by Aravinda Korala, CEO, KAL ATM Software
Microsoft ends Windows XP support tomorrow, leaving many of the world's 2.6 million bank ATMs without software support. How did the ATM industry get itself into such a mess?
It's not like we did not have ample notice — Microsoft has a product lifecycle of 10 years. XP was first launched in 2001, but its end-date was subsequently extended due to the missteps of Windows Vista. So we have always known that this date was coming ...
But firstly — what does end of support really mean? The XP license itself does not expire — it remains valid. The crucial missing piece after tomorrow is the end of security patches — there will be no further releases of patches for any new vulnerabilities that might be found in XP.
Will ATM Armageddon befall us tomorrow? The answer is no. Or, at least, not yet. Most bank ATMs are very well protected. They are connected on a private network with no Internet access. They are locked down tightly so that only the minimum functionality necessary for the ATM to operate is allowed.
Onboard firewalls ensure that the ATM communicates only with its designated server, and anti-virus software together with application whitelisting ensures that no unapproved software can run. And of course ATMs do not have an email client that can receive messages with infected attachments, nor does an ATM's Web browser visit dodgy websites. This means that the great majority of the usual attack routes are blocked.
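The two controls just described, a hash-based application whitelist and a single-destination egress rule, are small enough to show in code. The following is an added example written for this article, not KAL's or any ATM vendor's software: the sample "binaries", their hashes, the event log and the designated server address 10.20.30.40:443 are all constructed for illustration. It shows why the whitelist must be keyed by content hash rather than by path (a tampered copy at the trusted path is refused) and why the egress rule must match both address and port. It also makes the limit of the approach visible: the policy only ever sees a file about to start or a connection about to open, so an exploit that takes over an already-whitelisted process in memory never reaches it.

```python
"""Illustrative ATM lockdown policy: hash-based application whitelisting plus a
single-destination egress rule, evaluated over a constructed event log.
Added example for this article; not KAL's or any ATM vendor's code."""
import hashlib
import ipaddress

# Constructed stand-ins for the binaries installed on the ATM. On a real
# machine the whitelist would be built from the files on disk at deployment.
INSTALLED_BINARIES = {
    r"C:\atm\dispenser.exe": b"MZ\x90\x00 dispenser service build 4.2",
    r"C:\atm\xfs_sp.dll": b"MZ\x90\x00 vendor XFS service provider",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Keyed by content hash, not by path: a binary swapped in at a trusted path
# must fail the check.
ALLOWED_HASHES = frozenset(sha256_hex(b) for b in INSTALLED_BINARIES.values())

# Hypothetical designated host switch address and port (an assumption for
# this example, not a value from the article).
DESIGNATED_SERVER = (ipaddress.ip_address("10.20.30.40"), 443)


def may_execute(contents: bytes) -> bool:
    """Allow a process to start only if its image hash is on the whitelist."""
    return sha256_hex(contents) in ALLOWED_HASHES


def may_connect(dst_ip: str, dst_port: int) -> bool:
    """Allow an outbound connection only to the designated server and port."""
    return (ipaddress.ip_address(dst_ip), dst_port) == DESIGNATED_SERVER


def evaluate(events):
    """Return a list of (event_name, 'allow' | 'deny') for the given events."""
    decisions = []
    for ev in events:
        if ev["type"] == "exec":
            ok = may_execute(ev["contents"])
        elif ev["type"] == "connect":
            ok = may_connect(ev["dst_ip"], ev["dst_port"])
        else:
            ok = False  # unknown event kinds are denied by default
        decisions.append((ev["name"], "allow" if ok else "deny"))
    return decisions


# Constructed events: a legitimate start, a tampered copy of the dispenser
# binary at the same path (one byte flipped), an unknown dropper, one
# connection to the designated server and one to an Internet address.
_tampered = bytearray(INSTALLED_BINARIES[r"C:\atm\dispenser.exe"])
_tampered[-1] ^= 0x01

SAMPLE_EVENTS = [
    {"type": "exec", "name": "dispenser-start",
     "path": r"C:\atm\dispenser.exe",
     "contents": INSTALLED_BINARIES[r"C:\atm\dispenser.exe"]},
    {"type": "exec", "name": "dispenser-tampered",
     "path": r"C:\atm\dispenser.exe", "contents": bytes(_tampered)},
    {"type": "exec", "name": "unknown-dropper",
     "path": r"C:\Windows\Temp\svc.exe", "contents": b"MZ\x90\x00 dropper"},
    {"type": "connect", "name": "host-switch",
     "dst_ip": "10.20.30.40", "dst_port": 443},
    {"type": "connect", "name": "internet-c2",
     "dst_ip": "203.0.113.7", "dst_port": 80},
]


def sample_decisions():
    """Decisions for the constructed event log above."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, decision in sample_decisions():
        print(f"{decision:5s} {name}")
```

Running it prints allow for the genuine dispenser start and the host-switch connection and deny for the other three events. Note what is absent: there is no event for "the genuine dispenser process was exploited through a malformed message from the host", because nothing in this layer observes it, which is exactly the gap the rest of this article is about.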
There are, however, two significant problems after tomorrow.
The first of these is compliance. Bank internal rules, as well as PCI DSS requirements, demand that no unsupported software run on ATMs or on other in-scope IT infrastructure. Unsupported software on the network therefore puts the bank's PCI compliance at risk unless documented "compensating controls" have been put in place.
Large Western banks woke up to this requirement a year ago and have mostly cobbled together a transition plan that allows them to buy time so that their networks can be migrated safely to Windows 7. However Asian banks, for instance, have mostly ignored the deadline waiting to see whether this is just another Y2K-like scare.
This could be a costly mistake because of the second significant risk that unsupported ATMs face: so-called "zero-day" vulnerabilities. These are security defects for which no patch exists at the moment an attacker starts exploiting them; typically Microsoft does not yet know about them, but a hacker somewhere out there has already found them. After tomorrow, every newly discovered XP defect is a zero-day that never closes, because no patch will ever follow.
The chilling fact is that there is an underground market for these defects. This market has apparently been relatively quiet recently, as nobody is parting with new defects until they become more valuable to the seller — after tomorrow's deadline.
What makes the XP issue different from Y2K is that Y2K did not fight back. Today there is a war going on between security protections on the one hand and new malware on the other.
The PCI council estimates that 20 million new pieces of malware were detected in a particularly bad four-month period in 2013 alone. Combine this with the fact that banks are a natural target (they're where the money is!), and we have a deadly cocktail in the making.
How long will it be before a zero-day exploit is able to attack a well-defended XP ATM? It must be just a matter of time.
Whitelisting is the most powerful antidote we have against an unknown future attack, but it could well become the ATM's Maginot line. It decides only which binaries may start; an exploit that takes over an already-whitelisted process in memory, or abuses a whitelisted component for something it was never meant to do, never faces that check. What makes this risk unacceptable is that if ATM defenses are breached, there may be no alternative but to shut down unpatched XP ATMs immediately.
As I travel around the world talking to various banks about their perception of the threat, the attitude that surprises me the most is from some who have decided to do nothing until the threat manifests itself. It reminds me of those nature films where wildebeest graze confidently while a lioness lurks nearby.
So what must we do?
Microsoft will provide a limited support contract, a Custom Support Agreement (CSA), for a maximum of two years from tomorrow, at a cost. It is essential that banks purchase a CSA so that security patches continue to be made available to them. (There is unfortunately another little problem: many banks bought the "wrong kind of XP" license for their ATMs, and it may take some sweet-talking of Microsoft to get those ATM licenses covered by a CSA as well.)
Then using the two-year grace period that the CSA buys, we must get those XP ATMs migrated to Windows 7 (or even better, to Windows 8). We really have no more excuses not to do so.
So back to the question of how we got to this very difficult point. The primary blame lies with the ATM manufacturers. They jealously guard the low-level ATM driver layer, the CEN/XFS Service Providers ("XFS SPs") that sit between the ATM application and the cash dispenser, card reader, PIN pad and other devices.
There is no open market for XFS SPs: each hardware vendor develops and distributes these drivers for its own ATMs, and third parties keep out!
The major vendors delayed releasing Windows 7 versions of these drivers until 2013, by which time it was way too late to migrate the world's 2.6 million ATMs ahead of the XP deadline.
The banks too played a role in this delay — they did not demand that these drivers be made available in time and they did not have budgets in time for the migration.
When was the right time to start this migration? Four years ago would have been a good time to start so that the XP-W7 migration could have been handled smoothly along with the hardware replacement cycle.
The industry has finally sprung into action to avoid the next such debacle: the ATM Industry Association (ATMIA) recently launched a 2020 Committee and an Updateable ATM Committee to ensure that we do not have a repeat of this in 2020, when support for Windows 7 expires.
When should the industry start migrating ATMs to Windows 8? Why, now, of course. We have just six years to go until the next mess.