Up to 90 per cent of the UK’s cash machines still run Windows XP. With Microsoft support for XP now ended, what are the security implications for all of us? Cashpoints were first introduced around 40 years ago, making them something of a veteran in computing terms. The reason they have lasted this long while changing so little is that they remain the easiest way of accessing your cash.
Hackers can send texts to cash machines ordering them to dispense money or steal PIN data
But running behind every cash machine is a computer operating system similar to the one you have at home. Right now, it is estimated that between 80 and 90 per cent of cash machines in the UK run on the Windows XP platform, which is an alarming statistic when you consider that Microsoft recently ended its support for the 12-year-old operating system, rendering it a major security liability. Even Microsoft’s own Director of Trustworthy Computing, Tim Rains, said that after 8 April 2014 “Windows XP will essentially have a zero-day vulnerability forever”.
Combine this with the recent news that hackers have begun exploiting Windows XP security flaws to withdraw money from cash machines using their mobile phones, and you start to wonder whether we are looking at a serious cashpoint security crisis.
We contacted Link, the company in charge of the network linking almost all cash machines in the UK, to find out what steps it’s been taking to guarantee cash machines will be 100 per cent secure, now that XP is no longer protected by Microsoft. Link’s Sirin Kamalvand told us: “Most Link members will migrate to Windows 7-based cash machines. The vast majority of these migrations will take place during 2014 and 2015.” But what are the threats during this lengthy migration period? Will we be left at the mercy of hackers while waiting for cash machines to be upgraded?
As it turns out, the version of Windows XP running on most cash machines is a special “embedded” version that will continue to receive support to some degree until 2016. All major UK banks have reached an agreement with Microsoft whereby support for Windows XP will be extended until the migration is complete. Additional security will also be provided through third-party security software.
Other concerns raised over XP-based cashpoint security involve the recent hacking of machines using mobile-phone text messages. Using malware called Backdoor.Ploutus, hackers can use their mobile phones to send texts to cash machines, ordering them to dispense money, withhold someone’s card or steal a cashpoint user’s PIN data. This malware specifically targets Windows XP cashpoints and requires that the phone is connected to the cashpoint via a USB port.
“This is not something we have seen in Europe or the UK,” said Kamalvand. “There are improved access rules and procedures in the UK about who has access to ATMs. Also, in the UK, USB drives are removed or locked to prevent virus injection.”
So, while we await the biggest overhaul of our cash machines in more than a decade, it seems that UK cash machines will be protected against Windows XP vulnerabilities that arise in the meantime.
However, while cashpoint hacking seems unlikely to affect UK machines, cashpoint fraud in the UK is still on the rise thanks to “skimming” tools placed in card slots and fake keypads. It’s a good idea to check around the card slot, the top of the machine, and around the edges of the keypad for damage and glue-like residue. A hole in the wall at a bank is generally safer than a standalone cashpoint machine.
The Facts about UK Cash Machines
- 80 to 90 per cent of cash machines in the UK still run on Windows XP
- Hackers are exploiting security flaws in Windows XP using malware that lets them steal money with their mobile phones
- The majority of cash machines in the UK are expected to run on Windows 7 by 2015 (the same year that Windows 9 will be released)