NEW YORK (CNNMoney) — Banks everywhere are in a race against time to upgrade their ATMs before they become hot targets for hackers.
An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is killing off tech support for that operating system on April 8. That means Microsoft will no longer issue security updates to patch holes in Windows XP, leaving those ATMs exposed to new kinds of cyberattacks.
“This isn’t a Y2K thing, where we’re expecting the financial system to shut down. But it’s fairly serious,” said Kurtis Johnson, an ATM expert with U.S. manufacturer Triton.
If banks fail to upgrade their ATMs to a newer version of Windows by April, customers might be at risk. If hackers discover new flaws in Windows XP, those bugs will go unaddressed, leaving attackers free to exploit them.
It can’t yet be known what hackers could do with a Windows XP ATM after April 8. But the prospect of providing a potentially compromised machine with your account and PIN information is unsettling.
Major banks are now cutting special deals with Microsoft to extend life support for their Windows XP machines while they replace their fleet of ATMs. JPMorgan bought a one-year extension of service and plans to start upgrading ATMs to Windows 7 at Chase banks in July. Citibank and Wells Fargo said they’re also upgrading ATMs, but they wouldn’t provide details about their plans. Bank of America did not respond to requests for comment.
Replacing the operating systems on ATMs is a major undertaking. In the United States, there are 210,500 bank ATMs, about 200,000 of which run on Windows XP, according to Retail Banking Research in London. In most cases, banks must upgrade the software one ATM at a time, and some will need the entire computer inside replaced too. Labor included, it’s a process that experts in the ATM industry say could cost anywhere between $1,000 and $3,500 apiece.
“Once they start using an operating system, they’ll ride it as long and as hard as they can,” said Wes Dunn, a sales executive at ATM manufacturer Genmega.
It might sound odd that ATMs are running on aging software better suited to a home PC. In fact, security experts have chastised the financial industry for putting ATMs on a PC operating system in the first place. They argue ATMs should be using software that is scaled down and less buggy, such as Linux.
But banks long ago decided that Microsoft’s familiar way of displaying windows and text would sit well with customers.
Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that resembles the latest apps on tablets and smartphones, said Jeff Dudash, a spokesman for ATM manufacturer NCR.
One ATM manufacturer, Diebold, says banks are using this opportunity to add newer card readers to their ATMs that accept more secure chip-and-PIN cards. Those cards have already been adopted worldwide but have yet to grow popular in the United States.
Banks that retrofit their ATMs with new hardware will, in the future, be able to upgrade their entire fleets of ATMs with a click of a button. Modern technology allows companies to push software updates via their networks instead of paying each ATM a physical visit.
Ironically, bank customers have less to worry about from those nondescript ATMs found in malls, bars and tiny convenience stores. Those 208,000 independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung, make up the other half of the nation’s ATMs. And nearly all of them run on an even older, simpler operating system called Windows CE — which Microsoft still supports.