Many of the UK’s 70,000 cash machines face major security risks next year as Microsoft is set to withdraw support for the Windows XP Embedded system in use on many ATMs.
The support cut-off will take place on 16 January and means that no more security updates are due for the software. As such, banks and other ATM owners will need to upgrade their systems before this deadline.
“Windows XP Embedded Service Pack 3. This is the original toolkit and componentised version of Windows XP. It was originally released in 2002, and Extended Support will end on 12 January 2016,” said Microsoft’s support page.
However, as the end of support for Windows XP demonstrated, many organisations are slow to act on such warnings, and numerous Windows XP machines are still in operation on corporate networks, often at great cost.
The situation is likely to be the same for ATMs, which security firm Abatis said will pose serious security risks.
“This presents major problems for the banks and puts their customers’ cash at risk, which is the last thing anyone wants as they check their accounts after a costly Christmas and early sales,” said Abatis CEO Kerry Davies.
V3 contacted Link, the trade association responsible for cash machines in the UK, for its response to these concerns.
It said it has been working with members to transition from Windows XP Embedded ever since Microsoft first announced the support deadline.
“All Link members have fully considered this issue, and have plans in place for dealing with the withdrawal of Windows XP support,” it said.
“A number of Link members have already migrated to Windows 7 while a number of others are well advanced with their migrations and will complete early 2016. Others are performing their changes along with much bigger platform change projects and their implementations will be later in 2016.”
Despite the fact some migrations won’t be ready Link said those organisations should take out the necessary additional cover from Microsoft to avoid any issues.
“We are unaware of any problems related to ATMs continuing to run on Windows XP due to affected cash machine operators having extended maintenance agreements that have in place with commercial providers to continue receiving patches and updates for these machines.”
ATMs are often targeted by criminals. A successful breach can net thousands of pounds for very little effort because ATM software security is given little thought, as Kaspersky’s David Emm explained to V3 last year.
“One of the problems [with ATMs] is they are closed systems. So once they are put in place the mindset is to not mess with them again. This means they won’t be patched or updated,” he said at the time.
The end of support for Windows XP Embedded is not the only security problem Microsoft has warned about for the new year. The firm issued a reminder ealier this month that companies need to be running Internet Explorer 11 as support for all older versions of the browsers will end in January.