
Communications of the ACM

ACM News

Windows XP: The Millennium Bug for ATMs?


An ATM running Microsoft Windows XP, still the operating system of most ATMs.

Nearly 30% of personal computers, and more than 75% of ATMs, still run on Windows XP, despite Microsoft ending support for the operating system.

Credit: Digital Trends

Nearly three years ago, Microsoft announced its intention to end support for Windows XP, officially retiring the 12-year-old operating system. While the tech-savvy may think it is about time the venerable operating system was put out to pasture, the fact is that XP is still widely used on both personal and business computers.

Worldwide, Windows XP is still the operating system of choice for nearly 30% of personal computers, according to NetMarketShare data. Since April 8, however, Microsoft no longer supplies security fixes or updates for XP (outside of a patch it recently released to "fix a critical bug"), which means millions of PCs worldwide will be increasingly vulnerable to new exploits to which Microsoft will not respond.

While the security and stability of many personal computers are at stake, there may be no industry more impacted by the retirement of XP than banking. Industry experts estimate between 75% and 95% of all ATMs run Windows XP. The software we see every time we withdraw cash or make a deposit at an ATM is built on XP. This leaves as many as 400,000 ATMs in the United States alone—and a million more around the globe—open to new XP exploits. One such exploit was uncovered by Symantec as recently as March, so the risk remains high.

The ATM Industry Association expected only 38% of ATMs would be upgraded by the April 8 deadline, even though the retirement of Windows XP was no surprise to anyone; Microsoft has a published lifecycle for its operating systems, generally providing about 10 years of support for each. The company gave 1,000 days’ notice to XP users of the impending phase-out of the operating system – a nearly three-year window for owners to upgrade to an alternative OS.

There are some similarities in this situation to the Millennium Bug that had banks, governments and consumers scrambling to update their software in advance of the calendar flipping to January 1, 2000. Why, then, are ATM operators just now getting around to upgrading their software, with the deadline having just passed? Didn’t they learn anything from Y2K? In fact, many banks have been planning on the XP phase-out for several years, but a number of coinciding deadlines have actually slowed their process.

Patricia Henneke, senior vice president of ATM Banking at U.S. Bank, the country's 10th largest bank, says that organization had been working on a migration plan for nearly three years, but Americans with Disabilities Act (ADA) accessibility rules, Payment Card Industry (PCI) security compliance, and preparation for next-generation EMV chip-based credit cards were also important upgrades that needed to happen at the same time. As the bank was updating hardware and software to comply with these other rules, it also installed software that would allow it to remotely update its ATMs to Windows 7 as the XP deadline approached. By preparing in advance and enabling remote updates, the bank was able to visit each of its ATMs just once during the migration period; this helped U.S. Bank become the first major bank to completely migrate its entire ATM fleet—all 5,000 machines—to Windows 7.

Yet, the migration path is not necessarily a clear one for everyone. Prior to the banking industry adopting Windows XP as the de facto standard OS for ATMs in the early- and mid-2000s, most ATMs ran on OS/2, until IBM phased out that operating system. Banks now have the option of migrating to Windows 8, the latest version of Microsoft’s operating system.

However, according to Sam Ditzion, CEO of Tremont Capital Group and an expert on self-service technology, "Windows 8 is a non-starter for banks. Banks are typically a full version behind." This is actually by choice, he says, as financial services companies prefer to rely on systems that are "proven, stable, and respectable operating systems." Ditzion calls Windows 7 the "logical" operating system to which banks should upgrade.

Now that the April 8 deadline has passed, many banks that were slow to act have negotiated agreements with Microsoft to keep their software safe. Mr. Ditzion says upgrading individual ATMs is actually a less-expensive option than paying for support on the outdated operating system, but some institutions have no choice but to maintain their XP ATMs as they work through their own migration plans. Ultimately, each bank must decide on a path to follow, and most will rely on the expertise of suppliers like Diebold and NCR that manufacture ATMs. It could be a year or more before they fully migrate to Windows 7, and in the meantime they will try to keep their ATMs safe through support agreements with Microsoft and other vendors.

U.S. Bank’s Henneke says moving to the new operating system will enable more innovation. "Windows 7 will bring new technology to ATMs, which is good for the industry. It will enable a new generation of features that couldn’t happen with XP." One such technology allows a customer to initiate a transaction via a mobile phone, scanning a QR code at the ATM—without ever taking out an ATM card or entering a PIN on the machine.

Mark Broderick is a Tampa, FL-based senior research analyst covering the financial services and payments industries for ORC International.


 
