Windows ( XP ) and ATMs

Regular readers of this blog will know that I’ve ranted about the use of Microsoft Windows by banks in their ATMs in the past. The idea of using one of the most insecure and most targeted OSes in existence to run what should be a very secure device just boggles the mind. My own bank does this as well ( despite a number of complaints I’ve sent them in this regard – why aren’t they listening to me? ) and I’ve resorted to not drawing cash from ATMs anymore, if possible.

There have been a number of threats to ATMs over the years, with the latest being Ploutus, malware that is specifically designed with ATMs in mind. The original version required that a keyboard be hooked up to the ATM, but the latest versions only require a mobile-based USB connection and an SMS before the ATM spills its guts – literally.

In the past, there was a smidgen of mitigation because Windows XP ( which is the most used version of Windows in ATMs ) still received updates, but as of April 8th next month, that will no longer be the case. Microsoft is finally putting XP out to pasture, which is a pity as, in the last decade, XP has arguably been the most successful version of Windows. Not only is XP support ending, but so is Microsoft Security Essentials, Microsoft’s in-house AV tool, which provides some protection against Bad Stuff(tm).

There is talk of using Linux or Windows 7 in ATMs going forward, but financial firms are glacial in their migration projects, so I don’t expect anything here soon. That means that ATMs using Windows XP will be at a greater security risk than before ( considering it was already bad, this is not good news ).

One of the biggest issues in migrating to newer versions of Windows is application compatibility. There are some options here:

  • rewrite your app to be Windows Vista/7 ( and above )-compliant
  • run your app in a sandbox like VMware ThinApp, Citrix XenApp or Microsoft Terminal Services RemoteApp ( not supported for IE6 apps )
  • migrate to a different platform, eg. Linux
  • dump the app and use something else

In all cases, the cost and effort of change is huge for many, and so they will keep on running the current systems, possibly to their security detriment. Even upgrading to Windows 7 may not be good enough, seeing as mainstream support ends in July 2015 and it becomes end-of-life in 2020 ( which is not that far away ).

It’s a tongue twister, but this is one of the issues corporates and others struggle with as a result of their use of commercial software. Two of the bugbears that many commercial companies accuse Open Source of, fragmentation and a large choice, are suddenly a very big pro when it comes to issues like this. EOL for Ubuntu? Switch to CentOS … EOL for SugarCRM? Switch to openCRX. And so on.

Suddenly that “too much choice” argument is falling by the wayside ( as if it ever held any water ) and FOSS is looking as attractive as ever. For those running Windows XP in office environments, a standard Linux desktop is quite an adequate replacement for Windows XP. Unless you run some discrete/proprietary apps, Linux should be on your migration radar.