Windows XP Goes Dark; Will Hackers Be Lurking?

As Microsoft finally pulls the plug on its popular Windows XP operating system Tuesday, the computers of millions of online banking users could be more susceptible than ever to fraud.

After April 8, Microsoft will no longer provide regular security patches or technical assistance for Windows XP. Although everyone saw this coming -- Microsoft has been very clear about XP's expiration date since it launched the operating system in 2001 — close to a third of all U.S. consumers still have it on their PCs, according to Net Applications. If about half of U.S. consumers bank online, as the Pew Research Center says they do, millions of computers being used to bank online are vulnerable to hackers exploiting any holes they can find in XP.

The demise of XP is no surprise. Microsoft has been issuing warnings about it on a regular basis and even ran a helpful countdown clock. Microsoft supported XP longer than any previous operating system (the next-longest was Windows NT, which it supported for eight years).

Microsoft has also been upfront about the risks to those who don't upgrade. "If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses," the company states on its website.

In a joint statement in October, the Federal Financial Institutions Examination Council warned banks about the risks of continuing to run XP on their computers. "Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data," the regulators stated.

But while banks can and presumably have upgraded their own PCs, they have little control over what their customers do. Online banking users still holding onto XP machines due to lack of funds, inertia, a dislike of Windows 8, or lack of awareness, will be easy prey for hackers.

Experts say this is a medium risk for banks. "These consumers will be more vulnerable, but banks should be used to dealing with consumers whose desktops are infected with malware," says Avivah Litan, vice president of Gartner Research. "In this sense, it's business as usual. The banks need to be able to detect malware-based sessions and react accordingly."

Banks also need to have a layered fraud prevention strategy so that if a piece of malware succeeds in logging into an online banking session from a customer's computer, other fraud detection and prevention software and layers can kick in to mitigate the damage, she says.

Jacob Jegher, senior analyst at Celent, believes XP machines are not an alluring target for hackers because the operating system's market share is falling. (According to Net Applications, XP usage dropped from 38% in May 2013 to 28% in March.)

"If XP drops to a very small number, it becomes less interesting," he says.

Jegher also observes that because XP is mature, many of its vulnerabilities have already been discovered. And any exploited weaknesses in the code could be detected by anti-malware and antivirus software, he says.

"I have a computer running Windows XP at home, and I have no issues banking online with it," he says. "A year from now, I'll still be OK with it."

Some of the newer operating systems may be more vulnerable to cybercriminals than XP because the weaknesses have yet to be exposed and, therefore, have yet to be fixed.

"If you're running the latest and greatest Windows 8 computer and you've had it for three months, you're open to all kinds of malware, spyware, and Trojans," Jegher says.

There are a few things banks can do to mitigate the risk of having armies of online banking users entering their sites from potentially infected PCs.

First and foremost, they can encourage their customers to upgrade.

The Bank of Washington in Lynnwood, Wash., for instance, set up a web page alerting customers to the end of XP. "Using Windows XP after April 2014 will be an 'at your own risk' situation," the bank warns. It advises consumers to install a newer version of Windows. "Windows 8 is the latest, but Windows 7 is a very capable and user-friendly operating system," the $123 million-asset bank states. "Windows 7 also has a more traditional Windows user interface, as Windows 8 introduced many design changes."

Some of the largest banks have the technology to identify what operating systems customers are using to access online banking and put additional controls in place for those customers, for instance, by not allowing them to upload files.

Some banks are working with Microsoft and PC manufacturers to provide discounts to encourage people to upgrade. "It sounds a little Big Brotherish, but customers usually think it's great when they get the feedback, because they'd much rather be protected than have their accounts compromised," says Mercedes Tunstall, practice leader of Ballard Spahr's Privacy and Data Security Group.

For most banks, by watching closely and putting appropriate controls in place, XP should not be a problem, Tunstall says.

"It could be a crisis if people are not paying attention," she says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER