ATMs run on Windows XP

[snopes]

Comment: I have been hearing a lot
about ATMs running on Windows XP and that, now that Microsoft no longer
supports that OS, the ATMs will either begin to fail or that your
information will be stolen since the ATM is no longer secure.

[WildaBeast]

That makes no sense. Assuming ATMs are running Windows XP, they wouldn't just suddenly fail or suddenly become unsecure as a result of MS no longer supporting the OS. MS will no longer be providing updates, but those updates are for fixing existing problems, meaning if there's a security problem or some other flaw in Windows XP it's one that's always been there.

Also, I would expect that there a lot of additional security added by the ATM manufacturer that has nothing to do Microsoft.

[jimmy101_again]

The vast majority of ATMs apparently do use Windows WP.

While it is true that a future hack would be against a security weakness that is at least as old as the last XP update (not necessarily as old as XP itself) the general consensus I've seen is that there are plenty of hidden flaws in XP that will continue to be discovered by hackers. To put it another way, if all the security flaws have already been identified then updates to XP wouldn't be needed. If you have an XP computer you've probably noticed that is gets security updates pretty regularly and therefore there are still weaknesses being discovered.

Another concern is that Windows 7 and 8 use big chunks of code from XP. If a year from now someone discovers a security hole in Windows 8 there is a fair chance that that same hole exists in XP.

One would hope that banks have added there own security on top of what XP supplied but banks don't really have all that much money to spend creating security software. I'm sure many banks were caught completely exposed by the recently discovered gaping security hole in SSL. The banks didn't find that hole and for perhaps two or three years their computers that used that version of SSL were vulnerable. (XKCD has a basic description of the security flaw.)

[WildaBeast]

Quote:

Originally Posted by jimmy101_again

One would hope that banks have added there own security on top of what XP supplied but banks don't really have all that much money to spend creating security software.

Do banks write the security software that runs on their ATMs? I would have thought it was supplied by Diebold or NCR or whoever made the ATM.

Quote:

I'm sure many banks were caught completely exposed by the recently discovered gaping security hole in SSL.

Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.

[ganzfeld]

Some ATMs run one or another version of XP but it's not as if these machines stop getting patched and suddenly they're vulnerable. Most of the exploits so far to these machines have been ones that require a high level of physical access, something practically no OS can protect against. By contrast, that SSL exploit last week was exposed in thousands of servers on the Internet.

The kind of updates that MS has been providing to consumer users - ones that protect against network exploits - aren't going to make much of a difference in security. Also, MS is still providing support to many of the companies still using these XP devices. With XP they're getting a relatively known risk as XP is now more than a decade old. The risks for updating to other systems are completely unknown and, frankly, not worth it, IMO. So, yes, XP is running some ATMs but, no, the lack of support to consumer XP is not going to make any notable difference in security.

[jimmy101_again]

Quote:

Originally Posted by WildaBeast

Do banks write the security software that runs on their ATMs? I would have thought it was supplied by Diebold or NCR or whoever made the ATM.

That is probably true but even those makers have limited resources for writing software (and building hardware).

Quote:

Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.

The point isn't that the bug was in SSL, the point is that virtually all software has bugs, even great big glaring bugs, that often go for years before they are discovered.

In terms of people hacking into ATMs, I wonder if Diebold, or NCR or BofA would be likely to admit that their machines have been hacked. We know about the SSL/openSSL/Heartbleed breach because it is so ubiquitous that it is impossible to hide the breach by simply not telling anyone about it. A big bank, or supplier to a big bank, might not have much incentive to fess up when their security is breached.

[Latiam]

The ATMs and a lot of other things that run on XP aren't a problem. According to CBC they're paying Microsoft for continued updates.

[ganzfeld]

Quote:

Originally Posted by jimmy101_again

In terms of people hacking into ATMs, I wonder if Diebold, or NCR or BofA would be likely to admit that their machines have been hacked.

Well, probably but so what? If no one else has found out about it then it hasn't caused users any major trouble and the banks have covered any losses.

Quote:

We know about the SSL/openSSL/Heartbleed breach because it is so ubiquitous that it is impossible to hide the breach by simply not telling anyone about it.

I don't see what Heartbleed has to to with this. Completely different software, environment, method of development, method of update, connectivity, insurance, business, etc etc. Yes, bugs happen. No, not all bugs are related. (ETA But speaking of Heartbleed, it was an update that caused the problem. So now, without any updates to XP, the likelihood of that kind of problem is way way less than OpenSSL, in addition to all the differences already mentioned.)

[diddy]

Quote:

Originally Posted by WildaBeast

Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.

I work for a bank and we released a statement. We don’t use Open SSL and are not vulnerable. End users might be, but not the Bank.

Quote:

The ATMs and a lot of other things that run on XP aren't a problem. According to CBC they're paying Microsoft for continued updates.

I can tell you for certain that we are most certainly not paying Microsoft to update Windows XP. I know for a fact that we moved to Windows 7 as of a last year (minus stragglers). This is a business requirement.

I don’t know if our ATM’s use Windows XP, but if they are, they aren’t connected to our network. XP isn’t allowed to connect to our network and must be upgraded.

The only entity I know that is paying MS to update Windows is the Dutch and UK government, but this wouldn’t necessarily apply to other organizations.

The only thing I can find about the CDC saying anything about extending XP support says nothing about ATM’s and the only bank they mention is JP Chase (and Canadian banks) and that only talks about desktop computers. Cite. Such support seems to be very limited.

Another cite I found states that ATMs aren’t connected to the internet. That tells me that the only vectors of attack are going to be via direct access and given that cameras monitor most ATM’s, I don’t see that happening.

[Latiam]

I don't think ATMs are a concern but there are other devices that use XP that are a concern I think. Canadian banks, yes. I am in Ontario. I have a cracking headache so I will try to find the link tomorrow.

[ganzfeld]

Concise summary of the non-problem:

Quote:

Originally Posted by diddy

I don’t know if our ATM’s use Windows XP, but if they are, they aren’t connected to our network.

[ganzfeld]

Quote:

Originally Posted by Latiam

I don't think ATMs are a concern but there are other devices that use XP that are a concern I think.

There are several different kinds of XP. If those devices aren't the ones that are connecting to something on an open network, I don't see what changes this month except that we'll probably see a flurry of well-meaning admins upgrading to less-secure OSs or uselessly wringing their hands about the fact that they can't upgrade embedded XP systems even though, well, they're embedded systems and they aren't all of the sudden going to collapse just because a completely different consumer XP suddenly isn't getting a weekly update.

[diddy]

Quote:

Originally Posted by Latiam

I don't think ATMs are a concern but there are other devices that use XP that are a concern I think. Canadian banks, yes. I am in Ontario. I have a cracking headache so I will try to find the link tomorrow.

Most of the concern is going to come from the PC’s that are run on a daily basis by employees at the banks (tellers) or at the corporate office running systems that support the related services that the bank operates.

Quote:

Originally Posted by ganzfeld

There are several different kinds of XP. If those devices aren't the ones that are connecting to something on an open network, I don't see what changes this month except that we'll probably see a flurry of well-meaning admins upgrading to less-secure OSs or uselessly wringing their hands about the fact that they can't upgrade embedded XP systems even though, well, they're embedded systems and they aren't all of the sudden going to collapse just because a completely different consumer XP suddenly isn't getting a weekly update.

I doubt that Banks are going to update their ATM’s unless they identify something specifically that requires action that involves the ATM’s directly. These are dedicated systems that generally have the expectation of working. They aren’t doing all that much outside of dedicated services that are limited in operation. Our bank is interested in ATM’s not working. And even then, you would never see Windows. You are seeing a front end application that is either directly developed internally or externally.

Now I will say that my position at the bank has nothing to do with ATM’s, I do know that Windows updates are very strictly monitored and we don’t just run patches unless it’s been internally tested and certified as OK. This is mostly for desktop PC’s of course but the ATM’s undoubtedly go through a similar (if not an even more stringent process) since these are systems that have to have very high availability. I seriously doubt that patches of ATM’s go on unless there is a really serious threat since the number of ATM’s that would require direct touching is quite large.

Any sort of an updates are likely on the front end of the ATM, not on Windows itself. They keep an approved build that the company has approved that is very locked down and isn’t going to be targeted like the banks internal network is (which is where most of the security resources are targeted). Updating Windows embedded (this isn’t going to be Windows XP like on your laptop) can create risks of ATM outages and on a large scale can be bad. The most likely scenario I see is the the ATM is running some flavor of Windows XP that is very limited on what it can and cannot run and what is installed on it. It can only do certain functions and those functions are very strictly controlled. The desktop PC’s (themselves secure) are a far bigger risk. ATM’s are limited utility systems that have very few ways to interact them and their access is very limited. Plus they are monitored. They will get replaced on the normal schedule with another approved system that allows them to comply with support contracts.

There is also the fact that we don’t have a record of ATM’s being attacked based on past Windows security flaws that we know about speaks volumes. These system are designed to reseat direct fraud by people committing direct fraud or stealing money from the ATM. Not exploiting Windows bugs.

[ganzfeld]

Quote:

Originally Posted by diddy

There is also the fact that we don’t have a record of ATM’s being attacked based on past Windows security flaws that we know about speaks volumes. These system are designed to reseat direct fraud by people committing direct fraud or stealing money from the ATM. Not exploiting Windows bugs.

Thanks, that neatly covers the other points I was trying to make.

[Die Capacitrix]

Microsoft is still supporting XP embedded. ZDnet

Quote:

Microsoft will continue making critical patches available for the embedded Windows XP systems running on ATMs until January 2016, compared with full Windows XP versions on desktops, for which there will be no more security fixes beyond April 8 this year.

[Troberg]

First of all, XP isn't any less secure than it was a week ago. It's still more proven than Win7 and Win8.

Second, it doesn't matter much for ATM's. It's not like they are on an open network, and the user interface is pretty much locked down. There simply aren't any vulnerable attack points that are exposed to attack.

It's as if you put a crappy safe box in a bank vault. It doesn't matter that the safe box could be lockpicked in seconds, you'll still have to get into the vault first...

[Garnet Jello]

Seeing that I still (rarely) come across ATMs that operate on IBM OS/2 from time to time and how standard support for that system ended in December 2006, I think that the claim in the OP is a bit silly.

[stoolie]

Also, there is a Registry setting that can be tweaked to convince your XP installation that it is an ATM (or at least an embedded WinXP instance) and it won't then pester you about being out of support, and will try and load the odd patch if it finds it.

[KiethHoyt]

From what I am aware my brother, who used to work as an ATM repair man, would upload the software via a USB port into ATM. The ATM itself was built using Unix as this is pretty much the easiest and most secure way to create a program.

The same type of system is used with some slot machines.