Earlier this month, I have spent a week in Protaras, a very nice resort town located at the Eastern part of Cyprus. It\u2019s a brilliant place for a getaway especially when you are in need of one. I came a bit ahead of the season, so there were less people in the streets and on the beaches than one may expect.<\/p>\n
At first glance, Protaras almost entirely consists of hotels, villas-for-hire and countless pubs, cafes and tourists\u2019 emporiums that are open late into the night. This busy life, however, coexists with empty, under constructed or outright abandoned venues and hotels, which would make one think that Protaras is experiencing some issues. Again, it was just the second week of May, and, according to local workers, the main influx has yet to happen. Still it looks as though Protaras once knew better times than now.<\/p>\n
One day while doing some shopping I noticed a peculiar sound, that a cash register had a strikingly familiar chime of Windows XP. My inquiries were left unsatisfied: the girl behind the stand didn\u2019t know whether the register really used Windows XP or not. Actually, from what I saw on a display, the cash, touch-sensitive interface was indeed Windows-based.<\/p>\n
Well, using XP isn\u2019t relevant any longer given that Microsoft ended its support on April 8th. Moreover, it\u2019s plain dangerous given the amount of malware targeting Windows XP, including its embedded versions which are used on PoS terminals. The fabulous Target and Neiman Marcus breaches exposed credit cards data of millions people are just two examples. Yes, hackers are more likely to attack larger targets \u2013 for now. But the larger retailers\u2019 IT people learn their lessons (even if in a hard way). So bad guys soon will likely switch their attention towards smaller (and much more careless) victims. Probably even as small as these shops for tourists \u2013 even the smaller shops and cafes are visited by hundreds on a daily basis, with lots of people using their credit cards for payment.<\/p>\n
Even though Windows XP support is expired and this aged OS\u2019s insecurity is widely publicized now, still it is in active use. Just last year more than 90% of ATMs in the United States have been equipped with XP derivatives, and so are lots of Points-of-Sale. Actually, if we take a look here<\/a> we would see that late in 2008 Microsoft released Windows Embedded POSReady 2009, which is \u2018a fancy version\u2019 of Windows XP. This video<\/a> shows how its \u2018relationship\u2019 to XP can be exploited.<\/p>\n However, it barely comes as a surprise that businesses still use XP or its derivatives. First, there comes the common logic: as long as stuff works, it can be used.<\/p>\n Second, Microsoft ceased support of Windows XP less than two months ago. And although the warnings were given way ahead of time, migration has been going (and still is) on at a much slower pace than it should do. Larger entities consider costs, smaller ones expect to stay \u201cinvisible by size\u201d \u2013 like \u201cwe\u2019re too small to be hacked,\u201d which is wishful thinking at best.<\/p>\n By the way, the aforementioned Windows Embedded POSReady 2009 will be supported onwards until 2019 \u2013 which would probably discourage its users from deploying something more secure for quite some time.<\/p>\n Using Windows XP is a risk today because hackers apparently will look and find new, yet unknown vulnerabilities in order to reach for other people\u2019s money.<\/p>\n Which, by the way, may be much easier than one would think. As we talked about our vacancies with colleagues, one of them told me about another interesting \u201cresort case\u201d. He visited Dominicana and in a hotel lobby there were two public PCs with internet access and packed with lots <\/i>of software. Guess the OS installed? Windows XP, right. Now the high spot: people there didn\u2019t mind using these PCs for their banking operations.<\/p>\n And then these people expect that banks will compensate their losses as soon as there are any. Sometimes you start asking yourself, whether banks should do it at all? Or is there a way to prevent people from doing stupid things?<\/p>\n