Traps: Preventing Successful Attacks on Legacy ATM Endpoints

Lawrence Chin

Microsoft discontinued support of the venerable Windows XP operating system (OS) in April 2014. This OS had been a workhorse for over 12 years, with a foothold among consumers, in enterprises, and in embedded systems such as automated teller machines (ATMs).

A year later, it was estimated that 75 percent of the world’s ATMs (2.2 million) were still running on Windows XP. Given the quantity of devices and the geographically dispersed nature of the ATMs, it is reasonable to assume that many of these devices have yet to be upgraded from Windows XP as any upgrade project is logistically daunting. And since Microsoft no longer provides software patches for any security holes, these devices are now more susceptible to malware and viruses. Some financial institutions made custom, extended support arrangements with Microsoft for a short timeframe to provide some protection as upgrade plans were put into motion.

Another factor that many banks and credit unions had to consider was the impending Mastercard deadline for Europay Mastercard Visa (EMV) chip-enabled ATMs. Beginning October 2016, liability for fraud will shift to the ATM owner. Consequently, some institutions opted to accommodate both the Windows XP and EMV chip reader upgrades as part of an overall, strategic plan to refresh their ATM technology. Based on the age of the installed base, this may require both new hardware and software. ATM industry experts have estimated the cost of this upgrade to range from $1,000 to $3,500 per ATM.

For Windows XP-based ATMs that continue to face delays in upgrades, one option would be to add advanced endpoint protection such as Palo Alto Networks Traps. Windows devices are then protected from malware and exploits — without the use of signatures. Traps can disrupt the relatively small number of techniques that malicious entities must use to compromise Windows systems, so the remaining Windows XP-based ATMs can be protected even in the absence of future software patches. By implementing Traps, we can help restore confidence in these aging but still highly visible customer touch points.

In the more general case for financial institutions, Traps can also be used to protect any Windows-based servers, desktops (both physical and virtual), and laptops from malware and exploits. This extends the benefit across the entire inventory of Windows devices from customer-facing ATMs to corporate personal computers and servers.

To learn more about how Traps can protect your endpoints, please visit:

2 Reader Comments

  1. Lawrence – “Beginning October 2016, liability for fraud will shift to the ATM owner.” – Where is this stated and is it globally? – Does it include Remote ATM only?

  2. Lawrence Chin

    Mike, thanks for the question. That Oct 21, 2016 deadline applies to ATM cards bearing the Mastercard logo and applies primarily to the U.S. (Many countries have already adopted EMV chip cards.)

    That deadline is also found in this document from Mastercard.

    For ATM cards with the Visa logo, the same liability shift date is October 2017.


© 2018 Palo Alto Networks, Inc. All rights reserved.