Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Retail banking

Group

Future Finance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

An article relating to this blog post on Finextra:

Discontinuation of support for Microsoft XP poses operational risks to banks - FFIEC

The Federal Financial Institutions Examination Council (FFIEC) has warned that plans by Microsoft to discontinue support for the XP operating system pose operational risks for banks that still use it.

See article

Is that a worm in my ATM?

When ATM vendors got behind Windows XP as a replacement for IBM’s OS/2 as it neared the end of its shelf life 10 years ago, there was a predictable flurry of concern.

And instinctively, the concerns made sense. Why would you use the most popular and most targeted all-purpose PC operating system to run such a machine with very specific functions and security requirements?

But there were obvious benefits – among them greater user interface flexibility, compatibility with other internal and customer facing applications and banks’ familiarity with securing desktop estates on the same OS. And, banks said, most ATMs operated within very closed networks.

Then in 2003, the Slammer worm affected operations of 13,000 Bank of America ATMs, even though it wasn’t directly infecting ATMs themselves, rather back-end servers that connected to them. This was followed later that year by two US banks confirming the Welchia or Nachi worm had directly affected some ATMs.

Many commentators took these examples, pointed to banks increasingly moving ATM networking to TCP/IP to save money, and predicted a vulnerable future for ATM security.

Security and ATM vendors responded with additional firewalls, hardware devices and software security layers. And since then things have been pretty quiet.

Now, with XP end of support just eight months away, and around 75 per cent of ATMs still running on the operating system, will this change? Probably not.

The ATM vendors have been leisurely pushing Windows 7 upgrades for the past few years, but  have also been careful to reassure banks that their additional security layers and removal of superfluous vulnerabilities from XP would protect them if they didn’t get around to the upgrade right away.

In the end, upgrade pace will be determined by how seriously each bank takes PCI DSS compliance, whether their hardware is getting too old to run new ATM applications and Windows 7, and competing priorities.

But if an ATM security threat does emerge after XP stops getting patches in April, upgrading might suddenly seem a bit more urgent. 

 

5458

Channels

Security Retail banking

Group

Future Finance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Elton Cane

Elton Cane

Digital product delivery

News Corp Australia

Member since

16 Feb 2007

Location

Brisbane

Blog posts

116

Comments

54

More from Elton

Community
See all blogs »
Information Security 

What D.O.R.A means for your security team

Andrew Kays

Andrew Kays

API 

Financial Organizations Can’t Stop at Security Frameworks to Protect Their APIs

Will Glazier

Will Glazier

Financial Services Regulation 

How FS organisations can navigate the ever-evolving compliance landscape

Mark Nutt

Mark Nutt

Artificial Intelligence  

Navigating Personal Data in LLMs: A GDPR Perspective

Erica Andersen

Erica Andersen

Now hiring

See more