The end is nigh, take cover. As I hope you all know, tomorrow will be Windows XP’s “end-of-life.” Anyone running the OS will stop receiving software updates.
This really shouldn’t come as a shock; Microsoft has been warning about this for quite some time now. But akin to that college final paper you’ve had all semester to write and left until one day before the deadline, many companies just haven’t taken the leap toward updating their OS.
What does that mean? In short, any company whose software is XP-run will stop receiving security patches henceforth. XP-based transaction devices should be most worried — namely point-of-sale systems.
This is according to Chris Pogue, a director at the online security firm Trustwave. He says that an overwhelming majority of point-of-sale systems currently use XP. And this is precisely what many hackers are waiting for.
“They’re going to be looking for systems that are running on XP,” Pogue explained. The moment the updates stop coming will bring “a number of vulnerabilities that [will] go unaddressed.” This is of course dependent on whether a hacker is able to bypass security and get into a POS system. If so, this end-of-life will make it that much easier for the hacker to access transaction credentials.
Of course, in terms of security there are thousands of other ways for an attack on a POS system to occur. “There’s a multitude of attack vectors,” Pogue said. “Having an out of date or unpatched system is one of them.” But once an OS’s updates stop coming, that attack vector can only multiply. Numerous Windows-based attacks have occurred in the past, but all were fixed with software updates.
So why hasn’t everyone just updated? Software changes are a business decision — and one that can cost quite a bit of money. “Organizations are focused on keeping the doors open, keeping the lights on,” Pogue explained. “They’re not necessarily focused on the detailed technical components of what their point of sale service does.”
Yet these businesses should be focused on this and make certain their data is truly secure. This means making sure software is updated and receiving patches when necessary. It also means ensuring that all software security measures are properly implemented. “If you have a firewall that’s properly configured, an attacker should never have an opportunity to launch [an attack code],” says the Trustwave expert.
As Pogue sees it, with this change in software scenery comes a need to both make sure the software is up to date and ensure that upfront security measures are in place.
If not, it could cost a company quite a bit — probably more than the price of the software update. We need only look at the likes of Target and Neiman Marcus, who saw widespread security breaches even while their OS was up-to-date. The chances of that kind of attack happening after XP’s “end-of-days” are higher. As Pogue says, “It’s certainly going to give the bad guys something else to use.”
The same should be said for ATMs. Yahoo Finance reports that nearly 95 percent of the world’s ATMs run on XP, but it argues that proper safeguards are already in place despite the outdated software. However, hackers are already selling ATM XP exploits on the black market in preparation. One can assume the same for POS systems.
Of course, if you’ve got cash to spend you could just avoid the problem for another year by shelling out £5.5 million to Microsoft. Why, that’s what the UK government did – I guess they didn’t prepare for tomorrow’s software apocalypse and wanted another year to prepare.
But for the thriftier, it’s probably best just to bite the bullet and update. Further, they should make sure the rest of their systems’ security is up to date. In general, it’s good to look at these events as times of IT security reflection.
Pogue wants everyone to remember that while this is important, it shouldn’t be cause for crisis; “The sky is not falling.” This is just a much-needed wake-up call.
Of course, if you’re still running XP and aren’t using a proper firewall, maybe the sky is falling.