snopes.com  

  #1  
Old 16 April 2014, 10:04 PM
snopes
Join Date: 18 February 2000
Location: California
Posts: 109,605
Computer ATMs run on Windows XP

Comment: I have been hearing a lot
about ATMs running on Windows XP and that, now that Microsoft no longer
supports that OS, the ATMs will either begin to fail or that your
information will be stolen since the ATM is no longer secure.
  #2  
Old 16 April 2014, 10:37 PM
WildaBeast
Join Date: 18 July 2002
Location: Folsom, CA
Posts: 14,232

That makes no sense. Assuming ATMs are running Windows XP, they wouldn't just suddenly fail or suddenly become unsecure as a result of MS no longer supporting the OS. MS will no longer be providing updates, but those updates are for fixing existing problems, meaning if there's a security problem or some other flaw in Windows XP it's one that's always been there.

Also, I would expect that there is a lot of additional security added by the ATM manufacturer that has nothing to do with Microsoft.
  #3  
Old 16 April 2014, 11:07 PM
jimmy101_again
Join Date: 29 December 2005
Location: Greenwood, IN
Posts: 6,373

The vast majority of ATMs apparently do use Windows XP.

While it is true that a future hack would be against a security weakness that is at least as old as the last XP update (not necessarily as old as XP itself) the general consensus I've seen is that there are plenty of hidden flaws in XP that will continue to be discovered by hackers. To put it another way, if all the security flaws have already been identified then updates to XP wouldn't be needed. If you have an XP computer you've probably noticed that it gets security updates pretty regularly and therefore there are still weaknesses being discovered.

Another concern is that Windows 7 and 8 use big chunks of code from XP. If a year from now someone discovers a security hole in Windows 8 there is a fair chance that that same hole exists in XP.

One would hope that banks have added their own security on top of what XP supplied but banks don't really have all that much money to spend creating security software. I'm sure many banks were caught completely exposed by the recently discovered gaping security hole in SSL. The banks didn't find that hole and for perhaps two or three years their computers that used that version of SSL were vulnerable. (XKCD has a basic description of the security flaw.)
  #4  
Old 16 April 2014, 11:19 PM
WildaBeast
Join Date: 18 July 2002
Location: Folsom, CA
Posts: 14,232

Quote:
Originally Posted by jimmy101_again
One would hope that banks have added their own security on top of what XP supplied but banks don't really have all that much money to spend creating security software.
Do banks write the security software that runs on their ATMs? I would have thought it was supplied by Diebold or NCR or whoever made the ATM.

Quote:
I'm sure many banks were caught completely exposed by the recently discovered gaping security hole in SSL.
Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.
  #5  
Old 16 April 2014, 11:22 PM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 22,626

Some ATMs run one or another version of XP but it's not as if these machines stop getting patched and suddenly they're vulnerable. Most of the exploits so far to these machines have been ones that require a high level of physical access, something practically no OS can protect against. By contrast, that SSL exploit last week was exposed in thousands of servers on the Internet.

The kind of updates that MS has been providing to consumer users - ones that protect against network exploits - aren't going to make much of a difference in security. Also, MS is still providing support to many of the companies still using these XP devices. With XP they're getting a relatively known risk as XP is now more than a decade old. The risks for updating to other systems are completely unknown and, frankly, not worth it, IMO. So, yes, XP is running some ATMs but, no, the lack of support to consumer XP is not going to make any notable difference in security.
  #6  
Old 16 April 2014, 11:29 PM
jimmy101_again
Join Date: 29 December 2005
Location: Greenwood, IN
Posts: 6,373

Quote:
Originally Posted by WildaBeast
Do banks write the security software that runs on their ATMs? I would have thought it was supplied by Diebold or NCR or whoever made the ATM.
That is probably true but even those makers have limited resources for writing software (and building hardware).

Quote:
Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.
The point isn't that the bug was in SSL, the point is that virtually all software has bugs, even great big glaring bugs, that often go for years before they are discovered.

In terms of people hacking into ATMs, I wonder if Diebold, or NCR or BofA would be likely to admit that their machines have been hacked. We know about the SSL/openSSL/Heartbleed breach because it is so ubiquitous that it is impossible to hide the breach by simply not telling anyone about it. A big bank, or supplier to a big bank, might not have much incentive to fess up when their security is breached.
  #7  
Old 17 April 2014, 12:52 AM
Latiam
Join Date: 19 June 2005
Location: Ontario, Canada
Posts: 4,461

The ATMs and a lot of other things that run on XP aren't a problem. According to CBC they're paying Microsoft for continued updates.
  #8  
Old 17 April 2014, 01:09 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 22,626

Quote:
Originally Posted by jimmy101_again
In terms of people hacking into ATMs, I wonder if Diebold, or NCR or BofA would be likely to admit that their machines have been hacked.
Well, probably but so what? If no one else has found out about it then it hasn't caused users any major trouble and the banks have covered any losses.
Quote:
We know about the SSL/openSSL/Heartbleed breach because it is so ubiquitous that it is impossible to hide the breach by simply not telling anyone about it.
I don't see what Heartbleed has to do with this. Completely different software, environment, method of development, method of update, connectivity, insurance, business, etc etc. Yes, bugs happen. No, not all bugs are related. (ETA But speaking of Heartbleed, it was an update that caused the problem. So now, without any updates to XP, the likelihood of that kind of problem is way way less than OpenSSL, in addition to all the differences already mentioned.)

Last edited by ganzfeld; 17 April 2014 at 01:14 AM.
  #9  
Old 17 April 2014, 01:24 AM
diddy
Join Date: 07 March 2004
Location: Plymouth, MN
Posts: 10,850

Quote:
Originally Posted by WildaBeast
Everything I've heard about Heartbleed stated that most major banks don't use OpenSSL and therefore were not affected by the flaw.
I work for a bank and we released a statement. We don't use Open SSL and are not vulnerable. End users might be, but not the Bank.

Quote:
The ATMs and a lot of other things that run on XP aren't a problem. According to CBC they're paying Microsoft for continued updates.
I can tell you for certain that we are most certainly not paying Microsoft to update Windows XP. I know for a fact that we moved to Windows 7 as of last year (minus stragglers). This is a business requirement.

I don't know if our ATM's use Windows XP, but if they are, they aren't connected to our network. XP isn't allowed to connect to our network and must be upgraded.

The only entity I know that is paying MS to update Windows is the Dutch and UK government, but this wouldn't necessarily apply to other organizations.

The only thing I can find about the CDC saying anything about extending XP support says nothing about ATM's and the only bank they mention is JP Chase (and Canadian banks) and that only talks about desktop computers. Cite. Such support seems to be very limited.

Another cite I found states that ATMs aren't connected to the internet. That tells me that the only vectors of attack are going to be via direct access and given that cameras monitor most ATM's, I don't see that happening.
  #10  
Old 17 April 2014, 01:33 AM
Latiam
Join Date: 19 June 2005
Location: Ontario, Canada
Posts: 4,461

I don't think ATMs are a concern but there are other devices that use XP that are a concern I think. Canadian banks, yes. I am in Ontario. I have a cracking headache so I will try to find the link tomorrow.
  #11  
Old 17 April 2014, 01:45 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 22,626

Concise summary of the non-problem:
Quote:
Originally Posted by diddy
I don't know if our ATM's use Windows XP, but if they are, they aren't connected to our network.
  #12  
Old 17 April 2014, 01:49 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 22,626

Quote:
Originally Posted by Latiam
I don't think ATMs are a concern but there are other devices that use XP that are a concern I think.
There are several different kinds of XP. If those devices aren't the ones that are connecting to something on an open network, I don't see what changes this month except that we'll probably see a flurry of well-meaning admins upgrading to less-secure OSs or uselessly wringing their hands about the fact that they can't upgrade embedded XP systems even though, well, they're embedded systems and they aren't all of the sudden going to collapse just because a completely different consumer XP suddenly isn't getting a weekly update.
  #13  
Old 17 April 2014, 02:31 AM
diddy
Join Date: 07 March 2004
Location: Plymouth, MN
Posts: 10,850

Quote:
Originally Posted by Latiam
I don't think ATMs are a concern but there are other devices that use XP that are a concern I think. Canadian banks, yes. I am in Ontario. I have a cracking headache so I will try to find the link tomorrow.
Most of the concern is going to come from the PC's that are run on a daily basis by employees at the banks (tellers) or at the corporate office running systems that support the related services that the bank operates.

Quote:
Originally Posted by ganzfeld
There are several different kinds of XP. If those devices aren't the ones that are connecting to something on an open network, I don't see what changes this month except that we'll probably see a flurry of well-meaning admins upgrading to less-secure OSs or uselessly wringing their hands about the fact that they can't upgrade embedded XP systems even though, well, they're embedded systems and they aren't all of the sudden going to collapse just because a completely different consumer XP suddenly isn't getting a weekly update.
I doubt that Banks are going to update their ATM's unless they identify something specifically that requires action that involves the ATM's directly. These are dedicated systems that generally have the expectation of working. They aren't doing all that much outside of dedicated services that are limited in operation. Our bank is interested in ATM's not working. And even then, you would never see Windows. You are seeing a front end application that is either directly developed internally or externally.

Now I will say that my position at the bank has nothing to do with ATM's, I do know that Windows updates are very strictly monitored and we don't just run patches unless it's been internally tested and certified as OK. This is mostly for desktop PC's of course but the ATM's undoubtedly go through a similar (if not an even more stringent process) since these are systems that have to have very high availability. I seriously doubt that patches of ATM's go on unless there is a really serious threat since the number of ATM's that would require direct touching is quite large.

Any sort of updates are likely on the front end of the ATM, not on Windows itself. They keep an approved build that the company has approved that is very locked down and isn't going to be targeted like the bank's internal network is (which is where most of the security resources are targeted). Updating Windows embedded (this isn't going to be Windows XP like on your laptop) can create risks of ATM outages and on a large scale can be bad. The most likely scenario I see is the ATM is running some flavor of Windows XP that is very limited on what it can and cannot run and what is installed on it. It can only do certain functions and those functions are very strictly controlled. The desktop PC's (themselves secure) are a far bigger risk. ATM's are limited utility systems that have very few ways to interact with them and their access is very limited. Plus they are monitored. They will get replaced on the normal schedule with another approved system that allows them to comply with support contracts.

There is also the fact that we don't have a record of ATM's being attacked based on past Windows security flaws that we know about speaks volumes. These systems are designed to resist direct fraud by people committing direct fraud or stealing money from the ATM. Not exploiting Windows bugs.
  #14  
Old 17 April 2014, 02:43 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 22,626

Quote:
Originally Posted by diddy
There is also the fact that we don't have a record of ATM's being attacked based on past Windows security flaws that we know about speaks volumes. These systems are designed to resist direct fraud by people committing direct fraud or stealing money from the ATM. Not exploiting Windows bugs.
Thanks, that neatly covers the other points I was trying to make.
  #15  
Old 17 April 2014, 04:55 AM
Die Capacitrix
Join Date: 03 January 2005
Location: Kanton Luzern, Switzerland
Posts: 3,026

Microsoft is still supporting XP embedded. ZDnet

Quote:
Microsoft will continue making critical patches available for the embedded Windows XP systems running on ATMs until January 2016, compared with full Windows XP versions on desktops, for which there will be no more security fixes beyond April 8 this year.
  #16  
Old 17 April 2014, 06:16 AM
Troberg
Join Date: 04 November 2005
Location: Borlänge, Sweden
Posts: 11,580

First of all, XP isn't any less secure than it was a week ago. It's still more proven than Win7 and Win8.

Second, it doesn't matter much for ATM's. It's not like they are on an open network, and the user interface is pretty much locked down. There simply aren't any vulnerable attack points that are exposed to attack.

It's as if you put a crappy safe box in a bank vault. It doesn't matter that the safe box could be lockpicked in seconds, you'll still have to get into the vault first...
  #17  
Old 03 August 2014, 08:31 PM
Garnet Jello
Join Date: 29 July 2011
Location: Western Maryland
Posts: 285

Seeing that I still (rarely) come across ATMs that operate on IBM OS/2 from time to time and how standard support for that system ended in December 2006, I think that the claim in the OP is a bit silly.
  #18  
Old 03 August 2014, 10:15 PM
stoolie
Join Date: 10 February 2006
Location: Christchurch, New Zealand
Posts: 203

Also, there is a Registry setting that can be tweaked to convince your XP installation that it is an ATM (or at least an embedded WinXP instance) and it won't then pester you about being out of support, and will try and load the odd patch if it finds it.
  #19  
Old 17 October 2014, 08:59 PM
KiethHoyt
Join Date: 24 September 2014
Location: Las Vegas, NV
Posts: 7

From what I am aware my brother, who used to work as an ATM repair man, would upload the software via a USB port into the ATM. The ATM itself was built using Unix as this is pretty much the easiest and most secure way to create a program.

The same type of system is used with some slot machines.

All times are GMT.