‘Don’t Procrastinate’ ATM Windows Upgrade

The clock is counting down to the end of support for Windows 7 – a change that could open the floodgates to ATM hackers if credit unions aren’t paying attention, experts warned.

The countdown ends on Jan. 14, 2020, when Microsoft will stop providing technical assistance and security updates for Windows 7. As a result, credit union ATMs that aren’t running Windows 10 in the next six months could become more vulnerable to hackers and malware.

“There’s a number of credit unions that are biding their time,” Keith Eckert, senior technical product manager for JHA Card Processing Solutions, noted.

Andrew Oasen, senior ATM product manager, debit and ATM processing at FIS, said some of his firm’s clients are on track to have their ATMs running Windows 10 by the time support for Windows 7 goes away. As a whole though, movement has been pretty slow, he said. “But we absolutely have seen a significant uptick in the number of projects to upgrade ATM hardware, ATM software – whatever is necessary to support Windows 10,” he noted.

Credit unions need to get on the ball now, because the time it takes to convert to Windows 10 makes it unlikely that a credit union will have its ATMs ready by January if it hasn’t already started the conversion process, according to Steve Gilde, director of global product marketing at Paragon Application Systems.

“You’re probably not going to be able to get enough resources,” he said. “We’ve already seen signs that the big guys, the B of As and the Chases, they’re approaching people because they need help. And a credit union is probably not going to be able to easily compete with what a Chase or a Wells can offer. If they want to get somebody, they’ll be able to outbid the credit unions for sure.”

Credit unions that also want or need to upgrade their ATM hardware may have a steeper uphill climb.

“I would say if you haven’t started now but you started, say, tomorrow, there’s still some hope,” Oasen said. “The average order time from order to actually getting an ATM installed was somewhere between that 90- to 120-day window. So just to get that hardware out there, you’re talking about, on the longer side, 120 days – almost four months. So the speed is of essence within the next month or two, if you have any hopes of making that date.”

What Credit Unions Need to Do

“First they need to contact to their ATM provider, whether that’s Diebold, NCR or a third-party service company … and have their terminals assessed – where do they stand today, and what do they need to do to get to Windows 10,” Eckert said.

Credit unions that have more than one ATM manufacturer in their ecosystems may have extra work to do, Gilde added.

“If you only had Diebold machines in your portfolio, you would do all your analysis with just Diebold,” he explained. “If you had a two-vendor supply policy and you had both Diebolds and NCRs, well, now you’ve got to go through that analysis with two organizations and talk about what needs to be done, and as you’d imagine, a slightly different language, slightly different references and slightly different circumstances.”

Some credit unions are using the Windows 10 conversion as an opportunity to upgrade their ATM fleets, Eckert said. “They have to have them touched anyway,” he said.

But that upgrade activity hasn’t been very high, according to Oasen. “We are absolutely seeing a few doing so, but at this point it’s really more about ensuring that they could support Windows 10,” he said. “We are seeing customers starting to upgrade to intelligent deposit functionality, so the ability to take an envelope-free deposit, whether it’s cash or check.”

What Could Happen

Credit unions that don’t have all of their ATMs on Windows 10 by Jan. 14, 2020,\ might not face serious risk right away, but that security risk may increase over time, according to Eckert.

“Don’t procrastinate,” he warned. “A lot of credit unions don’t know where their terminals might stand. Some do, but most don’t. Understand what your expenditure is going to be, what upgrades you need to make and how long it’s going to take. Understand it now.”

When Oasen thinks about the risk of not converting in time, he thinks about what happened when support for Windows XP ended in 2014. “There absolutely were attacks on Windows XP devices that were still in the field. If you use that as a baseline, it’s a logical presumption to think that there would be attacks on devices that are still running Windows 7 and no longer getting security updates,” he said.

Because it’s sometimes possible to tell what operating system an ATM is using by looking at its interface, hackers – at least in theory – could be out in force the day after support ends for Windows 7, Gilde added.

Credit unions have been tasked time and time again with ATM upgrades, modifications and pressure to keep up with the technological times, but the move to Windows 10 is a little different, he said.

“It’s not just a Microsoft upgrade for the sake of upgrade; there are enhanced security features,” Gilde cautioned. “There are new things that come with the application that you’ll want to take advantage of, so you could wave that flag and say, ‘We’ve upgraded. We’re done. We’re really smart folks and we’re ahead of the pack, and we’re as safe as we can be.’”

Credit unions that are still running ATMs with Windows 7 after January might be able to purchase extended support services from Microsoft for a fee if they need a few more months to finish converting, though that extra help could get expensive, he said. And that decision comes with its own risks, too.

“You’re just going to have to open up the wallet and pay for extended support. Because nobody will give you any sympathy if you actually go unsupported and then have a problem,” he said. “You’ll just get fired.”