After 12 years, software giant Microsoft has pulled the plug on Windows XP, finally withdrawing support and updates for the operating system on 8 April. In the run-up to the deadline, many began to question what the impact on the banking industry was likely to be. Ellie Chambers investigates.
To read some of the headlines floating around in the financial industry ahead of Microsoft’s withdrawal of support and upgrades for Windows XP, you might have thought that the end was nigh.
Media outlets were peddling headlines that referred to a ‘scramble’ to upgrade ATM operating systems, warning that ATMs would become ‘vulnerable to hackers’ as of 8 April.
The faint air of hysteria was reminiscent of the doom-mongering around the turn of the century, when it was broadly predicted that all kinds of computer-operated systems, unable to cope with the concept of the year 2000, would crash, plunging the world into chaos and darkness.
ATM apocalypse?
If ATMs worldwide had been left open to compliance and security risks, it is likely we would have seen the effects by now.
But long before the deadline passed, banks worldwide had been struggling against a tide of scaremongering news stories to put out the message that there were safeguards in place.
Vendors are also keen to dispel fears around the ATM network. A spokesperson for NCR says: "The good news is that ATMs – including those running Windows XP – will continue to function normally after Microsoft’s April deadline.
"Financial institutions that do not migrate to Windows 7 immediately will have plans in place to maintain the integrity and security of their systems.
"NCR has plans to support both financial institutions that do not immediately migrate their ATM networks, as well as those interested in upgrading their user experience through Windows 7."
Peter Svahn, of Bankomat, Sweden’s biggest ATM provider and owned by the country’s five largest banks, says:
"Bankomat is working together with our outsourcing partner and has an existing plan for upgrading to the next level of operating system.
"Action has been taken in order to ensure security on the XP platform before the upgrade.
"Security is a vital part for our business."
US banks including PNC and JPMorgan acknowledge that they have purchased extended support from Microsoft.
Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK have also negotiated deals.
Adrian Vermooten, head of digital banking at Absa, Barclays’ South African arm, says: "As we’re part of Barclays, and given the depth of our relationship with Microsoft, we have extended our Windows XP support for another 12 months across the whole organisation, not just our ATM space."
Challenges and opportunities
Migrating the world’s ATMs to a new operating system will be a challenge; there are currently an estimated 2.2m of the machines in the world.
Francesco Burelli, partner at Value Partners, says: "The withdrawal of technical support and, more importantly, of security upgrades to Windows XP will make a large number of ATM systems obsolete.
"A large number of ATMs globally, 95% based on NCR estimates, are running on the Windows XP operating system. The upgrade will not just imply a change of operating system but it is likely going to require interventions at hardware level."
Vermooten agrees that the conversion from Windows XP represents a massive overhaul of both hardware and software. He says:
"This is a journey that we started as far back as 2012. The Windows 7 upgrade is certainly not just a software conversion from Windows XP, there’s also a certain amount of hardware upgrade.
"This is really a significant upgrade and through the process we will replace 3,000 of our 9,000-strong footprint."
Despite the extension to Microsoft’s support, he is quick to state that the rolling out of Windows 7 has been intentionally gradual.
He says: "In rolling out the new platform, one doesn’t want to find out in three months’ time that you have a glitch and not be able to revert to any other kind of state.
"So despite the fact that we are through all of our Windows 7 testing and it’s looking really good and we are rolling out to all of our devices, we are being really controlled.
"We are not forced to rush because of ongoing support with Microsoft. It’s a great position to be in. We didn’t want to take any risks with the Windows 7 upgrade.
"I think we are comfortable at the moment that by the end of Q2 we will be completed. To protect customer experience we only have a small window each month where we can go and do the upgrades, because we certainly put everything on freeze the last week of the month and the first week of the following month.
"We try and keep our environment absolutely stable during that time period for customer convenience so it really only leaves two weeks in the middle of the month when we can do our upgrades."
While acknowledging the difficulties, Burelli suggests that, far from the crisis the world media has predicted, the change from Windows XP gives the industry an opportunity to overhaul the ATM channel and make a multitude of improvements.
"While these changes are going to increase costs for the industry, they will also offer the opportunity to improve the channel and the functionality of the machines in terms of user experience (e.g. enabling touchscreens) and services available through the channel (e.g. VAS)."
Vermooten agrees with this optimistic take on the mass upgrade. He says:
"Windows 7 allows us to have a much richer customer engagement and we have already started to include that in our ATM stack.
"Our new build going forward starts to leverage the greater functionalities Windows 7 affords us, including greater graphics capability and the opportunity to use a more widget-driven approach, etc."
The effect on internet banking
Despite all this reassurance on the subject of ATMs, there is another channel that the banks and vendors cannot promise will remain safe.
According to the latest statistics from NetMarketShare, nearly 28% of the world’s internet users are still using Windows XP.
This could have huge implications for online banking, as customers banking whilst on out-of-date operating systems will no longer receive security updates.
Burelli says: "On the internet banking side, the withdrawal of technical support and security upgrades to Windows XP will put at risk all those consumers who are operating on obsolete technology."
In the Netherlands, the wording of legislation reveals that consumers are at risk of being found liable for any fraud that occurs through online banking if they use an out-of-date operating system.
As of 1 January, consumers must meet five conditions to qualify for compensation for fraud.
Gijs Boudewijn, deputy general manager of the Dutch Payments Association, says:
"One of our simple rules is: make sure the devices you are using are properly secured. In our explanation we say we expect everyone to use an up-to-date operating system, meaning an operating system that is still being maintained by the supplier, with the security updates.
"As we all know, as of 8 April Windows XP will no longer be maintained by Microsoft. There will be no security updates any more.
"So it is quite simple; in the case that a consumer used Windows XP after 8 April, and there was fraud, the fact that he or she has used Windows XP is one of the factors – just one of the factors, not the only factor – that could lead to a judgment that the customer has acted with gross negligence."
While this has been perceived as harsh new legislation, Boudewijn says that this in fact applies to the whole of Europe, but has been set out in clearer terms than the original legislation:
"The legal system is based on the European Payment Services Directive, so that if there is fraud, the banks are liable for this fraud unless they can prove the consumer acted with gross negligence.
"It has generally been perceived as new, stricter rules or legislation. But this is not the case, it is simplification of what was there in the first place, which had been perceived as too complicated for the consumers.
"The law is still the same; it’s based on the European Payment Services Directive and we are only trying to make life easier for the consumer, along with the Dutch Consumer Organisation."
Over in South Africa, Adrian Vermooten is at pains to distance himself from this hardline stance, saying: "We certainly haven’t taken that hard a point.
"Every year we provide free of charge anti-virus software to all our internet banking customers. That comes with a free subscription for the whole year and we really encourage them to make use of either our free software or one of the other vendors’ anti-virus software.
"I think that as Microsoft moves away from providing patches some of that gap – not necessarily all of that gap – will be filled by the companies providing some of the anti-virus software. Obviously what might not be happening is patches to breaches in code."
Awareness is key
While banks and vendors have put measures in place to ensure a smooth and secure transition from Windows XP to 7 on the ATM channel, they cannot stop customers from being their own worst enemies.
However, what they can do is raise awareness of the security issues around using outmoded operating systems.
Burelli says: "Typically customers unaware of security risks whose devices are left unprotected against threats are the major risk to their own finances."
One of the roles of the Dutch Payments Association is to raise awareness of the fraud risks around internet banking.
Boudewijn says: "We do a lot of public information campaigns raising consumer awareness of the risks, particularly of internet banking, with malware and phishing and everything."
He advises those using old operating systems to take their devices offline immediately.
"The Consumer’s Organisation says you should disconnect your computer from the internet. It’s not just about banking – all your personal information might be up for grabs by the hackers.
"Disconnect it from the internet and get a new operating system or a new computer.
"Everybody knows that nowadays the internet is not secure, you need certain precautions. What we will do and what we will keep doing is keep up consumer awareness of what they can do together with us to keep it safe.
"At the end of the day it is their responsibility to do that. We cannot force them to install a virus scanner, we cannot force them to buy a new computer and we can only keep informing people of what they can do, what they should do and what the consequences may be if they do not."
And there is hope. Boudewijn believes that the Dutch Payments Association’s efforts have helped cut online banking fraud in the Netherlands:
"What we’ve seen over the past few years is that because internet banking penetration was so high in the Netherlands, we have been very attractive to cyber criminals.
"But with the combined efforts of the banks and the consumers, based on our yearly awareness campaigns, we have finally seen a sharp decrease in online banking fraud.
"The problem is we don’t have a carrot. We only have the stick."