According to a new report, 95% of ATMs in Mexico are still running Windows XP, an operating system that made its debut in 2001 and which recently hit its end of support deadline. Banks in Mexico are urged to upgrade their cash machines.
Jose Manuel Gonzalez Barragan, marketing director of Moneta Technologies, a technology and e-banking consultancy firm, is suggesting that these banks install Windows 7 or Windows 8 in ATM systems and enable remote management features. “The problem is that to update traditional ATMs, the person must physically go and install the new software, which permits these people to install any type of malware,” Barragan explains.
But it’s not easy to upgrade ATMs to Windows 7 or higher, as it requires memory and processor upgrades as well. In some cases, it requires a complete overhaul of the machine. Last year, malware named Ploutus was discovered, allowing hackers to send an SMS to access a breached ATM and force it to dispense cash. This malware was first installed through an infected CD or USB.
ATMs may run x86 processors and have a basic PC architecture, but they are far from being considered actual PCs. In fact, most ATMs don’t run a standard version of Windows; rather, they run Windows Embedded. Fortunately, Windows XP Embedded will continue to receive security updates till January 2016.
ATMs are an obvious target for attackers, but almost all successful attacks on ATMs are from the outside. Attackers can steal card credentials via skimming, use cameras to capture PINs, and then make duplicate cards. The ATM itself is typically hardened with controlled access to USB and network interfaces, as well as to the installation and configuration of software. User authentication is strengthened with two-factor authentication. In other words, ATMs are as safe as they can get.
However, banks have a lot of work ahead of them to upgrade their ATMs with a modern operating system, if they choose to do so. ATMs running Windows XP, likely the Embedded version, are not as vulnerable as Windows XP PCs, but the chance of an attack is still there when running an operating system that is over a decade old.