95% of ATM machines still use Windows XP, and will be exposed to vulnerabilities after April 8

The world's ATM machines will soon face a major issue on April 8th: The end of support for their operating system. According to BusinessWeek, 95 percent of active ATMs in the world, or nearly all of the 420,000 currently operating in the United States, run on Windows XP - a system which Microsoft is officially ending support for in under 90 days. 

Despite being one of the most frequently used consumer technologies in the world, many ATMs run on outdated operating systems, and with the April 8th deadline looming, their owners must make the upgrade. But this may be easier said than done for many of the machines, which run on outdated hardware that may struggle to keep up with a newer OS, like Windows 7. According to Suzanne Cluckey, the editor of ATM Marketplace, "A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked."

The machines that aren't promptly upgraded could face significant security vulnerabilities as more and more weak points in the OS are uncovered. And while Microsoft promised to continue support for Microsoft Security Essentials until 2015, the operating system as a whole will still lack regular security patches - something which could end badly for machines that thousands deposit cash into every day. Small shops, which lack the resources available to larger businesses, would be hit the hardest, as they're the slowest to change. And while consumers are covered by industry protections, those operating the machines would bear the brunt of any malicious attacks.

Hopefully ATM operators will heed these warnings and upgrade as soon as possible: the malware infection rate for Windows XP is already almost six times higher than that of Windows 8 systems. Despite pleas from the Chinese government for Microsoft to continue support, and a warning to the Indian banking industry that details 'major risks' if they don't switch operating systems, less tech-savvy operators may still see their ATMs face a significant threat.

Source: BusinessWeek


92 Comments


Once again, it's not like Microsoft flipped the switch off overnight. There has been a lot of time to migrate.

95% huh? odd... because there are still over 20% using OS/2 STILL!!!!! YES OS/2! I have a friend who still runs support on the OS/2 ATM networks... OS/2 has been dead for a very long time... IBM will still patch it for a fee though

Let's just remind everyone that it's XP Embedded... and we have a local grocery company (Save On Foods) still using Windows 2000 Embedded. It's sad, but they won't spend the money to upgrade. Sears still uses DOS programs.

>>95% of ATM machines still use Windows XP, and will be exposed to vulnerabilities after April 8

Regions is especially bad about this. All of their ATMs run Windows XP. They really need to upgrade to Windows 7 SP1.

ReimondX said,
>>95% of ATM machines still use Windows XP, and will be exposed to vulnerabilities after April 8

Regions is especially bad about this. All of their ATMs run Windows XP. They really need to upgrade to Windows 7 SP1.

FYI they run XP embedded which is supported until 2016 or 2018. Also MS will still make custom updates for XP if you have a $250,000 a year contract. The banks have that covered too.

They are in good hands unlike Grandpa risking his life savings on his e-machines from value-depot bought in 2005 using financial sites with IE 8.

Cashpoints DO connect to the internet in a secure VPN kinda way. The basis of it all is they are wired straight to a Host computer through a dial up connection, and this host computer acts like the machine's ISP, and security barrier, and is wired to the bank through another dial up telephone network to the bank's computers, which have all the database stuff on. The same way handheld cashcard terminals in shops are wired via a dial up connection most of the time to a host or provider. It is more of a telephone network rather than straight internet access though, although they can be connected to the web for maintenance and updates through an internet VPN. The host processor is similar to an Internet service provider (ISP) because it is the gateway through which all the various ATM networks become available to the cardholder.

Source: I'm an IT guy who works with modern touchscreen tills, cash registers, and have had some experience servicing ATMs.

Edited by Tidosho, Jan 17 2014, 3:42pm :

I think finding replacement parts like monitors etc. is a much bigger problem than running an outdated OS on these machines.

95% is complete and total bull****, maybe across America it's that figure, but in other countries that use NCR machines, the majority do not run Windows XP, in fact the majority don't even run Windows.


Obviously none of this has anything to do with Microsoft. They have announced this way ahead of time and any company, without exception, not ready only has themselves to blame.

Support for Windows XP Professional for Embedded Systems, which I imagine is what the ATMs are using, ends on December 31, 2016.

Even after then do they really need upgrading? I imagine the ATMs are not accessible on the public internet, and it's not like you can do anything on them...

It would be interesting to know if they ever are patched anyway, especially with service packs.

Yes all the ones around here use XP. Quite often I see the local ATM (machine) crashed with an XP desktop that has an error box on it. Have seen Win98 ones as well (still). If these are not replaced/upgraded now they are not going to be in a couple of months either.

Why wouldn't they upgrade it to Windows 8 based apps? Many people might not like the interface, but for touch screen and tiles it makes a perfect match for an ATM machine.

trojan_market said,
Why wouldn't they upgrade it to Windows 8 based apps? Many people might not like the interface, but for touch screen and tiles it makes a perfect match for an ATM machine.

Because all the logic is written in Visual Basic 6 circa 1999 with MS Access for the database. That is what Diebold uses in its voting machines and from comments on Slashdot say they do not want to change as they bring in trillions in revenue with that ancient secret sauce. Funny the bank calls massive debt revenue which has not even come in yet ... hmm see how the financial crisis started in 2008?

Anyway what a damn mess but at least XP embedded can be locked secure and I heard won't even work if a keyboard is attached and will set a tampering alarm if you dare plug one in. It is not the same as XP home installed on el-cheapo 2005 edition computers that Grandma uses at home.

yowanvista said,
Don't they actually run those embedded versions of windows?

Yes, but the embedded version is just a version where they can pick specific layers and features of the OS to use.

Windows XP Embedded is still Windows XP, even if they aren't running the shell (Explorer) or have other subsystems installed.

So, Windows Embedded today is the same code and OS as Windows 8.


If you are thinking about Windows CE, it was designed specifically to run on low end hardware; ATMs and other kiosks usually have plenty of computing power, so there was no need for WinCE, also considering some of the physical hardware is x86 that predates WinCE and was originally running Win9x or OS/2 - which some still are running.

Correct me if I am wrong, but aren't ATMs on a private secure network to the bank? It's not like they are connected to the internet.

froggyliver said,

Correct me if I am wrong, but aren't ATMs on a private secure network to the bank? It's not like they are connected to the internet.


Correct. It would be utter stupidity for any cash machines to be connected to the internet.

Nah, I'm pretty sure you were on some watch list already. As is everybody, regardless of whether they committed or even just thought or searched for anything "suspicious".

You know what would be great for ATMs? Windows 8.1 in Kiosk Mode.

How would you manage to withdraw cash without a Start menu?

It's not like those things are connected to the Internet. They're usually on separate VLANs that only have access to a few servers.

I doubt they get updated anyway. I've seen a few running Windows 2000 last year.

I don't know what to make of the BusinessWeek article...

Microsoft still sold Windows 3.1 for embedded systems up until a few years ago. Official Windows XP support is ending, but MS will still fix security holes for clients who pay for the fix. A large scale bank (which have loads of other MS licenses) has a lot of pull in getting those fixes released for their machines for little or no cost.

Additionally, I doubt your average ATM is connected to the wider Internet waiting to be hacked into. If they were I'm sure there would already be hacker groups who exploit the machines directly with runners instead of using skimmed bank cards in the middle.

Most ATMs will probably be running Windows XP in 2020

Exactly! Until recently, some ATMs were still running OS/2 (which is a better OS for this task anyway). This is just a sensationalist article.

I was thinking the same thing, there's even older systems running the show down at your local mart (or mine at least). The tills at my local supermarket run an OS from the nineties!

LogicalApex said,
I don't know what to make of the BusinessWeek article...

Microsoft still sold Windows 3.1 for embedded systems up until a few years ago. Official Windows XP support is ending, but MS will still fix security holes for clients who pay for the fix. A large scale bank (which have loads of other MS licenses) has a lot of pull in getting those fixes released for their machines for little or no cost.

Additionally, I doubt your average ATM is connected to the wider Internet waiting to be hacked into. If they were I'm sure there would already be hacker groups who exploit the machines directly with runners instead of using skimmed bank cards in the middle.

Most ATMs will probably be running Windows XP in 2020

^This...

Most ATMs are in a closed system without entry points. This is why you can still find the occasional ATM running Win9x or OS/2 which have no support and nonexistent security in comparison, and they have not been any concern or threat without physical access to the ATM.

If someone is going to take a crowbar to an ATM, it will be noticed and they would probably rather just take the money.

If there are 'critical' systems still running Windows XP, like an ATM that is not a closed system, Microsoft gives these companies the ability to get patches and support forever. It is only the consumer and small businesses that are losing XP support and updates.

This article is pure garbage to incite outrage and fear, or it is written from a point of pure ignorance.

Steven P. said,
Except some ATMs have been hacked via usb port as well

Ya, easier than the crowbar, but they still are just compromising physical access to a poorly designed machine.

Hopefully they have fixed this 'slight' design flaw in most ATMs.

There was a news report less than a month ago about a team of hackers who compromised ATMs in this way over here in The Netherlands.

Steven P. said,
There was a news report less than a month ago about a team of hackers who compromised ATMs in this way over here in The Netherlands.

Not good.

I remember stories of hackers doing this in the UK, but it was a specific type of ATM, I wonder if it is still the same case design that never got updated by the bank.

Side Note:
God I miss a good long stay in Europe. I used to spend a few months based out of Belgium every couple of years and haven't had the time to get back since about 2008. My first year there was when the Euro rolled out, so along with everyone else, we hit up the ATMs right after midnight and partied. You mentioning ATMs and The Netherlands brought back some good memories. Maybe I'll make it back there this year.

Mobius Enigma said,

^This...

Most ATMs are in a closed system without entry points. This is why you can still find the occasional ATM running Win9x or OS/2 which have no support and nonexistent security in comparison, and they have not been any concern or threat without physical access to the ATM.

If someone is going to take a crowbar to an ATM, it will be noticed and they would probably rather just take the money.

If there are 'critical' systems still running Windows XP, like an ATM that is not a closed system, Microsoft gives these companies the ability to get patches and support forever. It is only the consumer and small businesses that are losing XP support and updates.

This article is pure garbage to incite outrage and fear, or it is written from a point of pure ignorance.


I've worked at a bank.... and this isn't true. Some are connected to the internet. They have to update your account information one way or another. I know we had a few that used dial up to send information.

Steven P. said,

Except some ATMs have been hacked via usb port as well


What exactly is the need to put a USB port on a cash machine? I know you can use a cash machine to top up PAYG mobile phones direct from our bank accounts, can we now also use them to recharge phone batteries via USB on them as well?!?

On ultra modern machines they're used for firmware updates and things AFAIK, just like a USB on a TV can be used for firmware upgrades.

bguy_1986 said,

I've worked at a bank.... and this isn't true. Some are connected to the internet. They have to update your account information one way or another. I know we had a few that used dial up to send information.

The majority of them connect directly into dedicated servers at the financial institution.

They use highly encrypted communication over dedicated data lines, and the few that piggy back on existing data infrastructures work like a highly secure VPN connection, direct to the financial servers.

So updating an account, doesn't ever travel on the 'internet', it travels to the financial server that uses internal secure communications to other servers.

The level of security they use is guaranteed by the financial institution, so they take it fairly seriously and this is why your local ATM isn't sitting on an public IP address on the internet.

As for customer concern, ATMs are the least of your worries.

Every store purchase point machine (reader) at every store in the world has significantly more software/firmware flaws that seldom ever get patched.

Store purchase point machines also have far more entry points, from a modified machine by a rogue employee or customer to even the 18yr old cashier that can memorize your card number as you swipe it.

(This reminds me of the early days of the internet when people would be scared about using credit cards online, yet they would go to Pizza Hut and hand their credit card to a 16yr kid without a second thought.)


Anyway, the bigger point is Windows XP is not a problem. And even if there is some yet to be discovered major flaw that could compromise ATMs, if anyone can afford the premium support options for patches from Microsoft it is probably the banking industry.

I think they missed something too. It's likely that ATMs use XP Embedded, which will still be supported until 2016/2017.

The ATM is not connected directly to the internet, it is routed thru a secure server within the bank itself to get info to update customer accounts.

Pet peeve... the M in ATM stands for machine, therefore there is no need to use the word machine after it. It is just an ATM.

kdg said,
Pet peeve... the M in ATM stands for machine, therefore there is no need to use the word machine after it. It is just an ATM.

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

The former.

edit: I mean, of course, it would be "ATM machines"
/me flees

Edited by Charisma, Jan 17 2014, 2:58am :

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

It would be ATMs, no? ATM's has a possessive apostrophe...

"I'm probably going to get 1,000 comments about the redundancy of terms in the article" - me, five minutes ago

I hope that the lack of updates doesn't let bad folk steal my PIN number.

JGoldsmith said,
"I'm probably going to get 1,000 comments about the redundancy of terms in the article" - me, five minutes ago

So you knew it was incorrect and published anyway? Strange.

Great article though. Thanks for highlighting an important issue.

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

ATMs. You would only use an apostrophe if you were referring to a specific machine.

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

The former, the latter is the Saxon genitive.

JGoldsmith said,
I wouldn't necessarily say 'incorrect' - I just embraced common conversational usage of the term.

which is still incorrect

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

When is an apostrophe ever used to show plurality?

LogicalApex said,

It would be ATMs, no? ATM's has a possessive apostrophe...

Fully agree, which is why people writing CD's, OS's etc. irritates me too.

JGoldsmith said,
I wouldn't necessarily say 'incorrect' - I just embraced common conversational usage of the term.

How dare you, sir, how dare you...

Xenosion said,

And I'm just curious what the consensus is on how you would say ATM in plural. ATMs, or ATM's.

You're joking, right?

kdg said,
Pet peeve... the M in ATM stands for machine, therefore there is no need to use the word machine after it. It is just an ATM.

I need to go to the AT machine and put in my PI number.

People will still screw it up

kdg said,
Pet peeve... the M in ATM stands for machine, therefore there is no need to use the word machine after it. It is just an ATM.

My Pet Peeve is when people say they're going on a "PAT Testing course" so...... you're going on a "Portable Appliance Testing testing course"? Interesting!

LogicalApex said,

It would be ATMs, no? ATM's has a possessive apostrophe...

Bro, you're one of the 14 people in the world who know that. Welcome to the club!

Fritzly said,

Isn't ATM an acronym for Automatic Teller Machine?


It's short for Automated Transaction Machine. Teller is the silent one from Penn & Teller!

Nashy said,

If the word ends in an S isn't it?

No! Good grief. If a word ends in S an s' is used to show POSSESSION instead of the usual 's

You'd say "The players' uniforms all got wet in the rain."
You wouldn't say "The players' all had wet uniforms."

Lord Method Man said,

No! Good grief. If a word ends in S an s' is used to show POSSESSION instead of the usual 's

You'd say "The players' uniforms all got wet in the rain."
You wouldn't say "The players' all had wet uniforms."

I think the machines shouldn't be using Windows XP! ........wait, what are we talking about?

Some of you really need to lighten up. If you actually took the time to understand the words I used, you'd see I didn't indicate my opinion on the matter either way. An honest poll so to speak.

Lord Method Man said,

No! Good grief. If a word ends in S an s' is used to show POSSESSION instead of the usual 's

You'd say "The players' uniforms all got wet in the rain."
You wouldn't say "The players' all had wet uniforms."

Of course. It's obvious when it's written in front of me. Cheers.

They're only vulnerable from within anyway...
Or with key cards, mods, or whatever but that won't likely change after April.

Fritzly said,
Reassuring....

Actually you can be reassured, since no ATMs use normal WinXP, they use XP embedded. XP Embedded is designed to be a set and forget OS that may never receive updates. The support and security of these highly customized is controlled by the vendor, not Microsoft. This is a misleading article and possibly an intentional effort at scaremongering.

Oh, yet another ignorance.
I work for the world's leading ATM manufacturer. All the devices I have worked on so far are all on Windows XP. Few of them on WinCE. Not WinXPEmbd. & there are OS/2 ATMs still out there.