Wednesday, February 26, 2020

Countdown to Windows XP End of Life and Support: Are you still at Risk?

Posted by OnCourse Staff March 24, 2014 4:23pm

Photo Credit: sanand

By: Buddy Arriola, CISA, MsC

According to Microsoft, support for Windows XP ends on April 8, 2014.  This means that starting this date, Microsoft will stop providing technical assistance, hotfixes and security updates to protect Windows XP computers and devices.  Windows XP is widely used and operates not only on computers but on many other devices as well including Automated Teller Machines (ATMs), Point-of-Sale (POS) devices, and medical devices.  When support for Windows XP ends, these devices will become easy prey for criminals.  Hackers target computers and systems with known vulnerabilities and exploit these either to extort money, to steal data, to disrupt services or even just for fun.  “Windows XP vulnerabilities” pose a big threat in information security and is one of the top 10 security issues for 2014, according to SC Magazine for IT Security Professionals.

Risks for continued use of Windows XP

Although Windows XP will continue to work, Windows XP computers and devices will no longer have protection from new malwares and vulnerabilities after April 8, 2014.  This means Windows XP will become vulnerable to hackers and criminals that could lead to potential cybercrimes and information security breaches.  Also, eventually, more and more applications will become incompatible and will stop working with Windows XP.  This could lead to potential system downtimes, work inefficiencies, and significant technical support cost.  According to ZDNet, custom support is available at a minimum cost of $200 per pc for the first 12 months, $500 for the second 12 months, and $1,000 for the third 12 months.    As such, Microsoft suggests upgrading your computer to Windows 8.1 or getting a new PC.  Getting a new PC may be a more cost effective solution due to unreasonably high support cost.  Getting a new PC may also be your only option in some instances because Windows 8.1 is not compatible with older machines.  If you have not already started doing anything, getting new PCs may also be the quickest and surest solution.

Risks for Embedded Windows XP (XPe) devices

A scaled down version of the Windows XP operating system is embedded in many other devices including ATMs and Point-of-Sale (POS) devices (e.g. modern day cash registers) thus making these devices susceptible to Windows XP vulnerability attacks.  Although there are products (e.g. Symantec Endpoint Protection for Windows Embedded) and information security best practice (e.g. Make Windows XP write protected) available that can provide protection against hackers, viruses, and other malicious codes for Windows embedded devices, nothing is foolproof.  Target’s and Neiman Marcus’s systems were compromised by hackers fairly recently or towards the end of 2013 by installing infected POS systems on their network.  The infected systems allowed the collection of payment information after a card is swiped.  According to PC World many criminals are hacking POS devices by attacking the terminals directly from the Internet.  Also, hackers are finding another way into company networks by exploiting other software vulnerabilities.  Determined hackers will try to find a way to break into your system.  As such, it is important to have the appropriate preventive (e.g., change management, patch management, virus protection, and firewall) and detective controls (e.g, intrusion detection and monitoring) to minimize your Windows XPe risks. 

Many banks including Wells Fargo, Bank of America, and Royal Bank of Canada are operating their ATMs on XPe, according to InfoSec.  Fortunately, the End of Life and Support for embedded Windows XP is not until December 31, 2016 giving banks, financial, and other institutions with XPe devices some time to plan and prepare.   Banks and institutions are urged to start planning ahead to better prepare for the December 31, 2016 Windows XPe End of Life and Support date.

Risks for ATM Machines powered by Windows XP

About 95 percent of the world’s Automated Teller Machines (ATMs) are powered by Windows XP, according to a CSO Security and Risk Report published in January 2014.  Of all the ATMs, approximately 420,000 are in the United States.   Unfortunately, many Banks have not started converting their ATMs.  JP Morgan has purchased the costly custom support from Microsoft and plans to begin converting its 19,000 machines starting July 2014, according to the report.  There is a general consensus on published articles on this topic on the Internet that Banks should upgrade their ATMs to more current or modern operating systems in order to minimize their risk and to protect their customers.

Regulatory Compliance Risk

The Federal Financial Institutions Examination Council (FFIEC) expects Banks, Financial Institutions and third party service providers that use Windows XP computers and other devices to follow the FFIEC Risk Assessment and Risk Management guidance to identify and mitigate the risks associated with Windows XP End of Life and Support.  The joint statement by the FFIEC agencies stressed the importance of adhering to the risk assessment and management guidance as defined in the FFIEC IT Examination Handbook in order to ensure the protection of the integrity, availability and confidentiality of customer data.  At a minimum, these should include the following:

  • Identification and measurement of risks;
  • Development and implementation of an appropriate action plan to mitigate the identified risks; and,
  • Periodic monitoring and reporting to ensure risks are reasonably managed overtime. 

Over the last several months, many institutions upgraded their Windows XP computers to more current operating systems based on recommendations from their most recent regulatory exams.  Regulators expect banks and financial institutions as well as third party service providers to address and manage their Windows XP End of Support risks.  If your institution has not done so, make it a priority to perform your Windows XP End of Life and Support risk assessment and risk management in order to meet the FFIEC regulatory requirement.

Summary and Conclusion

Windows XP Life and Support ends in less than 60 days.   Windows XP vulnerabilities and unpatched systems will make it easier for criminals to hack Windows XP computers and devices after support ends on April 8, 2014.   As such, these systems are highly likely going to be targeted by criminals and hackers.   If you are still using Windows XP computers and devices and have not already performed a Windows XP End of Life and Support risk assessment and risk management, you may be at risk after support ends on April 8, 2014. Make it your priority to perform your Windows XP End of Life Support risk assessment and risk management and to upgrade all relevant Windows XP computers, ATMs and other devices to more current operating system(s) and/or more secure platform(s).   Fortunately, there is still time for organizations to complete their migrations before the April deadline if they act quickly enough, according to online sources.   There are online tutorials, industry best practice guides, and migration tools that are widely available on the Internet (see helpful links below for examples) as well as professional help and services to expedite your Windows XP migration. 



Top 10 issues in IT security for 2014,, Doug Drinkwater, December 20, 2013

Windows XP SP3 and Office 2003 Support Ends April 8th, 2014 ,

Upgrade to Windows 8.1 from Windows Vista or Windows XP,

Best Practices for Windows Migration,

ATMs running Windows XP robbed with infected USB sticks – yes, most ATMs still run Windows,, Sebastian Anthony, December 30, 2013

Windows XP still runs 95 percent of ATMs,, Tony Bradley, January 20, 2014

Windows XP support cutoff poses data breach risk for retailers, Jeremy Kirk,  February 3, 2014

Determining which version of Windows Embedded your device is running,  , November 10, 2008,

Symantec Endpoint Protection for Windows Embedded, 


Product Lifecycles,, February 5, 2014

Make Windows XP write protected,

Do ATMs running Windows XP pose a security risk? You can bank on it: Banks' insistence on sticking with Windows XP as their ATM OS of choice is a risky move,, InfoSec Institute, Kim Crawley, February 3, 2014

Windows XP: What to expect once Microsoft shuts down support,, ZDNet, Toby Wolfe, February 3, 2014.


Helpful links for completing your Windows Migration before April 8, 2014:

Free Report on Migrating from Windows XP: Guide for Completing Your Migration Before Support Ends on April 8th, 2014,

Windows XP: For Colleges, It's Time to Move On,, Tommy Peterson, February 10, 2014

Webinar: A Smart Strategy for Streamlining and Accelerating Windows 7 Migrations,

How to Migrate from Windows XP Before Microsoft Pulls the Plug,,news-18038.html,  Fashimida Rashid, January 2, 2014

Windows XP holdouts: 3 reasons you must upgrade now, Yes, now,, PC World, Tony Bradley, December 5, 2013


Add a comment

  • Required fields are marked with *.

If you have trouble reading the code, click on the code itself to generate a new random code.


OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment

OnCourse Staff's Posts Subscribe to RSS Feed

Flood Coverage – Still a Hot Regulatory Issue
Interagency Statement on Sharing BSA Resources and Challenges
New Jersey's Corporate Business Tax Legislation: A Look at the Impact for Banks
Correspondent Banking: The Challenges of Data Transparency
Regulation E and Business Account Errors
Controls over Employee and Officer T&E Expenses
Is Regulation CC Put on the Back Burner?
Training – An Investment and Risk Management Tool
Are You Gambling with Your BSA Program?
The Case of Foreign Banks and Heightened Scrutiny
IRS and New Jersey Tax Audits of Banks
State Taxation of Financial Institutions in Today's Environment
Does your 401(k) Plan need an Audit?
De-Risking of Foreign Correspondent Banks
Same Day ACH Credits – Phase One
FinCEN Finalizes Ruling on Beneficial Ownership and Ongoing Customer Due Diligence
Keep an Eye On Your Chip!
Is the IRS Status of your Defined Benefit plan in Jeopardy?
The Dilemma of Banking Medical Marijuana Businesses and Other Indirect Risks
Is your Institution Monitoring Working Capital Lines of Credit?
Financial Reporting and Regulatory Update on the Horizon
BSA/AML Training: Is your program effective?
Planning in a Consolidating Banking Industry
To opt-out or not to opt-out, that is the question – A reminder on March 31, 2015 Call Report, Schedule RC-R, item 3.a
Anti-Money Laundering – The Age of Technology
Top Compliance Topics Discussed at the NJ Bankers Compliance University
Some tips and tricks for dealing with Regulatory Examinations
Updated Regulation E Booklet from the OCC!
Is Flood Disaster Still on the Heat Map?
Have You Implemented Your Plan yet?
FDIC Consumer Newsletter
More Flood Insurance Changes...
Same Sex Married Couples - Ensuring Equal Treatment – Announcement from Consumer Financial Protection Bureau
Truth in Lending (Regulation Z) Annual Threshold Adjustments (CARD ACT, HOEPA and ATR/QM)
FFIEC Releases Revised BSA/AML Examination Manual: So what’s new?
OFAC Consolidates Non-SDN Listings
Coping with HOPA
Coping with the CFPB’s Ability-to-Repay Rule
ABA Survey on Impact of Dodd Frank Compliance
ABA Mortgage Origination Deskbook
Who handles Your Dormant Accounts?
Appraisal Disclosure Rule
Cybercriminals Broaden their Attacks in Social Networks
The Importance of Segregating a Bank’s Credit Function from its Lending Function
Appraisal Management Companies in Regulatory Crosshairs
All About the Home Owners Protection Act
Requesting Current Financial Information
Countdown to Windows XP End of Life and Support: Are you still at Risk?
314(b) Distinct Advantages for Financial Institutions
Where is the Document?
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
The Credit -- Er, IT Crisis?
Keeping the Balance: IT Security and the Org Chart
IT Security: "IT's" About Process
Wag the Dog
Consumerization of Technology and its influence on Information Security
Detective, Reactive and Preventive: Evolving Your IT Security
Do You Know The Security Features of the New $100 Bill?
Segregation of Duties for Wire Transfer Processing
How do you charge Early Withdrawal Fees on Time Deposits?
Do you still offer NOW Accounts?
Policy Changes Required – Do you Wait until Annual Approval?
Summarizing ACAMS White Paper on EDD and AML Risk Assessments (Industry Survey)
ACAMS to provide Free Webinar
ACBB Changes its Name
Who Do You Give Cash to?
ABA Briefing to Help Banks Address Cyber-security Threats
The OCC Issues Booklet: “A Common Sense Approach to Community Banking”
Safe Deposit Box Contents are not insured – But They COULD Be!
Allowance for Loan Loss Tips and Tricks
FDIC Can Review New Products
Let’s Talk About Overdrafts!
Community Banks Slowly Warm Up to Private Student Loans
Has your Bank updated the Adverse Action Notice?
Regulation E and NACHA Rules: When you Want to Stop Payment on a Recurring Debit
CFPB Stands Up Against Poor Debt Collection Practices
Don’t Forget the Small Stuff
Double Endorsed Checks: What is the Risk?
Social Media – Will the Regulators Do Spot Checks?
How Does Your Bank Handle Customer Requested Maintenance Changes?
OCC Releases Booklet on "Common Sense" Community Banking
New SAR Filing Updates
Is your BSA/AML automated monitoring system up to par?
The Importance of BSA Training
Office of Foreign Assets Control (“OFAC”) introduces the OFAC SDN Fuzzy Logic Search Tool
Filing the New CTR Forms: What you need to Know
FFIEC Proposed Risk Management Guidance on Social Media: Beware and Prepare
Solutions to Reducing Dormant Accounts at Your Institution
Pandemic Preparedness: Are you testing your Pandemic Plan?
Regulation E Foreign Remittance Rules
FFIEC issues revised “Supervision of Technology Service Providers” booklet
Expiration of Unlimited Deposit Insurance for NIBTAs
Is Your Institution's Marketing UDAAP Compliant?
What is Enterprise Risk Management?
New OCC Guidance Released on Investor Owned Properties
Electronic Work Papers - Why acxell Made the Switch
OCC to Toughen Exams in Response to United States Senate Permanent Subcommittee On Investigations
Clarifying Regulatory Obligations Regarding Continuing Activity SAR Filings
Federal Regulatory Agencies Proposal New Rule
Risk management - Smaller institutions and the benefits of ERM
Strengthening Your Loan Maintenance Monitoring
New Lending Proposal from CFPB
FDIC Reaches Settlement on Overdraft Fees
FRB Guidance on Foreclosures
Loan Denials and Withdrawals – Tips to Sure Up your Process
Regulation O – 5 Easy ways to avoid violations
The Summer of CFPB Proposals
Community Lenders Seize Market Share From Big Banks by Using Advanced Online Lending Technology
Dodd-Frank Rule to Change Legal Lending Limit Monitoring Requirements
The ABCs of a TDR
Supreme Court ruling for the Freeman, et al. v. Quicken Loans, Inc case
New FinCEN Guidance for CTR Aggregation for Businesses with Common Ownership (FIN – 2012 –G001)
Senior member of House of Financial Services Committee Introduces Overdraft Protection Act
FinCEN is looking to streamline the financial institution reporting process by issuing mandatory E-filing reporting requirements.
Curry: Operational Risk Now OCC’s Top Concern
JOBS Act Client Alert - Rules 506 of Regulation D
New Rules Proposal for Servicers Coming from the CFPB
Wall Street Receives Volcker Rule Clarity
De-stressing with stress testing
Banks Participate in Information Sharing to Battle Online Theft
IT security: Is your program still effective?
Banking Solutions: ALLL and GAAP in Agreement
How are the most recent regulatory enforcement trends that banks are facing today affecting internal audit? Why?
What are the most recent regulatory enforcement trends that banks are facing today?
Mobile banking: How do we get there?
UBS further struggles with $2 Billion loss by Rogue Trader
Capital One Becomes Dodd-Frank Test as Nation’s Fifth Largest Bank
Community Banks to receive US Funding for Small Businesses
FDIC fields questions about overdraft guidance
Negligent Hiring – A mistake can cost more than just money!
Regulatory Burden – Managing the Pain
From Embezzlement to Imprisonment: Former Citigroup employee faces charges with $19.2 million in bank fraud
TDR or Not to TDR …Much Ado about Nothing?
Finding the Right Hire
Model behavior: Is your ALM model capturing your bank’s risks?
ALLL best practices: Pay attention to qualitative factors
Abandoned Property Law, and its new New York State of Mind
Consumerization of Technology and its influence on Information Security
FDIC releases Provisions on Dodd-Frank to help Community Banks
Social Media in the Employment Arena – It Gets Funky!
The Proof is in the Pudding: Affects of Dodd-Frank on Community Banks
Banks and Businesses get "swiped" over Fees
A little bit of this, and a little bit of that: Fed Unveils list of Banks Helped during Financial Crisis of 2008
IT Security: "IT's" About Process
To Test or Not to Test; That is the Question
2011 Failed Bank List Hits 25
Wag the Dog
Committee on Financial Services to Hold Hearing on the Effects of Dodd-Frank on Small Biz and Banks Today
2011 Failed Bank List up to 18
A Culture of Whatever: On the Path to Proper Governance
The Test Drive: Leasing or Buying a HR IT Platform
Detective, Reactive and Preventive: Evolving Your IT Security
Cracking the ALLL Code: How to Develop the Right FAS 114 Methodology
Double Digits: Bank Closings up to 11 in 2011
FCIC Releases Report on the Causes of the Financial Crisis
Part of the In Crowd: Thoughts on the Dodd-Frank Act
Another One Bites the Dust: Regulators Close 4 Banks
Keeping the Balance: IT Security and the Org Chart
On Notice: FDIC Issues Rule for Temp Unlimited Deposit Insurance
2011 Failed Bank List Up to 3
Welcome to OnCourse
Stick 'Em Up!
Time for a Tune-Up: The Necessity of a HR Audit
Visa Instituting Two-Tiered Debit Card Interchange Structure
The First Failed Banks of 2011
The Credit -- Er, IT Crisis?
Painting a Masterpiece: The Art of the ALLL Reserve
The Law on Your Side: Understanding HR Regulations in 2011
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
No Respite from RESPA