The Vast Majority Of Bank ATMs Will Be Suddenly Vulnerable To Hackers On April 8


On April 8, Microsoft will end its support for Windows XP, leaving up to 95% of bank ATM machines vulnerable to hackers.

Machines running outdated operating systems, unbacked by corporate security updates, are the easiest types of computers to hack. And most ATMs run Windows XP.

Microsoft is expecting hackers to go to work on machines running XP as soon as the April 8 deadline passes: “The probability of attackers using security updates for Windows 7, Windows 8, Windows Vista to attack Windows XP is about 100 per cent,” Timothy Rains, Microsoft’s director of trustworthy computing, said recently.

Windows XP was originally launched in 2001 and is widely regarded as the best version of Windows ever. Just under 40% of PC users still run Windows XP on their desktops. Microsoft is trying to force all those users to upgrade to newer, more secure versions of Windows. The company originally tried to migrate everyone off XP back in 2007, but people liked it so much many refused to upgrade. So Microsoft begrudgingly kept up support for XP for seven more years.

Now, Microsoft is finally pulling the plug, and bank ATMs still running XP are about to become Target No.1 for hackers.

The world of bank ATMs moves even more slowly than personal computer users. NCR estimates that up to 95% of ATMs run XP, and that only a third of them will have been converted to new systems by April 8.

Many banks are paying Microsoft to extend support for XP on cash machines while they make the switch to Windows 7, according to Reuters.

More here - finance.yahoo

Link to comment

I saw this on one of the television news channels and have to admit it doesn't make any sense to me.

I'm quite sure ATM machines are not connected to the internet or any other publicly accessible network. So in order for a potential hacker/attacker to take advantage of a vulnerability in the operating system of an ATM machine they would first have to gain access to a financial institution's private network which most certainly doesn't run on Windows XP.

Or am I missing something?

Link to comment

I saw this on one of the television news channels and have to admit it doesn't make any sense to me.

I'm quite sure ATM machines are not connected to the internet or any other publicly accessible network. So in order for a potential hacker/attacker to take advantage of a vulnerability in the operating system of an ATM machine they would first have to gain access to a financial institution's private network which most certainly doesn't run on Windows XP.

Or am I missing something?

Afraid so.

While network traffic to and from those machines will be heavily encrypted, they are on a network and that would be "the internet", i.e. run through the same cables. It's called a VPN (virtual private network).

Banks are not in the business of digging for their own cables. Might be different for short connections between server plants, but not for keeping every single ATM in a country on a live connection, which those obviously need.

So there is the possibility to reach a machine's network adapter and insert some malformed code to breach through whatever firewall these machines might have, quite like on a normal computer. Ask the NSA for specifics.

There was one very interesting case in Europe where criminals had obviously had access to one make of ATM (probably ripped it off the wall) and knew exactly where the connectors on the standard PC mainboard lay. So they cut a wee hole in the side of an operating ATM to insert a USB-Stick that changed the operating system on the thing, and skillfully shut that hole. They could now, by typing a long passphrase individual for each infected machine on the num-pad, go into a special user interface and make unlimited withdrawals without the machine logging them, and then reset the thing to normal operation.

Was even a nice user-friendly interface with an option to erase the whole trojan.

Link to comment

Clear as mud to me. Please explain how Windows XP, a personal OP PC system, works on an ATM? Is it similar to connecting to an Internet account on a PC?

Because for cost-effectiveness they didn't make up their own embedded system or special hardware. An ATM is basically a normal over-the-counter PC in a big sturdy box with money-telling slot and machinery or what you might call it.

It's all normal PC stuff: a motherboard, ethernet adapter, graphic-chip, hard drive. On the rare occasions the things crash you can see your well-accustomed XP-desktop or bluescreen-of-death.

Link to comment

Microsoft have already said they will support embedded XP (in ATMs and POS systems etc.) until 2016 - and unofficially (slightly - it was an official letter, leaked) in China for XP consumers because the Win 7 uptake is almost non-existent.

Link to comment

Say thank you Microsoft. I will stop using ATM machines til they change XP. I have to throw away my perfectly good computer.

I'm going to chrome. I'm done with Microsoft products.

You don't have to throw away your computer. You can continue using it and rely on firewall software if that's what you want. XP is not going to stop. It is just not going to be supported by MS.

Link to comment

Yawn - sounds pretty much like all the pre-1999 (Y2K) hype.

"HURRY ! Buy our product NOW or airplanes will start falling from the skies, pacemakers will explode in your chest and we'll all be back in the Stone Age come 1 Jan 2000 ! Hurry and buy our guaranteed upgrade before it's too late !"

So much frikken BS hype that people like myself (and others in uniform) spent New Year's Eve 1999 manning emergency response centers "just in case". Some software companies made a bundle selling useless upgrades for a problem the computing industry knew existed literally from the day the first PCs and OSs were sold (banks knew about the "00" date issue as far back as 1975 when they were amortizing 25 year mortgages).

Now what we have is MS in a bind because nobody likes their "new and improved" OS and, surprise-surprise, hardly ANYONE wants their computer to look/act like their frikken phone. The only way they can get people to buy the new system (so they can try to recoup all those wasted development costs) is to stop supporting older, more popular versions of their software.

It is unlikely that just because MS stops supporting the software on 8 Apr that hackers are lining up with hacks that for some reason will suddenly work that same day. And I'll bet a lot of companies are balking at upgrading to Windows 7 when 8 is out and 9 is coming soon. But that's a part of the whole marketing plan. Just like it is with PCs themselves.

Not long after I bought my first 286 they came out with a 386 chip. It was all the "rage" and soon all new software and games would only work on that chip, not the "slightly" older 286. I resisted upgrading mainly because I'd just read an article mentioning that the 486 "Pentium" chip was already in mass production, and "they" had a 586 chip ready to go once the sales of 486 chip equipped machines started to sag.

And that lit a very large light bulb. They had the more advanced tech ready to go, but deliberately held it back until sales of the older tech had slowed down to a certain degree, indicating that the majority of the consumers had upgraded to that level already. Then they bring out the newer chip so everyone is forced to upgrade again, sometimes barely months after just having upgraded previously !

MS is pretty much doing the same. Bring out a new OS when they see the sales of previous versions is slowing down. Write the OS so that most older programs are no longer compatible (meaning software developers have to redo their programs to be compatible, which means you have to buy the new OS in order to keep running the upgraded versions of software you already have and was working fine before). If Win 9 is shipping now, then they probably have Win 10 queued up in the production lines and Win 11 is probably getting its pre-production QA checks and final polishing.

If financial institutes are reluctant to upgrade to newer versions of Windows, MS has no one to blame but itself, for continuously releasing such buggy versions of its software that they require constant patching and upgrades to keep them going. Banks do not want to have to be upgrading the software in their huge ATM chains every week (or more often) and risking their machines crashing frequently (which would of course drive customers to use other banks' ATMs). Not to mention that every frikken new version of the OS that comes out would require them to buy 10s of thousands of new licences.

Unfortunately, until someone comes out with a better system (no, not Linux), one that is better in every way than windoze and easy for people to switch over to, we are stuck with what we have.

Link to comment

There might be practical mitigating actions that the banks can take. But what the banks are doing remains to be seen. See "Mitigating risk after April 8 - without Windows 7"

http://www.atmmarketplace.com/article/226707/Mitigating-risk-after-April-8-without-Windows-7

I've asked a couple of banks by email what they are doing, and if I get any relevant answers I will post them.

Link to comment

Yawn - sounds pretty much like all the pre-1999 (Y2K) hype.

"HURRY ! Buy our product NOW or airplanes will start falling from the skies, pacemakers will explode in your chest and we'll all be back in the Stone Age come 1 Jan 2000 ! Hurry and buy our guaranteed upgrade before it's too late !"

So much frikken BS hype that people like myself (and others in uniform) spent New Year's Eve 1999 manning emergency response centers "just in case". Some software companies made a bundle selling useless upgrades for a problem the computing industry knew existed literally from the day the first PCs and OSs were sold (banks knew about the "00" date issue as far back as 1975 when they were amortizing 25 year mortgages).

Now what we have is MS in a bind because nobody likes their "new and improved" OS and, surprise-surprise, hardly ANYONE wants their computer to look/act like their frikken phone. The only way they can get people to buy the new system (so they can try to recoup all those wasted development costs) is to stop supporting older, more popular versions of their software.

It is unlikely that just because MS stops supporting the software on 8 Apr that hackers are lining up with hacks that for some reason will suddenly work that same day. And I'll bet a lot of companies are balking at upgrading to Windows 7 when 8 is out and 9 is coming soon. But that's a part of the whole marketing plan. Just like it is with PCs themselves.

Not long after I bought my first 286 they came out with a 386 chip. It was all the "rage" and soon all new software and games would only work on that chip, not the "slightly" older 286. I resisted upgrading mainly because I'd just read an article mentioning that the 486 "Pentium" chip was already in mass production, and "they" had a 586 chip ready to go once the sales of 486 chip equipped machines started to sag.

And that lit a very large light bulb. They had the more advanced tech ready to go, but deliberately held it back until sales of the older tech had slowed down to a certain degree, indicating that the majority of the consumers had upgraded to that level already. Then they bring out the newer chip so everyone is forced to upgrade again, sometimes barely months after just having upgraded previously !

MS is pretty much doing the same. Bring out a new OS when they see the sales of previous versions is slowing down. Write the OS so that most older programs are no longer compatible (meaning software developers have to redo their programs to be compatible, which means you have to buy the new OS in order to keep running the upgraded versions of software you already have and was working fine before). If Win 9 is shipping now, then they probably have Win 10 queued up in the production lines and Win 11 is probably getting its pre-production QA checks and final polishing.

If financial institutes are reluctant to upgrade to newer versions of Windows, MS has no one to blame but itself, for continuously releasing such buggy versions of its software that they require constant patching and upgrades to keep them going. Banks do not want to have to be upgrading the software in their huge ATM chains every week (or more often) and risking their machines crashing frequently (which would of course drive customers to use other banks' ATMs). Not to mention that every frikken new version of the OS that comes out would require them to buy 10s of thousands of new licences.

Unfortunately, until someone comes out with a better system (no, not Linux), one that is better in every way than windoze and easy for people to switch over to, we are stuck with what we have.

Ah.....those were the days. I still remember when I asked the computer shop to upgrade my new 386 to 1 meg of memory from the standard 640k. The guy asked me why the hell I wanted a "super computer" with so much RAM.

Link to comment

Ah.....those were the days. I still remember when I asked the computer shop to upgrade my new 386 to 1 meg of memory from the standard 640k. The guy asked me why the hell I wanted a "super computer" with so much RAM.

Getting "Ultima V" to run springs to mind. Along with installing a Creative Soundblaster 1st generation yourself ...

Link to comment

"...only a third of them will have been converted to new systems by April 8."

Anyone know who these banks are?

Just look for this logo on the ATM:

[image: Apple logo]

That's it, I'm taking my money out and putting it in my pillow case.

Link to comment

ATMs are closed systems and completely isolated from the Internet and other sources that could insinuate themselves onto the operating system.

They absolutely will not be getting any viruses.

There's a podcast at Grc.com that covers this whole issue.

Link to comment

Hackers my arse they have to hack the banks com The workings of Atm: [image: atm1.gif]

Countless times I've seen the computer and modem being left outside the ATM box itself, running happily on the floor next to it with the service guy gone who knows where. All you need to do is plug in a usb stick and reset.

Link to comment

Gsxrnz, on 20 Mar 2014 - 09:56, said:
Kerryd, on 20 Mar 2014 - 09:44, said:

Yawn - sounds pretty much like all the pre-1999 (Y2K) hype.

"HURRY ! Buy our product NOW or airplanes will start falling from the skies, pacemakers will explode in your chest and we'll all be back in the Stone Age come 1 Jan 2000 ! Hurry and buy our guaranteed upgrade before it's too late !"

So much frikken BS hype that people like myself (and others in uniform) spent New Year's Eve 1999 manning emergency response centers "just in case". Some software companies made a bundle selling useless upgrades for a problem the computing industry knew existed literally from the day the first PCs and OSs were sold (banks knew about the "00" date issue as far back as 1975 when they were amortizing 25 year mortgages).

Now what we have is MS in a bind because nobody likes their "new and improved" OS and, surprise-surprise, hardly ANYONE wants their computer to look/act like their frikken phone. The only way they can get people to buy the new system (so they can try to recoup all those wasted development costs) is to stop supporting older, more popular versions of their software.

It is unlikely that just because MS stops supporting the software on 8 Apr that hackers are lining up with hacks that for some reason will suddenly work that same day. And I'll bet a lot of companies are balking at upgrading to Windows 7 when 8 is out and 9 is coming soon. But that's a part of the whole marketing plan. Just like it is with PCs themselves.

Not long after I bought my first 286 they came out with a 386 chip. It was all the "rage" and soon all new software and games would only work on that chip, not the "slightly" older 286. I resisted upgrading mainly because I'd just read an article mentioning that the 486 "Pentium" chip was already in mass production, and "they" had a 586 chip ready to go once the sales of 486 chip equipped machines started to sag.

And that lit a very large light bulb. They had the more advanced tech ready to go, but deliberately held it back until sales of the older tech had slowed down to a certain degree, indicating that the majority of the consumers had upgraded to that level already. Then they bring out the newer chip so everyone is forced to upgrade again, sometimes barely months after just having upgraded previously !

MS is pretty much doing the same. Bring out a new OS when they see the sales of previous versions is slowing down. Write the OS so that most older programs are no longer compatible (meaning software developers have to redo their programs to be compatible, which means you have to buy the new OS in order to keep running the upgraded versions of software you already have and was working fine before). If Win 9 is shipping now, then they probably have Win 10 queued up in the production lines and Win 11 is probably getting its pre-production QA checks and final polishing.

If financial institutes are reluctant to upgrade to newer versions of Windows, MS has no one to blame but itself, for continuously releasing such buggy versions of its software that they require constant patching and upgrades to keep them going. Banks do not want to have to be upgrading the software in their huge ATM chains every week (or more often) and risking their machines crashing frequently (which would of course drive customers to use other banks' ATMs). Not to mention that every frikken new version of the OS that comes out would require them to buy 10s of thousands of new licences.

Unfortunately, until someone comes out with a better system (no, not Linux), one that is better in every way than windoze and easy for people to switch over to, we are stuck with what we have.

Ah.....those were the days. I still remember when I asked the computer shop to upgrade my new 386 to 1 meg of memory from the standard 640k. The guy asked me why the hell I wanted a "super computer" with so much RAM.

Ah, we do go back a long way, I can remember wanting to upgrade my 386SX, from 1MB to 2MB of memory, it would cost $100/MB and I had to remove the existing chips then repopulate the motherboard, my current PC has 16GB of memory, which using $100/MB my PC has the equivalent of $1,600,000 worth of memory never mind the CPU, graphics cards etc.

Link to comment

MrWorldwide, on 20 Mar 2014 - 10:46, said:
rickirs, on 20 Mar 2014 - 10:22, said:

"...only a third of them will have been converted to new systems by April 8."

Anyone know who these banks are?

Just look for this logo on the ATM:

[image: Apple logo]

Or more likely this

[image]

Link to comment

Hackers my arse they have to hack the banks com The workings of Atm: [image: atm1.gif]

Countless times I've seen the computer and modem being left outside the ATM box itself, running happily on the floor next to it with the service guy gone who knows where. All you need to do is plug in a usb stick and reset.

"Countless times..."? Never seen this myself. Sorry to be rude but I am more than a little sceptical.
Link to comment

ATMs are closed systems and completely isolated from the Internet and other sources that could insinuate themselves onto the operating system.

They absolutely will not be getting any viruses.

There's a podcast at Grc.com that covers this whole issue.

Isolated? So how do you suppose they obtain authorisation from your bank for your withdrawal? Lol.

Link to comment

Hackers my arse they have to hack the banks com The workings of Atm: [image: atm1.gif]

Countless times I've seen the computer and modem being left outside the ATM box itself, running happily on the floor next to it with the service guy gone who knows where. All you need to do is plug in a usb stick and reset.

"Countless times..."? Never seen this myself. Sorry to be rude but I am more than a little sceptical.

F.ex at the ex-Carrefour (BigC extra), in Tukcom, couple of times in Lotus @ Thepprasit to mention a few. Not a rare occurrence. In BigC extra the whole machine was once pulled out of the wall with the innards open to all, while people were withdrawing money. Should have taken a pic but didn't have a camera on me.

Link to comment

There might be practical mitigating actions that the banks can take. But what the banks are doing remains to be seen. See "Mitigating risk after April 8 - without Windows 7"

http://www.atmmarketplace.com/article/226707/Mitigating-risk-after-April-8-without-Windows-7

I've asked a couple of banks by email what they are doing, and if I get any relevant answers I will post them.

I will be very surprised if you get any replies to your emails

Link to comment

Say thank you Microsoft. I will stop using ATM machines til they change XP. I have to throw away my perfectly good computer.

I'm going to chrome. I'm done with Microsoft products.

When I get back to the UK I'm going to buy an Acer chromebook C720 - it costs 200 pounds, takes 5 - 7 seconds to boot up and has an 8 hour battery life!!!

Link to comment
