Less than 1% of European ATMs upgraded to Windows 7

New research from RBR reveals that the banking industry has migrated very few ATMs away from Windows XP, despite the long‑publicised end of support from Microsoft on 8th April 2014.

RBR’s comprehensive study, ATMs in Europe 2014: Hardware, Software and Services, shows that only 4,150 ATMs in Europe – 0.7% of the total – had been upgraded to Windows 7 by the end of 2013. The share is 0.9% in western Europe, and just 0.2% in central and eastern Europe, with 23 of the 33 country markets included in the study having no Windows 7 ATMs at all.

Desire for stability underpins banks’ caution

Since ATMs are unattended and used by consumers rather than employees, downtime has a major impact on customer service: the banking industry has thus relied on established operating systems with proven stability. Adoption of newer operating systems is also slowed by the need for suppliers to provide driver software for the bespoke hardware devices found in ATMs, such as cash dispensing mechanisms and chip card readers.

[Figure: pie chart of European ATMs by Operating System, 2013]

The RBR survey, which covers thousands of banks across the continent, shows that nine out of ten ATMs run Windows XP. But this is not the oldest operating system in use: there are also more than 20,000 machines using IBM’s OS/2 – standard support for which was ended in 2006 – most of which are in the UK and Spain.

Banks choosing to lock down operating systems and taking other risk mitigation initiatives

Given their well-defined function, ATMs have a limited and relatively stable software set-up, making locking down the operating system a more practical option than for home or office PCs.

A variety of risk mitigation tools are already in use, including whitelisting, sandboxing and encryption, along with more conventional technology like application-level firewalls and anti-malware/anti-virus software. Opinions in the industry differ, however, as to whether such counter-measures comply with payment card industry (PCI) security requirements, and thus whether institutions are leaving themselves open to substantial fines.

Risks increase on April 9th – but by how much?

Banks take ATM security seriously, not least because they want to avoid the negative publicity that a security breach can cause. The lack of migration from XP suggests most banks feel they have sufficient security solutions in place to protect their networks, at least for now.

Some institutions, including major US banks like JPMorgan Chase, have opted to purchase extended support from Microsoft. This option is, however, most useful where a well‑defined migration plan is in place, as such support is only available for a maximum of two years.

Going forward, how quickly the upgrade process happens across the industry will depend on fraudsters’ ability to successfully exploit newly-discovered XP vulnerabilities at the ATM. For now, banks are confident that the risk is small, but a well-publicised breach would cause many banks to re-evaluate.

The post Less than 1% of European ATMs upgraded to Windows 7 appeared first on Payments Cards & Mobile.