#1
Comment: I have been hearing a lot about ATMs running on Windows XP and that, now that Microsoft no longer supports that OS, the ATMs will either begin to fail or that your information will be stolen since the ATM is no longer secure.
#2
That makes no sense. Assuming ATMs are running Windows XP, they wouldn't just suddenly fail or suddenly become unsecure as a result of MS no longer supporting the OS. MS will no longer be providing updates, but those updates are for fixing existing problems, meaning if there's a security problem or some other flaw in Windows XP it's one that's always been there.
Also, I would expect that there is a lot of additional security added by the ATM manufacturer that has nothing to do with Microsoft.
#3
The vast majority of ATMs apparently do use Windows XP.
While it is true that a future hack would be against a security weakness that is at least as old as the last XP update (not necessarily as old as XP itself) the general consensus I've seen is that there are plenty of hidden flaws in XP that will continue to be discovered by hackers. To put it another way, if all the security flaws have already been identified then updates to XP wouldn't be needed. If you have an XP computer you've probably noticed that it gets security updates pretty regularly and therefore there are still weaknesses being discovered. Another concern is that Windows 7 and 8 use big chunks of code from XP. If a year from now someone discovers a security hole in Windows 8 there is a fair chance that that same hole exists in XP. One would hope that banks have added their own security on top of what XP supplied but banks don't really have all that much money to spend creating security software. I'm sure many banks were caught completely exposed by the recently discovered gaping security hole in SSL. The banks didn't find that hole and for perhaps two or three years their computers that used that version of SSL were vulnerable. (XKCD has a basic description of the security flaw.)
#4
Quote:
Quote:
#5
Some ATMs run one or another version of XP but it's not as if these machines stop getting patched and suddenly they're vulnerable. Most of the exploits so far to these machines have been ones that require a high level of physical access, something practically no OS can protect against. By contrast, that SSL exploit last week was exposed in thousands of servers on the Internet.
The kind of updates that MS has been providing to consumer users - ones that protect against network exploits - aren't going to make much of a difference in security. Also, MS is still providing support to many of the companies still using these XP devices. With XP they're getting a relatively known risk as XP is now more than a decade old. The risks for updating to other systems are completely unknown and, frankly, not worth it, IMO. So, yes, XP is running some ATMs but, no, the lack of support to consumer XP is not going to make any notable difference in security.
#6
Quote:
Quote:
In terms of people hacking into ATMs, I wonder if Diebold, or NCR or BofA would be likely to admit that their machines have been hacked. We know about the SSL/openSSL/Heartbleed breach because it is so ubiquitous that it is impossible to hide the breach by simply not telling anyone about it. A big bank, or supplier to a big bank, might not have much incentive to fess up when their security is breached.
#7
The ATMs and a lot of other things that run on XP aren't a problem. According to CBC they're paying Microsoft for continued updates.
#8
Quote:
Quote:
Last edited by ganzfeld; 17 April 2014 at 01:14 AM.
#9
Quote:
Quote:
I don’t know if our ATM’s use Windows XP, but if they do, they aren’t connected to our network. XP isn’t allowed to connect to our network and must be upgraded. The only entity I know that is paying MS to update Windows is the Dutch and UK government, but this wouldn’t necessarily apply to other organizations. The only thing I can find about the CDC saying anything about extending XP support says nothing about ATM’s and the only bank they mention is JP Chase (and Canadian banks) and that only talks about desktop computers. Cite. Such support seems to be very limited. Another cite I found states that ATMs aren’t connected to the internet. That tells me that the only vectors of attack are going to be via direct access and given that cameras monitor most ATM’s, I don’t see that happening.
#10
I don't think ATMs are a concern but there are other devices that use XP that are a concern I think. Canadian banks, yes. I am in Ontario. I have a cracking headache so I will try to find the link tomorrow.
#11
Concise summary of the non-problem:
#12
There are several different kinds of XP. If those devices aren't the ones that are connecting to something on an open network, I don't see what changes this month except that we'll probably see a flurry of well-meaning admins upgrading to less-secure OSs or uselessly wringing their hands about the fact that they can't upgrade embedded XP systems even though, well, they're embedded systems and they aren't all of a sudden going to collapse just because a completely different consumer XP suddenly isn't getting a weekly update.
#13
Quote:
Quote:
Now I will say that my position at the bank has nothing to do with ATM’s. I do know that Windows updates are very strictly monitored and we don’t just run patches unless it’s been internally tested and certified as OK. This is mostly for desktop PC’s of course but the ATM’s undoubtedly go through a similar (if not an even more stringent) process since these are systems that have to have very high availability. I seriously doubt that patches of ATM’s go on unless there is a really serious threat since the number of ATM’s that would require direct touching is quite large. Any sort of updates are likely on the front end of the ATM, not on Windows itself. They keep an approved build that the company has approved that is very locked down and isn’t going to be targeted like the bank’s internal network is (which is where most of the security resources are targeted). Updating Windows embedded (this isn’t going to be Windows XP like on your laptop) can create risks of ATM outages and on a large scale can be bad. The most likely scenario I see is that the ATM is running some flavor of Windows XP that is very limited on what it can and cannot run and what is installed on it. It can only do certain functions and those functions are very strictly controlled. The desktop PC’s (themselves secure) are a far bigger risk. ATM’s are limited utility systems that have very few ways to interact with them and their access is very limited. Plus they are monitored. They will get replaced on the normal schedule with another approved system that allows them to comply with support contracts. There is also the fact that we don’t have a record of ATM’s being attacked based on past Windows security flaws that we know about, which speaks volumes. These systems are designed to resist direct fraud by people committing direct fraud or stealing money from the ATM. Not exploiting Windows bugs.
#14
Quote:
#15
Microsoft is still supporting XP embedded. ZDnet
Quote:
#16
First of all, XP isn't any less secure than it was a week ago. It's still more proven than Win7 and Win8.
Second, it doesn't matter much for ATM's. It's not like they are on an open network, and the user interface is pretty much locked down. There simply aren't any vulnerable attack points that are exposed to attack. It's as if you put a crappy safe box in a bank vault. It doesn't matter that the safe box could be lockpicked in seconds, you'll still have to get into the vault first...
#17
Seeing that I still (rarely) come across ATMs that operate on IBM OS/2 from time to time and how standard support for that system ended in December 2006, I think that the claim in the OP is a bit silly.
#18
Also, there is a Registry setting that can be tweaked to convince your XP installation that it is an ATM (or at least an embedded WinXP instance) and it won't then pester you about being out of support, and will try and load the odd patch if it finds it.
#19
From what I am aware my brother, who used to work as an ATM repair man, would upload the software via a USB port into the ATM. The ATM itself was built using Unix as this is pretty much the easiest and most secure way to create a program.
The same type of system is used with some slot machines.