In less than a week Microsoft will bring down the curtain on enterprise support for Windows XP after 12 years. Windows XP was the most widely used Operating System from Microsoft up until the year 2010 when Windows 7 stole that title. Most of us have undoubtedly used XP at some point in our lives and it undoubtedly became the de facto OS of choice even for cyber cafes.
Home and office users aren’t the only ones who went all out on Windows XP. Nearly all ATMs run versions of Windows XP and clearly this will raise questions on how exposed banks will be left when the axe falls on 8th April. Whether or not the banks acknowledge and accept this imminent risk is yet to be established but one fact is certain; they will be left with no choice but to migrate their ATMs to a supported version of Windows. On more than one occasion, you will walk up to the ATM lobby only to find the familiar Windows XP screen glowing away instead of the custom bank front end. I have joked at times that while we wait for the machine to come online, we could play Solitaire and see how the bank will like that.
IT security has been a widely discussed topic especially in the financial circles where banks have been at an arms race with fraudsters. This latest development raises questions on banks capability to engage ATM vendors on a seamless upgrade to remain compliant. The Kenya Bankers Association has remained fashionably silent on the matter and so has CBK. Granted, this news caught many regulators unawares but in a fast paced technology-driven industry such as banking, I reckon contingencies ought to be second to nature.
So what happens come April 8th? One thing is for sure, ATMs will continue running Windows XP albeit unsupported, which means if a smart person identified what is known as a 0-day exploit against the OS, it’s game over. Zero-day exploits are generally exploits that haven’t been discovered before and normally the vendor will provide security patches. This time however, Microsoft will leave customers at the mercies of hackers with no security support. However, some banks are in talks to have Microsoft extend the support while they migrate to a supported version. Question though is if Windows 7 has been around long enough to run on embedded systems such as ATMs.
In addition, seeing that the deadline for the migration of mag-stripe ATM cards to EMV cards has slipped not more than once, I can’t wait to see how KBA handles this spanner in the works.
Exploiting an ATM might look nearly impossible from an outsiders perspective. However, when you consider the fact that these are simply computers networked to the bank then the picture becomes even more clearer. Some countries experience very bold attacks to the ATM machine itself eg bombing with small explosives. Kenya has been hit by a spate of ATM card skimming attacks and while this may not be a direct incursion on the device itself, it’s only a starting point.
Recently an attack against an ATM was demonstrated using a mobile phone, forcing the machine to spew out cash. It is important to note this attack implemented a piece of malware running on a vulnerable version of Windows XP. With such attacks becoming more likely due to lack of support from Microsoft, banks will have no choice but to up their game at securing the operating system running on their ATMs.
In conclusion, one vice that continuously erodes confidence in the banks commitment to fight fraud at any front is the fact that they don’t ‘talk’ to each other. Attacks are propagated from one bank to the next in the same fashion unabated. Even organized cartels have sprouted defrauding banks with few or no successful prosecutions seeing the light of day. This simply means that conventional methods of securing our institutions have been overtaken by time and a conscious decision to adopt new and proven Threat Modeling techniques needs to be considered expeditiously.
Cyber Security Evangelist.
About the Writer
Tyrus Kamau is one of the founding members of The AfricaHackOn, an IT security outfit which brings together skilled professionals to show case various elements of cyber security. The very first conference was held on Feb 28th 2014 and received overwhelming support from the industry.
He also was a key consultant in the development of the National Cyber Security Master Plan (NSCMP) working with Booz Allen & Hamilton and the former ICT Board. His input saw him work with various intergovernmental bodies in line with the country’s Vision 2030.
Tyrus is also a part time lecturer at Strathmore University’s iLab where he instructs the Masters in Telecommunication, Innovation & Development. He lectures on Web security, Wireless & Mobile security.