Dixons Carphone still has 7.5k Windows XP EPOS systems

Dixons Carphone is still using thousands of EPOS tills running on Windows XP more than a year after Microsoft’s extended support expired, The Register has learned. This is not the Embedded flavour of the OS (though even these would present a heightened risk of attack, say security experts) but 7,000-plus bog-standard XP …

  1. Warm Braw

    Just as Dixons salesmen always said...

    Bad things may happen if you fail to buy the extended warranty.

    1. Halfmad

      Re: Just as Dixons salesmen always said...

      Don't worry, the saviors in purple shirts will fix it for a fee.

  2. Anonymous Coward

    So?

    I know of several stores that are using a custom DOS EPOS program running on top of XP and there is no way they are going to change that.

    The 'no change' has several reasons, one of which is that the DOS program will not run on anything but Win 2k or XP, because they are the only systems that have working drivers for the printers. Any change would mean replacing everything from the ground up, which is not going to happen.

    Everything runs on the internal network with no access to the web - data is transferred to head office by the simple means of physically taking the backup tape there.

    1. Not That Andrew

      Re: So?

      I have installed Win95 printer drivers on XP and XP printer drivers on Win 7 to get old dot matrix printers working. Why can't Dixons manage to do this?

    2. paulf

      Re: So?

      You're assuming the flesh sacks that occupy the "air gap" are 100% trustworthy and 100% alert to the risks of introducing infections to the internal network. All it takes is one underpaid till monkey to be offered an envelope of money to "Just plug this USB stick into the till so I can get some diagnostic information". Even if the USB sockets are glued up (as they ought to be on EFTPOS machines, other than possibly a debug USB socket behind heavy physical security) the Ethernet port (or something else) will be accessible...

      As the saying goes - the target has to be lucky every time, the perpetrator only has to be lucky once.

  3. Anonymous Coward

    Dixons CPW?

    Is there any reason why anyone with half a brain cell operation would want to do business with them?

    My local one even charges the punters to park outside.

    1. Anonymous Coward

      Re: Dixons CPW?

      "My local one even charges the punters to park outside"

      So does my local pub and ASDA.

      You'll find they probably don't own the car park.

  4. Anonymous Coward

    PCI DSS

    Presumably Dixons CPW is therefore not PCI DSS compliant. I wonder whether the card merchants will now investigate.

    1. Velv

      Re: PCI DSS

      Without doing a formal PCI DSS assessment you cannot say they are not compliant.

      PCI DSS is a framework, with nothing in the guide preventing you from using XP as long as you have the appropriate controls in place.

    2. Anonymous Coward

      Re: PCI DSS

      It's more than likely they have an external card payment terminal, as most UK retailers do. The POS will ask the terminal for payment, the customer does their business and the terminal tells the POS the payment has been completed. The payment terminals can only be accessed from the POS and connect to the card processors over a private VPN link. All definitely PCI compliant as we have the certificate.

      Of course the POS is open to other nefarious activities, but stealing CC info is not one of them.

      1. Steve Davies 3 Silver badge

        Re: PCI DSS

        From memory they still swipe your payment card at the till when buying a TV. It has something to do with TV Licensing.

  5. Captain Scarlet

    security taken extremely seriously

    Yes I believe you

    1. John H Woods Silver badge

      Re: security taken extremely seriously

      All utterances of "We take our customers' security extremely seriously" should go on record, resulting in an automatic doubling of any data protection fines eventually incurred. If the statement cannot be made to count for something, all journalists should simply refuse to report it.

    2. Trigonoceps occipitalis

      Re: security taken extremely seriously

      As in "We are extremely serious about not spending more on security than we (but not our customers) could lose if we are compromised."

  6. andy gibson

    Euro Car Parts too

    Their systems are still XP. At least my local branch is.

  7. Flak_Monkey

    meh, so what. If you don't trust their systems, pay with cash.

    1. Captain Scarlet

      Yeah, except what if you only discover afterwards? Still horrified to have seen a Windows 2000 screensaver appear on a till I had just paid at with a card, many months ago, at one of the cafés in Luton airport.

  8. Anonymous Coward

    Sports Direct also use Windows XP on all their tills, and those things have full internet access.

    Source: I work in Sports Direct

    Edit: and they run an MSSQL server locally on every EPOS, to minimize the amount of traffic between servers during the day. And I don't believe they ever push out any Windows Updates, as the tills are only ever rebooted when they freeze (which happens a lot).

  9. HipposRule

    Are you sure

    Are people just looking at the XP logo when it boots up? POSReady 2009 is based on XP (and looks like it when it boots) but is supported by Microsoft until 2019...

  10. Select * From Handle

    Not uncommon...

    I have seen NCP (parking terminals), Tesco's self-checkout tills and grocery stores still running XP.

    I have even seen (maybe 3-4 years ago, they may have refreshed) Barclays bank running Windows 2000...

    If it's not broke, don't fix it, and if it's secure, I don't see a problem here.

  11. Matt Quinn

    Hmmm... DSG are near the top of my personal most-hated-least-trusted retailer list... But, to be fair, why pick on them for this? Go buy some tools from Machine Mart in Edinburgh and you'll get to show your kids what a real-live green-screen monitor looks like! - running something that looks a lot like DOS! - The actual card system is of course external.

    LOTS of people and places in all sorts of situations WON'T be shifting from XP... End of...

    Why? Because the 'latest model' doesn't REALLY do anything better for them than the old, and the new pay, pay, pay 'till we bleed you dry systems only appeal to those with a vested interest in selling people 'upgrades' they don't want/need. - Them, and those spending other-people's money who are partial to a fashion statement...

    In all honesty, there is little or nothing I'm doing on my office 'admin' machines today that I wasn't achieving perfectly well with a fraction of the 'computing power' well over two decades ago. - Heck we're even running Win98 on our CCTV system! - A system that works perfectly and has proved FAR more reliable than the newer ones that have supplemented it! - In the event of an incident it takes us literally HOURS to get footage off our new 'insurance approved' system and into a format the local police can actually use; and we can only do that in-house at all because we're a TV production company and know how to manipulate the various codecs... When others afflicted with the same system have a problem their footage goes off to a police tech-support unit, it's a few days before it can be viewed at the local station... And yes... Plod do often 'quietly' ask us to help them out!

    High time MS - and a few others - started to realise that the cash-cow is not going to stand and be milked to death any more!

    All the 'sky is falling' stories are fooling fewer and fewer of the people for less and less of the time - especially where in-house knowledge exists. And the traditional built-in obsolescence is no longer a feature anyone is prepared to accept... IT is no longer 'glamorous' or 'trendy'... One no longer draws admiring glances from the ladies when one whips out one's Wang with its huge 20Meg hard drive... The computer is a dull-as-ditchwater everyday tool.

    - A bit like a broom really, and just as exciting... People buy new heads and handles when the old ones ARE really broken; and they tend to buy those that will replace the old directly. All the luminous brush fibres, polymer handle grips, sweep timers and GPS broom location systems (not to mention the racing stripes) in the world won't change that...

    Microsoft really HAVE milked this one to death! - Somehow their business model reminds me of the old, old scam where somebody would flog you a piece of cheap infested software then try to charge you a fortune for the antidote. When XP really IS broken (and I suspect they're working very hard to break it!) we'll go elsewhere... And Dixons could be using abacuses and pieces of knotted string for all the real difference it makes... To anyone but Microsoft and those who flog their products!

  12. druck Silver badge

    Bargepole

    Almost every critical security update for Vista and above, is a how-to guide for a wide open vulnerability in XP and before, that will never be patched. Don't touch users of these systems with the proverbial bargepole.

  13. Anonymous Coward

    Lloyds Pharmacy FAIL

    What about Lloyds Pharmacy, still running NT4 POS, and even worse the dispensing system is still on NT4 with NO AV and your medical data stored in an Access 95 database that’s not even encrypted!

    Pointed out to them for the last 8 years during pen tests: “we can’t upgrade as we are running 486 DX2, installing AV stops it from working”.

    Do you really want them to dispense you your life-saving medication?

  14. Anonymous Coward

    Lloyds Pharmacy FAIL!

    What about Lloyds Pharmacy, still running NT4 POS, and even worse the dispensing system is still on NT4 with NO AV and your medical data stored in an Access 95 database that’s not even encrypted!

    Pointed out to them for the last 8 years during pen tests: “we can’t upgrade as we are running 486 DX2, installing AV stops it from working”.

    Do you really want them to dispense you your life-saving medication?

    1. Anonymous Coward

      Re: Lloyds Pharmacy FAIL!

      Nice to get an update! Back in 2006/7 I worked on a project that designed a new system for them, clearly that design was placed on a shelf and then archived to the bin when the shelf's owner moved on...

    2. HipposRule

      Re: Lloyds Pharmacy FAIL!

      Can you find an AV solution that will even run on NT let alone have pattern file updates?

  15. trillyuk

    Sainsbury's as well

    Sainsbury's also run XP on POS terminals and PCs running in the Sainsbury's store bank. Pop into any Sainsbury's that has a mobile phone shop. The mobile part of the business is run by the bank, and yet they continue to use XP as the sales terminal.

    I was invited to use the terminal on external websites to compare specs across different phones. This worried me more than the POS terminals, as it suggests all of Sainsbury's is running XP. Would like to be proved wrong.
