Microsoft's deadline for discontinuing Windows XP support (April 8, 2014) is fast approaching. Quick Heal has proactively warned retail users and enterprise users about the risks involved, but it is now time to understand a very different kind of threat associated with this approaching date.
Banking operations, especially ATM services, are likely to be affected beyond the EOL (End of Lifetime) date of Windows XP as a majority of the ATMs in India, and the world, still operate on Windows XP. ATM kiosks are powered by mini-computers and these computers require a stable operating system. Hence, Windows XP has been the popular choice for over a decade now.
However, with Microsoft cutting off support for XP, is this going to adversely impact ATMs in India and open them to hackers, malware and other security risks?
ATMs in India – Numbers & Facts at a Glance
While the exact percentage of ATMs in India that run on XP is not documented, the total number of ATMs in the country has steadily grown. So it would be fair to assume that a majority of these machines would be rendered vulnerable due to support being cut off for XP by Microsoft.
- As per Reserve Bank of India (RBI) stats for November 2013, the number of operational ATMs in India is as follows:

| Type | On-Site ATMs | Off-Site ATMs | Total ATMs |
|---|---|---|---|
| Public Sector Banks | 52,311 | 36,777 | 89,088 |
| Private Sector Banks | 16,598 | 30,164 | 46,762 |
| Foreign Banks | 270 | 960 | 1,230 |
| Grand Total | 69,179 | 67,901 | 137,080 |

- The National Payments Corporation of India (NPCI) is an umbrella organization that oversees retail payments by the RBI and other banks in India. The NPCI also operates the National Financial Switch, which is used for inter-connectivity between the ATMs of different banks. As per the NPCI, the total number of ATMs in India as of February 2014 was 155,387.
- As per the ATM Industry Association (ATMIA), only 38% of the 425,000 ATMs in the United States would have migrated from Windows XP beyond the EOL date. This would leave more than 250,000 ATMs in the US still at risk.
- ATMs in India are provided by several third-party vendors like NCR, Diebold, Wincor Nixdorf and Vortex.
Are the Security Risks Being Exaggerated?
While the dangers of using XP beyond April 8, 2014 are now known, there is a possibility that the security threats against ATMs have been misrepresented and exaggerated. After all, most attacks on ATMs in the past have been physical attacks at the hardware level and not at the software level. However, it is also plausible that this may change after the deadline as ATMs running XP will become more vulnerable.
Nonetheless, ATMs are usually too isolated and protected to launch a software attack against. If an attacker can hack into a bank’s system and launch malicious code on all its ATMs, then the bank has more worrying concerns than upgrading XP on its ATMs.
Some notable points for why these threats may be exaggerated are as follows:
- Though ATMs run on x86 processors and basic PC architecture, they are very different from standard PCs. They run on an embedded version of XP which vastly differs from the regular version of XP that is found in the market. So the security risks that regular users are exposed to do not exist in this case.
- ATMs do not connect to the Internet and pull updates as PCs do.
- ATMs are also generally protected by heavy firewalls and antimalware programs. Therefore, infiltrating them is not as easy as infiltrating PCs.
- It is also safe to assume that banks and financial institutions possess the awareness and technical expertise to safeguard ATMs against the security threats of running XP on them.
What Could be Stopping Banks from Upgrading?
So while the result of running XP on ATMs is not going to be as devastating as reported by many, upgrading it is still a recommended precaution. There are more stable and secure options available in the market so it would be reckless for banks to stick with systems that have been around for decades but are now obsolete.
However, here are some factors that may be stopping banks from initiating a migration plan:
- Since the ATMs that run XP would have been around for many years, they would also need a hardware upgrade while upgrading the software. This would be both expensive and time-consuming.
- Another reason why some banks may be refraining from upgrading their ATMs is the Europay MasterCard Visa (EMV) enforcement that will most likely become mandatory in the next few years. EMV enforcement (known as RuPay in India) requires all debit/credit cards to have an integrated circuit card, or a chip, to avoid card fraud. This enforcement will require most old ATMs to be upgraded anyway. So it may make sense for ATM manufacturers to hold on and solve both these issues together.
While the threat of using Windows XP beyond the EOL date exists for home users and enterprise users, it is perhaps unwise to assume that all the ATMs of the world would also be susceptible to the same risks.
There are several news stories that are doing the rounds about this and they are creating a false sense of panic about the repercussions. We would like to pitch in with our own two bits here and proclaim that ATMs are not going to be afflicted by the removal of XP support by Microsoft to the extent that it is being reported.



