Banks are paying for extended support from Microsoft.

Richard Chirgwin

On 20/03/14 9:36 PM, Alan Hargreaves wrote:
> I was under the impression that ATMs ran an embedded version of XP
> that had another year or so to run.
>
> alan.
>
> On 03/20/14 21:31, Stephen Loosley wrote:
>>
>> Most ATMs will remain on Windows XP after Microsoft pulls plug on OS
>>
>> By Jaikumar Vijayan (Computerworld (US)) 19 March, 2014
>>
>> More than six out of 10 ATM machines in the country will be running
>> on an obsolete operating system when Microsoft pulls the plug on
>> Windows XP on April 8, raising serious security and compliance issues
>> for the systems' operators.
>>
>> According to the ATM Industry Association (ATMIA), only about 38% of
>> the nearly 425,000 ATMs in the U.S. that are powered by Windows XP
>> will have migrated off the OS by next month's deadline.
>>
>> Operators of the remaining quarter million or more machines will have
>> an increasingly hard time supporting their systems and ensuring
>> sufficient software security after that date.
>>
>> The Payment Card Industry Security Standards Council (PCI SSC), which
>> is responsible for overseeing security standards in the payments
>> industry, has already noted that ATMs still on Windows XP after April
>> 8 will need to have certain compensating controls in place to be
>> considered PCI compliant.
>>
>> The PCI SSC estimates that Windows XP powers 95% of ATMs in the world.
>>
>> Several financial institutions have worked out, and at great cost,
>> arrangements with Microsoft to keep Windows support available for a
>> while longer, said David Tente, executive director USA of the ATMIA.
>>
>> In many cases, upgrading an ATM's operating system involves physical
>> access to the machine and about one hour's worth of labor. Not all
>> ATMs will be ready to migrate to Windows 7 and may need hardware
>> upgrades as well, Tente said.
>>
>> According to Tente, independent operators run about half the ATMs in
>> the U.S., while large financial networks operate the rest. A "fair
>> number" of installed ATMs are powered by Windows CE and embedded
>> versions of Windows XP, which are not affected by the April 8
>> deadline, he said.
>>
>> Microsoft has pointedly noted that PCs running Windows XP after
>> end-of-support should not be considered as protected and has urged
>> users of the operating system to move to a newer version as soon as
>> possible.
>>
>> According to Tente, it is quite possible that malicious attackers are
>> waiting until after April 8 to attack ATMs and other systems running
>> Windows XP. But just because a system remains on Windows XP after
>> that date does not automatically make it more vulnerable. "An ATM on
>> April 9th is going to be just as secure as it was on April 7th," if
>> operators have the proper measures in place for protecting them,
>> Tente said.
>>
>> The ATMIA earlier this month released a white paper outlining several
>> of the risks that operators face by choosing to remain on Windows XP.
>> The paper is available only to registered members of the association.
>>
>> An executive summary provided to Computerworld highlighted several
>> issues. Since Windows XP was launched, more than 700 vulnerabilities
>> have been found in the operating system. "After April 8th 2014,
>> Windows XP will essentially have zero-day vulnerabilities for
>> perpetuity," the statement noted.
>>
>> Most ATM hacks have been at the hardware level and through the use of
>> devices like skimmers. Other security risks include attacks on an
>> ATM's network, local ports, or browser, the summary said.
>>
>> Without Microsoft's technical support and security fixes, ATM
>> operators also risk falling out of compliance with requirement 6.2 of
>> the PCI DSS, which stipulates that all system components handling
>> credit and debit cards are fully supported by a software or hardware
>> vendor.
>>
>> "If a vendor isn't providing patches due to support having been
>> discontinued, then by definition that system cannot be PCI DSS
>> compliant," said Jim Huguelet, an independent retail security
>> consultant. "As a general rule, retailers would be concerned about
>> running any systems without access to ongoing security analysis and
>> patches, but it is PCI DSS requirement 6.2 that brings the issue to
>> the forefront."
>>
>> A joint statement issued by the PCI SSC and the ATMIA pointed to
>> several compensation controls that ATM operators can implement to
>> remain compliant with PCI requirements even while remaining on
>> Windows XP.
>>
>> "To be effective, the compensating controls must protect the system
>> from vulnerabilities that may lead to exploit of the unsupported
>> code," the statement said.
>>
>> Examples of controls that could be used combined to mitigate risk
>> include active monitoring of system logs and network traffic,
>> application whitelisting and isolating Windows XP systems from other
>> systems and networks. Each control by itself is insufficient, but
>> when combined, could potentially qualify as a compensating control
>> from a PCI compliance standpoint.
>>
>> "Compensating controls should only be considered a temporary
>> solution," Troy Leach, CTO of the PCI SSC, said in the statement.
>> "Organizations should have a migration plan to upgrade in a
>> reasonable amount of time to a supported operating system as the OS
>> serves as the foundation for services and other security controls
>> related to protecting cardholder data."
>>
>> This article, Majority of ATMs will remain on Windows XP after
>> Microsoft pulls plug on OS, was originally published at
>> Computerworld.com.
>>
>> Jaikumar Vijayan covers data security and privacy
>> issues, financial services security and e-voting for Computerworld.
>> --
>> Cheers,
>> Stephen
>>
>> _______________________________________________
>> Link mailing list
>> [email protected]
>> http://mailman.anu.edu.au/mailman/listinfo/link
>>
>
