[LINK] "Windows XP powers 95% of world ATMs"

Stephen Loosley stephen at melbpc.org.au
Fri Mar 21 13:36:55 AEDT 2014

Alan and Richard write, 
> Banks are paying for extended support from Microsoft.
> 
> Richard Chirgwin
> 
> On 20/03/14 9:36 PM, Alan Hargreaves wrote:
> > I was under the impression that ATMs ran an embedded version of XP
> > that had another year or so to run.
> >
> > alan.


ATM operators eye Linux as alternative to Windows XP
By Jaikumar Vijayan  (Computerworld (US))  20 March, 2014

Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.

Many have already moved, or are in the process of moving, to Windows 7, the next available Windows upgrade for ATM systems. But others are considering Linux as an alternative, Tente said.

Before turning to Windows XP, a majority of ATMs ran IBM's OS/2 operating system.

A new ATM can cost anywhere from $15,000 to $60,000 and operators typically like to have at least a seven- to 10-year lifecycle for each one. In some cases, ATMs remain in place for 10 to 15 years, Tente said.

Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), said that almost 30% of installed point of sale systems at convenience stores and petroleum retailers already are Linux-based.

"It makes sense to move to a bespoke, but open, platform like Linux -- even from a data security sense," Taylor said. "Microsoft's Achilles heel is data security."

Windows XP and embedded XP have been the cornerstone of Microsoft's presence in the retail sector during the past several years, he said. The embedded version especially allowed operation on very low-level hardware.

"If I were Microsoft, I would have kept XP embedded alive for a few more years, and charged an escalating support fee" for it, he said. 

> > On 03/20/14 21:31, Stephen Loosley wrote:
> >>
> >> Most ATMs will remain on Windows XP after Microsoft pulls plug on OS
> >>
> >> By Jaikumar Vijayan  (Computerworld (US))  19 March, 2014
> >>
> >>   More than six out of 10 ATM machines in the country will be running 
> >> on an obsolete operating system when Microsoft pulls the plug on 
> >> Windows XP on April 8, raising serious security and compliance issues 
> >> for the systems' operators.
> >>
> >> According to the ATM Industry Association (ATMIA), only about 38% of 
> >> the nearly 425,000 ATMs in the U.S. that are powered by Windows XP 
> >> will have migrated off the OS by next month's deadline.
> >>
> >> Operators of the remaining quarter million or more machines will have 
> >> an increasingly hard time supporting their systems and ensuring 
> >> sufficient software security after that date.
> >>
> >> The Payment Card Industry Security Standards Council (PCI SSC), which 
> >> is responsible for overseeing security standards in the payments 
> >> industry, has already noted that ATMs still on Windows XP after April 
> >> 8 will need to have certain compensating controls in place to be 
> >> considered PCI compliant.
> >>
> >> The PCI SSC estimates that Windows XP powers 95% of ATMs in the world.
> >>
> >> Several financial institutions have worked out, and at great cost, 
> >> arrangements with Microsoft to keep Windows support available for a 
> >> while longer, said David Tente, executive director USA of the ATMIA.
> >>
> >> In many cases, upgrading an ATM's operating system involves physical 
> >> access to the machine and about one hour's worth of labor. Not all 
> >> ATMs will be ready to migrate to Windows 7 and may need hardware 
> >> upgrades as well, Tente said.
> >>
> >> According to Tente, independent operators run about half the ATMs in 
> >> the U.S., while large financial networks operate the rest. A "fair 
> >> number" of installed ATMs are powered by Windows CE and embedded 
> >> versions of Windows XP, which are not affected by the April 8 
> >> deadline, he said.
> >>
> >> Microsoft has pointedly noted that PCs running Windows XP after 
> >> end-of-support, should not be considered as protected and has urged 
> >> users of the operating system to move to a newer version as soon as 
> >> possible.
> >>
> >> According to Tente, it is quite possible that malicious attackers are 
> >> waiting until after April 8 to attack ATMs and other systems running 
> >> Windows XP. But just because a system remains on Windows XP after 
> >> that date does not automatically make it more vulnerable. "An ATM on 
> >> April 9th is going to be just as secure as it was on April 7th," if 
> >> operators have the proper measures in place for protecting them, 
> >> Tente said.
> >>
> >> The ATMIA earlier this month released a white paper outlining several 
> >> of the risks that operators face by choosing to remain on Windows XP. 
> >> The paper is available only to registered members of the association.
> >>
> >> An executive summary provided to Computerworld highlighted several 
> >> issues. Since Windows XP was launched, more than 700 vulnerabilities 
> >> have been found in the operating system. "After April 8th 2014, 
> >> Windows XP will essentially have zero-day vulnerabilities for 
> >> perpetuity," the statement noted.
> >>
> >> Most ATM hacks have been at the hardware level and through the use of 
> >> devices like skimmers. Other security risks include attacks on an 
> >> ATM's network, local ports, or browser, the summary said.
> >>
> >> Without Microsoft's technical support and security fixes, ATM 
> >> operators also risk falling out of compliance with requirement 6.2 of 
> >> the PCI DSS, which stipulates that all system components handling 
> >> credit and debit cards are fully supported by a software or hardware 
> >> vendor.
> >>
> >> "If a vendor isn't providing patches due to support having been 
> >> discontinued, then by definition that system cannot be PCI DSS 
> >> compliant," said Jim Huguelet, an independent retail security 
> >> consultant. "As a general rule, retailers would be concerned about 
> >> running any systems without access to ongoing security analysis and 
> >> patches, but it is PCI DSS requirement 6.2 that brings the issue to 
> >> the forefront."
> >>
> >> A joint statement issued by the PCI SSC and the ATMIA pointed to 
> >> several compensating controls that ATM operators can implement to
> >> remain compliant with PCI requirements even while remaining on 
> >> Windows XP.
> >>
> >> "To be effective, the compensating controls must protect the system 
> >> from vulnerabilities that may lead to exploit of the unsupported 
> >> code," the statement said.
> >>
> >> Examples of controls that could be used in combination to mitigate risk
> >> include active monitoring of system logs and network traffic, 
> >> application whitelisting and isolating Windows XP systems from other 
> >> systems and networks. Each control by itself is insufficient, but 
> >> when combined, could potentially qualify as a compensating control 
> >> from a PCI compliance standpoint.
> >>
> >> "Compensating controls should only be considered a temporary 
> >> solution," Troy Leach, CTO of the PCI SSC, said in the statement. 
> >> "Organizations should have a migration plan to upgrade in a 
> >> reasonable amount of time to a supported operating system as the OS 
> >> serves as the foundation for services and other security controls 
> >> related to protecting cardholder data."
> >>
> >> This article, Majority of ATMs will remain on Windows XP after
> >> Microsoft pulls plug on OS, was originally published at
> >> Computerworld.com. Jaikumar Vijayan covers data security and privacy 
> >> issues, financial services security and e-voting for Computerworld.
> >> --
> >> Cheers,
> >> Stephen
> >>
> >>
> >> _______________________________________________
> >> Link mailing list
> >> Link at mailman.anu.edu.au
> >> http://mailman.anu.edu.au/mailman/listinfo/link
> >>
> >
>
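The joint PCI SSC / ATMIA statement quoted above names three compensating controls for ATMs left on XP: log and network monitoring, application whitelisting, and isolating the machines from other networks. The following is an added example, not code from the mailing-list post, Computerworld, the ATMIA or the PCI SSC, showing what the monitoring side of two of those controls looks like in practice: a small audit routine that reads process-start and network-connection events from a log feed and raises an alert whenever an executable outside the allow-list runs or a connection leaves the approved segment. The log line format (`host|event|field`), the allow-listed paths, the host names and the addresses are all constructed for the example; a real deployment would feed it from the ATM's actual event source and its own documented allow-list.

```python
"""Added example: default-deny audit of constructed ATM log lines for two
PCI compensating controls (application whitelisting, network isolation).
Every path, host name and address here is made up for the example."""

import ipaddress
from dataclasses import dataclass

# Constructed allow-list: the only executables the ATM image may start.
# Stored lower-case so the comparison is case-insensitive, as Windows paths are.
ALLOWED_EXECUTABLES = {
    r"c:\atm\dispenser.exe",
    r"c:\atm\cardreader.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed: the single network segment an isolated ATM may talk to
# (its transaction-host range). Anything else is an isolation violation.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class Alert:
    host: str      # ATM that produced the event
    control: str   # which compensating control flagged it
    detail: str    # human-readable explanation


def parse_line(line):
    """Parse one constructed log line 'host|event|field' into a 3-tuple."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        raise ValueError(f"malformed log line: {line!r}")
    return tuple(parts)


def check_process(host, image):
    """Whitelisting: alert on any executable not on the allow-list.
    This is default-deny, so an unknown binary is flagged even if it is
    not 'known bad'."""
    if image.lower() not in ALLOWED_EXECUTABLES:
        return Alert(host, "whitelist", f"unlisted executable started: {image}")
    return None


def check_connection(host, dest):
    """Isolation: alert on any destination outside the approved segment."""
    addr = ipaddress.ip_address(dest)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return Alert(host, "isolation",
                     f"connection outside approved segment: {dest}")
    return None


def audit(lines):
    """Run both checks over an iterable of log lines and return the alerts.
    Unknown event types are also flagged, so gaps in the feed are visible."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        host, event, field = parse_line(line)
        if event == "PROCESS_START":
            alert = check_process(host, field)
        elif event == "NET_CONNECT":
            alert = check_connection(host, field)
        else:
            alert = Alert(host, "unknown-event", f"unrecognised event: {event}")
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample feed: two benign events, two that each violate one control,
# and a benign one from a second machine.
SAMPLE_LOG = """\
atm-0017|PROCESS_START|C:\\atm\\dispenser.exe
atm-0017|NET_CONNECT|10.20.0.5
atm-0017|PROCESS_START|C:\\temp\\update.exe
atm-0017|NET_CONNECT|198.51.100.23
atm-0042|PROCESS_START|C:\\Windows\\System32\\svchost.exe
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines()):
        print(f"{a.host} [{a.control}] {a.detail}")
```

Run against the constructed feed it produces two alerts for atm-0017, one from each control, and none for atm-0042. The point of the structure is the one the PCI SSC statement makes: each check on its own is weak (the whitelist check says nothing about where traffic goes, the isolation check says nothing about what is running), and only together with an operator actually reading the alerts do they approach a compensating control.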
