Your bank machine probably runs Windows XP, and that's about to become a problem


(Lasse Kristensen/Getty)

Chances are good that any one of Canada’s 59,100 bank machines you frequent runs on a soon-to-be out-of-date version of Windows.

NCR, the world’s largest manufacturer of ATMs, recently told Bloomberg Businessweek that around 95% of the world’s automated banking machines run on the Windows XP operating system. The problem is that Windows maker Microsoft has announced that it will drop commercial support of the nearly 13-year-old OS in April. From that original Bloomberg piece:

There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards.

But don’t panic and empty your account — ATMs aren’t going to crash in some Y2K-style disaster come April 8. “ATMs will continue to function normally,” Jeff Dudash, a spokesperson for NCR, told me by phone this afternoon.

The core problem is Microsoft will stop providing new security patches for Windows XP (which was not, shall we say, an impregnable fortress in the first place). That’s inconvenient for the owner of an aging desktop PC, but it’s a much bigger deal for financial institutions who need to protect identities and banking information for millions of customers. Microsoft has subsequently agreed to keep supporting some anti-malware features for a further year, but even there says “the effectiveness of anti-malware solutions on out-of-support operating systems is limited.”

NCR cobbled together its guess of how many ATMS run Windows XP by looking at its own customer base as well as consulting independent analysts. It is also in NCR’s interests to stoke this issue, since it hopes customers will sign up for its own suite of security software to bridge the gap. Dudash wasn’t able to break out separate information about the state of Canadian ATMs, but he speculated that with fewer “deployers” in Canada—i.e., we have the Big Five banks instead of the patchwork of many small banks that serve the U.S.—the situation is probably not as bad different (see update) north of the border.

Update, January 24: Dudash emailed this morning with more details on the situation in Canada, and it turns out we’re actually behind the curve compared to the rest of the world: “While NCR expects—at most—1/3 of the world’s ATM deployers to switch to Windows 7 by the [April 8] deadline, we actually expect adoption in Canada to be slightly lower—somewhere around 20%.” This is, in part, because Canadian ATM operators upgrading to Windows 7 must undergo a security re-certification process that their American counterparts apparently don’t.

TD’s spokesperson told me that all of their 2,800 ATM machines do indeed run Windows XP, and that the bank “expects to complete the conversion of its Canadian ATM fleet to Windows 7 by the end of 2015.” RBC said it doesn’t give out such information about its machines, only adding: “RBC is well prepared for April and there will be no customer impact.”

Update, January 23, 5:56 PM: Scotiabank responded but like RBC declined to give specifics, saying only, in an emailed statement: “The bank is aware of Microsoft’s plans to end XP support in April 2014 and has made the necessary investment to proactively put the proper controls in place.”