Microsoft is working furiously to convince users of Windows XP to abandon the venerable operating system before they end support on April 8th, warning of dire consequences when they halt the release of security patches.
Most of this attention has been on individual XP users and small businesses. No large business would still be committed to 13 year old operating system, would they? Well yes, actually. It seems that most of the world’s Automated Teller Machines (ATM) operate on Windows XP.
Given all of the talk about hackers planning an all out assault on XP when support ends, is going to be a problem? Is it time to panic?
Well, yes to the former and no to the later.
First of all, contrary to what you hear from Microsoft they will be producing security patches for XP for at least the next two years. However, they will no longer be free and will only be affordable for large customers, such as banks and financial institutions.
This does give them more time to consider changes. Banks are very reluctant to upgrade critical systems. They are the number one users of Cobol and Network databases, obsolete in most other industries.
On the other hand, a recently reported ATM hack, the so called Ploutus virus, may be a sign that the assault on Windows XP based ATMs is already on the way. A hacker has always had to physically interact with an ATM machine to output cash. With Ploutus, however, the hacker can send a text message to the compromised system and trigger the disbursement of cash. You just need someone there to collect the money.
Spreading malware like Ploutus is still a challenge for hackers. Many exploits that work against the average computer user require the user to visit a compromised web site, which does not apply to an ATM. However, the term Advanced Persistent Threats is apt because hackers are nothing if not persistent.
Reports indicate that the malware used in the Target data breach was not particularly sophisticated, in some ways even amateurish. However, the hackers were very persistent. They worked their way into Target’s network via an isolated connection with a vendor they use for refrigeration. Once inside the network, it must have taken quite a while to locate and infect the POS systems, but they made it.
While there is no need to panic, even with security updates XP is an old operating system that is not as secure as newer versions of Windows or Linux. ATM operators would be wise to start planning migration away from XP.