The Security imperative – the vulnerabilities you’re exposed to with an outdated OS

September 18, 2018 12:00 PM

As technology progresses, so do hacking methods. If you think of an ATM as a personal computer attached to a safe full of money, the need for modern-day cyber security becomes very apparent.


Unlike old-fashioned safes, ATMs provide cyber-criminals with access to much more than cash – a digital heist can result in stolen data about your institution or customers. When hackers can get into your systems through your network, it’s important to understand why an outdated operating system can pose a potential security risk.


Windows XP: An Open Invitation to Hackers


Microsoft ceased offering support and security updates for Windows XP in April 2014. Because 70% of ATMs in India still run on Windows XP, the majority of the ATMs in the country haven’t had a security update in four years.


This is a major security issue because the longer a piece of hardware uses the same OS, the more time hackers have to develop new techniques and malware to infiltrate these systems. And it’s even easier for hackers when the OS hasn’t had a security update in more than four years.


According to Timothy Rains, Microsoft's director of trustworthy computing, "the probability of attackers using security updates for Windows 7, Windows 8, and Windows Vista to attack Windows XP is about 100 percent", which means bad actors can reverse engineer the security updates released for more current operating systems to build extremely effective forms of malware against Windows XP. To make matters worse, these vulnerabilities are often sold to other hackers on the dark web, increasing the probability of Windows XP ATM attacks.


Old Goals, New Methods


While hackers’ methods have shifted more and more from the physical to the cyber realm, their objectives have remained largely the same, and the need to stay current with software and operating systems is more critical than ever before. There are two main goals that ATM hackers generally try to achieve: jackpotting and card data-logging.


These two objectives are not mutually exclusive, and there are types of malware that can help thieves achieve both goals simultaneously.


With physical access to an ATM, an attacker will usually expose the ATM’s USB port or CD/DVD drive and insert a device carrying malware to gain full control of the machine. With remote attacks, a hacker might gain access to the bank network through an inside accomplice or by using spear-phishing techniques to get a bank employee’s login credentials. One use of Trojan horse malware involves installing a mobile phone inside an ATM and using another phone to send SMS commands to the ATM to dispense its cash reserves.


All ATMs need to deploy enhanced security to guard against this, including encrypted hard drives, software whitelisting, BIOS protection and up-to-date operating systems. ATMs that still run Windows XP face additional risks, as there are many other vulnerabilities that come from a non-supported operating system.


It’s Time to Act


Hackers are opportunists, and they choose the easiest target. But why are so many banks using outdated software? Security experts believe the practice stems from a time when physical attacks were a bigger threat than software hacks.


But the truth is, what worked for 2001 doesn’t work for 2018. With malicious attacks on ATMs on the rise, banks should look to remain compliant with RBI’s control measures mandate beyond 2020, when Windows 7 support ends.