back to article India tells its banks to get Windows XP off ATMs – in 2019!

The Reserve Bank of India has given that country's banking sector a hard deadline to get Windows XP out of its ATMs: June 2019. That's more than five years beyond the May 2014 end of support for the OS. In a notice to the nation's banks, issued last on June 21st, 2018, the Reserve Bank makes it clear that XP “and other …

  1. a_yank_lurker Silver badge

    Question?

    How common is XP in ATMs in other countries? And what the other countries doing about it?

    1. Waseem Alkurdi Silver badge

      Re: Question?

      Let me answer your question with regards to my home country, Jordan.

      - All ATMs I have run across run XP. I could see them booting up in the early morning.

      (I have no concrete figures though. Banks and businesses hate to cite these, citing reasons like "confidential" and "none of your business, kid!" ).

      - What are we doing about it? If it ain't broke, don't fix it. And if they cared to fix it, they have the administrative hierarchy (boss's boss's boss's boss has to approve, and maybe Central Bank too?)

      - But ATM physical security is strong. I once got suspiciously eyed by security guards for curiously eyeing an ATM in maintenance mode (or whatever they call it).

      At least, the Microsoft licensee over here ensures that businesses and banks (even major schools too) don't pirate Windows, so we have paid for the licenses.

      But it's not the same everywhere in the country. For example, my university are already on Windows 10 Enterprise and Enterprise LTSB, and in the worst, Windows 7. Same story for governmental offices, recently getting 7.

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Re: Question?

        If it ain't broke, don't fix it.

        This is exactly the attitude that I encountered with NationsBank and later Bank of America after their merger which involved switching from OS/2 and a Linux variant to Windows. It was... traumatic. Banks are about profit first and stability a very close second. Customers are on the list too, somewhere.

    2. big_D Silver badge

      Re: Question?

      Support for the last release of XP Embedded runs out in January 2019.

      AFAIK, most ATMs use the Embedded version of XP, which, if it is using the 2009 service update is supported through January 2019. If it is using XP Embedded SP3, it was supported until January 2016 and Point of Sale version to April 2016.

      Still not good, I just wanted to clarify.

      1. Waseem Alkurdi Silver badge

        Re: Question?

        most ATMs use the Embedded version of XP

        This is what it is supposed to be, but isn't always happening.

        The problem in our case is that they use XP Professional, the desktop release. Never seen an ATM on Embedded in our country (though I've seen cash registers running XP Embedded POSReady 2009 and online-exam thin clients at university running RTM XP Embedded (they're on a VLAN, not on the Internet though and are physically locked-up, and even these are slowly getting Windows 10 as they break)

      2. rg287 Silver badge

        Re: Question?

        That's more than five years beyond the May 2014 end of support for the OS.

        Not for Embedded XP.

        Support for the last release of XP Embedded runs out in January 2019.

        That's Windows Embedded Standard 2009.

        They may have until April 2019 if they're using Windows Embedded POSReady 2009, so a couple more months. Of course they may also be using bog standard XP Professional which was indeed buried years ago...

        1. Anonymous Coward
          Anonymous Coward

          Re: Question?

          A lot f ATM's are basically a safe with automated paper handler, a laptop, and a display panel, all inside another secure cabinet. Therefore a lot of ATM's are effectively running a full desktop OS of some description. I must say I don't recall seeing one with an "embedded" version of windows. Indeed why they need such a fat OS at all has always been a bit of a mystery.

          Although marketing types now like them to play movies and "rich" experiences with all the associated consequences that brings...

    3. Anonymous Coward
      Anonymous Coward

      Some Western-European bank owned ATMs still run Windows 95!

      The other week I saw a Windows 95 blue screen on an ATM. (Siemens Nixdorf model)

      And train station displays still run on OpenVMS.

      ("Siemens Nixdorf" was bought by Wincor and named "Wincor Nixdorf", and then Wincor got bought by Diebold, nowadays named "Diebold Nixdorf" - so the ATM is old but still working fine, normally) But don't worry, the bank software stack is written in COBOL and ABAP, dating to the 1960s.

      Many technical machines like CNC Turn/Mills are also still running Windows 95/98, those machines are expensive.

      1. Anonymous Coward
        Anonymous Coward

        Re: Some Western-European bank owned ATMs still run Windows 95!

        I know of lab PCs still running on 368 hardware connected to electron microscope and other expensive lab equipment, of course running Windows 3.1 with data saved to 3.5" floppy disk or data noted down by hand and inputted on a newer Windows PC nearby.

    4. razorfishsl

      Re: Question?

      Same here in Hk in one of the big banks and win 7

      but the service guy got really annoyed i was watching him.

      I told him it was a public space and he could go fuck himself.... then the bank security turned up.

      time to leave......

    5. Budva

      Re: Question?

      More common than you can possibly imagine.

      But with time they learned to use security solutions that can thwart "MOST" exploits.. not all..

      Sad side? With USB enabled, exploits are totally available in the dark web.

      1. Anonymous Custard Silver badge
        Headmaster

        Re: Question?

        Between arriving and boarding a plane at most airports you'll see at least a couple of PC's running XP (or occasionally even older Windows). Not to mention the common sight at the gate of them printing off the passenger manifest on a dot-matrix printer.

        Luckily all just controlling the cattle movement of bodies onto planes rather than anything too safety critical, but still makes you wonder sometimes...

  2. Mayday Silver badge
    Pirate

    "To:

    The Chairman / Managing Director / Chief Executive Officer

    All Scheduled Commercial Banks (excluding Regional Rural Banks)

    All Small Finance Banks and Payment Banks

    White-Label ATM Operators"

    Does this mean that Regional Rural Banks are exempt? Take your USB ATM skimmer to the bush and skim away!

  3. Anonymous Coward
    Anonymous Coward

    It might not be a big deal

    If they've firewalled it off like nobody's business, hardened the OS, locked everything down using something like Lumension Endpoint Security and used IPSEC left, right and centre.

    1. Anonymous Coward
      Anonymous Coward

      Re: It might not be a big deal

      The liklihood of that? {Snort}

    2. big_D Silver badge
      Paris Hilton

      Re: It might not be a big deal

      We are talking about banks here, they have such a wonderful history on their security, so of course it is all locked down... :-D

  4. tcmonkey
    Joke

    Secure ATMS with BIOS passwords

    Oh that's a good one.

  5. Anonymous Coward
    Anonymous Coward

    Better call the outsourcers

    Eh?

  6. bombastic bob Silver badge
    Linux

    Have a cup of WINE

    I have to wonder if WINE would run their banking software as well as (or better than) XP, and then have a nicely maintainable OS afterwards, without having to "UP"grade EVERYTHING.

    It would make a nice solution wouldn't it? NO NEED FOR WIN-10-NIC!!!

    1. Waseem Alkurdi Silver badge

      Re: Have a cup of WINE

      Wine does, in theory, as many of these programs are XP-era and "look" simple, some even use Java AFAIK, but many IT pros (at least where I live) owe favors (read as: whored to) Microsoft's licensee.

    2. big_D Silver badge

      Re: Have a cup of WINE

      ATMs generally use a very locked down version of Windows Emedded.

      There are equivalent Embedded Linuxes, but they don't generally support WINE, as they are as pared back as possible to reduce their exposure. So you would need to add the packages manually and maintain them manually.

    3. Roland6 Silver badge

      Re: Have a cup of WINE

      Actually the more appropriate solution is eComStation... I seem to remember an article on El reg a while back covering it's ATM push...

    4. Budva

      Re: Have a cup of WINE

      Some banks run the software natively on Linux. No need for WINE. Also the biggest driver producers already have drivers for Linux (old kernels, tough...)

  7. Tchou

    No reason..

    .. at all for a specialzied robot like an ATM to run an OS directed at the masses with all the useless functionalities and vulnerabilities it implies.

    Except drivers and taking the easier path.

    1. Waseem Alkurdi Silver badge

      Re: No reason..

      Back in the day (when XP was released) they didn't have ARM chips (or they weren't convenient enough).

      Besides, ATMs (in civilized nations) often run Windows XP Embedded instead of the full OS, so many attack vectors are cut.

      1. big_D Silver badge

        Re: No reason..

        And XP Embedded had a longer service history, SP3 ran out in 2016 and the 2009 update packet runs out of support in January 2019...

        Without knowning exactly which version of Windows XP they are using, it is hard to tell how severe the problem is. That said, they should already have moved or be in the middle of moving to a more modern platform.

  8. Anonymous Coward
    Anonymous Coward

    El Reg readers from India!

    This is your best opportunity to take photos of ATM BSODs in India, and then submit them here.

    Remember to provide the location, address and maybe a photo of the immediate vicinity.

    1. Waseem Alkurdi Silver badge

      Re: El Reg readers from India!

      And maybe cause some.

  9. gypsythief

    What's with the scary header picture?

    When I scroll down the article, the "ink" from the skull's eyes and mouth flows briefly down the page, as though the undead skull of Windows XP had returned from the grave to consume my very soul.

    Anybody else getting this? I'm not sure if it's some clever javascript trickery, an artifact of my monitor, or nightmares emerging from the forgotten depths of my subconcious.

    1. Waseem Alkurdi Silver badge
      Pint

      Re: What's with the scary header picture?

      Time to get a coffee, it seems?

      (We definitely need a coffee icon!)

      1. John Brown (no body) Silver badge

        Re: What's with the scary header picture?

        "(We definitely need a coffee icon!)"

        Yes, with the dual purpose of highlighting all the java exploit comments :-)

  10. Dan 55 Silver badge

    I'm sure they're running XP POS

    If not in one sense then in the other.

    1. Jude Bradley

      Re: I'm sure they're running XP POS

      Point Of Sale, or Piece of S*** ?

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm sure they're running XP POS

        Yes I believe that's the joke.

  11. Alister Silver badge

    That's more than five years beyond the May 2014 end of support for the OS.

    That's not true for XP Embedded, which is what most ATMs would run, it's still in support for another year.

    And it has very little attack surface compared to the desktop version.

    1. John Brown (no body) Silver badge

      "And it has very little attack surface compared to the desktop version."

      unless they decided the registry hack to make desktop XP appear as PoS as a "temporary" mitigation technique.

  12. 89724102172714582892524I7751670349743096734346773478647892349863592355648544996312855148583659264921 Bronze badge

    XP was/is the most user friendly version of Windows, Microsoft's pinnacle beyond which much arse gazing stupidity erratically formed the gigantic turd of Windows 10, the end of the proverbial loo roll.

    1. cosymart

      India tells its banks to get Windows XP off ATMs – in 2019!

      "XP was/is the most user friendly version of Windows, Microsoft's pinnacle beyond which much arse gazing stupidity erratically formed the gigantic turd of Windows 10, the end of the proverbial loo roll."

      To a certain extent I agree but you forgot Windows 7 which managed to avoid most of the 10 shit but inherited the good stuff from XP. And furthermore is still supported-ish as extended support won't end until January 14, 2020.

      1. 89724102172714582892524I7751670349743096734346773478647892349863592355648544996312855148583659264921 Bronze badge

        Re: India tells its banks to get Windows XP off ATMs – in 2019!

        It takes less clicks to get things changed in XP. Too much spyware in W7. Can't wait for the entire source code for XP to leak or be made open source (unlikely, I know). Maybe ReactOS will be out of Alpha soon...

        1. Roland6 Silver badge

          Re: India tells its banks to get Windows XP off ATMs – in 2019!

          >Maybe ReactOS will be out of Alpha soon...

          Given the way Trump is going, Russia and China might decide to co-operate and get the job done.

    2. Tchou
      Meh

      I would argue that 7 was a better XP, but I get your point.

      To say the truth I'm still searching for a decent desktop OS. Thought I had it with FreeBSD, but I got tired of waiting for drivers.

    3. Anonymous Coward
      Anonymous Coward

      XP had major problems, it was only until SP2 when it became the gold standard

      When XP was launched, it was derided for its 'Fisherprice' desktop UI.

      If it were up to me, I would make Windows a hybrid between Win XP and Win 7. Maybe include Edge from Win 10, but that's all. No data slurping, no auto updates, no Groove Music, no Microsoft Store, no OneDrive hooks on File Explorer. Include classic pre-Vista versions of MS Hearts, Minesweeper and Calc etc. Include Group Policy Editor as a standard feature for everyone, including home users.

      No Metro tiles.

      1. MarkElmes

        Re: XP had major problems, it was only until SP2 when it became the gold standard

        You could modify windows 10 to your requirements and add in the old xp games and remove the windows store and apps. You can even get rid of the metro tiles with classic start. You could build a custom install of that and there you go.

        1. Roland6 Silver badge

          Re: XP had major problems, it was only until SP2 when it became the gold standard

          >You could modify windows 10 ... and there you go.

          Until the next update ...

          One of the nice things with XP and with W7 is that you could customise it and still run updates...

  13. vtcodger Silver badge

    An ATM is a large, publicly accessible, box of money. While I understand that banks may not be the most astute operations in the universe, the assumption that banks need to be told how to secure ATMs strikes me as being a bit odd. Do the banks have some way of laying off their theft losses on someone else? If not is there perhaps something else going on here? Are there perhaps companies that profit somehow from forced upgrading of ATMs?

    1. cosymart

      Suspect The Bank of India is doing some arse grabbing on the lines of: "we told you to fix it so it isn't our fault when it goes TIPSUP"

  14. Anonymous Coward
    Anonymous Coward

    ATMs are generally

    supported by a specific team unrelated to "normal" desktops

    supported by an outsourcer/generic ATM provider (even in India) outside the bank entirely

    have peculiar change control processes that make fixes difficult to apply.

    are remote so when something goes wrong a physical visit is required

    However I would support the position that they need to get sorted out eventually. Simply abandoning them does not seem an appropriate management tactic!

  15. EnviableOne Bronze badge
    Holmes

    What News?

    so basically India is saying move your ATMs from Windows Embedded 2009 (XP) before it goes EoS.

    Sounds like good advice we should all be following

    oh and lock them down to reduce their attack surface

    yet aagin no problems here

  16. Aodhhan Bronze badge

    Look at everything

    If you're willing to pay for it, Microsoft provides patches and fixes for Windows XP Pro until 2020.

    It isn't cheap, but in cases where you don't have much choice... you know how it is.

    ATMs are more/less PoS devices. Many applications haven't been updated to run on more modern OSs. If they have, the ATM owners (not necessarily the banks who lease them), won't spend the money on upgrading OS and applications until they are made to do so. Why should they? You'd save the money and pocket it yourself, right?

    The number of increasing integrity attacks are starting to change minds, not to mention the cost of insuring old software/OSs. As is how much courts are starting to make examples of corporations who aren't being attentive to proper due diligence, and especially those who aren't attentive to proper due care. In-which using and old OS will likely hit the hardest in courts.

    If you look hard enough, you can still find Windows XP in the US and western Europe. Mostly with companies who lease out older ATMs. For banks who own their own ATMs, these are likely updated with newer operating systems, and a wealth of physical security add-ons.

  17. handleoclast

    I'm confused (again)

    The article headline states:

    India tells its banks to get Windows XP off ATMs – in 2019!

    That seems clear. All ATMs running XP have to be replaced/upgraded to running something newer than XP in 2019. As in no more XP-based ATMs at some point in 2019.

    But there's a table in the article that says:

    Windows XP deprecation June 2019

    That is not, by my understanding of the word "deprecate," the same thing. Time to check my understanding of "deprecate." From Wiktionary:

    1, To belittle or express disapproval of.

    2. (chiefly computing) To declare something obsolescent, to recommend against a function, technique, command, etc. that still works but has been replaced.

    So, depending upon which definition you choose and how you interpret it, India is going to say "Tut, tut" to banks still using XP on ATMs in 2019, or India is going to recommend banks stop installing new ATMs running XP in 2019. It doesn't, to me, read like an instruction to remove ATMs running XP by 2019, just more of the same "you really shouldn't be doing that."

    Life is so confusing these days, so maybe I misinterpreted it.

  18. Anonymous Coward
    Anonymous Coward

    Indian ATMs

    Having been to India briefly, I can say that actually finding an ATM that works and has cash is going to be more amazing than finding one still running Windows xp, thanks to the government's actions on currency control. Also, it's apparently the rats you really need to worry about.

    https://www.reuters.com/article/us-india-bank-rat/rat-breaches-bank-atm-in-india-eats-18000-worth-of-cash-idUSKBN1JH31U

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019