April 8, 2014, marked the end of a computer era. Microsoft stopped supporting Windows XP, leaving 500 million current Windows XP users without software updates or security patches to protect their PCs. It’s a good business decision for Microsoft. After all, Windows XP is 12 years old, and the company needs its customers to buy newer products. However, because many consumers and businesses can’t afford to upgrade, they’re now vulnerable to cyber attacks.
People in the U.S. use automated teller machines (ATMs) every day, but they probably don’t realize that many of the country’s ATMs run on Windows XP. NCR, the country’s top ATM supplier, told CBS News that 95 percent of its cash machines still use Windows XP. By the time Windows XP support had ended, NCR estimated that it had fixed between 20 and 30 percent of those machines. A large number of the country’s ATMs are no longer receiving crucial security patches to protect them from cyber attacks.
Why Are So Many Machines Still Using Windows XP?
Windows XP got off to a slow start when it was released in 2001. At that time, most computers used Windows 95, and Windows XP demanded substantially more computing power. Also, Windows XP had poor driver support and substandard driver performance compared to Windows 95. Sales were sluggish until Microsoft released Service Pack 2 in 2004. By then, Internet usage had dramatically increased, and users needed the stability of Windows XP and Microsoft’s focus on system security. At its peak, over 80 percent of PC users operated a computer running Windows XP.
When Vista came out in 2006, most XP users didn’t want to purchase a new operating system. Although Windows 7 was well-received, it barely cracked 50-percent market share before the release of Windows 8. Consumers and businesses that stayed with Windows XP throughout the changes still had a decent product, even though computing technology and typical computer usage eventually outpaced XP’s capabilities.
Computers like ATMs don’t perform CPU-heavy functions, like downloading big files or playing online games, so banks saw no need to upgrade the machines. Also, after the economic downturn of 2008, many businesses chose not to invest in computer upgrades that weren’t absolutely necessary. As a result, older, simpler machines that didn’t need immediate modernization, like ATMs, continued using Windows XP. Today, one in five of the planet’s computers still runs on XP, which has created an “open season” environment for cyber crime and data breaches now that Microsoft no longer supports XP.
How to Hack an ATM
Stealing employee credentials is one way to hack an ATM, but it’s not the only way. Attackers also set up distributed denial-of-service (DDoS) attacks against banks, which flood the bank networks with traffic and cripple bank operations. As banks focus on shutting down the DDoS attack, attackers can then exploit vulnerabilities, like an ATM running on an unpatched Windows XP operating system.
The Federal Financial Institutions Examination Council (FFIEC) revealed recently that a hacker group called “Unlimited Operations,” which was under Secret Service surveillance, obtained over $40 million from just 12 debit card accounts by hacking into vulnerable ATMs. The group targeted small and midsized banks by sending out phishing emails designed to steal employee login credentials. Then, they used the credentials to hack into ATM control panels, changing the caps on how much money customers could withdraw from their bank accounts. They also changed controls on geographic usage limits, which allowed them to hit multiple ATMs using only one debit card. The group scheduled attacks on weekends and during holidays, which are times that machines carry larger amounts of cash.
What Consumers Can Do to Protect Their Accounts
Consumers can check with their banks to find out what operating system their cash machines use. If they don’t trust the bank’s ATM network, then they should consider switching banks. Also, they can stop using debit cards and use only credit cards for transactions. Credit cards aren’t connected to bank accounts, so credit card users never actually lose control of their cash.
The bad news is that any consumer or business still using Windows XP is now vulnerable to cyber attack. The good news is that antivirus software and services can help until users can afford to make an upgrade.
Image Credit: Windows XP logo image by Microsoft Corporation from Wikimedia Commons.