Is the End of Windows XP Support Putting ATMs at Risk?

The impending deadline of the discontinuation of Windows XP support by Microsoft (April 8, 2014) is fast approaching. Quick Heal has proactively warned retail users and enterprise users about the risks involved, but it is now time to understand a very different kind of threat associated with this approaching date.

atm-windows-xp-650x0

Banking operations, especially ATM services, are likely to be affected beyond the EOL (End of Lifetime) date of Windows XP as a majority of the ATMs in India, and the world, still operate on Windows XP. ATM kiosks are powered by mini-computers and these computers require a stable operating system. Hence, Windows XP has been the popular choice for over a decade now.

However, with Microsoft cutting off support for XP, is this going to adversely impact ATMs in India and open them to hackers, malware and other security risks?

ATMs in India – Numbers & Facts at a Glance

While the exact figures for the percentage of ATMs in India that run on XP is not documented, the total number of ATMs in the country has steadily grown. So it would be fair to assume that a majority of these machines would be rendered vulnerable due to support being cut off for XP by Microsoft.

  • As per Reserve Bank of India (RBI) stats for November 2013, the number of operational ATMs in India are as follows:

Type

On-Site ATMs

Off-Site ATMs

Total ATMs

Public Sector Banks

52,311

36,777

89,088

Private Sector Banks

16,598

30,164

46,762

Foreign Banks

270

960

1,230

Grand Total

69,179

67,901

137,080

Link for checking these numbers – https://www.rbi.org.in/scripts/ATMView.aspx

  • The National Payments Corporation of India (NPCI) is an umbrella organization that overlooks retail payments by the RBI and other banks in India. The NPCI also operates the National Financial Switch which is used for inter-connectivity between the ATMs of different banks. As per the NPCI, the total number of ATMs in India as of February 2014 was 155,387.
  • As per the ATM Industry Association (ATMIA), only 38% of the 425,000 ATMs in the United States would have migrated from Windows XP beyond the EOL date. This would leave more than 250,000 ATMs in the US still at risk.
  • ATMs in India are provided by several third-party vendors like NCR, Diebold, Wincor Nixdorf and Vortex.

atm growth india 2005 - 2015

Are the Security Risks Being Exaggerated?

While the dangers of using XP beyond April 8, 2014 are now known, there is a possibility that the security threats against ATMs have been misrepresented and exaggerated. After all, most attacks on ATMs in the past have been physical attacks at the hardware level and not at the software level. However, it is also plausible that this may change after the deadline as ATMs running XP will become more vulnerable.

1T0R2167_610x407

Nonetheless, ATMs are usually too isolated and protected to launch a software attack against. If an attacker can hack into a bank’s system and launch a malicious code in all its ATMs, then the bank has more worrying concerns than upgrading XP on its ATMs.

Some notable points for why these threats may be exaggerated are as follows:

  • Though ATMs run on x86 processors and basic PC architecture, they are very different from standard PCs. They run on an embedded version of XP which vastly differs from the regular version of XP that is found in the market. So the security risks that regular users are exposed to, do not exist in this case.
  • ATMs do not connect to the Internet and pull updates as PCs do.
  • ATMs are also generally protected by heavy Firewalls and antimalware programs. Therefore, infiltrating them is not as easy as PCs.
  • It is also safe to assume that banks and financial institutions possess the awareness and technical expertise to safeguard ATMs against the security threats of running XP on them.

What Could be Stopping Banks from Upgrading?

So while the result of running XP on ATMs is not going to be as devastating as reported by many, upgrading it is still a recommended precaution. There are more stable and secure options available in the market so it would be reckless for banks to stick with systems that have been around for decades but are now obsolete.

RuPayRoadmap

However, here are some factors that may be stopping banks from initiating a migration plan:

  • Since the ATMs that run XP would have been around for many years, they would also need a hardware upgrade while upgrading the software. This would be both expensive and time consuming.
  • Another reason why some banks may be refraining from upgrading their ATMs is the Europay MasterCard Visa (EMV) enforcement that will most likely become mandatory in the next few years. EMV enforcement (known as RuPay in India) requires all debit/credit cards to have an integrated circuit card, or a chip, to avoid card fraud. This enforcement will require most old ATMs to be upgraded anyway. So it may make sense for ATM manufacturers to hold on and solve both these issues together. Read more about EMV here.

While the threat of using Windows XP beyond the EOL date exists for home users and enterprise users, it is perhaps unwise to assume that all the ATMs of the world would also be susceptible to the same risks.

There are several news stories that are doing the rounds about this and they are creating a false sense of panic about the repercussions. We would like to pitch in with our own two bits here and proclaim that ATMs are not going to be afflicted by the removal of XP support by Microsoft to the extent that it is being reported.

Rahul Thadani

Rahul Thadani


65 Comments

Leave a Reply to hemant Cancel reply

Your email address will not be published.

CAPTCHA Image

  1. Avatar Harish BharatiMarch 28, 2014 at 5:44 PM

    Thanks for your valued information………..:-)

    Reply
  2. Thanks for your importanct information

    Reply
  3. Avatar keerthi sreeMarch 28, 2014 at 6:27 PM

    Thanks for your valuable information and it is very helpful to public 🙂

    Reply
  4. Avatar Laxmi Narain ChawlaMarch 28, 2014 at 8:04 PM

    I am lucky having Quick Heal security on my system as this not only saves my computer from the external attacks but I also receive such valuable information time to time.

    Reply
  5. Avatar NIHAR RANJAN PATIMarch 28, 2014 at 8:28 PM

    IF IT IS FACT, THEN IT IS A MATTER OF CONCERN & THEN THERE MUST BE SOME REMEDY FOR IT & TIME IS PASSING AWAY.SO……

    Reply
  6. Avatar SUSHIL TIWARIMarch 28, 2014 at 8:56 PM

    Thanks for the information…. than what to do??// Any solution for this…..

    Reply
    • Rahul Thadani Rahul ThadaniMarch 29, 2014 at 3:19 PM

      Hi Sushil,

      As mentioned, we do not need to worry much about this problem. All we need to do is wait till all the banks upgrade their OS soon and carry on with our transactions in the same manner.

      Regards.

      Reply
  7. sad to say end of Xp,but new information i got thank u……

    Reply
  8. Thanks for valued information

    Reply
  9. Avatar manoj patelMarch 28, 2014 at 11:39 PM

    my antivirous has not update please give me idea

    Reply
  10. Avatar prabhakarMachiwalMarch 28, 2014 at 11:39 PM

    This is a very important and valuable information for all.

    Reply
  11. thank you for sharing the important information, Quick Heal flashed a message on my HP laptop screen which forwarded me to this link….

    you are doing a tremendous job quickheal….

    Reply
  12. it’s vary nice software ,it use u can save u r mobile….

    Reply
  13. Avatar BHAT ARSHIDMarch 29, 2014 at 12:56 AM

    important and valuable information thanking for you

    Reply
  14. gud and useful information. tahnks. should be sharing with others.

    Reply
  15. This is a very important and valuable information for all……

    Reply
  16. Avatar Manoj KumarMarch 29, 2014 at 9:50 AM

    This onecis a very important information. Thnxx a lot for this type of information.

    Reply
  17. Worthy and valuable information..
    Thanks a lot…

    Reply
  18. sad to hear about xp. useful info. thanks

    Reply
  19. Thank u for ur valuable information..

    Reply
  20. give the list of banks those who update their software

    Reply
  21. Valuable information

    Reply
  22. thanks for this information

    Reply
  23. Avatar Rajeev TrivediMarch 29, 2014 at 11:55 AM

    If some one clones the debit card and injects VIRUS in ATM, would than be Microsoft supporting after 8-1-2014?

    Reply
  24. Avatar Ansumay DattaMarch 29, 2014 at 12:06 PM

    Thanks a lot to Quick Heal not only for their preventive measures against antivirus,spyware etc.but also for information on valuable current topics.

    Reply
  25. It’s nice to have such an antivirus, which have protected my system for last seven and half years, thank you u guys are doing a great job, only one thing i like to add which is that soon after this news i upgraded my system to win 7 with xp in dual boot but sadly our antivirus does not allow single copy to run on dual boot system as now i have to purchase one more copy for win 7 too, though its one system but with two os. anyways thanks and keep up the work.

    Reply
  26. Avatar Navnath RodeMarch 29, 2014 at 2:12 PM

    hanks for your importanct information

    Reply
  27. Very useful information. Thanks.

    Reply
  28. verry interesting

    Reply
  29. meney more risk to avoids

    Reply
  30. Avatar Sharad PhadkeMarch 29, 2014 at 5:30 PM

    What is “Onsite” and “Offsite” and how they are affected.
    If onsite is in Bank itself there is less danger of tempering ATM Booth.

    Reply
  31. Avatar TAPAS CHANDRAMarch 29, 2014 at 6:52 PM

    very interesting & also useful information. Thanks.

    Reply
  32. Avatar Rev Dr Rahul UthwalMarch 29, 2014 at 8:18 PM

    Thanks for this information.

    Reply
  33. Avatar K. R. JangidMarch 30, 2014 at 12:54 AM

    This write up has removed much of confusion spread among ATM users by various sources. Thanks a lot.

    Reply
  34. Avatar C.RadhakrishnanMarch 30, 2014 at 6:22 AM

    Very useful information. Thanks.

    Reply
  35. Thank you for very useful information.

    Reply
  36. Dear Sir,

    Before using ATM Machine,how to know it updated for window-7,8 how to know,secondly some safety precautions may pblish for ATM CARD user.

    Reply
    • Rahul Thadani Rahul ThadaniApril 1, 2014 at 10:18 AM

      Hi J P Pawar,

      Unfortunately, when we operate an ATM, we cannot see the OS that is powering that specific machine. This is because the machine is running an embedded version of the OS and this is also why Microsoft removing support for XP will not affect ATMs in a negative way.

      Regards.

      Reply
  37. Thanks for alert relate to Window XP.

    Reply
  38. Avatar Arvind KumarMarch 30, 2014 at 9:19 PM

    Thanks for very usefull informations.

    Reply
  39. Avatar Arvind KumarMarch 30, 2014 at 9:23 PM

    Thanks; I needed this information.

    Reply
  40. Avatar Arvind KumarMarch 30, 2014 at 9:25 PM

    Quick heal is ultimate solution for security.

    Reply
  41. Avatar Anirban ChakrabortyMarch 30, 2014 at 10:28 PM

    Thank You so much Mr. Rahul Thadani for this important discussion. ATMs are the most modernized place to fulfill many banking requirements of people belonging from all classes. Here security is the highest concern for all the stakeholders of an ATM.

    But apart from this issue, there are some other problems still existing in the modern ATMs, irrespective of any bank. Running on embedded version of windows XP some ATMs hangs frequently. Customer’s account is debiting with no cash dispense is a common problem in many ATMs. People from urban ares can resolve this problem by contacting their respective banks immediately, but people from the rural areas are suffering by their loss of money. Because most of them still do not know how to use ATMs.

    I have seen many ATMs which enables the user to use it with three languages. But many ATMs are running only with English. When someone choose some other language, screen becomes blue or dark. Most of rural people cannot understand English and hence they have to take other’s help. It is a serious risk.

    Opening the ATM gate with card swipe is now is like a joke in many public or private bank’s ATM.

    Sometimes Damaged or too old notes are dispensed from ATMs which are likely to unusable. Fear of getting fake notes from ATMs are growing in the minds of general people of remote areas. Some people are totally averse of using any ATMs of any bank.

    I know somehow I not talking on the core subject but these all are some kind of risk. India is still underdeveloped and properly educating people about modern day’s banking and using ATMs is a huge task. We all need and we all demand for SAFE BANKING.

    Yes, security issues at the programming platform of the ATM machines are the major concern. Thank you again for your valuable illustration. But we need to be more cautious especially in the case of internet banking. It still quickest but most dangerous.

    Expecting a good article with some worthy notes from you in coming days about how to make transactions in the safest way though internet banking. Since personal computers and mobile devices are monitored by mostly individuals and many of them are unaware of security precautions.

    Thank you again. Take care.

    Reply
    • Rahul Thadani Rahul ThadaniApril 1, 2014 at 10:11 AM

      Hi Anirban,

      Thank you for your valuable feedback and completely accurate points. All the issues that you have mentioned with regards to ATMs are completely true. Regrettably, this is the state most of our modern banking services and ATMs are in. Unfortunately, this is something we all have to deal with and hope that the situation improves over time.

      For now the best thing to do for people in rural areas, is to locate one ATM which is reliable and stick to using that only. It may not be the closest ATM so it is not a convenient solution. However, it is better to use a reliable ATM that is a bit far, rather than an unreliable one which is extremely close by. Even people in urban areas have to deal with these issues with regards to ATMs, even though there are more ATMs to choose from.

      Your feedback about Internet banking and what steps one should take to be safe while carrying out such transactions, is noted. You will most certainly find a good article about the same in the upcoming days.

      Thank you once again for your insight and feedback. In the meantime, you can also spread the word about such issues and provide people with tips on how to be safe while operating ATMs and Internet banking as you seem to be quite knowledgeable about these matters.

      Best regards.

      Reply
  42. Avatar SURINDER VIRDIMarch 31, 2014 at 10:50 AM

    Few days back I have installed Quick Heal Total security in my computer, but it is opening in the temporary profile only, it does not save any new files.Is it because I have not yet activated the key to avail the 20 days grace period.What should I do to fix this problem.

    Reply
  43. Avatar Parmeshwari PMarch 31, 2014 at 12:03 PM

    Its very important and valuable.Panic created in most of the ATM card holders get sigh of relieve.Thanks.

    Reply
  44. Thank you Rahul Thadani for the info. i have a query! why do we need to upgrade our anti-virus every third day? why cant you’ll provide updates which will last for at-least a week? its just using my data(which i have to spend my pockets on) everytime i start my PC..

    Reply
    • Rahul Thadani Rahul ThadaniApril 1, 2014 at 10:01 AM

      Hi Thiru,

      The reason for the frequent updates is because with each passing day, malware is developed which can infiltrate existing versions of programs on your machine and even the antivirus software itself. To combat this, as soon as a threat is detected by us, it needs to be updated in all versions of Quick Heal software. A delay of even one day can leave machines vulnerable to attacks. It may prove to be a bit inconvenient with constant updates, but in order to avoid this, you can turn automatic updation OFF. But this will leave your machines vulnerable to attacks.

      Thanks.

      Reply
  45. Avatar Gapsh Dingsar RaiMarch 31, 2014 at 1:59 PM

    thanks for important information

    Reply
  46. Avatar Hosen SagarMarch 31, 2014 at 5:19 PM

    Thanks a lots for Such type of information,but how can somebody know about the operating system of a ATM because normally it shows its sbi programme software that asking for inserting card ?

    Reply
    • Rahul Thadani Rahul ThadaniApril 1, 2014 at 9:58 AM

      Hi Hosen,

      When we operate an ATM, we cannot see the OS that is powering that specific machine. This is because the machine is running an embedded version of the OS and this is also why Microsoft removing support for XP will not affect ATMs in a negative way.

      Thanks.

      Reply
  47. Avatar Pranab PainApril 1, 2014 at 2:27 PM

    Thank you for this…

    Reply
  48. Thank you Quick Heal for information. Actually this is the responsibility of RBI or concerned authority to make people aware of this important fact. Let it be. Thanks.

    Reply
  49. Avatar Bidhan DuttasApril 2, 2014 at 12:32 PM

    Thanks for the valuable information.

    Reply
  50. Hi, first of all thanks for the information!
    And one more thing that I had downloaded quick heal total security before one month.after one month it has started showing me that plz activate using product key or “get free extension”.I am still trying to get free extension but I am unable to get because the message is not getting send.(as we know quick heal give free extension if we recommend it to two people). I did all the things to send message but still I can not…plz help..

    Reply
    • Rajiv Singha Rajiv SinghaApril 3, 2014 at 9:31 AM

      Hi Hemant,

      Thank you for choosing Quick Heal. We would request you to kindly contact our support team so that they can provide you with an appropriate solution to this issue. You can contact them at at 0-927-22-33-000.

      You can also raise a query at https://www.quickheal.com/submitticket.asp. Our support team will get back to you to resolve the issue you are facing.

      Regards,

      Reply
  51. Avatar ADITYA V TELIApril 7, 2014 at 11:17 PM

    Thank You So Much Quick Heal. . .

    Reply
  52. Thank you for the information….

    Reply
  53. Avatar s.k. tiwariApril 16, 2014 at 12:35 PM

    hi sir,
    i am working on internet through airtel sim device but past two days i am fascing a problum ( not open any site properly )pl guide me .

    Reply
    • Rahul Thadani Rahul ThadaniApril 18, 2014 at 5:32 PM

      Hi S.K. Tiwari,

      Can you contact our support center on 0-927-22-33-000? If this issue is being caused by a Quick Heal product, they will resolve it immediately for you.

      Thanks.

      Reply