• United States



Windows XP still runs 95 percent of ATMs

Jan 20, 20143 mins
IT LeadershipNetwork Security

With only a few months left until Microsoft support for Windows XP officially expires, almost all bank ATMs still rely on the archaic OS.

There are only 70 days left until Microsoft support for Windows XP expires. While that deadline seems ominously close now, it shouldn’t come as a surprise. The OS is ancient, and Microsoft announced the intent to end support for Windows XP last April, so it’s hard to fathom why 95 percent of the ATMs in the world still run Windows XP, and why banks haven’t made it a higher priority to upgrade.

At the 2010 Black Hat conference in Las Vegas deceased security researcher Barnaby Jack famously demonstrated how to exploit an ATM machine and cause it to spit out cash as if you’d hit the jackpot. Hacking an ATM machine may soon be much easier when Microsoft support for Windows XP expires in April because almost all of the ATMs still run Windows XP, and Microsoft will no longer be issuing updates or security patches for the OS.

Microsoft is offering continued support for a fee, and apparently major banks plan to take advantage of that service to make up for the fact that they’re so far behind the curve. JP Morgan is reportedly buying a one-year extension of support from Microsoft and will begin converting its 19,000 ATMs to Windows 7 in July.

For customers, there probably will not be any significant increase in risk when using ATMs from major banks. Those institutions generally have better security in the first place, and they’ll most likely follow JP Morgan’s lead and purchase extended support from Microsoft to mitigate the risk while they catch up on upgrading their machines.

You might want to avoid the independent standalone ATMs that you typically find at gas stations and small “mom & pop” shops, though. There’s a reasonable chance that the owners of those machines don’t even realize they use Windows XP, and that they’re not aware of the impending doomsday when support for Windows XP expires and open season from cybercriminals begins.

For the most part, though, it’s not the customers who need to be concerned as much as the ATM owners. While it may be possible for an attacker to inject malware that might capture sensitive data and customer PINs, the greater risk is that an attacker could circumvent the system and cause the machine to spit out cash as Barnaby Jack demonstrated in 2010.

ATMs are just the tip of the iceberg, though. There are many kiosk and embedded systems that still run Windows XP, and things could get very interesting once Microsoft stops developing patches.


Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.