Cash crash ahead? ‘Death’ of Windows XP could leave 95% of world’s ATMs vulnerable

As many as 95% of ATM machines around the world could be vulnerable from April onwards, when Microsoft cuts off regular security patches for Windows XP on April 8. Most ATM machines in the U.S. and worldwide still run the ageing operating system – and some banks may continue ‘indefinitely’.

The Verge reports that ATM software company KAL estimates that just 15% of American ATMs will upgrade to Windows 7 by April. “That leaves thousands of machines running out-of-date software,” the site said.
A report by Bloomberg Businessweek says that 420,000 ATMs in the U.S. still run Windows XP, according to Robert Johnston, marketing director at NCR, the largest supplier of ATMs in America, and now face a ‘deadline’ to upgrade. After April 8, the machines will be at risk of non-compliance with industry standards, and at increased risk of attacks against the OS.
Speaking to The Verge, NCR said that most ATMs still run the full version of Windows XP, with support ending in April, while a minority run Windows XP Embedded, which will be supported until 2016.
Many banks face costly hardware upgrades to replace ageing machines which cannot support Windows 7 – JP Morgan says 3,000 of its 19,000 ATMs will require “enhancements” to support Windows 7, according to Bloomberg.
The Verge reports that JP Morgan is to buy a custom support contract from Microsoft to extend the life of ATMs running Windows XP.

“The ATM world is not really ready, and that’s not unusual” says Aravinda Korala, chief executive officer of ATM software provider KAL, according to a report by the Daily Mail, which describes XP-powered machines as ‘vulnerable’. “ATMs move more slowly than PCs.”

In a presentation in December, Mr Korala suggested that some banks intended to continue to use XP-powered machines ‘indefinitely’.

Earlier this month, Microsoft affirmed that XP would no longer be “a supported operating system”, but that it would provide assistance to users in the form of antimalware signatures for some months after the April deadline for patches, as reported by We Live Security here. “To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.”
Despite Microsoft setting April 8, 2014 as the “end of support” date for Windows XP, around a third of PCs worldwide still run the operating system, according to research firm Net Applications.

“We will continue to help our customers complete their migrations as Windows XP end of life approaches,” Microsoft said via its blog post. The company made it clear, though, that Windows XP was a less safe option than newer versions of its OS. “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Windows XP users already face a higher risk of malware infection, as reported by We Live Security here. Per 1,000 PCs scanned, 9.1 XP machines had been infected – as compared to 1.6 for Windows 8, according to a report by Neowin.

“Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms. While we are proud of Windows XP’s success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals,” Microsoft wrote in a statement last year.