-4

I know many banks use Windows XP on almost all computers for staff work, and WinXP has many security vulnerabilities. But serious problems have rarely occurred with their systems.

Are there good firewall and IPS solutions that separate their systems from the outside? Could any kind of real-time attack affect these systems?

Thanks! :)

  • Many security vulnerabilities? Which known security vulnerabilities are currently present in Windows XP? – scai Mar 19 '14 at 14:57

2 Answers

2

It's not all that bad. First of all I don't think that Windows XP is more vulnerable than any other software product in the consumer market with the same complexity. Quite to the contrary. An up to date installation of Windows XP is probably as good as it gets for most of us.

Don't forget that newer versions of Windows are also vulnerable, most of the time even by the same exploits. The reason for this is the large codebase all of them have in common. Other operating systems like Mac OS X and Linux have their issues, too. They are just not as targeted as Windows is, because they are not quite as widespread.

In the case of ATMs Windows XP is just fine. ATMs are operated very differently than a typical PC is:

  • They are set up by corporations that have an interest in keeping them safe
  • There are no users surfing on dubious websites or opening mail attachments
  • Only software that is needed is installed. You don't expect a big office suite, a modern browser and other things to be installed on such a system. This vastly minimizes the attack surfaces.
  • They are not exposed to a LAN with potentially infected machines. The only way the user can interact with the system is by pressing one of ten or so buttons.
  • There is probably a whole lot of network monitoring going on, so any unusual traffic will raise an alert.
  • Most vulnerabilities can be mitigated with proper configuration, e.g. by using EMET. I fully expect that these systems are administrated by experts.

Furthermore, they are just dumb terminals after all. The ATM itself is not bookkeeping your account, but is only sending the appropriate commands to the bank, where all of the important stuff is happening. In Europe, where chip cards are widespread, there is additional security as the chip card is involved in any transaction, so the other side can be quite sure that someone with a valid card is standing in front of the ATM.

Does all of this mean that ATMs are perfectly safe? No, of course not. There have been instances where ATMs were exploited. But as soon as you start to inform yourself about security, you are going to notice that there is no perfect security. It's always a tradeoff and you need to balance correctly.

By the way: Maybe you want to listen to the most recent episode of Security Now, which is a podcast dedicated to (digital) security.

Karol Babioch
  • XP stops being capable of an "up to date" installation as of April 8, 2014, which matters. And other of your statements ("corporations that have an interest in keeping them safe", "probably a whole lot of network monitoring", "proper configuration, e.g. by using EMET" and "fully expect that these systems are administered by experts") are questionable assumptions which are contradicted by the history of embedded XP appliances. Lack of accessibility and scrutiny has always led to astoundingly poor practices with ATMs, voting machines, medical machines, ... – gowenfawr Mar 19 '14 at 14:45
  • Microsoft is going to continue the support for selected groups, e.g. banks. The April 8, 2014 deadline only matters to the consumer market, where it makes sense for most people to upgrade, because newer versions have more security features built in by default. Sure my assumptions are up for debate, but I don't think they are completely irrational. There are a lot of negative examples for embedded XP appliances. But the same is true for basically any other operating system. Remember all of the Linux multimedia hubs in planes that were crashing all of the time? Not as relevant, but still a fail. – Karol Babioch Mar 19 '14 at 14:51
  • I think you are making some assumptions about banking environments you would hope to be true (how do you remotely support machines if they are not on a network, and how do you get patches to them if there is no connection to the outside world?) and also assuming that Mafia and crimeware groups do not have the resources and skills to target specific attacks. EMV (chip and PIN) is not a panacea. – Eric G Mar 19 '14 at 22:43
  • Yes, most of the things mentioned above are assumptions. I'm not working in this sector, so I can't know what exactly is going on there. Nevertheless it's considered to be good practice, and I *really* do think that banks and insurance companies are quite good at balancing risks vs. expenses. As already mentioned, ATMs got "hacked" in the past, but I don't expect them to suddenly throw out money on April 9, 2014. In regards to the network: Once again I don't know any details, but I would guess they use a VPN and block everything else. That would be my guess at least. – Karol Babioch Mar 19 '14 at 23:02
  • @EricG, you don't need a connection "to the world" for this. Only a point-to-point connection to a single secure machine that monitors ATMs and distributes patches. This automatically eliminates problems with pretty much any remote vulnerability unless that secure machine itself is compromised. – Oleg V. Volkov Jan 15 '16 at 10:03
1

Yes, not connecting them to the Internet is a great firewall. Additionally most of the systems are just dumb terminals connecting to the bank's mainframe systems that actually track the banking information. Compromising a local connection could potentially allow for unauthorized changes to be made on the mainframe systems, but would require that you have physical access to the terminal.

AJ Henderson