Feeds

UK's CASH POINTS to MISS Windows XP withdrawal date

Fear of fine trumps fear of breach for banks

Intelligent flash storage arrays

Extended support? You must be joking

Johnson also reckoned hardly any banks have paid Microsoft additional money to provide extended security cover for the cash machines.

Windows XP laggards in the public and private sector have swallowed rather than continue to run vulnerable PCs without protection from Microsoft.

“Only a few have taken extended support and that’s on the back of large PC estate migrations – 20 to 30,000 PCs,” Johnson said.

Microsoft is charging users who want extended support for custom agreements $200 per PC in the first year of a contract, $400 in year two and $800 for year three.

The chances of an ATM being hacked are relatively small, as cash-machine providers have locked down or disabled large parts of the standard Windows OS. Also, the banks themselves prevent them from directly accessing the internet.

Physical attack is an option: NCR’s newest self-service ATMs have a USB slot for engineers, but NCR reckons this is an encrypted slot that’s hard to access.

Banks are less concerned about money lost in an attack than about the related financial consequences of an attack being successful.

Banks adhere to data security requirements under the Payment Card Industry Data Security Standard, administered by the Payment Card Industry Security Standards Council that was created by the World’s global payment providers - American Express, Discover Financial Services, JCB International, MasterCard, and Visa International.

The PCI DSS states operating systems must be protected against known vulnerabilities using vendors’ latest security patches.

A loss of data or a breach resulting from failure to follow PCI DSS standards could result in whopping fines.

Banks can be fined $5,000 to $100,000 per month for PCI compliance violations.

“One of the things banks are worried about is the risk of compliance, with things like PCI standards, so if there’s a breach they are wide open to the consequences commercially,” Johnson told The Reg. “If they suffer fraud and are not PCI compliant, they are open to being sued by various interested parties.”

The PCI has cut the banks some slack when it comes to Windows XP, saying they can implement “compensating controls” - but only as a temporary measure.

“The eventual solution is to upgrade to a supported operating system, and the entity should have an active migration plan for doing so,” the PCI says.

Compensation controls are no easy option. They mandate the bank regularly conduct “exhaustive reviews” of all known exploits with appropriate updates to the operating system configurations, antivirus protection, network and firewall rules. PCI also mandates use of IP address whitelisting.

NCR is re-selling banks its McAfee’s Solidcore IP whitelisting suite, bought by the AV company in 2009 for $33m, that NCR reckons it has “adapted” for ATMs. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.