[LINK] "Windows XP powers 95% of world ATMs"

Richard rchirgwin at ozemail.com.au
Fri Mar 21 07:12:40 AEDT 2014


Banks are paying for extended support from Microsoft.

Richard Chirgwin

On 20/03/14 9:36 PM, Alan Hargreaves wrote:
> I was under the impression that ATMs ran an embedded version of XP 
> that had another year or so to run.
>
> alan.
>
> On 03/20/14 21:31, Stephen Loosley wrote:
>>
>>
>>
>> Most ATMs will remain on Windows XP after Microsoft pulls plug on OS
>>
>> By Jaikumar Vijayan (Computerworld (US)) 19 March, 2014
>>
>> More than six out of 10 ATM machines in the country will be running 
>> on an obsolete operating system when Microsoft pulls the plug on 
>> Windows XP on April 8, raising serious security and compliance issues 
>> for the systems' operators.
>>
>> According to the ATM Industry Association (ATMIA), only about 38% of 
>> the nearly 425,000 ATMs in the U.S. that are powered by Windows XP 
>> will have migrated off the OS by next month's deadline.
>>
>> Operators of the remaining quarter million or more machines will have 
>> an increasingly hard time supporting their systems and ensuring 
>> sufficient software security after that date.
>>
>> The Payment Card Industry Security Standards Council (PCI SSC), which 
>> is responsible for overseeing security standards in the payments 
>> industry, has already noted that ATMs still on Windows XP after April 
>> 8 will need to have certain compensating controls in place to be 
>> considered PCI compliant.
>>
>> The PCI SSC estimates that Windows XP powers 95% of ATMs in the world.
>>
>> Several financial institutions have worked out, and at great cost, 
>> arrangements with Microsoft to keep Windows support available for a 
>> while longer, said David Tente, executive director USA of the ATMIA.
>>
>> In many cases, upgrading an ATM's operating system involves physical 
>> access to the machine and about one hour's worth of labor. Not all 
>> ATMs will be ready to migrate to Windows 7 and may need hardware 
>> upgrades as well, Tente said.
>>
>> According to Tente, independent operators run about half the ATMs in 
>> the U.S., while large financial networks operate the rest. A "fair 
>> number" of installed ATMs are powered by Windows CE and embedded 
>> versions of Windows XP, which are not affected by the April 8 
>> deadline, he said.
>>
>> Microsoft has pointedly noted that PCs running Windows XP after 
>> end-of-support should not be considered protected, and has urged 
>> users of the operating system to move to a newer version as soon as 
>> possible.
>>
>> According to Tente, it is quite possible that malicious attackers are 
>> waiting until after April 8 to attack ATMs and other systems running 
>> Windows XP. But just because a system remains on Windows XP after 
>> that date does not automatically make it more vulnerable. "An ATM on 
>> April 9th is going to be just as secure as it was on April 7th," if 
>> operators have the proper measures in place for protecting them, 
>> Tente said.
>>
>> The ATMIA earlier this month released a white paper outlining several 
>> of the risks that operators face by choosing to remain on Windows XP. 
>> The paper is available only to registered members of the association.
>>
>> An executive summary provided to Computerworld highlighted several 
>> issues. Since Windows XP was launched, more than 700 vulnerabilities 
>> have been found in the operating system. "After April 8th 2014, 
>> Windows XP will essentially have zero-day vulnerabilities for 
>> perpetuity," the statement noted.
>>
>> Most ATM hacks have been at the hardware level and through the use of 
>> devices like skimmers. Other security risks include attacks on an 
>> ATM's network, local ports, or browser, the summary said.
>>
>> Without Microsoft's technical support and security fixes, ATM 
>> operators also risk falling out of compliance with requirement 6.2 of 
>> the PCI DSS, which stipulates that all system components handling 
>> credit and debit cards are fully supported by a software or hardware 
>> vendor.
>>
>> "If a vendor isn't providing patches due to support having been 
>> discontinued, then by definition that system cannot be PCI DSS 
>> compliant," said Jim Huguelet, an independent retail security 
>> consultant. "As a general rule, retailers would be concerned about 
>> running any systems without access to ongoing security analysis and 
>> patches, but it is PCI DSS requirement 6.2 that brings the issue to 
>> the forefront."
>>
>> A joint statement issued by the PCI SSC and the ATMIA pointed to 
>> several compensating controls that ATM operators can implement to 
>> remain compliant with PCI requirements even while remaining on 
>> Windows XP.
>>
>> "To be effective, the compensating controls must protect the system 
>> from vulnerabilities that may lead to exploit of the unsupported 
>> code," the statement said.
>>
>> Examples of controls that could be used in combination to mitigate 
>> risk include active monitoring of system logs and network traffic, 
>> application whitelisting, and isolating Windows XP systems from other 
>> systems and networks. Each control by itself is insufficient, but 
>> when combined, they could potentially qualify as a compensating 
>> control from a PCI compliance standpoint.
>>
>> "Compensating controls should only be considered a temporary 
>> solution," Troy Leach, CTO of the PCI SSC, said in the statement. 
>> "Organizations should have a migration plan to upgrade in a 
>> reasonable amount of time to a supported operating system as the OS 
>> serves as the foundation for services and other security controls 
>> related to protecting cardholder data."
>>
>> This article, Majority of ATMs will remain on Windows XP after 
>> Microsoft pulls plug on OS, was originally published at 
>> Computerworld.com. Jaikumar Vijayan covers data security and privacy 
>> issues, financial services security and e-voting for Computerworld.
>>
>> --
>> Cheers,
>> Stephen
>>
>>
>> _______________________________________________
>> Link mailing list
>> Link at mailman.anu.edu.au
>> http://mailman.anu.edu.au/mailman/listinfo/link
>>