Windows XP deadline puts bank ATMs at risk

When it comes to operating systems, how old is too old? Banks across the U.S. and around the world are about to find out.

As Microsoft continues its campaign to convince customers to finally shut off PCs running the old Windows XP operating system and transition to something a little newer, the largest ATM provider in the U.S. has released data that suggests breaking the XP habit may be more difficult than anticipated.

NCR says 95 per cent of the world’s ATMs still run on XP. The operating system was released in 2001, and the Redmond, Washington-based software vendor had set April 8, 2014 as the end of support date for computers and devices running the full version of XP. After that date, the company said it would no longer issue security updates or non-security hotfixes designed to improve performance or address problems or errors. It would also stop all free and paid support services, and cease providing online technical content updates.

Customers who continue to use Windows XP after support runs out will be at increased risk of online attack and infection. While most ATMs are not directly connected to the Internet, they remain vulnerable to other forms of attack.

Although an embedded version of XP will be supported until 2016, NCR says most of the 420,000 ATMs currently in use in the U.S. run the full version. With Microsoft’s upgrade campaign failing to get everyone off of XP in time, the company last week quietly announced an extension of sorts: While the original deadline stands, Microsoft will continue to provide anti-malware updates through July 14, 2015 to ensure the old machines remain protected against newly emerging threats.

Software in transition

Old operating systems have long been a thorn in Microsoft’s side. The company’s revenue models were traditionally based on customers buying updates for Windows and Office. As mobile technology has sapped the PC’s dominance – IDC says sales were down 10 per cent in 2013 and are expected to tumble again this year – and software has increasingly shifted online, Microsoft has followed suit. Its subscription-based Office 365 product has tallied 2 million subscribers and last year became the company’s latest billion-dollar business. Unlike traditional shrinkwrap offerings, online services generate regular subscription-based revenues, and aren’t subject to falling behind the times if customers decide what they’re using is simply good enough.

Windows XP has stubbornly clung to the back of Microsoft’s technology treadmill because the product that replaced it, Windows Vista, was late, bloated and flawed when it finally bowed in 2006. While Windows 7 subsequently fixed most of Vista’s problems, customers satisfied with XP saw no reason to rock the boat. And as long as Microsoft was providing support and protection against ever-evolving online threats, there was no compelling reason for that to change.

A complex upgrade

As much as banks appreciate the risks of using an unsupported operating system underneath some of their most critical customer-facing infrastructure, switching to anything else will be an expensive proposition. ATMs are customized environments, with a sophisticated interface, security and network layers running on top of the basic operating system. Shifting to a new OS foundation is far more involved than simply reinstalling the ATM code on a newer version of Windows. The system must be either recompiled or rebuilt from scratch, then extensively tested to ensure it can survive in the real world.

It’s a capital investment that financial institutions have been able to avoid as long as XP wasn’t going away. Now that it is, they have no choice. As the clock ticks down toward a Y2K-like deadline, expect the cost of compliance to continue to rise as the programmers who will bring the XP-based ATMs up-to-date become ever more scarce. As banks ponder their post-XP future, don’t assume the natural successor will be Windows-based, as this is a cycle their CFOs won’t want to repeat.

Carmi Levy is a London, Ont.-based independent technology analyst and journalist. The opinions expressed are his own. carmilevy@yahoo.ca
