Last month, Microsoft ended support for embedded Windows XP in ATMs. This Windows XP operating system is still used in the majority of ATMs that deliver cash to customers around the world. So, does this mean ATM customers will now be more vulnerable to cybercrime? In today’s connected world, if a user’s ATM information is compromised, it often leads to full identity theft.
Contrary to what many may think, there are two main things that help make the ATM environment less vulnerable to cyber attacks:
Most ATMs (in the UK) are connected directly to the bank's driving software via private connections. The banks tend to use dedicated leased line infrastructure, and where this isn’t the case (independent ATM deployers, etc.), the communications are still pretty secure, using private VPNs as a minimum.
This means that the ATM is less vulnerable to attack than most devices because it is segregated from the Internet and remote connections are very difficult to establish. Additionally, most of the machines are also locked down against other forms of connectivity, so there is no Wi-Fi, USB ports are locked down, etc.
Software is hardened and the update process is stricter. For ATMs running Windows, most ATM manufacturers put specific software onto the machine, which comes with a version of Windows that has been hardened. Once the software is deployed, it is not updated or changed, with the exception of receiving application-level configuration files directly from the bank's driving system. The software can check the machine each time it loads to ensure the files on the machine are as expected, and only allow changes which are signed by the ATM manufacturer.
In terms of Windows Update, there’s a different process there too, as the ATM manufacturer will perform its own reviews of changes coming from Microsoft and only implement those changes which are important to the ATM's functions. The updates can be signed as well.
These points make it harder to attack the ATM machine. However, nothing is invulnerable, and some manufacturers do not implement as much of the above as others, so there will be gaps, and certainly insider knowledge and access will be exploited to help in attacks. Additionally, all this rigor makes it harder and slower for the ATM manufacturers to update the OS, which is the reason why so many are still on older systems (many machines have only just moved from OS/2 in recent years).
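The load-time file check described above can be sketched as follows. This is an added example, not any ATM manufacturer's code: the function names, file names and key are constructed, and an HMAC stands in for the manufacturer's signature (a real deployment would use an asymmetric signature so the machine holds only a public key).

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    out = {}
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            out[os.path.relpath(p, root).replace(os.sep, "/")] = file_digest(p)
    return out

def _tag(files, key):
    # HMAC over the canonical manifest body; stand-in for a vendor signature.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(files, key):
    return {"files": files, "tag": _tag(files, key)}

def check_at_load(root, manifest, key):
    """Return a list of findings; an empty list means the load may proceed."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest.get("tag", "")):
        return ["manifest: authentication failed"]
    expected, actual = manifest["files"], snapshot(root)
    findings = [f"modified: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    findings += [f"missing: {p}" for p in expected if p not in actual]
    findings += [f"unexpected: {p}" for p in actual if p not in expected]
    return sorted(findings)

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"app.exe": b"v1", "config.dat": b"limits"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = sign_manifest(snapshot(root), key)
        clean = check_at_load(root, manifest, key)
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"tampered")          # e.g. a file changed on a swapped drive
        with open(os.path.join(root, "extra.dll"), "wb") as f:
            f.write(b"x")                 # a file the manifest never listed
        tampered = check_at_load(root, manifest, key)
        forged = dict(manifest, files=snapshot(root))  # hashes rewritten, tag not
        return clean, tampered, check_at_load(root, forged, key)

if __name__ == "__main__":
    print(demo())
```

A check like this only helps if the checker and its key material sit outside what a replaced hard drive can overwrite.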
While we are still less likely to see cyber attacks on ATMs than on any POS system still using XP, nothing is immune to attacks. In fact, here is a recent example that shows that attacks do occur on the ATM infrastructure. Microsoft ending its support for embedded Windows XP is just the kind of gap a fraudster would look to exploit, especially if they can get help from an insider who may have physical access to the ATM machine, in order to swap a hard drive, for example. And if such an attack did occur, it would indeed have a financial impact, both to the institution and the individual customers. The only safe way of ensuring that the fraud is detected quickly is by putting good transactional monitoring into place.