Defunct OS risks ATM security

Microsoft winds down Windows XP support

ATMs running Microsoft's Windows XP face a serious cyberattack threat if banks fail to upgrade their security software quickly, warns a global computer security firm.

People line up at a Bangkok Bank ATM. Microsoft has announced an end to security support for the Windows XP Embedded version for bank ATMs by January 2016. Thanarak Khoonton

The California-based Symantec Corporation said 95% of the world's ATMs are supported by the Windows XP Embedded operating system (OS).

Microsoft has announced it will end its security support for Windows XP Embedded for bank ATMs on Jan 12, 2016, meaning cash machines running the OS will be left without security patches and potentially vulnerable to cyberattack.

The software maker yesterday stopped supporting its decade-old Windows XP for computers and mobile devices.

Symantec Thailand technical director Nopchai Tangtritham said the banking industry is at risk of increasingly sophisticated cyberattacks on ATMs.

For example, details are emerging of weaknesses that let hackers withdraw cash simply by sending an SMS to compromised machines, he said.

Late last year, new ATM malware called Backdoor.Ploutus emerged, originating in Mexico.

This malware lets attackers force ATMs to spew cash on demand using an external keyboard.

Mr Nopchai said while Thailand has seen no incidence of Backdoor.Ploutus, banks should be alert to threats and quickly upgrade to a new OS.

William Tan, country manager of the computer security firm Trend Micro (Thailand), said his company provided a virtual patching solution that lets computers continue running Windows XP with no vulnerability concerns.

Rachod Isarankura Na Ayuthaya, group leader for Windows business at Microsoft Thailand, acknowledged that Windows XP Embedded remains widely used by bank ATMs nationwide.

"We're in talks with Thai banks and cash machine makers to secure our newer OSs," he said.

Mr Rachod said at least 5 million computers in Thailand were still using Windows XP, mostly in state enterprise offices.

With the end of life for Windows XP, users must upgrade to later versions of Windows or purchase a new computer with a new OS.

A recent security survey found Windows XP Service Pack 3 was up to 5.68 times more vulnerable to viruses than the recent Windows 8 RTM version.

It had an 82.4% higher malware infection rate.

Local banks, meanwhile, have made assurances that Microsoft's plan to end support for Windows XP will have no effect on ATM cardholders or transactions.

Thai commercial banks have committed to migrating to Windows 7, which is compatible with chip-based technology, by early 2016.

Kwannet Rattanaprug, first senior vice-president of Kasikornbank (KBank), said local banks are unruffled by the demise of support for Windows XP, as they are gradually employing new software programs to prevent themselves from falling prey to financial fraud such as ATM cyberattacks.

With the upgraded features and better security of Windows 7, banks can prevent ATM skimming through biodetection technology that scans the cardholder's retina or fingerprint.

KBank, the country's fourth-biggest lender by assets, is upgrading its existing 800 ATMs nationwide to accept chip-based cash cards.

Bangkok Bank was the first financial institution in Thailand to offer chip-enabled ATM cards, shifting from the magnetic card system.
