
The Day the World’s ATMs Stood Still—or Didn’t

The views expressed are those of the author and are not necessarily those of Scientific American.


Image courtesy of Shaners Becker, via Wikimedia Commons.

You’re probably on tenterhooks wondering what will happen to your reliable, convenient ATM on April 8, the day Microsoft officially sticks a fork in its hugely popular Windows XP operating system.

You’re not? Did you know that more than 75 percent of the world’s automated teller machines use XP? And that an outdated operating system no longer supported by its maker is more difficult to secure, keep compliant with government regulations and run with newer software? Now can you feel the tension? That’s more like it.

As of tomorrow, Microsoft will no longer provide security updates or technical support for Windows XP, which the company released in October 2001. There are about 420,000 ATMs located in banks, bodegas and shopping malls throughout the U.S., and only about one-third of them are likely to have upgraded to Windows 7 or 8.1 before XP officially becomes a relic.

The security implications of not upgrading from Windows XP are unclear. ATMs won’t necessarily become a target for hackers as soon as April 8 arrives. But XP will become less secure over time because Microsoft will stop issuing security patches. This means ATMs will be easier to infect with viruses and generally more hackable. You might not be worried about someone exploiting XP with malware to empty the corner ATM—that’s the ATM owner’s problem. You’ll have plenty to worry about, however, if that same malware steals your card number and PIN.

Individual ATMs tend to hold about $160,000 or so in cash, another reason cyber criminals are less likely to invest the time and money to break into them as opposed to the back-end computers that process ATM transactions, says Nicole Sturgill, research director at CEB TowerGroup, a provider of advisory services to banks and other financial institutions. Investigators, for example, traced one of the biggest ATM heists of all time back to a security breach in credit card processing firm RBS Worldpay’s computers, she adds. The thieves used counterfeit cards to steal $9 million from at least 2,100 machines in at least 280 cities worldwide.

Even if most ATM owners aren’t ready for the April 8 deadline, the push to move cash machines beyond XP is generating “the most activity I’ve seen in the ATM world in the past 12 years or so,” Sturgill says. “Consumers are becoming more digital and have less patience for a large, dumb box.”

ATM makers such as NCR jumped at the chance years ago to use Windows on their devices. As a commodity—as opposed to a custom-made—operating system, XP lowered the cost of their machines and broadened their appeal. Now NCR is encouraging its customers to migrate to Windows 7, which can accommodate touchscreen swipe gestures and other capabilities that make ATMs more like a mobile phone or tablet, says Robert Johnston, director of enterprise software marketing for the U.S.’s top ATM supplier.

Whether your local ATMs will be ready for life after XP depends on a number of factors, cost in particular. Banks looking to spice up the ATM experience at their branches are more likely than the corner grocery store to invest the tens of thousands of dollars needed for the higher-end systems that remember user preferences, dispense a variety of denominations and include more teller-like capabilities.

ATMs made within the past five years would need upgrades of $4,000 to $5,000 per machine to ensure the software running on them is compatible with newer versions of Windows, reported March 31.

No amount of software upgrades will be able to extend the lives of Windows XP kiosks a decade or older—they’ll need to be replaced.

Ultimately, April 8 will be a landmark day in the history of ATMs. It just won’t feel like one.

About the Author: Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.


16 Comments

  1. GordDavison 8:09 pm 04/7/2014

    I am surprised that important systems would use such an operating system. I would expect that they would require 100% control over their software and would have developed their own systems or grown it from Linux where they have complete access to the code and compilers.

  2. Jerzy v. 3.0. 4:34 am 04/8/2014

    It is not just ATMs, it is, among others, power plants.

    I am also amazed why the government is spending millions on a paid product instead of Linux, why Microsoft has for years been able to get away with its bug-ridden product, and why the Government is unable to enforce continued support of Windows XP – it is an important customer of Microsoft, to begin with.

    Software is some strange area where common business sense doesn’t apply. As one comedian remarked “you accept things you wouldn’t allow on a bag of dog food”.

  3. singing flea 5:18 am 04/8/2014

    Anyone who bought Windows XP knew it was not going to be around forever. At any rate, the problem with Microsoft software is not so much with the operating system, it is the third party apps that run on the system. Microsoft licensed the technology to anyone who wanted to write apps and drivers for Windows. That is the reason that Apple never could compete with Microsoft. In the PC world, Apple is still a niche product for people who can’t handle the open aspect of Windows. The real geeks know how to secure a Windows box and can get thousands more programs and hardware that will work on Windows. There is no reason that ATMs can’t remain secure as long as the applications are written properly in the first place. The weak point is the card companies and banks.

  4. jtdwyer 6:42 am 04/8/2014

    My understanding is that OS security patches most often do not represent new exposures within the software (although these can occur with functional enhancements and error corrections) – they represent existing exposures that hackers have discovered & exploited. While not providing functional enhancements & error corrections will reduce the incidence of new security exposures, there are likely existing weaknesses that may eventually be exploited by hackers – those weaknesses will no longer be closed by security patches.

  5. rdj999 10:42 am 04/8/2014

    “Cash registers”. It’s been a while but not that long since I happened to catch a glance at them booting XP.


    Seems like another potential target (pardon the pun) to me.

  6. JonnyLin 2:19 pm 04/8/2014

    I believe most of these machines run the embedded version of XP, which is mostly locked down, and has another 5 years of support in the licenses.

    From what I’ve seen, open source doesn’t have much edge over proprietary in terms of security.
    The reason to use Windows is because Microsoft provide a much better enterprise support package than any Linux equivalent.

  7. Chris Miller 2:42 pm 04/8/2014

    You’d have much the same problems if you were trying to run a 10-year-old version of Linux. And Linux isn’t ‘free’ (as in ‘free beer’). If you want support (as government and commercial organisations do) you have to pay someone like Red Hat to provide it.

    Don’t you think that if large organisations could save millions by moving from Microsoft to Linux, someone, somewhere would have successfully done it by now?

    PS JonnyLin is correct that most ATMs and similar systems run the ‘embedded’ version of XP, which remains supported. That’s not to ignore the fact that there are still millions of XP workstations out there that will become increasingly vulnerable.

  8. SciDave550 4:00 pm 04/8/2014

    This situation isn’t really new. Corporations, government agencies and (yes) banks have always been slow to upgrade their systems. It isn’t always a lack of money. This was over a decade ago when I did some IT work as a student and it was common, at the time, to enter a bank and see a system running software on either OS/2 or DOS.

    It’s not that managers don’t realize that their system is outdated and needs to be upgraded. It’s not always that they don’t want to spend money to do so either. Sometimes the software they use is mission critical and they can’t find an alternative. Either it can’t run on a newer more secure OS or the original developer is no longer in business.

    Open source may not solve the problem either. We all like the idea especially where it means we can create our own software but realistically, it’s a pain in the butt. Just because you write the code doesn’t mean there aren’t maintenance costs. Sometimes businesses have created their own software to run on Windows XP and the original development team is no longer there. There may be great documentation but it still means that you have to hire people to go through that and update the package.

    This is difficult even if there are software packages available that do what you once developed in-house. So even if you would like to transfer to a commercial package you still have the problem of data migration, a path to which may not exist. If it doesn’t then you either have to 1) hire programmers to develop a migration strategy or 2) hire programmers to upgrade the in-house application.

    What we have to keep in mind is that this isn’t like buying a new laptop because it’s old and can no longer run Windows 7/8. There are many more factors to consider. Is it a concern that so many institutions have outdated machines? Yes it is. And it is going to be that way for some time until they can solve their own individual problems.

  9. hkraznodar 5:36 pm 04/8/2014

    In a profit driven society, which is to say all of the ones that don’t fail in short order, there is strong impetus to keep requiring upgrades periodically. The best way to force an upgrade is to stop supporting the older versions or in the case of hardware, built in obsolescence.

  10. Jerzy v. 3.0. 4:25 am 04/10/2014

    Chris Miller, you don’t know what you are talking about or are paid by Microsoft to spread obfuscation.

    Virtually all companies which run big servers switched to Linux.

    And what maintenance costs? I uploaded Linux to my laptop 5 years ago and it runs with no crash and no maintenance. Because people who did it were not getting money from maintenance, so they did it good. When you get any real world object, desk, chair etc, do you have to constantly maintain it? Do you need to hire a skilled carpenter to keep your furniture from crashing every several weeks? No, and neither does Linux. The whole mess of endless crashes, fixes and updates is a thing of specifically Windows.

  11. Chris Miller 12:34 pm 04/10/2014

    Sadly, Jerzy, I don’t get paid by Microsoft. I do get paid by large corporates to keep their systems secure – both Unix-based and Microsoft. This article is about XP – that’s not a server operating system.
    There’s a world of difference between installing your own OS on your own laptop and maintaining thousands of systems. But if you really haven’t applied any updates to Linux in 5 years, I strongly advise you to get off the Internet before you hurt yourself.

  12. Jerzy v. 3.0. 6:29 pm 04/10/2014

    @Chris Miller
    I hope your employees don’t get a word that you promote bug-ridden Windows over Linux. And that you confuse “updates requiring no user effort” with “no updates at all”.

    I understand your position – a person whose job is maintenance of computer systems is afraid that his job will vanish when more people switch to Linux. Sorry about it, I don’t wish you bad personally.

  13. BarackBoxen 12:42 am 04/11/2014

    Cash Registers not really affected. Many “Point of Sale” PC based terminals are operating with Windows XP. They have to be PCI compliant or there can be severe fines from the credit card company.

  14. Chris Miller 11:06 am 04/11/2014

    I’m afraid you suffer from the typical delusion of a certain type of Linux zealot that your system is perfect and anyone who doesn’t use it is an idiot. You are, of course, completely mistaken (Heartbleed, anyone?), but long experience has taught me that irrational delusions cannot be changed by rational argument. Still, I’m glad you’ve changed your stance from Linux requires “no maintenance” to “updates requiring no user effort”, a bit like Windows, in fact.

    I don’t ‘promote’ any OS and have no role in maintenance of them (though, unlike you, I don’t demean those that do). Security is (at most) 1% dependent on which OS you use and 99% how you use it. Idiots who believe that their system of choice is so secure that precautions are unnecessary are the greatest danger. You may learn this once you have gained a little experience.

  15. PhilipBond 7:07 pm 04/16/2014

    Sometime back I read Britain’s Trident Submarines operated Windows.

  16. raxcard 5:17 am 01/7/2015

    Thank you very much for publishing the title blog “Debit Card for Perfect Money, Bitcoin and Web money ATM Cashout Card” and Keywords tag “Bitcoins ATM Card, Perfect Money ATM Card” types of article. I like your article very much. I want to share my website details with you; please give me some information to increase performance like your website.
