The end is nigh – is your bank or credit union ready? More importantly, are your ATMs?
By the time you read these words, Microsoft may have already discontinued its support of the Windows XP operating system. That’s significant because the majority of the 400,000 or so ATMs in the United States – most estimates put the figure around 80 to 90 percent – run on Windows XP.
Those machines will continue to dispense cash on April 8, the day Microsoft ends support for the operating system it first rolled out in 2001. The real problem with running the outdated software has little to do with aesthetics, speed or features and everything to do with security: once support ends, newly discovered flaws will go unpatched.
“Day to day, they can still operate. The problem is that the bad guys will have an easier time finding ways to break in or break through the security because Microsoft will no longer be updating security functions for those machines. So if somebody develops a new way to hack into that software, Microsoft will not develop a new way to keep them out. It comes down to a security problem,” said David Paine, vice president of operations at CAI, a New Jersey-based ATM distributor.
ATMs still running Windows XP could be vulnerable to attacks like the kind security firm Symantec noticed in Mexico late last year. Hackers were able to upload a new type of malware to an ATM that allowed the machine to share an Internet connection with a mobile phone. The attacker then sent a command to the phone via text message, tricking the ATM into dispensing cash.
Microsoft recently announced it would extend anti-malware until July 2015, but that will only protect against known viruses, said Shane Creel, an adjunct professor at the New England College of Business and Finance.
“If I figure out a way to hack into the operating system, it doesn’t matter if you’re running those malware updates monthly; the update is not going to protect it,” he said. “Without these patches and security support, it’s going to be revealed as a game-over vulnerability.”
Dean Stewart, senior director of self-service product management at Diebold, added, “It’s important to note that [bank] ATMs are less vulnerable to attack because they are part of internal networks, not directly connected to the Internet, that have complex perimeter security. Banks undergo regular audits to ensure they stay up to date with all levels of security.”
“However, specific to this migration, compensating controls, such as white listing, are potential methods until the operating system can be replaced,” he said.
A Problem We Saw Coming
But Microsoft didn’t just wake up one morning in January and decide to discontinue Windows XP. The company announced it would discontinue Windows XP two years ago. So why haven’t banks upgraded yet?
Well, upgrading an ATM is no small cost, especially for a bank that’s already squeezed by regulatory demands and tight margins – and maybe there’s also a bit of what Creel characterizes as the human tendency toward procrastination.
“With 80 to 90 percent of ATMs being upgraded, people are asking why we didn’t start this sooner,” Paine said. “It really comes down to ROI. Initially, there is none for these banks. It’s really just a flat-out expense to the financial institutions. Obviously, they’re going to hang onto that XP operating system as long as they can.”
Paine estimated the cost of simply upgrading a machine to a newer operating system to be anywhere from $1,000 to $4,000 per machine, plus the cost of hiring the technician.
Steve Rindner, president of CAI, added that some banks have been considering new equipment altogether. The Windows upgrade is not the only issue: machines also need upgrades to accommodate the chip-based EMV cards that are already widespread in Europe and that are, it should be added, much less vulnerable to fraud of the recent Target data breach variety.
Depending on the type of machine, Rindner said a lobby ATM can cost anywhere from $12,000 to $120,000, with the average price falling somewhere in the $40,000 to $45,000 range.
And while some of the world’s biggest banks – the Royal Bank of Scotland, HSBC and Santander U.K., for example – have negotiated deals with Microsoft to continue XP support until 2016, smaller banks thinking about putting it off even further might want to consider Creel’s words: “Not only have the banks enjoyed not having to purchase additional equipment, but the people that want to break into [these machines], they’ve had 13 years of practice.”
Email: lalix@thewarrengroup.com