Windows XP: bad things live on?

Earlier this month, I have spent a week in Protaras, a very nice resort town located at the Eastern part of Cyprus. It’s a brilliant place for a getaway especially

Earlier this month, I have spent a week in Protaras, a very nice resort town located at the Eastern part of Cyprus. It’s a brilliant place for a getaway especially when you are in need of one. I came a bit ahead of the season, so there were less people in the streets and on the beaches than one may expect.

At first glance, Protaras almost entirely consists of hotels, villas-for-hire and countless pubs, cafes and tourists’ emporiums that are open late into the night. This busy life, however, coexists with empty, under constructed or outright abandoned venues and hotels, which would make one think that Protaras is experiencing some issues. Again, it was just the second week of May, and, according to local workers, the main influx has yet to happen. Still it looks as though Protaras once knew better times than now.

One day while doing some shopping I noticed a peculiar sound, that a cash register had a strikingly familiar chime of Windows XP. My inquiries were left unsatisfied: the girl behind the stand didn’t know whether the register really used Windows XP or not. Actually, from what I saw on a display, the cash, touch-sensitive interface was indeed Windows-based.

Well, using XP isn’t relevant any longer given that Microsoft ended its support on April 8th. Moreover, it’s plain dangerous given the amount of malware targeting Windows XP, including its embedded versions which are used on PoS terminals. The fabulous Target and Neiman Marcus breaches exposed credit cards data of millions people are just two examples. Yes, hackers are more likely to attack larger targets – for now. But the larger retailers’ IT people learn their lessons (even if in a hard way). So bad guys soon will likely switch their attention towards smaller (and much more careless) victims. Probably even as small as these shops for tourists – even the smaller shops and cafes are visited by hundreds on a daily basis, with lots of people using their credit cards for payment.

Even though Windows XP support is expired and this aged OS’s insecurity is widely publicized now, still it is in active use. Just last year more than 90% of ATMs in the United States have been equipped with XP derivatives, and so are lots of Points-of-Sale. Actually, if we take a look here we would see that late in 2008 Microsoft released Windows Embedded POSReady 2009, which is ‘a fancy version’ of Windows XP. This video shows how its ‘relationship’ to XP can be exploited.

However, it barely comes as a surprise that businesses still use XP or its derivatives. First, there comes the common logic: as long as stuff works, it can be used.

Second, Microsoft ceased support of Windows XP less than two months ago. And although the warnings were given way ahead of time, migration has been going (and still is) on at a much slower pace than it should do. Larger entities consider costs, smaller ones expect to stay “invisible by size” – like “we’re too small to be hacked,” which is wishful thinking at best.

By the way, the aforementioned Windows Embedded POSReady 2009 will be supported onwards until 2019 – which would probably discourage its users from deploying something more secure for quite some time.

Using Windows XP is a risk today because hackers apparently will look and find new, yet unknown vulnerabilities in order to reach for other people’s money.

Which, by the way, may be much easier than one would think. As we talked about our vacancies with colleagues, one of them told me about another interesting “resort case”. He visited Dominicana and in a hotel lobby there were two public PCs with internet access and packed with lots of software. Guess the OS installed? Windows XP, right. Now the high spot: people there didn’t mind using these PCs for their banking operations.

And then these people expect that banks will compensate their losses as soon as there are any. Sometimes you start asking yourself, whether banks should do it at all? Or is there a way to prevent people from doing stupid things?

One final note- There is a possibility to protect banks and payment services, along with their  clients, from some problems – from fraud, namely. Late last winter, Kaspersky Lab has rolled out Kaspersky Fraud Prevention platform, which we described back in February. It includes client software protecting transactions on various devices, server solutions that detect fraudulent transactions at the stage of electronic payment processing and several additional services. Its Clientless Engine, in turn, is capable of preventing fraudulent transaction even if end users don’t have any security solution installed on their devices and use some very old and quite insecure operating systems.