Time to upgrade

Microsoft moves on from Windows XP, leaving ATMs at risk

After April 8, Microsoft will no longer offer security upgrades and technical support for its Windows XP operating system. Although Microsoft has been issuing warnings about retiring XP for two years, this is likely to cause disruption. XP still holds 29 to 30 per cent share in desktops and laptops. Apart from household personal computers and small businesses, XP is used in offices on old desktops connected to newer servers. Withdrawal may have an especially severe impact on banking, since automated teller machines (ATMs) are at serious risk. Over 90 per cent of the world's ATMs run on XP, giving it a near-monopoly in this very specialised segment. A few ATMs use embedded chips - this XP version is supported until 2016. But the majority will be at risk after April 8. Crackers and hackers are very familiar with the quirks and weaknesses of this elderly operating system, which makes it a popular target. Once Microsoft's support stops, XP users will be on their own against new viruses and malware.

The implications are obvious if crackers take over ATMs or XP desktops in banks. There are also big risks if crackers can take over a large number of household personal computers. Microsoft India estimates about 650,000 personal computers run licensed XP in India. The number is far higher if pirated systems are included. About 140,000 ATMs are deployed across the country and 85 per cent are on XP. The Indian Banks Association (IBA) also estimates about 35 per cent of terminals in bank networks are on XP. The RBI has issued warnings about this and banks must maintain business continuity as they upgrade. But given the tight timetable and the sheer number of machines at risk, industry experts say at least 60 per cent of ATMs will be running XP after April 8, and full transition may take months.

Apart from being a threat, this is an opportunity for the ATM equipment industry, given the need to replace so many legacy ATMs. A new ATM costs upwards of $3,000, or approximately Rs 1.8 lakh. Banks and ATM vendors may also explore rental models rather than outright sales. The compulsion to upgrade could induce banks to acquire state-of-the-art technology, jumping several generations in software and hardware. New ATMs use touch screens with swipe, zoom and voice-activated technologies. There have already been some installations of biometric ATMs, using fingerprints. This enables access for tech-challenged and semi-literate customers. Experimental near-field communications (NFC) ATMs also allow customers to just wave an NFC-enabled phone to withdraw cash. Banks will have to find compensating short-term controls while managing the transition. They will need to monitor ATM usage logs and network traffic continuously and they may also need to find ways to isolate Windows XP subsystems from other systems and networks. This enforced review and upgrade could eventually lead to a far more secure and technically sophisticated financial industry. But the banking and finance industry will heave a collective sigh of relief if the transition from XP is carried out smoothly without any major cyber assault.