With only weeks to go before Microsoft ceases its support for Windows XP, the chorus of warnings about the potential vulnerabilities financial institutions face has hit a new high note. Only now are they catching on to the idea that it isn’t just the machines within the institution itself that create risk — it’s those belonging to customers, too.
In its latest “Threat of the Week” post, Credit Union Times takes a look at what happens when customers access online banking, remote deposit capture and other services from machines running Microsoft’s nearly 13-year-old XP operating system, machines that are no longer protected by first-party patches and security updates:
XP, understand, is a relic, but a widely used relic. It went on sale to the public in October 2001. Right now, it powers nearly one-third of computers in use globally. Upgrade paths for those many millions of computers are unclear. Most of them also are relics; many could not run Windows 7, certainly not Windows 8, the latest version (released in 2012). Bottom line: Come April 9 there still will be millions of computers running XP.
“What new risks will financial institutions face on April 9th,” asked Tom Hinkel, director of compliance at Safe Systems, an Alpharetta, Ga., IT vendor to the financial services industry. “XP will enter a life phase where it forever is in a zero day exploit,” meaning that daily new holes may be poked in the system by criminals, knowing that those holes will remain unplugged as long as Microsoft sticks to its resolve to turn its back on XP.
Some experts ominously say that lately there have been releases of very few XP exploits. The implication is that cyber criminals have been stockpiling exploits – counting down to Microsoft’s end of support – and they will release them after Microsoft’s final patch. So there may be an avalanche of exploits coming on the scene in mid-April.
Indeed, individual users have their reasons for not upgrading by April 8. Those may range from compatibility issues and cost to a lack of awareness or even bad luck, according to an InformationWeek article. It may even be that credit union members have a false sense of security because of existing antivirus software. Even then, one recent report indicates Windows XP users are six times more likely to be attacked than those on Windows 7.
Tom Hinkel, Safe Systems VP of compliance, recently presented a half-hour webinar covering the potential risks associated with outside customers who haven’t updated their operating system by Windows XP’s end of life. The full presentation is available here.