Microsoft will end support for the aging operating system after April
8, leaving unprepared financial institutions vulnerable to hacking.
FORTUNE -- After April 8th, 2014, Microsoft (MSFT) will end support,
including automatic security patches, for its 13-year-old Windows XP operating
system. This may sound like an inconvenience primarily for government agencies
and aging uncles, but another major set of Windows XP users are the automated
teller machines and credit card sales systems that handle billions of dollars of
transactions daily.
While major retailers and banks are likely to be well-prepared for the end of
XP, financial systems based on the software are also in the hands of a
far-reaching hodgepodge of independent ATM operators and small businesses.
Despite ample warning, industry analysts and insiders agree that high cost and
inconvenience will keep plenty of these smaller players running outdated
software for many months to come -- with serious implications for the security
of their systems.
Jerry Nevins, co-owner of the Kansas City cocktail bar Snow & Co., is
close to the dilemma. Snow & Co. bought a point of sale system less than a
year ago from the payments servicer Micros -- only to be told within a few
months of the need for an upgrade to Windows 7, at a cost of $1,700 for the
single-store system. Luckily, Snow & Co. was still under a service
agreement, so its upgrade was free. But as Nevins puts it, "If you're a small
business, an unexpected $1,700 might be like, eh, I'll go ahead and take my
chances." Moreover, Nevins describes a "huge line" of Micros customers waiting
for an upgrade. He's crossing his fingers that Snow & Co. will be upgraded
before the April 8 deadline.
Costs to retail credit card processors will vary widely, says John Berkeley
of Mercury Payment Systems. "If you have the right hardware you can just upgrade
the OS, but for some merchants upgrading from XP to Windows 7 can mean all new
hardware," likely costing much more than that $1,700.
The challenges of upgrading become even bigger in the case of ATMs. ATM
manufacturers are offering software upgrades for machines still based on XP --
though some of those have been available for less than a month. But the cost to
upgrade can be staggering.
According to Jay Weber, vice president in charge of North American debit and
ATM systems for FIS Global, "An ATM machine purchased in the last five years ...
would only need a software upgrade of $4,000 to 5,000 per machine." That
software cost is so high in part because much specialized software written for
Windows XP can't be easily ported to a new operating system. But ATMs 10 years
old or more would need to be completely replaced, and Weber says that new
high-end ATMs can cost at least $50,000 to $60,000 per device.
ATM operators and business owners are largely being left to decide on their
own whether to upgrade or not, says Weber. "Organizations are trying to look at
the investment of the upgrade and weigh it against their perceived risk" -- and
many seem to be ready to take their chances. "[April 9th] is going to come and
go, and there are going to be some merchants who haven't done it yet," says
Berkeley. Weber speculates that "it's going to be a trickle approach, a slower
ramp-up," with many systems going without an upgrade -- and therefore without
vendor security patches -- through the end of 2014.
This hesitancy may be worsened because operators are getting mixed messages
about their risk. The Payment Card Industry Security Standards Council has
issued public warnings about the need for retailers to upgrade their point of
sale systems, but its current set of standards, which are used to determine
eligibility to operate on credit card networks, do not require it. And Weber
himself seems sanguine: "The risk is hard to quantify. There's a lot of
technology in place in the marketplace to help mitigate the risk," such as the
"fairly closed telecom environment" that most payment systems operate on.
But Bogdan Botezatu, senior e-threat analyst for the anti-malware software
company Bitdefender, couldn't disagree more. He talks about the issue with the
barely suppressed terror of a father watching his teenage son drive solo for the
first time. "They're not panicky," he says, "and actually that makes me
panicky."
Botezatu, who haunts underground hacking forums to keep an eye on looming
security threats, claims that hackers are gearing up to raid suddenly insecure
XP machines the minute Microsoft support ends. "When an operating system is
announced as reaching its end of life, [hackers] are frantically looking for
exploits, because then they can use it indefinitely," he says. "It's the holy
grail of malware."
To take full advantage of the situation, black-market vendors selling new
XP exploits have been stockpiling them, waiting to release them until after
Microsoft is no longer monitoring and repairing security flaws. Though
third-party security firms will continue to update anti-malware programs for XP,
users not running or updating such software could be permanently vulnerable to
an ever-growing set of exploits. Even where anti-malware is kept current, it can
only recognize known malicious code; it does not close the underlying
operating-system flaws, which will stay open on unsupported machines. Mercury
Payment Systems' John Berkeley confirms that "If a hacker discovers [a
vulnerability] a month or two after the end of [XP support], they have more time
to exploit that."
These exploits could range from stealing credit card information from small
vendors to even more dramatic forms of theft, many of them easily circumventing
external security measures such as the semi-closed payments network. Botezatu
says there have been reports of an ATM exploit through a mobile phone connected
through an ATM's card reader. He also cites a legendary stunt by the security
expert Barnaby Jack at the Black Hat security conference in 2010, where he
demonstrated a "Jackpotting" hack that easily emptied an XP-based ATM machine.
According to Botezatu, Jack, who died in 2013, never revealed the nature of this
exploit, meaning that it could remain an unpatched vulnerability in XP-based
machines.
Most troubling of all, Botezatu predicts that unsecured XP machines of all
kinds will be compromised by hackers to form new botnets. A botnet, a network of
compromised machines that takes orders from an attacker without their owners'
knowledge, can be used for everything from massive denial-of-service attacks to
mining cryptocurrency, and would add substantially to the insecurity of the
Internet as a whole. "I see a lot of trouble," Botezatu warns.
Whether April 9th brings a plague of cash-spewing ATMs, zombie PCs, and
thieving credit-card readers remains to be seen. But Botezatu sounds exasperated
that he even has to consider these scenarios. "It's an operating system that was
released 13 years ago. Everyone should have started migrating two or three years
ago" to avoid the mad rush and risks that come with the end of support. He
hopes, at least, that this episode will motivate today's users to think about
the future.
"This is going to happen soon with other operating systems," Botezatu says.
"You should start upgrading from Windows 7 now."