When at a bank machine, making a deposit or taking cash out, it's easy to overlook the finer details of what's going on in the background, such as what operating system it's running. Unless you walked up to a machine that had a blue-screen-of-death present, would you have guessed that it was running Windows? According to statistics, there's a 95% chance that it is. What's more, it's almost certain that it's Windows XP.
As we've discussed at length here, the support deadline for Windows XP is approaching fast, still set for April 8th, 2014. For end-users, this is an obvious problem - no one likes using an unsupported OS. And while Microsoft is doing a good deed in extending anti-malware support for the OS until July 2015, that means little if a severe OS vulnerability is discovered.
Credit: duncan / Flickr
If that's the reality for regular consumers, take into consideration the fact that these same potential issues would be present in over 400,000 ATMs across the US, and no doubt millions more across the globe. It's not just money being held behind this soon-to-be-weakened barrier, it's our money.
Of course, just because an unsupported OS is used, it doesn't mean that a hacker would be able to walk up to a machine and withdraw our life savings, but imagine an exploit that can spread across a network and effectively lock up thousands or even hundreds of thousands of ATMs. That might seem like a stretch, but anything is possible.
Fixing this issue is going to happen slowly. Microsoft is offering customized support contracts to companies that opt for it, but that's an expensive endeavor, and all it does is prolong the inevitable. It's estimated that about 15% of Windows XP ATMs will be updated to Windows 7 by the April deadline, which really goes to show how slow these companies are in getting things done. The deadline for Windows XP has been known about for a good while, so it seems almost inexcusable that all of the nation's ATMs are not updated by this point.
ATMs running Windows XP CE are supported until 2016
A leading vendor, Diebold, states that ATMs will continue to work fine even if not updated, but that much should be obvious. But if you'll recall, Diebold is the company that was responsible for inaccurate voting machines during the 2004 US election, so I'm not sure how much faith I'd put in its wisdom or product security.
Regardless of how slow this rollout is, or what the true risk is, let's hope this story doesn't need to be followed up with one that confirms our fears.