Blog article
See all stories »

An article relating to this blog post on Finextra:

Discontinuation of support for Microsoft XP poses operational risks to banks - FFIEC

The Federal Financial Institutions Examination Council (FFIEC) has warned that plans by Microsoft to discontinue support for the XP operating system pose operational risks for banks that still use it.

See article

Is that a worm in my ATM?

When ATM vendors got behind Windows XP as a replacement for IBM’s OS/2 as it neared the end of its shelf life 10 years ago, there was a predictable flurry of concern.

And instinctively, the concerns made sense. Why would you use the most popular and most targeted all-purpose PC operating system to run such a machine with very specific functions and security requirements?

But there were obvious benefits – among them greater user interface flexibility, compatibility with other internal and customer facing applications and banks’ familiarity with securing desktop estates on the same OS. And, banks said, most ATMs operated within very closed networks.

Then in 2003, the Slammer worm affected operations of 13,000 Bank of America ATMs, even though it wasn’t directly infecting ATMs themselves, rather back-end servers that connected to them. This was followed later that year by two US banks confirming the Welchia or Nachi worm had directly affected some ATMs.

Many commentators took these examples, pointed to banks increasingly moving ATM networking to TCP/IP to save money, and predicted a vulnerable future for ATM security.

Security and ATM vendors responded with additional firewalls, hardware devices and software security layers. And since then things have been pretty quiet.

Now, with XP end of support just eight months away, and around 75 per cent of ATMs still running on the operating system, will this change? Probably not.

The ATM vendors have been leisurely pushing Windows 7 upgrades for the past few years, but  have also been careful to reassure banks that their additional security layers and removal of superfluous vulnerabilities from XP would protect them if they didn’t get around to the upgrade right away.

In the end, upgrade pace will be determined by how seriously each bank takes PCI DSS compliance, whether their hardware is getting too old to run new ATM applications and Windows 7, and competing priorities.

But if an ATM security threat does emerge after XP stops getting patches in April, upgrading might suddenly seem a bit more urgent. 



Comments: (0)

Now hiring