Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.
Pushing them in that direction apparently is Microsoft’s decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association (ATMIA).
“There is some heartburn in the industry” over Microsoft’s end-of-support decision, Tente said.
Say what you want about Microsoft, but when it comes to clear and well-communicated support cycles, they belong at the very top. This is the ATMIA’s own fault for not properly getting ready for the future even though XP’s EOL has been known years and years in advance, and has even been extended a few times.
Even though it’s “their own fault”, in the end they came to the right conclusion – Microsoft is not needed for making operating systems for ATMs.
Edited 2014-03-23 23:25 UTC
1. If it ain’t broke, don’t fix it
2. MS doesn’t have any current offerings that fit the ATM market
Edited 2014-03-23 23:30 UTC
Actually, Microsoft DOES have an answer for ATM operators that need to stay on XP, even – Windows Embedded POSReady 2009.
And it’s supported for several more years, it hits end of support 2019-04-09.
(Not that clinging to XP like your life depends on it is a healthy behavior, but if a bank is in panic mode and can’t migrate to Linux yet, they’ll get a few more years with that…)
I have to wonder which idiot thought it would be a good idea to put a desktop O/S in an ATM, which is such an obvious candidate for the category “embedded”.
Probably an application developer. Why do you ask?
Why the f*ck would you need an “app” on a bloody ATM?!? That’s what the numerous embedded O.S.’s are for!
I agree with RobG, whoever thought this was a good idea is a f*cking idiot and has no business designing/developing software for ATM’s. >:(
Or… they saw numerous possible usages for apps on ATM-like devices that we have today – like what pica linked to nearby: http://www.osnews.com/permalink?585160
(and remember, this started already with OS/2 …plenty of time has passed, plenty rewrites)
One cannot expect to keep sitting on one version of a software indefinitely, especially if you are security sensitive. Fixing known vulnerabilities is one thing, incorporating modern techniques to mitigate certain kinds of problems or making it hard for an attacker to actually exploit a problem is another. In the case of XP, the whole security concept is just not up for 2014 and the future.
It’s hard to rejoice about a company that was happy running user-facing financial services on a decade-old desktop OS. It’s the right decision for the wrong reason. They may not get an explicit EOL call from their Linux vendor after 10 years, but that doesn’t mean they don’t have to keep up with the release train.
If they chose Linux because they want better control, like writing their own device drivers, or maintaining their own very-long-term-support distro, then brilliant. But if they want an OS that’ll never need an update, they’ll only find disappointment.
//but when it comes to clear and well-communicated support cycles, they belong at the very top.//
LOL!!!
Don’t know what fantasy land you’re living in…
XP support was originally going to end long before now. They extended it. And now this:
“Microsoft today announced it will continue to provide updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the same day as the end of support date for Windows XP: April 8, 2014.”
Yeah… really clear and well-communicated… cause ya’ never know if they’ll change their mind…
…again.
The 2015 date is because they still had to support Server 2003 until that date anyways, which is essentially XP with some services added to it.
“updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015”
Yeah….gotta love that reading comprehension.
This is adding a bit more than one (1) year of the most critical update – antimalware engine.
This should be just about long enough for the ATM to convert/port to another OS.
Hum – what should it be?
Return to OS/2 via eComStation?
Go with QNX and enable BlackBerry devices to become mobile eATM machines of BitCoins?
Go with an embedded version of Windows?
Easiest way to get microsoft to lower price or extend support – Mention migration to Linux…
Edited 2014-03-24 01:16 UTC
“It’s their own fault”.
Exactly what is the “fault” here? It’s not like ATMs have stopped working or anyone lost a lot of money because of this.
They couldn’t get MS to extend XP support so they’re looking at a different platform that would give them more control.
Seems like a sensible thing to do for an application that even XP is overkill for.
Are you sure? I seem to recall there having been some sort of news about people and banks losing money exactly because someone got in the banks’ systems via one of these ATM’s last year.
That’s because the US hasn’t yet decided to move out of the stone age and switch to two-factor (chip&pin) authentication on all money transactions. This kind of attack would have been mostly impossible anywhere else in the world, as the secret key used to sign transactions never ever leaves the smartcard.
Yeah sure, because chip and pin has never been proved insecure.
You probably want to follow CCC a bit closer if you care about chip and pin security.
Read what I wrote again. Then respond to that. I did not claim chip & pin is impervious to all attacks.
Edited 2014-03-24 23:49 UTC
I dunno but even so XP was still supported at that time so it was obviously not because XP was EOL’d.
Don’t these ATMs run Windows XP Embedded? It seems much more appropriate than the plain ‘ol XP the article talks about, and its end of support isn’t until January 12, 2016.
Edited 2014-03-24 03:34 UTC
Bank ATMs use Windows XP Embedded, which is supported until 2016.
Banks will also continue to use Windows XP for other functions. The only difference, they’ll have to pay extra for support contracts.
Apparently some banks need three more years to finish the migration to Windows 7:
http://www.theinquirer.net/inquirer/news/2334577/banks-negotiate-ex…
XP Embedded isn’t used everywhere. Many ATM’s in Norway use “normal” XP, not XP Embedded.
Most of the recent ‘news’ articles don’t specify, so I wonder what % of cash registers and ATMs are on Embedded XP, and what % are running standard XP?
This article for example from Australia:
http://www.smh.com.au/it-pro/business-it/doomsday-approaches-for-wi…
With less than 20 days to go before Microsoft ends support for the 13-year-old platform on April 8, millions of machines including 95 per cent of the world’s ATMs are still running on it.
About 30 per cent of Australian computers still run on XP
This article claims 95 percent: http://www.theverge.com/2014/1/20/5326772/windows-xp-powers-95-perc…
Switch to the free & awesome OS: www.ubuntu.com/download
It’s the world’s most popular free OS.
For those who like the Windows look, I would recommend: http://www.kubuntu.com & for older computers with lower specs www.xubuntu.com or http://lubuntu.net
Despite the fact the complete server infrastructure is Linux based, we decided to go for Microsoft Windows Embedded 8.x and .Net 4.5.x.
Why?
These boxes are no standard ATMs. Well, ATM functionality is provided. But that is only a small part of the functionality. As a consequence the software was quite complex. The System was coded in C# .NET 2.0. Consequently porting would have resulted in major porting efforts = major costs.
Besides a card reader, a touchscreen and a keyboard, these boxes used many more devices. Some devices have been custom developed. Drivers exist for Microsoft Windows, but not for Linux based OSes. Another big cost factor.
Greetings,
pica
Sounds like an interesting project to play around with.. too bad you couldn’t explore it further using technologies like mono (C#), NDISWrapper (Win Drivers) and Wine (API/LIB compatibility).
Sadly ReactOS isn’t further along – that system seems perfect for this kind of thing.
another detail:
Device drivers are implemented as Windows system services (http://support.microsoft.com/kb/101501/en-us). Driver and business logic communicate with SOAP over HTTP based web services. First time I saw such a solution
pica
Edited 2014-03-24 11:53 UTC
Interesting. What other devices does an ATM use? Inquiring minds want to know.
http://www.dhl.de/en/paket/pakete-empfangen/packstation.html
These boxes are
* ATM
* parcel service
* DHL web shop front end
Greetings,
pica
Just guessing, but they have integrated cameras to record each transaction, plus I imagine specialized and probably custom communication modems. Security stuff, like alarms and automatic locks and shut-down protection devices. Currency readers and check scanners. Receipt printers.
Here in the UK RBS especially but others such as Lloyds have been hit pretty badly with computer related issues.
http://en.wikipedia.org/wiki/2012_RBS_Group_computer_system_problem… (article from 2012 but they had another failure in Dec 2013).
It seems a general shake up is needed for the whole infrastructure, a lot of modernization.
I completely understand that financial services are heavily regulated with various compliances (PCIDSS) but surely someone high up in banking management must have been looking at all those legacy ATM’s with XP, Legacy UNIX servers from the 80’s and thinking we really need to do something about it.
Personally I’m still amazed that something like Windows XP is the OS of choice for an ATM, it seems so primitive when compared to the industrial stuff like QNX and Solaris. I understand why Train stations might use them for billboards but in a customer interactive environment dealing with something people are very serious about (i.e. money) to me it always seemed wrong to use such an unstable OS (I have seen plenty of ATM’s crashed out on the modern UI but hardly any during the OS/2 days).
They simply need to invest heavily into the environment, see that the money spent now will save them in the future, something like QNX or Linux would provide them with something solid for years to come, both at the ATM level and at the organisation level/back office.
I don’t think “primitive” is an issue. An ATM doesn’t have to do much, it just has to do it secure and well. Despite XP being “primitive” I think it’s overkill for an ATM and it provides a lot of attack vectors.
Linux would make much more sense. You can strip off everything that’s not needed leaving just the code you actually need and nothing else that can be exploited.
My guess is XP was chosen because it was easy to develop applications for it.
FWIW, the “application framework” for applications running on ATM’s in Norway (well, most of them) is Java. Yes, a JRE. So the operating system could (in theory) be anything, as long as it has drivers for all the devices in use. I don’t know why XP (and not XP embedded) was chosen.
My local HSBC bank branch has an ancient coin paying-in machine (very handy when you want to cash in bowls or jars of coins because there’s no commission and it goes into your bank account the same day). Bizarrely, it’s so old, it didn’t have a debit card reader, so you had to type your bank account number and sorting code into it (stars replacing the numbers, so you could be paying it into someone else’s account if you made a typo!).
It crashed on me almost like it had a virus – screen had red vertical stripes on it and eventually became unreadable. When the bank rebooted it for me, it came up the Windows XP boot screen, which actually shocked me! So paying in machines run XP as well as ATMs…
I never understood why NCR and Diebold didn’t go to Linux from OS/2. It may require them to rewrite their device drivers and interface software, but it would make the machines easier to use. Generally, NCR and Diebold onsite technicians are more technical than an average person so they wouldn’t have issues using a Linux-based system. Especially if they install a version of X and port their GUI tools to it.
There are several reasons these companies migrated from IBM/Microsoft OS/2 to Microsoft Windows:
1. same Microsoft tool chain
2. same thread semantics
3. long term product road maps
just to name the most obvious three reasons.
Greetings,
pica
Remember: when the machines rise against us, ATMs will lead the charge.
Is endemic industry-wide. In many ways I think people are STILL, even after thirty years of it, failing to grasp the notion that 3 years is obsolete, 5 years is the scrap heap.
XP hitting end of life and people NOT being ready for it despite being told time and time and time and time and time again it’s coming is just another stunning example of this laissez-faire attitude and complete lack of forward planning.
You’re going to see something similar in web development quite soon when PHP 6 comes along, and the “insecure by design” mysql_ functions go the way of the dodo in favor of mysqli and PDO. We’ve been told for EIGHT YEARS to STOP using mysql_ functions, which of course is why 90%+ of books released THIS YEAR, 99% of tutorials online, and the vast majority of systems written with PHP still use them; with no plans even on the table for the migration. It’s quite literally going to take saying “Your program no longer works, PERIOD” to get people to update past 5.3; hell some people won’t even update to 5.4 because their crappy outdated code hemorrhages errors like crazy on things we’ve been told for at least a DECADE to stop doing.
Then of course everyone wonders why there are security holes in things big enough to sail the USS IOWA through.
Well, that’s because PHP is an inconsistent mismatch of C library wrappers put together in a haphazard manner by people who don’t know what they’re doing.
Most programming languages aren’t quite as awful.
A PHP lover as myself. Nice to read I am not alone.
pica
With free linuxes and BSDs around, I doubt we’ll see critical infrastructure — ATMs, navy ships, utilities control, nuclear panels — using Windows in the future.
This should be the wake-up call the hold-outs needed.
Lazarus and Free Pascal would be perfect for ATMs.
They could run ubuntu with KDE and write the UI with
Lazarus. No need for visual studio or .net.