Mitigating risk after April 8 - without Windows 7

Microsoft anti-malware support alone won't cut it for ATM security; independent tests say PC/E Terminal Security Software will.

January 23, 2014

It's been widely reported that 95 percent of the world's ATMs run Microsoft Windows XP, and that only about 15 percent of these will have been upgraded to Windows 7 before the XP support cutoff date of April 8, 2014.

In acknowledgement of the monumental risk this represents to the world's financial services industry, Microsoft announced last week that, through July 2015, it will continue to offer monthly anti-malware updates to scrub known viruses from XP operating systems.

To sum up Terence Devereux's feelings about this munificent gesture in two little words: Big. Deal.

Devereux, who is senior trusted advisor for product line banking software at Wincor Nixdorf, sat down with ATM Marketplace this week during Wincor World to talk about post-deadline security for Windows XP. He gave presentations in two workshops on the topic during the 3-day trade fair in Rheda-Wiedenbrück, Germany.

"Microsoft were very cheeky," Devereux said. "What they said was that as of April until July 15, 2015, they'd be releasing updates for their security products — and only their security products — their anti-virus. That does not mean they're freely releasing updates for their operating system ... or any other components that would be used in an XP environment."

So, no patches for operating system vulnerabilities — only a monthly download of anti-malware programs to remove suspect code from possibly infected machines. Which is equivalent to securing the chicken coop after the fox has legged off with a prize hen. 

Further, Devereux said, in order to receive these automatic anti-virus downloads, an ATM must be networked to Microsoft, which in itself presents a massive entryway for a security breach. So, crossing off that option, any anti-malware solution will have to be manually (and religiously) downloaded and run on ATMs as it is released.

All of this in order to get partial, after-the-fact protection from malware. An operator must still decide whether to leave a fleet's operating system vulnerable and hope for the best — or pay a price so outlandish for contracted Microsoft support that one might as well bite the bullet and migrate to Windows 7.

Except that, due to either budget or time constraints — or both — such a fleetwide upgrade will not be possible. And the vicious cycle goes on. 

Or does it? In fact, it does not, Devereux said, offering this analogy:

"At the end of the day, it's just risk mitigation," he said. "I don't have to have a lock on my door — I can leave the door open, I can leave the windows open — if I have a 50-foot wall around my house."

Wincor thought it might have such a wall in the form of its multi-vendor PC/E Terminal Security Software, Devereux said.

"We said, we think we have a scenario to mitigate that risk of staying on XP. We're not sure, but we're going to verify it. We're going to certify that what we say is in the box is in the box."

The company undertook that verification in an extensive battery of tests designed to gauge the effectiveness of Wincor’s PC/E Terminal Security Software on ATMs running Windows XP. 

These tests, conducted by independent, accredited PCI-qualified security assessor Security Research & Consulting GmbH, found that PC/E Terminal Security Software from Wincor provided such a high level of protection that ATMs running the program can obtain a PCI DSS Compensating Control and continue to run Windows XP after the April 8 support cutoff date.

SRC tested ATM environments that have deployed the PC/E Terminal Security Software with unpatched Windows XP operating systems. Extensive penetration and vulnerability tests injected malware in order to manipulate the behavior of ATMs.

SRC concluded that Wincor’s PC/E Terminal Security Software provided an exceptional level of protection against network and local attacks that leveraged all known Windows XP vulnerabilities.

SRC also concluded that the security provided by the Wincor software not only surpassed the security of a fully patched Windows XP system, but also exceeded the security standards of any Windows environment in an ATM.

Wincor's PC/E Terminal Security Solution features three innovative components that work together to provide the "50-foot wall" Devereux mentioned:

1) Access protection

Many features of Microsoft operating systems (XP and Windows 7 both) are not required for ATM use, and are potential weaknesses that can be exploited by hackers.

Access protection hardens the operating system by disabling or removing superfluous components and services and reducing the "attack surface." The feature also secures logon processes and restricts remote access, making it harder to exploit security settings.

2) Intrusion protection

This feature protects ATMs against all forms of malware, not by removing them from the operating system as Microsoft's "scrubber" programs do, but by preventing their installation in the first place.

Intrusion protection continuously monitors for any change or anomaly within an ATM's programs or behavior — however small. In this way, it protects not only against external attacks, but also helps to guard against internal threats, such as rogue programmers or service-branch employees attempting to manipulate ATM behavior.
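An added illustration of the "prevent installation, don't scrub afterwards" idea described above, in Python. This is example code written for this page, not Wincor's PC/E software or any description of how it works internally: it assumes a whitelisting approach, where an approved baseline of file digests is recorded once and anything that is added, altered or removed is reported, and a binary may execute only if its digest is in the baseline. The directory contents are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Constructed sample of an ATM application directory (path -> file contents).
# Illustrative only: these are not files from any real ATM software.
APPROVED_IMAGE: Dict[str, bytes] = {
    "app/dispenser.dll": b"dispenser module v1",
    "app/cardreader.dll": b"card reader module v1",
    "app/xfs.cfg": b"port=9001\nlog=off\n",
}

# The same directory after tampering: one file altered, one file dropped in,
# one file removed. Also constructed for the demonstration.
TAMPERED_IMAGE: Dict[str, bytes] = {
    "app/dispenser.dll": b"dispenser module v1 + unexpected code",
    "app/cardreader.dll": b"card reader module v1",
    "app/helper.exe": b"not in the baseline",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest for every approved file: the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current directory against the baseline and report
    modified, added and missing entries. Any non-empty list is an anomaly."""
    modified = [
        path for path, digest in manifest.items()
        if path in files and hashlib.sha256(files[path]).hexdigest() != digest
    ]
    added = [path for path in files if path not in manifest]
    missing = [path for path in manifest if path not in files]
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def allow_execution(manifest: Dict[str, str], path: str, data: bytes) -> bool:
    """Default-deny execution policy: a program may run only if its path and
    digest both match the baseline, so new or altered binaries never start."""
    return manifest.get(path) == hashlib.sha256(data).hexdigest()


def demo() -> Dict[str, List[str]]:
    """Build the baseline from the approved image and audit the tampered one."""
    manifest = build_manifest(APPROVED_IMAGE)
    report = check_integrity(manifest, TAMPERED_IMAGE)
    for kind, paths in report.items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
    return report


if __name__ == "__main__":
    demo()
```

The point of the default-deny check is that a dropped-in binary is refused before it ever executes, which is the distinction the article draws from a scanner that only removes what it already recognises; the same comparison also flags the insider case, since an edited module fails the digest match regardless of who edited it.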

3) Hard disk encryption

The HDE feature in PC/E Terminal Security Software minimizes the risk of manipulation, misuse or theft by securing the contents of the drive and making it unreadable not only in a case of unauthorized booting but also in the event of the theft of the PC or disk itself.

As Devereux described it, the software does this by encrypting the disk with unique identifiers found in every one of the ATM's peripherals — card reader, PIN pad, printer, cash dispenser, etc.

"When you install our disk encryption, it encrypts the disk with this information," Devereux said. "So if I remove the disk from the ATM, because these devices aren't there, you don't gain access to the disk."

Wincor has patented this idea, Devereux said. "It's a simple idea ... But security is practical."
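An added example of the binding Devereux describes, in Python. This is illustrative code written for this page, not Wincor's patented implementation, whose details the article does not give: it assumes the disk key is derived from the identifiers of all attached peripherals, so a disk read on a machine with a peripheral missing or swapped derives a different key and the authentication tag fails. The peripheral identifiers are constructed values, and the cipher is a simple HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen so the example runs on the standard library alone rather than as a recommendation of that construction over a standard disk cipher.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed identifiers for the peripherals of one ATM. Illustrative values,
# not real device serials; a real deployment would read them from the devices.
PERIPHERAL_IDS: Dict[str, str] = {
    "card_reader": "CR-0001-A7",
    "pin_pad": "EPP-4412-Z",
    "printer": "PRN-88-10",
    "cash_dispenser": "CDM-3300-K",
}

NONCE_LEN = 16
TAG_LEN = 32


def derive_disk_keys(peripheral_ids: Dict[str, str], salt: bytes) -> bytes:
    """Stretch the peripheral identifiers into 64 bytes of key material
    (32 for encryption, 32 for authentication). Sorting makes the result
    independent of the order in which devices are enumerated, so the same
    set of peripherals always yields the same keys."""
    material = "|".join(f"{k}={v}" for k, v in sorted(peripheral_ids.items())).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(keys: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC one sector; output is nonce || ciphertext || tag."""
    enc_key, mac_key = keys[:32], keys[32:]
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_sector(keys: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify. A wrong key
    (a peripheral missing or swapped) and a modified sector fail the same way."""
    enc_key, mac_key = keys[:32], keys[32:]
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> bool:
    """Encrypt a sector inside the ATM, then try to read it with the dispenser
    absent (disk pulled from the machine) and with the dispenser swapped."""
    salt = os.urandom(16)  # stored in the clear on the disk; it is not a secret
    in_atm = derive_disk_keys(PERIPHERAL_IDS, salt)
    blob = encrypt_sector(in_atm, b"sector 0: boot loader and config")
    removed = {k: v for k, v in PERIPHERAL_IDS.items() if k != "cash_dispenser"}
    swapped = dict(PERIPHERAL_IDS, cash_dispenser="CDM-0000-X")
    return (
        decrypt_sector(in_atm, blob) == b"sector 0: boot loader and config"
        and decrypt_sector(derive_disk_keys(removed, salt), blob) is None
        and decrypt_sector(derive_disk_keys(swapped, salt), blob) is None
    )


if __name__ == "__main__":
    print("peripheral-bound disk key behaves as expected:", demo())
```

Two practical caveats follow from the construction: a legitimate peripheral replacement also changes the key, so a field-service procedure for re-keying the disk is part of the design, and the strength of the binding is only as good as the unpredictability of the identifiers, which is why the salt and a slow derivation are used rather than hashing the serials directly.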

It can also be affordable — a fraction of the cost of contracted Microsoft support or the cost of upgrading before the deployer is financially prepared to do so. And it will continue to provide a return on investment, with existing protection against attacks on Windows 7 and 8 — and against threats to future operating systems as well.

"We will continue to secure and offer support for the operating system going forward," he said. "We'll support it because we're supplying into that area."

©2025 Networld Media Group, LLC. All rights reserved.