The end of days for Windows XP and impact on bank ATMs

Marc DeCastro

April 8th marks the last day of official support for Windows XP. Much to the chagrin of those who run an ATM network, the majority of ATMs out there today are still running Windows XP. What will this mean on April 9th?

For the consumer, it will mean very little. In fact, most consumers have no idea that a standard PC-based operating system is running the software behind their bank or credit union's ATM. When I was installing ATMs, most of ours were running on a version of OS/2 Warp! The reality is that while this issue needs to be addressed, it is not something that is going to happen overnight, and since most of the hacking of ATMs centers on external components, as with card skimming, consumers should not be overly concerned.

The ATMs on April 9th will be as secure as they were on April 7th - however, with no future upgrades or patches, any new attack against XP-based terminals could prove to be costly. After April 8th, 2014, Windows XP will essentially have zero-day vulnerabilities in perpetuity - yikes!

Most individuals who go up to an ATM have no idea if it is running Windows XP or Windows 7. Anyone who tries, at the machine level, to install some sort of virus or Trojan horse on a terminal will be at a disadvantage. All the components that give access to the OS are located inside the secured location of the branch that holds the ATM. It really would not be worthwhile to try to infiltrate the ATM in such a manner. If you get there - you may as well pop open the cash trays.

There are four choices a financial institution can make with regard to XP. The first, and least likely, option is to do nothing. By doing nothing, the bank runs the risk of running a non-PCI-compliant device and could face fines; however, the end of support does not mean that the ATMs stop running. The next option is to arrange for an upgrade to the operating system while keeping the ATM pretty much intact. While this strategy will work, it will take some time and expense to visit the numerous non-compliant ATMs.

Another option is to find a middleware solution that allows the bank to keep running the ATM on XP and provides the security parameters required for PCI compliance. This would allow the financial institution to take a more structured approach to its ATM strategy, but it does introduce another layer of cost. The final option is a complete upgrade of the ATM to the latest and greatest applications and operating systems.

