Microsoft’s deadline to end support for Windows XP is April 8, and while most PCs haven’t used the operating system in years, there’s a certain computer you interact with on a regular basis that probably still relies on it.
The 12-year-old software powers more than 95 percent of the world’s cash machines, Robert Johnston, a marketing director at NCR, the largest ATM supplier in the U.S., told Bloomberg Businessweek. Microsoft’s pledge to stop providing patches to address bugs could leave ATMs vulnerable to hacking.
Don’t start hiding your money under the mattress just yet. For anyone fretting about being able to withdraw cash from the corner ATM, here’s a primer on the operating system switch and what it means for your money.
Why is Microsoft ending support for Windows XP?
Microsoft typically supports operating systems for about a decade. Recognizing the popularity of XP, particularly on devices such as ATMs that aren’t replaced as often as PCs, the company agreed in 2007 to extend support to this year.
Continuing to fix Windows XP, which was released in October 2001, every time it springs a leak would cost Microsoft more money than it’s worth. XP no longer meets the needs of modern computing and doesn’t have the cyber-security safeguards in place to protect against the current generation of threats, according to Tom Murphy, Microsoft’s director of communications for Windows.
“XP design and engineering started in the late 1990s,” Murphy says. “Technology travels in dog years, so that’s a long time ago in technology terms.”
Does that mean copies of Windows XP will stop working, and ATMs will shut down?
No. They will keep running, but Microsoft won’t release security fixes for the program anymore. So if a new bug is discovered, ATM operators will need to find a way to squash it themselves.
Will all ATMs be vulnerable on April 8?
This gets a bit tricky. While the vast majority of cash machines run XP, some of those use a variant of Microsoft’s operating system called Windows Embedded. The software is designed specifically for appliances and industrial machines, such as ATMs, cash registers and thermostats. One version of XP Embedded will lose support next week at the same time as the PC platform. Another will keep getting patches until Jan. 12, 2016.
So it depends which version the machine is running, and there’s pretty much no way of knowing whether the ATM you’re typing your pin into is at risk.
How urgent is the problem?
Not very, says Avivah Litan, an analyst at research firm Gartner. Banks with ATMs running XP will “need to get off of it eventually, but it’s not an emergency situation,” she says.
Microsoft’s Murphy would prefer everyone to move sooner because he says third-party security tools aren’t going to cut it. “Our guidance is that all customers need to move off XP,” he says. “It’s an operating system that is old and is not designed to keep people safe and secure.”
How serious is the risk? Should I expect these things to start randomly spitting cash out onto the streets?
Don’t get your hopes up. There are already vulnerabilities in XP and other operating systems. So banks and cash-machine operators have long taken extra security precautions to wall off ATM software from hackers, Litan says. “You can’t just plop your ATM system on top of XP and assume it’s safe,” she says.
Microsoft offers custom tech support to some of its biggest customers that should address any issues introduced by the April 8 deadline. JPMorgan is buying a one-year extension, Bloomberg Businessweek reported.
If my checking account does get drained as a result of using a hacked ATM, am I liable?
Almost certainly not, says Litan. Just keep an eye on your monthly statements, and alert the bank if you spot anything suspicious. “It has no impact on consumers whatsoever,” she says. “I really don’t think anything is going to happen anyway.”