The menace represented by the nation's many millions of computers running Windows XP – which Microsoft will stop patching April 8 – just may be multiplying.

The issue is not the XP fleet inside credit unions. Most financial institutions, said the experts, know Microsoft is ceasing support, they know their regulators will be monitoring their transition off XP, and they have plans.

Some plans are better than others, some credit unions may not have any plan – but, as a rule, financial institutions are tackling this problem.

But there is a huge XP problem they aren't tackling. The venerable operating system is running on computers used by credit union members who will be accessing online banking, possibly other services, with machines that may well be infected with malware exploiting newly discovered vulnerabilities.

XP, understand, is a relic, but a widely used relic. It went on sale to the public in October 2001. Right now, it powers nearly one-third of computers in use globally. Upgrade paths for those many millions of computers are unclear. Most of them also are relics, many could not run Windows 7, certainly not Windows 8, the latest version (released in 2012). Bottom line: Come April 9 there still will be millions of computers running XP.

“What new risks will financial institutions face on April 9th,” asked Tom Hinkel, director of compliance at Safe Systems, an Alpharetta, Ga., IT vendor to the financial services industry. “XP will enter a life phase where it forever is in a zero day exploit,” meaning that daily new holes may be poked in the system by criminals, knowing that those holes will remain unplugged as long as Microsoft sticks to its resolve to turn its back on XP.

Some experts ominously say that lately there have been releases of very few XP exploits. The implication is that cyber criminals have been stockpiling exploits – counting down to Microsoft's end of support – and they will release them after Microsoft's final patch. So there may be an avalanche of exploits coming on the scene in mid-April.

Two big questions have to be asked: How big are the risks members running XP represent to credit unions; and also: Is it in the best interest of credit unions to work with vulnerable members to educate them about XP risks?

Advised Jason Blackett, a product manager at Utah-based software developer Novell, “Financial institutions have to make sure they are hardened against these attacks on the server side.”

“There really will be no easy way for financial institutions to mitigate risks posed by member computers,” Blackett added.

The first-line threat is simply that the member's computer becomes riddled with malware, such as the Zeus keylogger and hitherto unidentified malware.

It gets scarier from there. What if hackers concoct a way to use an infected XP machine to infect a credit union's servers? Impossible? Maybe. But maybe not because, suddenly, XP will become a playground for hackers seeking to launch new kinds of attacks, and there is no saying what they will or won't do.


As for what credit unions can do, Hinkel urged that “the financial institution has to reach out, they have to make the effort to educate the customer. It would be trivial to put a pop up on online banking: 'You May Be Using an Insecure Operating System.'”

That is: As members log into online banking with XP, tell them they may have risks that need attending to.

Still more needs to be done with the highest-risk members. Hinkel stressed that the savvy credit union will quickly identify its highest-risk members – in most cases, these will be small businesses using XP for online banking – then “do an outreach.”
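One way the login warning and the outreach list described above could be driven from the User-Agent header the online banking site already receives. This is an added example, not code from CU Times or any vendor quoted here; the event fields (`member_id`, `account_type`, `user_agent`), the `min_share` threshold and the sample logins are constructed assumptions.

```python
import re
from collections import defaultdict

# "Windows NT 5.1" is the User-Agent platform token sent by Windows XP;
# "Windows NT 5.2" is sent by XP x64 Edition (and Windows Server 2003).
XP_TOKEN = re.compile(r"Windows NT 5\.[12]\b")
WARNING = "You May Be Using an Insecure Operating System."

def is_xp(user_agent):
    """True if the header claims XP. The header is client-supplied,
    so treat the result as advisory, not as an access-control input."""
    return bool(user_agent and XP_TOKEN.search(user_agent))

def login_banner(user_agent):
    """Text to show after login, or None when no warning applies."""
    return WARNING if is_xp(user_agent) else None

def outreach_list(login_events, min_share=0.5):
    """Business accounts whose logins mostly come from XP, busiest first.
    Returns (member_id, xp_logins, total_logins) tuples."""
    counts = defaultdict(lambda: [0, 0])  # member_id -> [xp, total]
    for ev in login_events:
        if ev["account_type"] != "business":
            continue  # consumers still get the banner, not the phone call
        tally = counts[ev["member_id"]]
        tally[0] += is_xp(ev.get("user_agent"))
        tally[1] += 1
    ranked = [(m, xp, total) for m, (xp, total) in counts.items()
              if xp and xp / total >= min_share]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed sample data (hypothetical members and logins).
UA_XP_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_XP_FF = "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
UA_WIN7 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"

def _ev(member_id, account_type, user_agent):
    return {"member_id": member_id, "account_type": account_type,
            "user_agent": user_agent}

SAMPLE_LOGINS = [
    _ev("M-1001", "business", UA_XP_IE8),
    _ev("M-1001", "business", UA_XP_FF),
    _ev("M-1001", "business", UA_WIN7),
    _ev("M-1002", "business", UA_WIN7),
    _ev("M-1002", "business", UA_WIN7),
    _ev("M-1003", "consumer", UA_XP_IE8),
    _ev("M-1004", "business", UA_XP_FF),
]

if __name__ == "__main__":
    print(login_banner(UA_XP_IE8))
    print(outreach_list(SAMPLE_LOGINS))
```

Because the header can be missing or altered, this only decides who sees a notice and who gets a call; it says nothing about whether a given machine is actually infected.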

That could pay big dividends because many may be unaware that continued use of XP puts them at risk. Few consumers are believed to be aware of XP's scheduled end of support. More businesses know, but many do not. A recent survey by Evolve IP found that 19% of mid-market companies were unaware of Microsoft's end of support for XP. Thirty percent of C-suite executives in those mid-market companies were unaware of the end of life.

“This poses a significant risk,” said Evolve IP, a Wayne, Pa., cloud services provider.

Most credit unions, added Hinkel, “could count the number of high-risk members on the fingers of one hand. It's worth the effort to reach out, to educate them.”

Presently, no security expert contacted by CU Times suggested that credit unions simply cut off access to members using XP. “They risk the wrath of the customers if they make their systems unfriendly to XP,” Blackett said.

Blackett, however, urged credit unions to monitor the XP threat landscape, staying informed about new threats and keeping tabs on new releases of any financially focused malware.

That kind of intelligence will help credit unions keep their high-risk members abreast of the changing dangers.

And that just may be enough to help both the credit union and its members dodge the risks continued use of the 13-year-old operating system will bring.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.