Microsoft XP Support Ends, Sparking ATM Security Concerns (April 7, 2014)
Microsoft tomorrow will issue the final security update for Windows XP, a 12-year-old product the software giant says no longer suits the risks of today’s computing environments. But millions of computers worldwide are still running XP, including an estimated 95 percent of U.S. ATMs, experts say. This is causing heartburn for those who worry about hackers exploiting vulnerabilities in cash machines when Microsoft XP security patches go away.
Security firm Avast said Windows XP, introduced in October 2001, is under attack six times more often than Windows 7, which Microsoft released in 2009. After April 8, ATM operators will be responsible for fixing any security bugs themselves. To help cope, JPMorgan Chase & Co. and several other banks reportedly paid Microsoft for a one-year extension of XP tech support.
Experts say ATM systems typically have deeply embedded software programs, posing upgrade challenges. Various reasons including budget, hardware performance and compatibility issues also helped to push ATM upgrades lower on financial institutions’ priority lists.
It could take another year or more for most ATM operators to phase out XP, and in the meantime most view the security risk as relatively low, according to Avivah Litan, vice president and analyst at Gartner Research. “ATM systems typically are very closed, and protected by firewalls and software hardening,” Litan tells Paybefore. “ATM operating systems should certainly be upgraded, but this is not an emergency situation.”