Banking Blog

ATMs face deadline on Windows XP

By Allison Ross
Monday, March 17, 2014
Posted: 3 pm ET

Banks across the country are facing an April 8 deadline to update or further protect their ATMs before Microsoft cuts off tech support for its Windows XP operating system.

If your eyes just glazed over from all the tech-y words, let's break it down:

1. An estimated 95 percent of the ATMs in this country run on an old operating system called Windows XP. (Windows XP debuted 12 years ago, which is ancient in tech terms.)

2. Microsoft has been saying for a while that it will stop offering support for Windows XP on April 8.

3. This means that after that date, Microsoft will no longer issue security updates when it discovers a vulnerability in Windows XP.

4. Therefore, any ATMs that don't upgrade their operating systems by April 8 could be more vulnerable to hacker attacks.

"After end of support, attackers will have an advantage over defenders who continue to run Windows XP," Tim Rains, director of Microsoft's Trustworthy Computing Division, said in a blog post in October.

Hacker heaven?

It's unclear just what will happen after the April 8 deadline, but some experts predict the situation could be a major liability headache for companies whose ATMs run on that system.

Rains says in that blog post that the infection rate on systems running Windows XP is likely to jump after April 8. He notes that the last version of Windows XP to go out of support, Service Pack 2, saw a jump of 66 percent in malware infections in the two years after Microsoft discontinued its support. (The current version that's about to go out of support is Windows XP Service Pack 3.)

Jason Fossen, a trainer for SANS Institute and an expert on Microsoft security, says the price of an exploitable vulnerability generally ranges from $35,000 to $160,000, depending on whether it's a newly discovered vulnerability and how well it works, among other factors.

"Now, imagine you have recently discovered a new vulnerability in Windows XP," Fossen says. "If you hold off selling the vulnerability until after April 8, when Microsoft will stop releasing any new XP security patches, then that vulnerability should be useful longer (theoretically, forever) and the price should go up.

"I wouldn't be surprised to see the price of some types of XP vulnerabilities double," Fossen says. "And as the price of XP vulnerabilities goes up, this motivates hackers to work harder to find new ones."

Not many ATMs will be ready

A spokesman with NCR Corp., one of the largest ATM suppliers in the U.S., says it expects only about a third of ATM deployers to meet Microsoft's deadline for upgrading. However, others will come up with different ways to protect themselves.

For instance, JPMorgan Chase bought a one-year extension from Microsoft to continue offering updates while it works to upgrade its ATMs, according to Business Insider. Other companies are buying security packages or making other changes to boost ATM security and stay compliant with the regulations of the PCI Security Standards Council.

Waiting and watching

Consumers should know that ATMs will continue to function after the April 8 deadline, the NCR spokesman says. Plus, consumers have protections in place if their account information is attacked. (See some of Bankrate's recent blogs about this here and here.)

"There is nothing practical consumers can do about ATMs running Windows XP other than to make sure they are customers to banks which will reimburse them for any losses related to ATM hacking," Fossen says. He says banks are the ones who should be more concerned about the deadline.

"For banks with ATMs running Windows XP, the biggest risk will probably be to their reputations if an ATM hacking story hits the media," Fossen says.

Banks, consumers and others using Windows XP have known for a while that the end-of-support deadline was coming, Fossen says. However, upgrading ATMs can be a lengthy, expensive process, experts say.

Terence Devereux with Wincor Nixdorf, which provides services, hardware and software to retailers and retail banks, said in a recent webinar that even if banks "had got their act together and placed orders" for all the necessary equipment to upgrade the ATMs, "it would have been a tough bet for the ATM vendors to supply it."

The NCR spokesman says expenses could include a license for the newer Windows 7 operating system and the cost of buying, testing and distributing new software. He says that older ATMs also may require hardware upgrades or need to be replaced completely.

Have you received any communications from your bank about ATM upgrades?

Follow me on Twitter: @allisonsross.

April 07, 2014 at 7:21 pm

Part of the problem with old operating systems like Windows XP is new technology will not work with it. Any web software utilizing Microsoft .NET Framework 4.5 will not work with XP. So you update your OS or you get left behind.

March 20, 2014 at 1:07 pm

I want to know how they're still finding security holes in the software AFTER TWELVE YEARS!

March 19, 2014 at 12:26 am

It's a lot more than just ATMs. Many large retailers still use XP as the heart of their point-of-sale cash register and credit/debit card processing.

Target may have just been the tip of the iceberg.

March 18, 2014 at 8:19 pm

Sounds like the same kind of panic stories were everywhere back at the end of 1999. Anybody else remember the Y2K panic? I worked in computer security since there were punch cards and well into the Internet and Web era. There are MANY things banks can do to mitigate the risk of still having ATMs that are XP based. In fact those things should have been done anyway. In any case large companies, such as banks, can get extended support for XP for some time to come while they transition. All it takes is lots of money and Microsoft will support XP for some time longer.

March 18, 2014 at 7:57 pm

I think all the computers that were sold in the last two years should have or get a free OS upgrade to 7 if they had XP sold on them knowing this instead of leaving many with this dilemma.

March 18, 2014 at 7:29 pm

How will we know if ATMs have been updated?

March 18, 2014 at 7:28 pm

Well, if Billy hadn't put all those back doors into XP the problem wouldn't be there. Now I'm just curious if Billy uses ATMs?

Asdf McAsdf
March 18, 2014 at 6:15 pm

Yes, especially when pretty much everyone who was alive when XP was released now has an XP computer, and as everyone knows, the normal computers can't update their OS! (Maybe. I'm not sure about that last bit.)

Tom Kowalski
March 18, 2014 at 4:59 pm

Sounds like another Y2K alarmist. Would Microsoft license XP to someone to continue support? There are just too many XP users out there to consider dropping support of it completely. Heck, there are still a lot of COBOL programs running out there!!!