Security Windows

Windows XP Running Your ATM Or Ticket Machine? Time To Buy Online!

Christian Cawley 16-04-2014

Windows XP goes end-of-life in April 2014, after which Microsoft will no longer release bug fixes. If you’ve upgraded your PC then everything should be fine – but what about your bank? Have they upgraded?


The Risk Isn’t Necessarily With You

Have you upgraded from Windows XP yet Upgrade From Windows XP to a Modern OS in 7 Simple Steps It's time to say goodbye! Microsoft is ending official support for Windows XP on April 8 2014. Are you at risk? If you are still running this ancient operating system, it's time to upgrade. Read More ? If not, you can choose from several different options, but don’t feel that the onus is completely on you to stay secure. While it is important to ensure your home computer system is as up to date as possible – thereby ensuring that your copy of Windows is equipped with all of the latest security updates – it is also important that the companies you do business with are also suitably secure.

Sadly, this hasn’t been happening. For various reasons (usually cost) a vast number of businesses have been spending time burying their heads in the sand rather than coming to terms with the fact that their systems are going to become a lot less secure once Microsoft withdraws support for Windows XP in April 2014.

Although corporate security support has been increased to July 2015, this still doesn’t give businesses who haven’t yet made the necessary upgrades an awful lot of time to purchase and roll out new hardware running Windows 7, Windows 8 or even a Linux or Mac OS X desktop instead. While you might have taken steps to upgrade, the Windows XPocalypse has wider ramifications What The Windows XPocalypse Means For You Microsoft is going to kill support for Windows XP in April 2014. This has serious consequences for both businesses and consumers. Here is what you should know if you are still running Windows XP. Read More .

Among these are the customer-facing systems running on Windows XP. Things like rail ticket machines, ATMs and self-service petrol stations all use XP, and its continued presence represents an open door to digital criminals.

ATMs: Stay Away!

There is a strong possibility that you don’t use ATMs as often as you might have done 5-10 years ago. The proliferation of “cashback” services at checkouts in stores and supermarkets means that queues have gone down and the potential for fake machines has dropped.



However, if you do still visit ATMs to withdraw your wages, you likely do so from a system running Windows XP. If you’ve ever seen one of these machines crash or reboot, you’ll know that behind the simple set of options Windows XP is hiding. Once upon a time it was providing security against intrusion from sophisticated hackers; these days, its presence is arguably as big a headache as the breaches it once helped to prevent.

ATMs running Windows XP are rife for exploitation and should be avoided.

Avoid withdrawing money from an ATM by doing so over the counter at your bank. You might consider using point of sale cashback services too.


Ticket Machines: Buy Your Tickets Online

A similar situation exists for ticket machines on platforms and at bus and tram stations. Unless these machines have been installed in the last couple of years, you can expect to find Windows XP managing the data processing.


Do you trust such a machine with your credit card data?

If you want to purchase tickets, your best bet is to buy online in advance and have them shipped to your door, or else pay for them at the machine with cash.


Don’t Pay At The Pump

Again, petrol pumps at your local gas station may well be equipped to take payment, and if this is the case then your credit or debit card is at risk from the presence of Windows XP.


Such payment points are already a security risk, with scammers around the globe fitting their own card readers in order to skim credit card data.

A rule of thumb should be to avoid these at all costs. If you can’t, it is worth being prepared by setting up a pre-payment credit card with a low balance to be used specifically for paying for gas. Otherwise, pay the attendant.


Windows XP & Medical Records

A more difficult problem to circumvent is the way in which your medical records are stored.

A typical health organization might have robust data servers running one of the more recent Windows Server releases or a Linux server OS. Patient data will be stored in a SQL database, with information backed up daily and stored offsite.

The weak point is with the clinicians and secretaries, where there is a strong chance that at least some computers will be running Windows XP. These leave a health organization wide open to attack.


So what can you do about it?

First and foremost, you should ask your hospital and local doctor (or preferably the manager of the practice) the following questions:

  1. Do you still use Windows XP?
  2. What plans does your organization have when Microsoft drops support in April 2014?
  3. Are you aware that patient data will be at greater risk after this point?

Sadly, there isn’t a workaround for this. Like other businesses, your healthcare team will need to take the correct, responsible steps to ensure the safety of patient data. Should a breach occur and your data is involved, then there may be legal avenues to pursue.

Windows XP: The New Millennium Bug?

15 years ago, the IT world worked itself into a frenzy as it fought to combat the effects of the so-called Millennium Bug (aka Y2K problem) – an issue with the way computers calculate the date that was set to cause chaos come January 1st 2000 (or 1900, if the bug had its way). Although there was plenty of time to prepare for this, many businesses waited until the last few months to apply a fix.

Fast-forward to 2014 and the situation is recognisable, if not identical. Home users are largely protected (there are methods you can employ to “bulletproof” Windows XP 4 Ways To Bulletproof Windows XP Forever Windows XP is slated to be exterminated for good by Microsoft in April of 2014. It is the last stage of a multi-year effort to kill off the operating system. Windows XP is one of... Read More ) but businesses seem to have ignored the many warnings issued by Microsoft about Windows XP going end-of-life and the implications of this. The push to get domestic users onto Windows 7 and Windows 8 has been slow, but it would seem that even if you upgraded tomorrow, your bank, local government authority and hospital would still be running XP, with the impending security failings this will bring.

As such, you need to be careful where and how you use credit and debit card. As a rule of thumb, if you’re attempting to use the card at an exposed location, you should already be cautious of the risks. With unsecured Windows XP installations now providing an added threat, automated payment solutions should be avoided.

Image Credits: Featured Image by Gordon BarnesATM by Jimmy2kTicket Machine by Legoblock,  Gas Pump by SimpsonyiuDoctors Holding Laptop via Shutterstock

Related topics: ATM, Online Security, Windows XP.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Sawood
    May 7, 2014 at 10:40 pm

    Life is too short to stop using a machine because it is running XP. In the extremely rare case your card details were compromised, what bank these days doesn't have robust fraud teams to help return your cash and resolve the problem? There are risks to everything, and only reasonable precaution should be taken. Telling me to work out what OS every machine I interact with is running is absurd.

    Similarly quizzing a UK doctor on the NHS update roadmap is ridiculous - do you think he has time to care about that? Windows 8 won't let him treat a patient any better than XP, he has better things on his mind, and rightly so.

    • dragonmouth
      May 30, 2014 at 8:03 pm

      "In the extremely rare case your card details were compromised"
      Seems like credit card compromise is a rather common occurence.

      "what bank these days doesn’t have robust fraud teams"
      That is a very good question. If the banks have "robust fraud teams", why are credit card records repeatedly compromised???

  2. Colin
    April 24, 2014 at 11:29 pm

    Okay... I'm fed up of the FUD around XP and ATMs.
    1. Bios is locked down to prevent booting from other devices.
    2. OS is hardened and can stop any unauthorised executable working.
    3. Physical access required for any other realistic attack vector.
    4. Never ever ever ever ever connected to a network that can touch the internet. All communication done through host systems.

    Please call an ATM manufacturer for comment before writing such crap.

    • dragonmouth
      May 30, 2014 at 8:00 pm

      "Please call an ATM manufacturer for comment before writing such crap."
      Asking ATM manufacturers about the security of their machines is like asking Vatican its views on marriage - you are guaranteed to always get the party line.

  3. Steve
    April 22, 2014 at 3:30 am

    I find it amazing that any organisation would use a Microsoft operating system to run one app (especially an old one even if it's cut down as the embedded variety). If you want to minimise attacks then reduce your "attack surface". A hardened OS running only running the essential services is required, ideally one purpose built for such uses.

  4. JareLaScorn
    April 19, 2014 at 5:28 pm

    This is not a real security threat. ATMs are not any more vulnerable than they ever were. You would be far wiser to be more worried about your bank ripping you of than a hacker via an ATM.

  5. John W
    April 17, 2014 at 10:27 pm

    Cash machines are usually physically hacked with cameras, fake card slots, skimmers, key loggers - or physically ripped out of the wall with a mechanical shovel . Getting to talk to the Win XP in the machine and telling it to dispense cash is fruitless. It's just a front for the touchscreen or old physical buttons. The Sun Systems lump inside the bank is not going to change any time soon, nor does XP need to.

    Same with all the other stuff mentioned above. XP is all local to the ticket machine, petrol pump whatever. The ATM tells the back office it's had a card inserted and the chip or mag stripe has this code ..... It's the server that listens to the PIN number, the ATM couldn't care less. It just waits for sever authority to dispense cash / ticket / petrol and spit your card out again.

    XP could run on these machines forever running the dedicated hardware. The hardware is so dedicated that "updating" to Win 7 is not an option. The machine will have to be physically replaced.

    Finally, Win XP vulnerability comes from the internet. The guy operating a crane or a lathe with XP will do so for the life of the machine, perhaps 20 years. I have equipment biult in 1998 running Windows NT. It has never had a Microsoft update in it's life. The bigger worry is the Pentium III it is running on!

  6. A41202813GMAIL
    April 17, 2014 at 3:39 pm

    ... Or, Stay Away From EMoney, And Only Deal With Hard Cash, As Much As Possible.

    What A Concept.


  7. Rob H
    April 17, 2014 at 1:59 pm

    Do you really think these organisations have been ignoring the issue? I worked on Y2K for a Bank well in advance of 31 Dec 1999, we found and addressed plenty of potential issues but it would have been stupid to go to the press to say "everything's fixed" and then be made to look incompetent if some minor glitch had cropped up . Y2K was largely a non-event (to the disappointment of the media) BECAUSE of all the behind the scenes work. Only idiots with no knowledge assert that it was a complete scam because nothing failed. Nothing (significant) failed because of monumental efforts made to ensure it didn't. I'm happy to say I was paid a lot to be at work, on standby overnight "just in case" on New Years Eve/morning. I got a good night's sleep!

    Do you really think the OS in an ATM is an off-the-shelf copy of XP? Don't you think it may be a security hardened version stripped of everthing not essential to the function of the machine. Do you think your ATM will be running some ancient version of Internet Explorer - or any version at all? The majority of XP security issues have been with Explorer, device drivers or other applications rather than the core OS.

    I'm not saying there won't be any issues with devices running XP but I was involved with the Bank's ATM manufacturer for a while. They were so keen to control the hardware and software environment that they had special production runs of PC-like motherboards such that they could guarantee every one was absolutely identical. They had an arrangement with Intel such that not only was it a specific model of CPU chip but the stepping level would remain the same so there was no risk of small changes to the silicon impacting the operation of the ATM. (Stepping levels are small changes to the chip circuitry intended to increase yields, improve perfomance, fix bugs etc but are not the major architecture differences that would imply a name change, a bit like when a program version changes from version 3.5.124 to 3.5.125, probably something of very minor importance you can safely disregard).
    After any software changes, however minor, the system would be subjected to rigourous penetration testing.

    You might be more concerned about "Windows for Warships" that runs many of the UK navy vessels, I believe it's based on Windows 2000 and brings a whole new meaning to "Blue screen of Death".

  8. itlives
    April 17, 2014 at 11:54 am

    I think I should point it out that most of the machines mentioned in the article are running the Embedded version of Windows XP, which is still supported even after july 2015. It's not more dangerous to use them, for example to withdraw money, than it was last year. Despite this I fully agree that companies should upgrade as soon as possible.

    • Christian C
      April 17, 2014 at 12:02 pm

      "Most" is the operative word here. Many run the full XP, especially in the UK.

      We've heard this week, for instance, that in the UK the Link organization is pushing through upgrades to W7 throughout 2014 and 2015. This is the sort of decisive action - and announcement - that people need to hear.

      Sadly, Link doesn't manage all ATMs in the UK...

  9. Brandon
    April 17, 2014 at 11:35 am

    Most ATMs are running Windows XP embedded which is still being updated by Microsoft.

    • Kilroy
      April 17, 2014 at 6:12 pm

      Way to keep spreading the FUD (Fear, Uncertainty, and Doubt). As Brandon mentions most of the machines mentioned are running Windows XP embedded which will be supported by Microsoft until January 12, 2016 ( Additionally other than the use of card skimmers the attacks on these machines aren't against the users, but the machines themselves. Getting an ATM to dump its cash trays is worth more than skimming the cards used at the ATM. Trust me, the owners of the ATMs have a vested interest in keeping them secure.

  10. dragonmouth
    April 16, 2014 at 8:53 pm

    If you think that Vista, Win 7 or Win 8 is any more secure today, 4/16/2014, then you have your head burried in the sand. As long as Windows keeps using the same kernel it has used for the last umpteen years, it will not be secure, no matter how many band-aid security updates M$ applies. Windows needs to be rewritten from the ground up, with emphasis on security and Microsoft needs to address vulnerabilities as soon as they are discovered, not when M$ feels like getting around to fixing them.

    "15 years ago, the IT world worked itself into a frenzy as it fought to combat the effects of the so-called Millennium Bug"
    And now pundits, bloggers and the popular press are working themselves into a frenzy over the so-called XP End of Life. If you remember, or maybe you don't, Y2K came and went with a whimper, rather than a bang. There was no need to panic then and there is no reason to panic now.

    • y2k remedies were a success then
      April 16, 2014 at 11:39 pm

      Y2K came and went with a whimper, rather than a bang. Yes it did thanks to some hard work, I spent a few days contracting to a data communication company that I had previously been an employee at, we found a y2k bug that would have crashed almost all of their systems over the world on the evening of 1 Jan 2000, this would have been catastrophic for the businesses who were dependent on them, and possibly for their users too. The mitigation steps we put in place worked as planned and they didn't crash. So the effort investigating the issue was worthwhile. Windows XP poses totally different issues and is not really comparable .

    • pceasies
      April 17, 2014 at 1:03 am

      If you think the security features Microsoft has added since XP haven't improved security, you're naive.

    • Christian C
      April 17, 2014 at 12:04 pm

      "y2k remedies were a success then" is absolutely right. These two scenarios are comparable but for very different reasons, rather than similarities.

    • dragonmouth
      April 17, 2014 at 12:50 pm

      "would have crashed almost all of their systems over the world on the EVENING of 1 Jan 2000"
      Their systems would have crashed one second after midnight the MORNING of January 1, 2000. By the evening of 1/1/2000 it would have been all over, but for the finger pointing. :-)

      "If you think the security features Microsoft has added since XP haven’t improved security, you’re naive."
      "Improved security" is a vague term that sounds great in sounds bites by Microsoft management but is meaningless in real life. If you lock your front door, you add to the secuirty of your house but you do not make it secure. There are still more steps you can and should make to make it secure.

      "“y2k remedies were a success then” is absolutely right"
      Not to argue but part of the success was the remedies but another part was the fact that the problem itself was not as dire as predicted. Having worked for a large Y2K conversion house, I had a front row seat.

      "These two scenarios are comparable but for very different reasons, rather than similarities."
      The only comparison I am interested in is the amount of over-hype in both cases. Millenium Bug was supposed to bring Western Civilization to its knees. XP End of Life is supposed to bring 30% of world-wide Windows installations under immediate and vigourous attack. Western civilization barely noticed Y2K and, as of today, 9 days after M$ decommited support for XP, no wide-spread attacks have occured. Of course, the news could have been supressed out of embarassment. :-)