Remember when Windows 8 released with its fancy new start screen and gesture-based interface? A lot of people expressed concern about whether they’d want to upgrade to the new operating system, especially with it bringing such dramatic changes.
But upgrading from Windows 7 to Windows 8 is a minor problem compared to the one that the South African banking industry faces.
Once upon a time, the vast majority of the world’s automatic teller machines (ATMs) were designed around IBM’s OS/2, an operating system that was first released in 1987. Official support for OS/2, which means regular security patches and bug fixes from the software vendor, ceased at the end of 2006. As a result, between the years 2002 and 2003, the two major manufacturers of ATMs – NCR and Diebold – switched the majority of their customers over to Windows XP-powered hardware. That decision soon led to the discovery of the first cash machines infected by a standard desktop virus.
Security concerns notwithstanding (or largely fixed), around 95% of the world’s ATMs run Windows XP. And that’s a problem, because Microsoft will end support for the ageing operating system on 8th April – just over two months from now. The announcement that this would happen was made nearly three years ago, which means banks and ATM manufacturers have had plenty of time to evaluate their options. But naturally everybody is cutting it pretty close to do something about it – local banks included.
Nedbank, which has around 3 000 ATMs across the country, says that all of its ATMs currently run Windows XP, but that it is about to start a massive upgrade program. “The rollout [of upgraded machines] will be phased and it is earmarked for completion by 31 March 2014,” says Preni Naidoo, executive for self-service banking at Nedbank. That’s a mere eight days before Microsoft’s support ends.
FNB’s Aziz Cassim, head of self-service channels, also confirms that FNB’s ATMs run Windows XP. “We are aware that Microsoft Windows XP support ends in April 2014 and we are currently implementing a solution,” he tells us.
Those banking with ABSA will be pleased to know that it’s already on the case. Late last year it committed R550-million to upgrading its network of more than 9 000 ATMs. Some of the upgrades will simply see new software applied to the existing bank machines, but in many cases it will involve replacing the hardware inside too. Arrie Rautenbach, head of retail banking at ABSA, says, “ABSA is aware of Microsoft’s decision to end its support of Windows XP and is already underway with a project to address this.” Rautenbach is also quick to put people’s minds at ease, pointing out that security is a major concern. “ABSA has world-class security in place on its ATM stack and will ensure that this security is never compromised,” he adds.
Compared to the competition, Standard Bank is living on the edge. “We expect to begin the implementation from April 2014,” says a spokesperson for the bank – and that’s no small task when it has 6 500 machines to service. While Microsoft does offer extended support contracts for Windows XP, they are costly. When we asked about this Standard Bank declined to provide specifics, citing the sensitive nature of the matter.
It’s more than just an operating system upgrade, though. With Windows XP being as old as it is, it’s unlikely that machines from that era will reliably run a newer operating system, and those that can might not be powerful enough. ABSA says that its rollout also includes hardware refreshes, in addition to new functionality. FNB also plans to upgrade existing hardware, and to replace machines that cannot run Windows 7 – the new operating system that’s been chosen for its ATMs. While Standard Bank and Nedbank don’t provide specifics on their upgrade plans, it’s a logical conclusion that incompatible hardware will be replaced with newer machines.
So how will we, the banks’ customers, be impacted by the changes? Last year’s Mobility Report from World Wide Worx shows that of all banking methods – including ATMs, branches, cellphone banking, and apps – the overwhelming majority of South Africans still use the machines for their transactions. 94% of bank customers rely on ATMs, and if the network should be unavailable at any time it’ll potentially inconvenience a lot of people.
To that end, the banks will obviously work to minimise inconvenience and downtime. Nedbank estimates that its ATMs will be impacted for about two hours during the changeover, but Standard Bank says all changes will be invisible to its customers. Regardless – a little bit of downtime should be negligible compared to the potential impact of an unsecured ATM.
Dominic White, CTO at security firm Sensepost, points out that there is no imminent threat, but that any future security flaws in Windows XP would not be patched.
“The only thing we know would happen, is that Microsoft would no longer support the systems,” he says. “From a security perspective, this means that any vulnerabilities published in the software will not have security updates (patches) to correct them released.”
This not only goes for the banks, but also any desktop owners who are still stuck on the teenage version of Windows. The current market share for Windows XP on desktop computers is nearly 29% – and that’s a lot of potential clients for a future botnet.
While some enthusiastic commentators have raised concerns that malware writers are ready to roll over XP machines with a hatful of hitherto unknown exploits the day that support for XP closes down, White says that he doesn’t expect there to be a flurry of attacks after 8th April. Rather, he says, those vulnerabilities that do get discovered after XP expires will become more valuable. There’s a vibrant underground trade in backdoor keys and unknown security holes, and hackers who find flaws in a system auction them off to malware writers, who could make a lot of money from a reliable exploit.
“[Exploits] will fetch a higher price on the exploit market than just releasing them publicly, and increasingly fewer of them are published these days,” says White. He also points out that the bigger concern here is that XP, being old and soon-to-be unsupported, will pose a greater security risk over time.
As for the banks choosing Windows 7 to replace it? Well, despite its age it has a proven track record and is a known quantity. “The security of Windows has increased dramatically over the last decade, Windows 7 is better secured out of the box than XP was, and based on the limited metrics of exploitability we have, appears to have stood up better,” says White.
However, the concern here isn’t just the operating system that runs the ATMs. The banks’ move away from Windows XP is ultimately about being able to depend on Microsoft for support if something major goes wrong. The banking world relies on more than just the built-in security measures in Microsoft’s consumer operating systems.
“The total security of bank ATMs is far more involved than vulnerabilities in the base operating system alone,” explains White.
“If I was a bank, I’d be far more worried about vulnerabilities in other software running on the ATM, or even problems with the network architecture, or administrative authentication.”