UK's CASH POINTS to MISS Windows XP withdrawal date
Fear of fine trumps fear of breach for banks
Tens of thousands of ATMs will be running Windows XP long after Microsoft’s deadline to abandon the operating system ahead of a potential hacker storm.
Just a third of the UK’s 60,000 ATMs will be upgraded from Windows XP before the end of this year, according to the biggest supplier of those machines - NCR.
But it will be 8 April when Microsoft actually stops releasing security patches for Windows XP and when systems still running the OS will be open to hackers writing new malware and devising fresh attacks.
NCR – which supplies 60 per cent of the UK’s cash points – believes 95 per cent of Britain’s ATMs are today still running Windows XP with less than a month to go.
NCR told The Reg it has been working with Microsoft for nearly three years through workshops and sales camps to persuade banks to upgrade their ATMs.
NCR is selling a version of its ATM software that runs on Windows 7.
But the banks are dragging their feet because of the cost and are only moving as part of an overall business strategy because of the substantial cost involved in buying the new cash machines needed.
The price of an ATM runs to $40,000 per machine for the latest fully specified touchscreen machines with an average start price of $8,000.
The banks are reluctant to move over until they’ve realised the capital cost of paying for the existing ATMs that are running Windows XP, according to NCR.
That differs to the pace of Windows XP upgrades on the PC.
There, many in financial services are understood to have already migrated their corporate desktops and laptops off Windows XP in advance of the April cut-off.
But then, a PC can be bought for as little as a few hundred pounds.
“We’ve done a lot of work trying to educate banks to move early,” enterprise software global marketing director Robert Johnson told The Reg in an interview, “but the majority are going at the pace that suits their business.”
We'll move when we're ready...
Institutions are working to their own timetable and not Microsoft’s, he said.
“The interesting dynamic is getting customers to be ready to do an upgrade. Most customers are looking at this with some reluctance because they don’t appreciate being driven to a decision by Microsoft. They want to work to their own dates.”
“What we will probably see is one third of the install base move off Windows XP by the end of 2014,” he said.
The cost comes from paying for the Windows licence, upgrading the software stack, testing and configuring the new software and in deployment. The software stack consists of a basic platform that connects Windows to the application modules that provide different services.
Modules vary by bank, but include security and the ability to insert and recognise the ATM card and withdraw money. Options on top of that include the ability to recognise the customer by name to promote advertising, goods and services, mobile phone top-ups and bill payments. Touchscreen also being offered instead of keyboard input.
Johnson predicts there will patchy upgrades across the sector and within companies’ ATM networks.
“Lots of companies will take time to migrate and some will not migrate in one go because they have thousands of ATMs,” he said.
Extended support? You must be joking
Johnson also reckoned hardly any banks have paid Microsoft additional money to provide extended security cover for the cash machines.
Windows XP laggards in the public and private sector have swallowed rather than continue to run vulnerable PCs without protection from Microsoft.
“Only a few have taken extended support and that’s on the back of large PC estate migrations – 20 to 30,000 PCs,” Johnson said.
Microsoft is charging users who want extended support for custom agreements $200 per PC in the first year of a contract, $400 in year two and $800 for year three.
The chances of an ATM being hacked are relatively small, as cash-machine providers have locked down or disabled large parts of the standard Windows OS. Also, the banks themselves prevent them from directly accessing the internet.
Physical attack is an option: NCR’s newest self-service ATMs have a USB slot for engineers, but NCR reckons this is an encrypted slot that’s hard to access.
Banks are less concerned about money lost in an attack than about the related financial consequences of an attack being successful.
Banks adhere to data security requirements under the Payment Card Industry Data Security Standard, administered by the Payment Card Industry Security Standards Council that was created by the World’s global payment providers - American Express, Discover Financial Services, JCB International, MasterCard, and Visa International.
The PCI DSS states operating systems must be protected against known vulnerabilities using vendors’ latest security patches.
A loss of data or a breach resulting from failure to follow PCI DSS standards could result in whopping fines.
Banks can be fined $5,000 to $100,000 per month for PCI compliance violations.
“One of the things banks are worried about is the risk of compliance, with things like PCI standards, so if there’s a breach they are wide open to the consequences commercially,” Johnson told The Reg. “If they suffer fraud and are not PCI compliant, they are open to being sued by various interested parties.”
The PCI has cut the banks some slack when it comes to Windows XP, saying they can implement “compensating controls” - but only as a temporary measure.
“The eventual solution is to upgrade to a supported operating system, and the entity should have an active migration plan for doing so,” the PCI says.
Compensation controls are no easy option. They mandate the bank regularly conduct “exhaustive reviews” of all known exploits with appropriate updates to the operating system configurations, antivirus protection, network and firewall rules. PCI also mandates use of IP address whitelisting.
NCR is re-selling banks its McAfee’s Solidcore IP whitelisting suite, bought by the AV company in 2009 for $33m, that NCR reckons it has “adapted” for ATMs. ®