there was a predictable flurry of concern.
And instinctively, the concerns made sense. Why would you use the most popular and most targeted all-purpose PC operating system to run such a machine with very specific functions and security requirements?
But there were obvious benefits – among them greater user interface flexibility, compatibility with other internal and customer facing applications and banks’ familiarity with securing desktop estates on the same OS. And, banks said, most ATMs operated within very closed networks.
Then in 2003, the Slammer worm affected operations of 13,000 Bank of America ATMs, even though it wasn’t directly infecting ATMs themselves, rather back-end servers that connected to them. This was followed later that year by two US banks confirming the Welchia or Nachi worm had directly affected some ATMs.
Many commentators took these examples, pointed to banks increasingly moving ATM networking to TCP/IP to save money, and predicted a vulnerable future for ATM security.
Security and ATM vendors responded with additional firewalls, hardware devices and software security layers. And since then things have been pretty quiet.
Now, with XP end of support just eight months away, and around 75 per cent of ATMs still running on the operating system, will this change? Probably not.
The ATM vendors have been leisurely pushing Windows 7 upgrades for the past few years, but have also been careful to reassure banks that their additional security layers and removal of superfluous vulnerabilities from XP would protect them if they didn’t get around to the upgrade right away.
In the end, upgrade pace will be determined by how seriously each bank takes PCI DSS compliance, whether their hardware is getting too old to run new ATM applications and Windows 7, and competing priorities.
But if an ATM security threat does emerge after XP stops getting patches in April, upgrading might suddenly seem a bit more urgent.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Tachat Igityan Founder and CFO at destream
03 December
Victor Irechukwu Head, Engineering at OnePipe Services Limited
29 November
Nkahiseng Ralepeli VP of Product: Digital Assets at Absa Bank, CIB.
Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.