Hacker
Hacker. Photo by Dreamstime
Text size

Banks around the world, preoccupied with complying with a regulatory crackdown, are about to miss a deadline to upgrade outdated software for automated teller machines. The ramifications are exposure to hackers and malware - unless they pay extra to Microsoft to keep them secure.

No, it isn't a ransom. Microsoft warned that it would be ending support for Windows XP in 2007. But only some 30% of the world's 2.2 million ATMs using the system will have been upgraded to a new platform such as Windows 7 by the April deadline, says ATM maker NCR.

To keep their ATMs and customers secure from malefactors, many banks have reached deals with Microsoft to continue supporting the machines until they can be upgraded. Many have not.

Microsoft isn't naming names and only vaguely stated: "The cost will depend on both the specific needs of the customer and what support they already have in place, so it's different for every customer."

Britain's five biggest banks - Lloyds, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft, for instance.

London-based Sridhar Athreya at financial technology advisers SunGard Consulting Services said banks neglected to upgrade security systems, after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis.

"They were probably not very serious about the directive that came in from Microsoft. There's a lot of change going on at these banks at this moment in time and they would have seen Windows XP as one more change," he said.
Windows XP currently supports around 95 percent of the world's ATMs.

United States ATMs at risk

About 440,000 - or one-fifth of the world's ATMs - are located in the United States. Many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline, said Doug Johnson, vice president for risk management policy at the American Bankers Association.

Also, the queue of banks waiting to upgrade means there aren't enough people to do the work. "There is a little bit of a bottle-neck," said Johnson.

JPMorgan, which has 19,200 ATMs, will start converting its machines to Windows 7 in July, with a goal of finishing by the end of the year. A spokeswoman for the bank declined to say how much JPMorgan is paying Microsoft for the extended XP coverage.

Bank of America also said it would ask Microsoft to extend support for its machines still running on Windows XP.

Citigroup, which has more than 12,000 ATMs worldwide, said it is in the process of upgrading.