The entire premise of this article is simply wrong.

ATMs run Windows XP Embedded, which will continue to be supported at least through 2016 (if it isn't extended again.)

Some do, some don't. I've definitely seen ATMs which run standard XP (and more that run OS/2...).

Upvoted for OS/2. That was OS/2's claim to fame back when I interned there. And OS/2 could run Windows apps, so you could be using OS/2 without knowing.

I'm sure that's true (and Linux and Windows NT etc), but the headline and lede of this article strongly suggest that 95% of ATMs run a Windows OS that will be lose support next month. That's just not true.

(And frankly, I'd be a little suspect of any numbers sourced from a company in the business of upgrading old ATMs.)

This article http://www.theinquirer.net/inquirer/news/2334577/banks-negot... suggests that the problem lies (at least partly) with other bank computer systems which are running vanilla XP rather than the ATMs themselves which may be on XP Embedded, and that it is a substantial problem, with big UK banks apparently cutting special deals for extended support. EOLing WinXP seems to have turned out to be a nice little source of revenue for Microsoft...

Story: "End of Windows XP support puts 95% of world's ATMs at risk"

Not a story: "Tons of crazy people who have the means to do otherwise are deploying machines that handle money with a 10 year old operating system"

New in no way means secure. I would find it far more shocking if people used windows 8.1 for ATMs.

PS: Also, Windows XP embedded is still supported till 2016 if not longer so while companies need to have a plan in place for upgrading it's not necessary right now.

But, there's a small gap in-between bleeding edge and end of life.

In all seriousness - with modern software, there can be all too small a gap between bleeding edge and end of life.

A piece of software might be supported for 5 years. But perhaps it's 4 years into that period before the new version is available and considered stable enough to use. That gives you less than a year during which you have to upgrade - including any other changes, integration testing etc.

If you're doing stuff The Right Way, you don't wire them up to the public internet, but instead put a VPN router/gateway between ATM and internet uplink to keep out fucktards messing with the internet uplink.

This way, you could run Win98 SE on the ATMs and need not worry about hackers (if your networks are properly firewalled, at least!).

I talked to a Diebold tech when I was Davis. The stuff they do and the customer network setups will make the hair on the back of your neck leap off, run and hide.

I resigned in protest an FTE job at Stanford because this was the exact scenario that was proposed (s/ATM/cash registers, swipe terminals/g). From VPN on a private network to a proposal to internet IPs. No f-ing way.

Wait, they were going to give POS terminals public IPs?

Target hack, I can smell you from here!

Do ATMs get the updates anyway? If I had a computer that does one job, and connects to one network with one modem, I don't think I would put it on the internet just to get windows updates.

Does anyone know how this works, or if they actually get the security updates now?

Right, you would mostly just want to deliver via your private network those updates related to user input. Vulnerabilities in file sharing, TLS, WEP, none of that will matter to an ATM. Oh, and perhaps an update to handle the year 2038 if you have a Unix backend. :)

If win8 can run programs in compatibility mode for winXP what is possibly being run on these ATMs that can't be run on an updated OS? Also I don't think the fact that winXP has "support" makes the ATMs more or less likely to be at risk.

Also can people stop posting links to articles that immediately have popups that try and sell you some stuff and doesn't even let you view the article without signing up for some nonsense?

If you're unlucky, the computer handles interfacing to the ATM equipment (cash transfer motors, bill detection, servos, fill-level detection, etc pp) with a custom PCIe card... which you need a driver for.

And we all know how compatible ancient drivers are with newer Windozes.

I have problems with the 95% figure. Currently I work for the biggest player in the ATM game and every ATM I have seen in our lab has been running windows 7. I am not saying we arent running a crap ton of legacy ATMs but I would say many of our ATMs are running Windows 7 especially if they are for a new customer.

We have ~25% of the ATM market so I think 95% is very skewed, the other players should at least have some ATMs off XP.

Those ATM's will be no more at risk in a few months than they are today, or have been in the past...

Just because the updates stop, doesn't mean the OS is going to start crumbling.

EMC SANs used to run XP Embedded.

Maybe a microserf would know better, but doesnt XP Embedded have Win CE and XP lineages?

even with supported XP, the ATM will still have problem

for example, my ATM machine downstairs can crash twice a day, and each crash can take hours to resolve; usually the technician never come on time or he/she never even bother to come

No, bad planning puts them at risk.