Banking Exchange Magazine Logo

Rest in peace, Windows XP

Once support ends, bank systems gravely exposed to cyberthieves

Rest in peace, Windows XP

Those creaking, cranking old laptops and desktops that have served well for years will soon be kicked to the curb in April once Microsoft stops its automatic security patches for Windows XP.

That means that, when you go to shut down your computer, those periodic messages from the blue that say “Downloading Update—system will automatically shut down,” will no longer appear. Those updates generally contain patches that protect the system from new and improved malware.

It’s a big deal, when you consider that most businesses, let alone banks, depend upon systems that use the 12-year-old Windows XP operating system.

It’s an even bigger deal when, according to reports citing an NCR representative, 95% of ATMs in this country run on Windows XP. Imagine hundreds of thousands of ATMs, no longer automatically protected against cybercrooks, suddenly becoming the crooks’ private money dispensing machines.

If this comes as a surprise, don’t blame Microsoft, at least too much. They announced this last April and have offered advice and warnings since then. For example, in October, its security team identified three specific worldwide threats for those running Windows XP after support ends:

• Sality—A malware family that can steal personal information and lower a PC’s security settings.

• Ramnit—Malware that infects Windows executable files, Microsoft Office files, and HTML files.

• Vobfus—A family of worms that can download other malware onto a PC; it can be downloaded by other malware or spread via removable drives, such as USB flash drives.

Of course, Microsoft is heavily invested in converting everybody from XP to its newer operating systems, namely Windows 7, Windows 8, and Windows 8.1. Arguably, however, these newer systems do have improved security technologies designed to make it harder for cybercriminals to exploit vulnerabilities.

The threats are real. Trend Micro, which makes security software, in its predictions for 2014 says the lack of support for popular software such as Windows XP “will expose millions of PCs to attack.”

“We see the sophistication of threats expanding at a rapid pace, which will impact individuals, businesses, and governments alike,” says Raimund Genes, chief technology officer, Trend Micro. “From mobile banking vulnerabilities and targeted attacks, to growing privacy concerns and the potential of a major breach each month, 2014 promises to be a prolific year for cybercrime.”

Clare Computer Solutions detailed four reasons why it’s necessary to upgrade operating systems now:

• There can be legal consequences for companies, such as those in the financial industry, if they continue using an unsupported system.

• The lack of new security patches for Windows XP means newly developed malware can exploit the operating system, opening the door to viruses and other malware.

• Printers, scanners, and professional equipment compatible with Windows XP will no longer be made.

• It will be expensive for a business to support an unsupported operating system, and will get more expensive the longer the unsupported products are in place.

If that’s not enough, the FFIEC last October issued a joint statement alerting regulated financial institutions of the risks related to the discontinuation of support for the Windows XP operating system. The statement, in part, says: “Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data. Additionally, financial institutions and technology service providers that are subject to the requirements of the Payment Card Industry Data Security Standard and continue to use XP after April 8, 2014, may no longer be compliant.”

The thing is, with all this warning, how come 95% of ATMs, for example, have yet to be converted, given that the deadline is about two months away? The ATM manufacturers certainly have been on top of this.

NCR has incorporated the newer operating systems in its new machines and offers upgrade kits to reconfigure older machines. Diebold likewise has been working with its financial institution clients to convert to Windows 7.

These companies point out other advantages to upgrading out of Windows XP, besides security. “There are some positive reasons to move to Windows 7 in addition to keeping you in control of security and compliance issues,” says NCR in its corporate blog. “[These] include faster and easier installation, faster boot-up times, and full support for the latest touch screen technology.”

Even so, conversion requires planning, budgeting, and time, things never in great supply. “Businesses may not realize the complexity of migrating to a new OS,” says Brad Mendonsa, CEO, Clare Computer Solutions. “Because the migration involves detailed planning, creating a budget specific to a company’s needs, testing, implementation, and training, it’s important for companies to begin now.”

FFIEC, in its guidance, provides a number of general considerations that have to be made. Granted their generality, they at least serve to illustrate the seriousness and complexity of this issue:

• Perform risk assessments. Identify and measure the risk from the continued use of XP throughout the organization and at third parties, including business continuity and disaster recovery situations.

• Select appropriate mitigations. Consider costs and potential risks, including compatibility with other systems and applications, in selecting a mitigation strategy.

• Conduct appropriate planning. Develop an implementation plan addressing priorities for changes, ensuring appropriate change management procedures, and monitoring related third parties’ mitigation and migration activities, as warranted.

• Monitor and report. Monitor the risk mitigation implementation to ensure that the level of risk is acceptable. The effectiveness of controls should be tested periodically and results reported to senior management or a committee of the board of directors, as appropriate, to ensure risk continues to be managed.

It has been reported that Microsoft will offer, for a fee, continued security support for XP for a limited time, and that some banks will pay for this service as they work to convert their systems. FFIEC has this to say about that: “[This] option potentially includes implementing controls designed to provide additional monitoring for XP-support systems and devices, protecting XP from threat sources, and isolating XP from the remainder of the network.”

That in itself seems like it would require a lot of time, planning, and budget resources. Tim Rains, director of Microsoft Trustworthy Computing, perhaps speaks from someplace other than just promoting his own company, when he says: “The importance of upgrading from Windows XP cannot be overstated. We truly want people to understand the risks of running Windows XP after support ends and to recognize the security benefits of upgrading to a more modern operating system—one that includes the latest in security innovations, provides ongoing support, and can in turn better protect them.”

Sources used in this article include:

Clare Computer Solutions Provides Four Reasons Why Businesses Need to Develop a Windows XP Migration Plan Now

U.S. Bank Deploys Industry's First ATMs Operating On Windows 7 And Running Agilis Software

Joint Statement: End of Microsoft Support for Windows XP Operating System

New cybersecurity report from Microsoft details risks of running unsupported software

Windows 7—Coming Soon to an ATM Near You

Trend Micro Predicts Cyber Security Concerns for 2014 and Beyond

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at [email protected].

back to top


About Us

Connect With Us