Slashdot Mirror

← Back to Stories (view on slashdot.org)

95% of ATMs Worldwide Are Still Using Windows XP

Posted by samzenpus on from the if-it-aint-broke dept.

BUL2294 writes "95% of the world's ATM machines are still running Windows XP and banks are already purchasing extended support agreements from Microsoft. (some of the affected ATMs are running XP Embedded, which has a support lifecycle until January, 2016). 'Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala. JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July; about 3,000 of its 19,000 ATMs need enhancements before the process can begin...'"

34 of 346 comments (clear)

  1. Relevant XKCD by iYk6 · · Score: 5, Funny

    https://xkcd.com/801/

    1. Re:Relevant XKCD by Art+Challenor · · Score: 5, Funny

      I was thinking this one: http://xkcd.com/463/

  2. Price? by mriswith · · Score: 5, Insightful

    The cost of the support agreements, would still be less than the replacement of several thousand ATMs and internal systems. There is a reason why people do this, and it's not just lazyniess..

    1. Re:Price? by icebike · · Score: 5, Interesting

      There is a reason why people do this, and it's not just lazyniess..

      Still, you would have thought they would have learned a few lessons by now.

      JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July;

      Anything that can run Windows 7 could run linux.
      Anything that can run embedded Windows 7 would have no problem running linux.
      Or OpenBSD.
      You can replace the entire motherboard and processor with something 10 times as expensive as a Raspberry Pi for $350, and still save money over paying Microsoft extensions for every terminal.

      There will be several companies dragged before congress. There have been multi-billion dollar losses. How many times do you have to let hackers make you their bitches before you cry uncle and at least look at a Linux solution?

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Price? by turbidostato · · Score: 4, Insightful

      "The cost of the support agreements, would still be less than the replacement of several thousand ATMs and internal systems."

      It won't. Is this extended support going to avoid XP from being replaced? I bet not. Therefore paying for the extended support *plus* replacing is certainly going to cost more than just replacing.

      "There is a reason why people do this, and it's not just lazyniess.."

      It *is* lazyness.

      The very day they started deploying XP they knew that would come to an end for the very reason they were using a closed-source license-based operating system.

      Paying through the nose now for something they knew it was coming but didn't nothing in time is the very definition of lazyness.

    3. Re: Price? by icebike · · Score: 3, Insightful

      Your spewing FUD.

      Google, Amazon, IBM, and even Microsoft themselves are all HUGE Linux users.
      Big business isn't afraid of Linux.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re: Price? by MightyMartian · · Score: 4, Insightful

      What a load of shit. Some of the biggest corporations in the world use Linux.

      IBM demonstrated quite nicely what happens when some patent troll tries to shut down Linux.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Price? by anubi · · Score: 5, Insightful

      This whole affair of what platforms to use puzzles me greatly. I am of the opinion that the selection process has everything to do with politics and little to do with substance.

      I feel a lot of it has to do with a corporate mentality of holding everything blameless with contracts which have to be signed off on before the business will do anything. "Hold Harmless" seems the byword of the day.

      I have tried to use Micrium's uC/OS products, based mostly on their certifications for mission critical affairs such as aircraft and life support . For me, this thing is like a "Super Arduino" for embedded applications.

      Business will pay for people to play down everything the "leadership" type does not understand, and personal experience tells me that if I do not recommend Microsoft, I will not get the job. Regardless of my belief and experiences to the contrary. Its been my observation that once one gets high enough in corporate hierarchy, one is forced to play CYA, and the only way to play is find someone else to pin the blame on if things go sour - better yet be able to blame someone big - so the guy who hired them does not take the fall for it.

      There seems to be a trivial amount of effort expended to mitigate the probability of a breach in the first place.

      I am not trying to shill for Micrium - I just like their product and their philosophies of supporting an OS. It is all quite well documented ( link to the book I use all the time ).

      NetBurners run this code. This had been the most robust system I have ever studied, yet I find few people who are willing to let me implement it - and for now it runs on a machine I have for my own edification.

      My own feeling if anyone wants to hack a bank ATM, go for it. No one's responsible, its just another ledger entry to the bank. If the thing gets too out of hand, the government will make it up to them.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    6. Re:Price? by icebike · · Score: 4, Informative

      Banco do Brasil moved to linux ATMs in 2008. IBM backends, Linux ATMs. As has Banrisul, largest southern region bank in Brazil.

      Third biggest ATM country in the world, and you haven't heard of it?

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re: Price? by icebike · · Score: 5, Informative

      Nice try:

      ORDER granting 829 Stipulation of Dismissal filed by Bedrock Computer Technologies, LLC, Google Inc. The verdict rendered in this matter is VACATED and all claims for relief asserted by Bedrock against Google are DISMISSED with prejudice.

      http://docs.justia.com/cases/federal/district-courts/texas/txedce/6:2009cv00269/116887/830/

      Bedrock also lost to Yahoo and Amazon, over the same patent and they have thrown in the towel.

      --
      Sig Battery depleted. Reverting to safe mode.
    8. Re: Price? by Culture20 · · Score: 3, Insightful

      no one bothers hacking 1000 machines

      They do if
      # eject /dev/cash
      spits out ten $20 bills at a time.

    9. Re:Price? by AmiMoJo · · Score: 5, Insightful

      Stop and think what using Linux would mean for them for a moment. They would have to pay hardware manufacturers to provide Linux drivers, or write their own. Those ATM NICs are proprietary and use certified encryption, so it's not even just a case of hacking some code together, it needs expensive certification as well.

      They would also have to employ some experts to do OS level support for them. They are not paying Microsoft for security patches, this is an embedded system. They are paying for technical support when they have issues. That cost would probably be close to what they would have to pay some Linux experts, and they wouldn't have any other company to blame when things went wrong.

      I'm not saying Windows is definitely a better solution, but Linux isn't as wonderful as you think either. No matter which one they picked they would have issues, but it an ancient Linux kernel that needs support or an ancient Windows kernel that needs support.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. should have gone with a browser... by johnjones · · Score: 3, Insightful

    I never understand why ATM's dont use HTML/SVG and then the OS is replaceable as a browser is the interface and a HTTP server security is well understood and network security would be part of a core competency

    thoughts ?

    john jones

    1. Re:should have gone with a browser... by dantotheman · · Score: 3, Funny

      Maybe they do now, but the ATMs in question are so old they are running a 12 year old OS. Do you happen to remember the state of HTML and web browsers 12 years ago? I'll give you a hint. They certainly didn't support SVG then.

      HTML/SVG tend to be sandboxed to some extent... ditto for JavaScript... how do you propose your HTML based ATM interact with the card reader, cash dispenser, receipt printer or deposit slot?

      ATMs are more than just a touch screen with a UI.

      ActiveX controls running in IE 7

      shiver...

    2. Re:should have gone with a browser... by Artifakt · · Score: 3, Informative

      On some designs, a 16 key pad has extra pinouts which were originally intended to drive the circuits for Dual Tone Multi Frequency signalling built in (think of AT&T). These don't drive tone generators in ATMS, but they may reliably put out a square wave 1/2 second long pulse while the main pinouts are outputting a pulse of the length the finger stays on the key.
              On other designs, it has sensors to disable signaling when temperatures get above a certain value (think of the anti-fire security common on elevator keypads - this gets used on some 16 key designs because they also get used in door security systems, rather than them commonly being used in elevators, or people really worrying that an ATM on fire may start spewing money).
              Some designs used to incorporate the very same additional chipset used in soda machines so the owner could put those into maintenance modes (see "hacking coke machines"), and they let the ATM service tech run diagnostics by entering a reserved pin number or longer sequence, but I'm not sure if any of those last are still in use.
              There are rumors of radio frequency signalling built in, and sometimes actually used to get the pad signal to the servos it controls when the physical mounting for the ATM is in a sufficiently awkward location. I don't think those rumors are likely, but I wouldn't just assume they are completely bogus either. Alternately, I suspect the parent poster may be referring to various claims that the pads can be used to scan fingerprints and even to tell a live finger from a severed one, but these last are certainly urban legends.

      --
      Who is John Cabal?
  4. Obvious choice I think by Mateo_LeFou · · Score: 5, Funny

    Windows XP is the only operating system stable & secure enough to handle sensitive transactions such as cash dispensing.

    --
    My turnips listen for the soft cry of your love
  5. Windows.. by nurb432 · · Score: 4, Insightful

    Is a bad choice anyway. Not just a Microsoft bash, but aside from all the security issues, windows is XP is a desktop platform, not a OS to be putting on dedicated devices ( even the so-called embedded version really isn't any more appropriate for this, don't let the marketing folks fool you )

    An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.

    --
    ---- Booth was a patriot ----
    1. Re:Windows.. by Em+Adespoton · · Score: 5, Insightful

      An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.

      It is... it's called XP Embedded, as outlined in the summary. And yes, bank machines were a major target during XP Embedded's design phase.

      Of course, it would make MORE sense to use an embedded OS where the banks/ATM manufacturers have full access to the source.

    2. Re:Windows.. by erice · · Score: 4, Insightful

      Is a bad choice anyway. Not just a Microsoft bash, but aside from all the security issues, windows is XP is a desktop platform, not a OS to be putting on dedicated devices ( even the so-called embedded version really isn't any more appropriate for this, don't let the marketing folks fool you )

      An ATM should be running off a custom embedded OS targeted for this purpose, not a commodity OS.

      Who is going to write, maintain, and keep secure this custom OS?

      The trouble with custom embedded OS's is that, in spite of the best intentions to limit their scope, they almost always need more features than can be written from scratch by a small team and be obviously secure. So they port code from more commodity OS's. Due to limited resources, the code in the embedded OS tends to fall behind. The porting effort can introduce bugs too that are non-obvious to the guy doing the port because he doesn't fully understand what he is porting.

  6. yes, but... by Anonymous Coward · · Score: 5, Funny

    "95% of the world's ATM machines are still running Windows XP

    Yes, but what about the *automatic* ATM machines? Those are the ones I most am concerned about.

  7. Go to 8 by cosm · · Score: 5, Funny

    To hell with 7. Please put Windows 8 on the ATMs instead! I already love how ATMs do a wonderful job of selecting the wrong option for me after finally getting the card to take, only to then take me into the Spanish menu, spitting out a receipt, and then not accepting my card again while the line forms behind me! Metro can only enhance this lovely experience! Hell, add a kinect to it so when I flip it a golden salute it recognizes my input and doubles the ATM fee! Gotta keep up with the bank's great customer service these days!

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Go to 8 by CannonballHead · · Score: 4, Insightful

      Actually, how would Metro be a bad thing? This is pretty much exactly what Metro is meant for - one application, completely full screen, used with a touch screen ...

  8. I throw this out there often by TheRealMindChild · · Score: 5, Interesting

    As someone who has worked with Diebold, they have never have more than 3 programmers and they only use and have ever used Visual Basic. This is why their ATMs (and voting machines) are required to run Windows.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  9. Re:Global Financial Collapse by roc97007 · · Score: 4, Insightful

    Actually, that doesn't worry me nearly as much as Windows for Warships.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  10. Re:What about OS/2? by Anonymous Coward · · Score: 5, Interesting

    OS/2 was entrenched. The ADA a couple of years ago declared that all ATMs must have blind support. That meant adding sound. The OS/2 machines could in the main not support that service and as such were retired. It was a field day for NCR, Hyosung and Diebold with hundreds of thousands of new ATMs being purchased. These new ADA compliant ATMs were replaced mostly by Windows XP driven ATMs, with the promise that the ATMs could be upgraded to Windows 7 when it became necessary.

    I have only been working with Diebold, but they are refusing to hire sufficient (or maybe any idk) additional hands to deal with the necessary surge in maintenance to upgrade to Windows 7.

    All that being said, the XP ATMs are perfectly safe. They are behind some rather crazy firewalls. It would be rather difficult to get into them to take advantage of any potential problem. (The issue for the bank / ATM driver / card processor not being the loss of the cash, but rather the loss of the customer information.)

    Hmmm. Better post this anonymously.

  11. Re:Let's go one better... by Anonymous Coward · · Score: 4, Informative

    I worked for an ATM software development shop called Phoenix Interactive. The software we wrote was mostly C++, with some C mixed in to deal with updating the main software. The main ATM manufacturers (Diebold, Wincor, NCR) all only create Windows drivers (or did, 10 years ago when I worked there). The OS is locked down hard, while you may see the occasional blue screen, even if you had a keyboard plugged in you would not be able to stop the software from running or move it to the background without triggering a restart and a tamper alert back to the bank. Windows can be locked down just as well as Linux, it's just a royal pain in the ass to do so.

  12. Re:The Market? by icebike · · Score: 5, Insightful

    Because Microsoft can be sued if they need to?

    Ah, no. Not going to happen.
    Your hardware, you installed the software,
    You managed it for the last 10 years,
    You probably didn't apply patches...

    No way that ever gets a dime out of Microsoft in court.

    --
    Sig Battery depleted. Reverting to safe mode.
  13. OS/2 Warp by transporter_ii · · Score: 3, Informative

    [O]verall, OS/2 failed to catch on in the mass market and is little used outside certain niches where IBM traditionally had a stronghold. For example, many bank installations, especially Automated Teller Machines, run OS/2 with a customized user interface.

    http://en.wikipedia.org/wiki/OS/2

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  14. Re:The Market? by camperdave · · Score: 3, Insightful

    Banks wouldn't sue in a case like this. Banks would go to the government for a bailout.

    --
    When our name is on the back of your car, we're behind you all the way!
  15. JP Morgan by Nethead · · Score: 3, Interesting

    About two years ago I was a field tech and would get service calls to JPMS. Most of the time it was just to move fax machines around or to make a jack live. Sometimes it was to try to get a PC to boot. There is SO much legacy cruft in the boot image of a JPMS desktop that it can take three boots just to get the damn thing stable. Some of the boot code even flashes by "DOS TCP/IP 1.0" as it goes by. They have decades of cruft to dig through to get those things anywhere modern. I have pity for the admins trying to roll this out, I really do.

    On the other hand that damn image is used by hotshot investment brokers to transact multi-million dollar trades everyday. That image is a lot of their "secret sauce" that they use to make a shit load of cash. It's a tool that has made them trillions. I can see why they don't want to fuck with it. They would gladly have me hang around for a day at a few hundred dollars an hour (not that I was seeing 20% of that) just to make sure the hotshot could do his job. The hotshot's downtime cost them thousands of dollars an hour. Imagine having to roll out an image to 1000 hotshot desktops and have it fail for even a day.

    That's a lot of incentive to keep the boat from rocking, whatever the cost.

    Remember that a lot of that legacy code is interfacing with mainframes that are running code before the advent of PCs.

    --
    -- I have a private email server in my basement.
  16. Let me laugh even harder... by Anonymous Coward · · Score: 5, Informative

    All that being said, the XP ATMs are perfectly safe. They are behind some rather crazy firewalls.

    Nope.

    http://www.extremetech.com/extreme/173701-atms-running-windows-xp-robbed-with-infected-usb-sticks-yes-most-atms-still-run-windows

    And another successful attack vector using Plotus http://www.atmmarketplace.com/article/221087/Mexican-ATMs-fall-prey-to-new-cyberattack

    Successful malware attacks (both gaining access to the local cash and screen scraping and keystroke recording of customer information) through ATMs have been going on since 2008 and Diebold would most certainly be well aware of this, even if they are choosing not to bring it to your attention.

  17. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  18. Not just ATMs.... by ub3r+n3u7r4l1st · · Score: 3, Interesting

    Went to a hospital a week ago that was newly opened late last year. All workstations are the Lenovo all-in-ones with the Windows 8 sticker on it. Guess what operating system they are running on now .... Windows XP Professional (at least that's what the screen saver said.)

    I saw an IV infusion pump being rebooted by a nurse. I hear the famous chine of Windows XP shutting down.

    --
    New Economic Perspectives
  19. Re:Why XP? by tftp · · Score: 5, Informative

    why would they chose XP in the first place

    XP was a very good choice compared to Linux as it was 12 years old. Cost of Windows ($50 per copy?) was entirely immaterial. The important things were maturity, support, features, and toolchain. Linux in the year 2000 was light on those. Where in Linux's Event Viewer is the Security Log? How many objects can be audited in Linux? In NT - a lot, and it all was available immediately. In the toolchain department even today autotools give you a horrifying experience compared to MSVC.

    Developers of ATM took the most complete foundation for their work (the OS) and then added what was custom. If they started with Linux, or BSD, or DOS, they'd have to add far more - and the more you write yourself the more you have to maintain. If they started with Linux that would be kernel 2.0.x - and today we are on 3.x, with gigabytes of patches applied to libc and other essential components of the system. It would be extremely difficult to upgrade and maintain.

    and why have they not moved to something else in the last decade?

    Who is going to pay money for fixing what isn't broken? It's not broken even today, that's why they want to keep the machines running. It's pretty expensive to send engineers to tens of thousands of ATMs to upgrade them, since doing it remotely might be too scary. The hardware also probably went through ten revisions, so each ATM runs its own set of drivers that were customized to the hardware that is installed. Your upgrade task would require you to support all that old hardware - and that is a dead end job. Better to just keep the thing running until it falls apart, and then replace it.