A research report from RBR in London shows
that 89 percent of European ATMs are still running Windows XP. This is a
larger proportion than in the United States, but what is perhaps even
more shocking is that eight percent of ATMs still run operating systems
older than XP: Windows NT, Windows 2000 and even OS/2.
The report attributes the lack of movement away from old and
unsupported operating systems to a desire for stability on the part of
the banks. Instead of upgrading the operating system, which would likely
require upgrading a good deal of the computing hardware in the ATM, the
banks would rather lock down the devices and practice other risk
mitigation techniques.
I discussed this factor in a recent story on the smaller, but continued, dominance of Windows XP in US ATMs.
ATMs are isolated on the network and have a well-defined and stable
function. They are excellent candidates for lock-down techniques such as
software whitelisting and strong authentication for any user access.
An ATM so protected is still at greater risk than one running a
modern OS, but it remains heavily defended against software attack.
Getting malicious software to such an ATM and executing it is a daunting
task. This is why nearly all attacks on ATMs are physical attacks, such
as skimming devices and smash-and-grab of the entire ATM.
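The whitelisting control mentioned above can be made concrete. The following is an added illustration, not code from this post or from the RBR report: a toy allow-list check for a fixed-function device, in which an executable runs only if both its path and its SHA-256 digest are on an approved inventory, and every decision is written as an audit line. The ATM paths, the "binary" contents and the inventory are all constructed for the example.

```python
"""Toy model of software whitelisting on a fixed-function device (an ATM).

Constructed example: the device has a small set of approved executables.
Anything not on the list, or whose contents differ from the approved
build, is denied before it runs, and the decision is recorded.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Digest of a binary's contents; the allow-list stores these, not just paths."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical approved-software inventory for one ATM image.
# The byte strings stand in for the file contents of the approved builds.
APPROVED_BINARIES = {
    "C:\\ATM\\dispenser.exe": b"dispenser v1.0",
    "C:\\ATM\\pinpad.exe": b"pinpad v1.0",
}
ALLOWLIST = {path: sha256_hex(content) for path, content in APPROVED_BINARIES.items()}


@dataclass
class Verdict:
    path: str
    allowed: bool
    reason: str


def check_execution(path: str, content: bytes, allowlist: dict) -> Verdict:
    """Default-deny: run only if the path is known AND the digest matches.

    Matching the digest rather than the path alone catches the case where an
    approved path now holds a modified or replaced file.
    """
    expected = allowlist.get(path)
    if expected is None:
        return Verdict(path, False, "not in allowlist")
    if sha256_hex(content) != expected:
        return Verdict(path, False, "hash mismatch (file modified or replaced)")
    return Verdict(path, True, "approved binary")


def audit_line(v: Verdict) -> str:
    """One log line per execution attempt, so the operator can review denials."""
    decision = "ALLOW" if v.allowed else "DENY"
    return f"exec path={v.path!r} decision={decision} reason={v.reason!r}"


def run_sample() -> list:
    """Three constructed attempts: legitimate, tampered-at-approved-path, unapproved."""
    attempts = [
        ("C:\\ATM\\dispenser.exe", b"dispenser v1.0"),
        ("C:\\ATM\\dispenser.exe", b"dispenser v1.0 TAMPERED"),
        ("C:\\Temp\\update.exe", b"unknown installer"),
    ]
    verdicts = [check_execution(p, c, ALLOWLIST) for p, c in attempts]
    for v in verdicts:
        print(audit_line(v))
    return verdicts


if __name__ == "__main__":
    run_sample()
```

The point of the digest check is the second attempt: a file sitting at an approved path but with different contents is denied, which is what makes whitelisting useful on a device whose OS itself no longer receives patches. In practice the inventory would be signed and held outside the device, and the audit lines shipped to a central log, so that a denial on one ATM is visible to the bank's operations team.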
Furthermore, as the report notes, many banks have opted to purchase
extended support for Windows XP from Microsoft — the report specifically
names JP Morgan Chase as one of these banks, but probably all the
larger banks have. Such support is expensive and available for a maximum
of two years, so banks absolutely need to have a migration plan in
place anyway.
Looked at in this light, banks' lazy attitude towards OS upgrades seems
defensible. If ATMs running Windows NT are running without software
attack, there's little reason to fear for Windows XP ATMs after today.