I was under the impression that ATMs ran an embedded version of XP that had another year or so to run.

alan.

On 03/20/14 21:31, Stephen Loosley wrote:



Most ATMs will remain on Windows XP after Microsoft pulls plug on OS

By Jaikumar Vijayan  (Computerworld (US))  19 March, 2014

More than six out of 10 ATM machines in the country will be running on an 
obsolete operating system when Microsoft pulls the plug on Windows XP on April 
8, raising serious security and compliance issues for the systems' operators.

According to the ATM Industry Association (ATMIA), only about 38% of the nearly 
425,000 ATMs in the U.S. that are powered by Windows XP will have migrated off 
the OS by next month's deadline.

Operators of the remaining quarter million or more machines will have an 
increasingly hard time supporting their systems and ensuring sufficient 
software security after that date.

The Payment Card Industry Security Standards Council (PCI SSC), which is 
responsible for overseeing security standards in the payments industry, has 
already noted that ATMs still on Windows XP after April 8 will need to have 
certain compensating controls in place to be considered PCI compliant.

The PCI SSC estimates that Windows XP powers 95% of ATMs in the world.

Several financial institutions have worked out, and at great cost, arrangements 
with Microsoft to keep Windows support available for a while longer, said David 
Tente, executive director USA of the ATMIA.

In many cases, upgrading an ATM's operating system involves physical access to 
the machine and about one hour's worth of labor. Not all ATMs will be ready to 
migrate to Windows 7 and may need hardware upgrades as well, Tente said.

According to Tente, independent operators run about half the ATMs in the U.S., while 
large financial networks operate the rest. A "fair number" of installed ATMs 
are powered by Windows CE and embedded versions of Windows XP, which are not affected by 
the April 8 deadline, he said.

Microsoft has pointedly noted that PCs running Windows XP after end-of-support 
should not be considered protected and has urged users of the operating 
system to move to a newer version as soon as possible.

According to Tente, it is quite possible that malicious attackers are waiting until after 
April 8 to attack ATMs and other systems running Windows XP. But just because a system 
remains on Windows XP after that date does not automatically make it more vulnerable. 
"An ATM on April 9th is going to be just as secure as it was on April 7th," if 
operators have the proper measures in place for protecting them, Tente said.

The ATMIA earlier this month released a white paper outlining several of the 
risks that operators face by choosing to remain on Windows XP. The paper is 
available only to registered members of the association.

An executive summary provided to Computerworld highlighted several issues. Since Windows 
XP was launched, more than 700 vulnerabilities have been found in the operating system. 
"After April 8th 2014, Windows XP will essentially have zero-day vulnerabilities for 
perpetuity," the statement noted.

Most ATM hacks have been at the hardware level and through the use of devices 
like skimmers. Other security risks include attacks on an ATM's network, local 
ports, or browser, the summary said.

Without Microsoft's technical support and security fixes, ATM operators also 
risk falling out of compliance with requirement 6.2 of the PCI DSS, which 
stipulates that all system components handling credit and debit cards are fully 
supported by a software or hardware vendor.

"If a vendor isn't providing patches due to support having been discontinued, then by 
definition that system cannot be PCI DSS compliant," said Jim Huguelet, an independent retail 
security consultant. "As a general rule, retailers would be concerned about running any 
systems without access to ongoing security analysis and patches, but it is PCI DSS requirement 6.2 
that brings the issue to the forefront."

A joint statement issued by the PCI SSC and the ATMIA pointed to several 
compensation controls that ATM operators can implement to remain compliant with 
PCI requirements even while remaining on Windows XP.

"To be effective, the compensating controls must protect the system from 
vulnerabilities that may lead to exploit of the unsupported code," the statement 
said.

Examples of controls that could be used in combination to mitigate risk include 
active monitoring of system logs and network traffic, application whitelisting 
and isolating Windows XP systems from other systems and networks. Each control 
by itself is insufficient, but when combined, they could potentially qualify as a 
compensating control from a PCI compliance standpoint.

"Compensating controls should only be considered a temporary solution," Troy Leach, CTO 
of the PCI SSC, said in the statement. "Organizations should have a migration plan to upgrade 
in a reasonable amount of time to a supported operating system as the OS serves as the foundation 
for services and other security controls related to protecting cardholder data."

This article, Majority of ATMs will remain on Windows XP after Microsoft 
pulls plug on OS, was originally published at Computerworld.com. Jaikumar 
Vijayan covers data security and privacy issues, financial services security 
and e-voting for Computerworld.
-- 
Cheers,
Stephen
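The joint PCI SSC/ATMIA statement quoted above lists three controls that only count as a compensating control when combined: log and traffic monitoring, application whitelisting, and network isolation. The script below is an added example, written for this thread and not taken from the article, the ATMIA white paper or any vendor, showing how those three ideas fit together in one monitor. The event format, the executable allowlist, the processor address 10.20.0.5 and the sample log lines are all constructed for illustration.

```python
"""Toy compensating-control monitor for an unsupported host (added example).

Constructed sample events stand in for process-start and outbound-connection
records gathered from an ATM's system logs and network capture. Two checks run
over them: an application allowlist (only known executables may run) and an
isolation rule (the host may only talk to its transaction processor). Either
check alone misses half the picture; together they give the "active monitoring"
the PCI statement asks for.
"""
from dataclasses import dataclass

# Hypothetical allowlist: executables expected on a locked-down ATM host.
# Paths are stored lower-case so comparison is case-insensitive, as on Windows.
ALLOWED_EXECUTABLES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\atm\vendor\cashdispenser.exe",  # placeholder for the vendor's ATM application
}

# Hypothetical isolation policy: the only remote endpoint the ATM may reach.
ALLOWED_DESTINATIONS = {("10.20.0.5", 443)}  # constructed processor address


@dataclass(frozen=True)
class Alert:
    kind: str
    detail: str


def parse_event(line):
    """Parse a constructed 'key=value key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def check_process(event):
    """Application whitelisting: flag any executable not on the allowlist."""
    image = event["image"].lower()
    if image not in ALLOWED_EXECUTABLES:
        return Alert("unlisted-executable", image)
    return None


def check_network(event):
    """Network isolation: flag outbound traffic to anything but the processor."""
    if event.get("direction") != "out":
        return None
    dest = (event["dst"], int(event["dport"]))
    if dest not in ALLOWED_DESTINATIONS:
        return Alert("isolation-violation", f"{dest[0]}:{dest[1]}")
    return None


CHECKS = {"process": check_process, "network": check_network}


def scan(lines):
    """Run every event through the check for its type; return the alerts raised."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        checker = CHECKS.get(event.get("type"))
        if checker is None:
            continue  # unknown event type: nothing to evaluate
        alert = checker(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: two benign events and two that should raise alerts.
SAMPLE_LOG = [
    r"type=process image=C:\Windows\System32\svchost.exe",
    r"type=process image=C:\Temp\update.exe",
    "type=network direction=out dst=10.20.0.5 dport=443",
    "type=network direction=out dst=203.0.113.9 dport=8080",
    "type=network direction=in dst=10.20.0.7 dport=3389",
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.kind}: {alert.detail}")
```

Run against the constructed sample it reports the unlisted executable and the connection to an address outside the processor allowlist; the inbound event is left for a separate control. In practice the allowlist would be generated from a known-good image of the ATM host and the destination set from the operator's network design, and the alerts would feed whatever the operator uses for monitoring.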

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
