Tuesday, April 22, 2014

Guest Post: End of Windows XP Support and the Zero Impact it has on ATM machines

I write to demystify the above subject matter. I’ve read (ooh yes I read a lot of geek stuff) enough articles from Kenyan bloggers and columnists as well as international media.

We all know that I’m neither the inventor of the ATM nor the inventor of the applications both the ATM and banks run. But I can pride myself in having interacted with both the systems and the ATMs.

Windows XP has reached end of life, but to both the geek and the layman, that does not mean that it has ceased running on our cobweb-infested Pentium Twos and Threes; it merely means that Microsoft has ceased giving patches and critical updates to the Windows XP version.

They say up to 95% of ATMs run on Windows XP, and any person who regularly uses an ATM must have at some point come across that familiar screen when XP is booting up, or the legendary wallpaper.

Well, I’ll dispute that ATMs can be compromised to dispense cash, neither simply because it cannot be done nor because its possibility hasn’t been demonstrated, but rather because of the following factors that come into play.

While Windows XP support has been discontinued, let’s face it, most of the computers running this version of the Windows operating system have never seen a single patch or update since the initial install. I can bet you that most users don’t even know that Service Pack 3 of Windows XP did exist. The same applies to the ATMs. Since NCR (NCR has the largest share of ATMs in operation worldwide) installed these machines on their respective sites, they’ve never been updated with either the necessary applications or the operating system updates. The best service most of these ATMs have had is dusting and replacement of parts that wear out.

There are several cases where demonstrations have been done to show that ATMs can actually be compromised to dispense cash. One of the hacks was achieved by a standard SMS via a tethered mobile phone and the other using USB sticks.

Well, I won’t delve into the heart of the two methods but I’ll just mention that they both require USB devices to be physically plugged into the ATM computer. Let’s forget the world for a while and focus on Kenya. Of all the ATMs you know of, how many can you think of that reside in an area where they are not well secured, such that you can break into them without being noticed? I know of one at Nakumatt Lifestyle owned by Pesapoint and which is located on a busy corridor full of high school kids ‘hanging out in the mall’. All the other ATMs are mostly located inside walls with only the customer-facing screen visible.

How would you manage to insert a USB device (cable or disk) into the computers managing these machines? Your guess is as good as mine. The only way possible is through the use of bank staff and, just to let you know, there’s a principle called ‘Dual Control’ when it comes to banks. At least two people will operate the ATMs when it comes to maintenance and replenishment of cash, meaning if one of them became compromised and agreed to defraud from the ATM, the other person would most probably not be in on it and would discover any foreign devices on the ATM.

Let’s assume the two individuals above did actually participate in the theft, which in more than one way is possible, the fraud would be detected in less than two days since most ATM reconciliations (yes, for the noob, everything that goes in or out of a bank account has to be counterchecked by a human other than the one who made the entry after a specific period of time. They call them teller logs or transaction lists).

Now imagine going through all this pain to steal in most cases less than a million shillings from an ATM? It will simply cost you less to learn and work on card skimming (well, not anymore, since EMV is finally here).

The final scenario I can think of is of a hacker attempting to attack the ATM by compromising the target bank’s network. Banks (even Kenyan banks) may not be the best in use of modern technology but you can rest assured that they've invested heavily or at least tried to invest heavily in security systems. So, if you think you can hack into an ATM to steal a few million, why not hit the jackpot that is the core banking system of your target financial institution?

I think you as the reader should be more worried about the Heartbleed bug than the end of support for Windows XP and the ATM saga!

But not everything will be negative, at least not for all of us. All this noise about end of support will generate enough sales for Microsoft and their regional partners.


------
John Macharia is a Systems Analyst with one of the banks and shares insights from a systems implementation point of view in various forums.