Question?
How common is XP in ATMs in other countries? And what are the other countries doing about it?
The Reserve Bank of India has given that country's banking sector a hard deadline to get Windows XP out of its ATMs: June 2019. That's more than five years beyond the May 2014 end of support for the OS. In a notice to the nation's banks, issued last on June 21st, 2018, the Reserve Bank makes it clear that XP “and other …
Let me answer your question with regards to my home country, Jordan.
- All ATMs I have run across run XP. I could see them booting up in the early morning.
(I have no concrete figures though. Banks and businesses hate to cite these, citing reasons like "confidential" and "none of your business, kid!").
- What are we doing about it? If it ain't broke, don't fix it. And if they cared to fix it, they have the administrative hierarchy (boss's boss's boss's boss has to approve, and maybe Central Bank too?)
- But ATM physical security is strong. I once got suspiciously eyed by security guards for curiously eyeing an ATM in maintenance mode (or whatever they call it).
At least, the Microsoft licensee over here ensures that businesses and banks (even major schools too) don't pirate Windows, so we have paid for the licenses.
But it's not the same everywhere in the country. For example, my university are already on Windows 10 Enterprise and Enterprise LTSB, and in the worst, Windows 7. Same story for governmental offices, recently getting 7.
If it ain't broke, don't fix it.
This is exactly the attitude that I encountered with NationsBank and later Bank of America after their merger which involved switching from OS/2 and a Linux variant to Windows. It was... traumatic. Banks are about profit first and stability a very close second. Customers are on the list too, somewhere.
Support for the last release of XP Embedded runs out in January 2019.
AFAIK, most ATMs use the Embedded version of XP, which, if it is using the 2009 service update, is supported through January 2019. If it is using XP Embedded SP3, it was supported until January 2016 and Point of Sale version to April 2016.
Still not good, I just wanted to clarify.
most ATMs use the Embedded version of XP
This is what it is supposed to be, but isn't always happening.
The problem in our case is that they use XP Professional, the desktop release. Never seen an ATM on Embedded in our country (though I've seen cash registers running XP Embedded POSReady 2009 and online-exam thin clients at university running RTM XP Embedded (they're on a VLAN, not on the Internet though and are physically locked-up, and even these are slowly getting Windows 10 as they break)).
That's more than five years beyond the May 2014 end of support for the OS.
Not for Embedded XP.
Support for the last release of XP Embedded runs out in January 2019.
That's Windows Embedded Standard 2009.
They may have until April 2019 if they're using Windows Embedded POSReady 2009, so a couple more months. Of course they may also be using bog standard XP Professional which was indeed buried years ago...
A lot of ATMs are basically a safe with automated paper handler, a laptop, and a display panel, all inside another secure cabinet. Therefore a lot of ATMs are effectively running a full desktop OS of some description. I must say I don't recall seeing one with an "embedded" version of Windows. Indeed why they need such a fat OS at all has always been a bit of a mystery.
Although marketing types now like them to play movies and "rich" experiences with all the associated consequences that brings...
The other week I saw a Windows 95 blue screen on an ATM. (Siemens Nixdorf model)
And train station displays still run on OpenVMS.
("Siemens Nixdorf" was bought by Wincor and named "Wincor Nixdorf", and then Wincor got bought by Diebold, nowadays named "Diebold Nixdorf" - so the ATM is old but still working fine, normally) But don't worry, the bank software stack is written in COBOL and ABAP, dating to the 1960s.
Many technical machines like CNC Turn/Mills are also still running Windows 95/98, those machines are expensive.
I know of lab PCs still running on 368 hardware connected to electron microscope and other expensive lab equipment, of course running Windows 3.1 with data saved to 3.5" floppy disk or data noted down by hand and inputted on a newer Windows PC nearby.
Between arriving and boarding a plane at most airports you'll see at least a couple of PCs running XP (or occasionally even older Windows). Not to mention the common sight at the gate of them printing off the passenger manifest on a dot-matrix printer.
Luckily all just controlling the cattle movement of bodies onto planes rather than anything too safety critical, but still makes you wonder sometimes...
"To:
The Chairman / Managing Director / Chief Executive Officer
All Scheduled Commercial Banks (excluding Regional Rural Banks)
All Small Finance Banks and Payment Banks
White-Label ATM Operators"
Does this mean that Regional Rural Banks are exempt? Take your USB ATM skimmer to the bush and skim away!
ATMs generally use a very locked down version of Windows Embedded.
There are equivalent Embedded Linuxes, but they don't generally support WINE, as they are as pared back as possible to reduce their exposure. So you would need to add the packages manually and maintain them manually.
And XP Embedded had a longer service history, SP3 ran out in 2016 and the 2009 update packet runs out of support in January 2019...
Without knowing exactly which version of Windows XP they are using, it is hard to tell how severe the problem is. That said, they should already have moved or be in the middle of moving to a more modern platform.
When I scroll down the article, the "ink" from the skull's eyes and mouth flows briefly down the page, as though the undead skull of Windows XP had returned from the grave to consume my very soul.
Anybody else getting this? I'm not sure if it's some clever JavaScript trickery, an artifact of my monitor, or nightmares emerging from the forgotten depths of my subconscious.
"XP was/is the most user friendly version of Windows, Microsoft's pinnacle beyond which much arse gazing stupidity erratically formed the gigantic turd of Windows 10, the end of the proverbial loo roll."
To a certain extent I agree but you forgot Windows 7 which managed to avoid most of the 10 shit but inherited the good stuff from XP. And furthermore is still supported-ish as extended support won't end until January 14, 2020.
When XP was launched, it was derided for its 'Fisherprice' desktop UI.
If it were up to me, I would make Windows a hybrid between Win XP and Win 7. Maybe include Edge from Win 10, but that's all. No data slurping, no auto updates, no Groove Music, no Microsoft Store, no OneDrive hooks on File Explorer. Include classic pre-Vista versions of MS Hearts, Minesweeper and Calc etc. Include Group Policy Editor as a standard feature for everyone, including home users.
No Metro tiles.
You could modify Windows 10 to your requirements and add in the old XP games and remove the Windows Store and apps. You can even get rid of the Metro tiles with Classic Start. You could build a custom install of that and there you go.
An ATM is a large, publicly accessible, box of money. While I understand that banks may not be the most astute operations in the universe, the assumption that banks need to be told how to secure ATMs strikes me as being a bit odd. Do the banks have some way of laying off their theft losses on someone else? If not is there perhaps something else going on here? Are there perhaps companies that profit somehow from forced upgrading of ATMs?
- supported by a specific team unrelated to "normal" desktops
- supported by an outsourcer/generic ATM provider (even in India) outside the bank entirely
- have peculiar change control processes that make fixes difficult to apply.
- are remote so when something goes wrong a physical visit is required
However I would support the position that they need to get sorted out eventually. Simply abandoning them does not seem an appropriate management tactic!
If you're willing to pay for it, Microsoft provides patches and fixes for Windows XP Pro until 2020.
It isn't cheap, but in cases where you don't have much choice... you know how it is.
ATMs are more/less PoS devices. Many applications haven't been updated to run on more modern OSs. If they have, the ATM owners (not necessarily the banks who lease them), won't spend the money on upgrading OS and applications until they are made to do so. Why should they? You'd save the money and pocket it yourself, right?
The number of increasing integrity attacks are starting to change minds, not to mention the cost of insuring old software/OSs. As is how much courts are starting to make examples of corporations who aren't being attentive to proper due diligence, and especially those who aren't attentive to proper due care. In which using an old OS will likely hit the hardest in courts.
If you look hard enough, you can still find Windows XP in the US and western Europe. Mostly with companies who lease out older ATMs. For banks who own their own ATMs, these are likely updated with newer operating systems, and a wealth of physical security add-ons.
The article headline states:
India tells its banks to get Windows XP off ATMs – in 2019!
That seems clear. All ATMs running XP have to be replaced/upgraded to running something newer than XP in 2019. As in no more XP-based ATMs at some point in 2019.
But there's a table in the article that says:
Windows XP deprecation June 2019
That is not, by my understanding of the word "deprecate," the same thing. Time to check my understanding of "deprecate." From Wiktionary:
1. To belittle or express disapproval of.
2. (chiefly computing) To declare something obsolescent, to recommend against a function, technique, command, etc. that still works but has been replaced.
So, depending upon which definition you choose and how you interpret it, India is going to say "Tut, tut" to banks still using XP on ATMs in 2019, or India is going to recommend banks stop installing new ATMs running XP in 2019. It doesn't, to me, read like an instruction to remove ATMs running XP by 2019, just more of the same "you really shouldn't be doing that."
Life is so confusing these days, so maybe I misinterpreted it.
Having been to India briefly, I can say that actually finding an ATM that works and has cash is going to be more amazing than finding one still running Windows XP, thanks to the government's actions on currency control. Also, it's apparently the rats you really need to worry about.
https://www.reuters.com/article/us-india-bank-rat/rat-breaches-bank-atm-in-india-eats-18000-worth-of-cash-idUSKBN1JH31U