I opened my inbox on April 8, 2014 to an email titled “ATMs More Vulnerable to Cyber Attacks Starting Today”. This piqued my interest and frustration as it was in my personal email and not the email for my ATM 
company. As the owner of a small ATM company (located in Maryland), I was aware that Microsoft was ending their support for Windows XP today (April 8, 2014). I was also aware that this does not affect function any of my machines since they are running versions of Windows CE that will be supported for at least a few more years.
The email came from Recorded Future, a software company that specializes in web intelligence and predictive analytics, which I follow based on my personal interests in data and the internet. Anyway, they did an analysis and a white paper on the proliferation of open source references to ATM malware that has been used in Mexico, Columbia, the Ukraine , and other parts of Europe. I don’t know what an “open source reference” is, but I assume it’s something their technology can read and quantify. They then deduce that with Microsoft ending support for XP this malware will start affecting machines in the US. I also want to point out that to spread the malware a person has to physically open the machine and upload using a CD or USB.
The data they provide could be correct, but the reason I’m writing this post is because this article and many I’ve seen up until today are written to garner fear with headlines that would make you think someone will steal all of your money tomorrow (some have labeled it the “XP-ocalypse”). They include very little information on who this affects (although this particular article does specify that mostly banks have to deal with this problem) and don’t provide much information on what this really means for consumers or businesses with ATMs.
There is also plenty of good information out there, so I wanted to take a second and share some of the facts to help people find the signal through all of the noise.
So what is really happening?
As of April 8, 2014 Microsoft will no longer release security updates/patches for Windows XP now that Windows 7 has been formally adopted by the PC community. These security updates/patches fixed ongoing security vulnerabilities, bugs, and other issues with XP that arose over time. Now that these have stopped any existing bugs or vulnerabilities could be easier targets for hackers to exploit. Keep in mind that a hacker also has to hack into the system (potentially a bank with lots of cyber security) or walk up to and open a machine to physically upload these exploits.
Who does this affect?
Institutionally this mostly affects banks and ATM operators that provide machines with higher level functions such as stamps, checking deposits, and other banking functions. Most machines that just give you cash and let you check your balance are running on Windows CE (an operating system that Microsoft licenses out to that can be optimized for devices with minimal storage and does not allow for end user access) and these are the machines you see in most gas stations, convenience stores, and bars. Banks and operators of these higher process machines will now have to decide how to update the machines. As reported by coindesk, “ATMs need to meet Payment Card Industry Security Standards (PCI SSC) in order to get a green light. Microsoft has said XP users will be considered “unprotected” after it cuts off support next month. However, that’s just part of the story. In fact, Windows XP ATMs will still be able to meet the requirements even without a new OS. The industry had plenty of time to prepare for the cut-off. The PCI SSC clearly states that Windows XP devices will be able to meet its standards after the cut-off, provided their operators make the necessary adjustments. In essence, ATM operators will know what to do when the time comes, as they had plenty of time to prepare. Even regular consumers and small businesses don’t need to be overly concerned. Lack of official support does not mean that XP boxes will turn into malware-ridden botnet zombies overnight. Apart from the promised official anti-malware releases, security firms will also be offering vendors third-party protection. Malwarebytes has launched an updated version of its Anti-Malware Premium suite this week, and the company says it will support XP users for life. As many as 20% of Malwarebyte users are still running XP.”
No need to panic
This really won’t affect general consumers at all. If machines are exploited, it will affect the operators and not the customers, so it behooves them to make sure there are plans in place to keep their machines safe. If you have an ATM in your business it may be worth checking with your operator to see if your machine will be affected, but in most cases you have a kiosk machine running Windows CE you have nothing to worry about.
Summary
The bottom line is that even if ATMs with XP are more vulnerable today than yesterday (per the Recorded Future article), there is little need to panic. Many media outlets are blowing this whole thing out of proportion. Yes a large amount of the machines in the US run XP; however they won’t just start spilling money into the street tomorrow. Banks and ATM operators with affected machines have had time and have options to enable them to keep their machines safe, secure, and spitting out cash for their customers. So don’t let the fear mongers get to you. And if you are still really worried, just use my machines, I promise they work!
References/More Information
- The Death of Windows XP Won’t Kill the ATM Industry, or Help Bitcoin – Coindesk
- Six Things You Need to Know About ATMs and the Windows XP-ocalypse – Bloomburg
- The case for converting ATMs to Windows CE – instead of Windows 7 – ATM Marketplace