XP退休可能危及銀行取款機(jī)安全

XP Windows7

XP Windows7

XP

XP ATM

WindowsXP'sretirementcouldputATMsandmoreatrisk

XP

AfterApril8th,2014,Microsoft(MSFT)willendsupport,includingautomaticsecuritypatches,forits13-year-oldWindowsXPoperatingsystem.Thismaysoundlikeaninconvenienceprimarilyforgovernmentagenciesandaginguncles,butanothermajorsetofWindowsXPusersaretheautomatedtellermachinesandcreditcardsalessystemsthathandlebillionsofdollarsoftransactionsdaily.

201448

Microsoft

13

Windows

XP

WindowsXP

Whilemajorretailersandbanksarelikelytobewell-preparedfortheendofXP,financialsystemsbasedonthesoftwarearealsointhehandsofafar-reachinghodgepodgeofindependentATMoperatorsandsmallbusinesses.Despiteamplewarning,industryanalystsandinsidersagreethathighcostandinconveniencewillkeepplentyofthesesmallerplayersrunningoutdatedsoftwareformanymonthstocome--withseriousimplicationsforthesecurityoftheirsystems.

XP

JerryNevins,co-owneroftheKansasCitycocktailbarSnow&Co.,isclosetothedilemma.Snow&Co.boughtapointofsalesystemlessthanayearagofromthepaymentsservicerMicros--onlytobetoldwithinafewmonthsoftheneedforanupgradetoWindows7,atacostof$1,700forthesingle-storesystem.Luckily,Snow&Co.wasstillunderaserviceagreement,soitsupgradewasfree.ButasNevinsputsit,"Ifyou'reasmallbusiness,anunexpected$1,700mightbelike,eh,I'llgoaheadandtakemychances."Moreover,Nevinsdescribesa"hugeline"ofMicroscustomerswaitingforanupgrade.He'scrossinghisfingersthatSnow&Co.willbeupgradedbeforetheApril8deadline.

Snow&Co

Micros

Windows7

1700

1700

Coststoretailcreditcardprocessorswillvarywidely,saysJohnBerkeleyofMercuryPaymentSystems."IfyouhavetherighthardwareyoucanjustupgradetheOS,butforsomemerchantsupgradingfromXPtoWindows7canmeanallnewhardware,"likelycostingmuchmorethanthat$1,700.

MercuryPaymentsSystems

1700

ThechallengesofupgradingbecomeevenbiggerinthecaseofATMs.ATMmanufacturersareofferingsoftwareupgradesformachinesstillbasedonXP--thoughsomeofthosehavebeenavailableforlessthanamonth.Butthecosttoupgradecanbestaggering.

ATM

ATM

XP

ATM

AccordingtoJayWeber,vicepresidentinchargeofNorthAmericandebitandATMsystemsforFISGlobal,"AnATMmachinepurchasedinthelastfiveyears...wouldonlyneedasoftwareupgradeof$4,000to5,000permachine."ThatsoftwarecostissohighinpartbecausemuchspecializedsoftwarewrittenforWindowsXPcan'tbeeasilyportedtoanewoperatingsystem.ButATMs10yearsoldormorewouldneedtobecompletelyreplaced,andWebersaysthatnewhigh-endATMscancostatleast$50,000to$60,000perdevice.

FISGlobal

ATM

ATM

40005000

ATM

WindowsXP

10

ATM

ATM

ATMoperatorsandbusinessownersarelargelybeinglefttodecideontheirownwhethertoupgradeornot,saysWeber."Organizationsaretryingtolookattheinvestmentoftheupgradeandweightitagainsttheirperceivedrisk"--andmanyseemtobereadytotaketheirchances."[April9th]isgoingtocomeandgo,andtherearegoingtobesomemerchantswhohaven'tdoneityet,"saysBerkeley.Weberspeculatesthat"it'sgoingtobeatrickleapproach,aslowerramp-up,"withmanysystemsgoingwithoutanupgrade--andremainingofficiallyinsecure--throughtheendof2014.

ATM

2014

Thishesitancymaybeworsenedbecauseoperatorsaregettingmixedmessagesabouttheirrisk.ThePaymentsCardIndustrySecurityStandardsCouncilhasissuedpublicwarningsabouttheneedforretailerstoupgradetheirpointofsalesystems,buttheircurrentsetofstandards,whichareusedtodetermineeligibilitytooperateoncreditcardnetworks,donotrequireit.AndWeberhimselfseemssanguine:"Theriskishardtoquantify.There'salotoftechnologyinplaceinthemarketplacetohelpmitigatetherisk,"suchasthe"fairlyclosedtelecomenvironment"thatmostpaymentsystemsoperateon.

thePaymentsCardIndustrySecurity

StandardsCouncil

ButBogdanBotezatu,seniore-threatanalystfortheanti-malwaresoftwarecompanyBitdefender,couldn'tdisagreemore.Hetalksabouttheissuewiththebarelysuppressedterrorofafatherwatchinghisteenagesondrivesoloforthefirsttime."They'renotpanicky,"hesays,"andactuallythatmakesmepanicky."

XP

XP

Bitdefender

Botezatu,whohauntsundergroundhackingforumstokeepaneyeonloomingsecuritythreats,claimsthathackersaregearinguptoraidsuddenlyinsecureXPmachinestheminuteMicrosoftsupportends."Whenanoperatingsystemisannouncedasreachingitsendoflife,[hackers]arefranticallylookingforexploits,becausethentheycanuseitindefinitely,"hesays."It'stheholygrailofmalware."

XP

WindowsXP

Totakefullestadvantageofthesituation,black-marketvendorssellingnewXPexploitshavebeenstockpilingthem,waitingtoreleasethemuntilafterMicrosoftisnolongermonitoringandrepairingsecurityflaws.Thoughthird-partysecurityfirmswillcontinuetoupdateanti-malwareprogramsforXP,usersnotrunningorupdatingsuchsoftwarecouldbepermanentlyvulnerabletoanever-growingsetofexploits.MercuryPaymentSystems'JohnBerkeleyconfirmsthat"Ifahackerdiscovers[avulnerability]amonthortwoaftertheendof[XPsupport],theyhavemoretimetoexploitthat."

XP

XP

XP

Theseexploitscouldrangefromstealingcreditcardinformationfromsmallvendorstoevenmoredramaticformsoftheft,manyofthemeasilycircumventingexternalsecuritymeasuressuchasthesemi-closedpaymentsnetwork.BotezatusaystherehavebeenreportsofanATMexploitthroughamobilephoneconnectedthroughanATM'scardreader.HealsocitesalegendarystuntbythesecurityexpertBarnabyJackattheBlackHatsecurityconferencein2010,wherehedemonstrateda"Jackpotting"hackthateasilyemptiedanXP-basedATMmachine.AccordingtoBotezatu,Jack,whodiedin2013,neverrevealedthenatureofthisexploit,meaningthatitcouldremainanunpatchedvulnerabilityinXP-basedmachines.

ATM

ATM

2010

XPATM

2013

XPATM

Mosttroublingofall,BotezatupredictsthatunsecuredXPmachinesofallkindswillbecompromisedbyhackerstoformnewbotnets.Thiskindofsystem,inwhichhackedsystems'processorsareputtonewtasksunbeknownsttotheirowners,canbeusedforeverythingfrommassiveDenialofServiceattackstominingcryptocurrency,and