ATM Time Bomb
The clock is ticking down to April 8 when Microsoft will cease to issue security updates for Microsoft XP. The bad news for credit unions is that virtually all of their ATMs run on XP, multiple sources told Credit Union Times.
That raises the jackpot question: Will criminals feast on ATMs come April 8? “Those old ATMs are a time bomb,” said Paul Martini, CEO of iboss Network Security.
The good news: experts doubt that the sky will fall in April. The XP ATM fleet indeed brings worries and issues to confront, but all that changes on that day is that Microsoft ceases to issue new updates.
Understand, too, that not all XP is created equal. Some will sunset in April, some won't.
For now, however, some more good news: Even though conventional XP ceases to be supported in April, that does not necessarily mean that fresh vulnerabilities criminals can exploit will suddenly appear.
Elaborated Lois Hansen, vice president of product development at CO-OP Financial Services in Rancho Cucamonga, Calif.: “The immediate impact will not be noticeable mainly because there will be no significant change to the environment. The essence of the Microsoft announcement is that after April 8 and for the future, there will not be further application of Microsoft fixes or security patches to the XP operating system.”
That means credit unions can breathe easy in April – but not for long. Experts do warn that most credit unions need to kick up their efforts to upgrade their vulnerable ATMs to ensure long-term security.
A reason for the delay in ATM upgrades, suggested Gary Walston, executive vice president at Dolphin Debit, which owns and manages ATMs for many credit unions, is that many institutions are still chafing over the expenses they incurred just two years ago to make their ATMs ADA compliant.
A further complication is that, in many instances, upgrading an ATM to a more recent and still supported operating system such as Windows 7 will mean investment not only in software but also in beefier hardware. “Older ATMs may need several thousand dollars of hardware upgrades as well as a skilled staff to do an upgrade to Windows 7,” said Martini.
But, eventually, inaction may come with its own price, said Hansen. “In the longer term and with the application of no more Microsoft security patches on the XP operating system, the credit unions who do not upgrade may be exposed to more fraud risk and they may not be able to add new features or functions to their existing ATMs.”
How to avoid that fate? At Dolphin Debit, maybe half of its ATMs run XP, said Walston, but he noted that many of those are running an XP version called XP Pro for Embedded Systems. That software, specifically created for use in devices such as ATMs, has an end of life of Dec. 31, 2016, according to Microsoft, which will continue to issue security patches for it until then.
ATMs running Embedded Pro therefore are fine as is, suggested Walston, who indicated that this exclusion often is missed in discussions about what to do when XP sunsets.
Many other credit unions whose ATMs are on standard XP should investigate converting to Pro for Embedded Systems, urged Martini, who explained that credit unions could find a safe and inexpensive harbor there. “Where costs are the concern, Embedded is the way to go,” said Martini.
Look further ahead, however, and most credit unions will need to map an upgrade route that gets their ATMs to Windows 7, said Walston. “I believe they will need to be there to be EMV” – chip and PIN – “ready,” he said. That deadline presently is set at October 2016.
The allure of Windows 7 may well convince some credit unions to hopscotch over Embedded mainly because Windows 7 provides a number of real plusses. Robert Johnston, director of software marketing at NCR, said: “NCR actually believes that end of Windows XP support can have a positive impact on credit unions – specifically because it will help spur adoption of Windows 7 as an operating environment.
“Security is the most obvious and talked about advantage to upgrading to Windows 7, but there are other factors that should influence a financial institution's decision related to cost and user experience. Windows 7 is faster and easier to support, helping reduce maintenance costs.
“More dramatically, Windows 7 enables a modern user experience that includes swipe gestures, multi-touch functionality and scroll capabilities that make using an ATM similar to using a mobile phone or tablet computer.”
But what every credit union needs to do now, stressed Walston, is come to grips with the security state of the present ATMs running XP – “Have all the patches been applied? Often the answer is, ‘no’” – and then map out a plan for getting to the next level, be that Embedded Pro or Windows 7.
“Credit unions need to understand their risks and they need a plan to lessen them,” said Walston at Dolphin Debit. “And they need to be doing that now.”