End of XP Support: Are Banks Really Ready?Customers, Third Parties Among the Greatest Concerns
Banking institutions should be taking specific steps to prepare for Microsoft's dropping of support next month for the Windows XP operating system, banking regulators have warned. But industry experts disagree on whether the zero-day vulnerabilities and other risks related to XP's demise should be a major concern.
Doug Johnson of the American Bankers Association says the demise of XP support, including security patches, isn't a cause for great concern, as long as banking institutions continue to roll out layered security controls and sufficient vendor management measures called for in the Federal Financial Institutions Examination Council's online-banking guidance
But Tom Hinkel, a compliance consultant at financial services auditing firm Safe Systems, says zero-day XP vulnerabilities are substantial. It's a topic he blogged about back in October, when the FFIEC issued a warning about operating system risks banking institutions are obligated to address (see What Happens When Windows XP Support Ends?).
"There is evidence that hackers have been stockpiling XP exploits for some time," he says. "I'm truthfully baffled that it hasn't gotten more attention. I hope this is just another Y2K scare - more hype than reality. But I don't think that's going to be the case."
According to some estimates, hackers' black-market asking price for a zero-day XP exploit could easily double after April 8, when Microsoft drops its support. Today, zero-day exploits can easily net between $30,000 and $150,000.
But Johnson, who oversees risk, physical and cyber security and fraud deterrence for the ABA, says banking institutions should not get overly concerned about the possibility of zero-day attacks aimed at XP. Attacks against numerous operating systems are happening every day, he says.
"I have a hard time seeing a great deal of threat," he says. "I don't think there is any stockpiling of an XP exploit."
Banking institutions need to follow the same policies and procedures they would for any potential software or online banking risk, including customer education, Johnson says.
In October 2013, the FFIEC issued risk mitigation and regulatory and security compliance considerations related to Microsoft's discontinuation of support for XP. The FFIEC warned banks and credit unions of risks associated with computer systems, servers and payments devices, such as ATMs and point-of-sale terminals, that continue to run XP.
Regulators also noted the need for assessments related to ongoing compliance with authentication and online security guidelines outlined in the FFIEC Information Technology (IT) Examination Handbook, as well as with mandates, such as the Payment Card Industry Data Security Standard.
Specifically, the FFIEC notes the need for:
- Ongoing risk assessments to identify and measure risks that could result from the continued use of XP throughout the organization and at third parties;
- Considering the impact on business continuity and disaster recovery;
- Considering compatibility with other systems and applications, as well as costs and new risks;
- Developing an implementation plan to prioritize changes and monitor related third parties' mitigation and migration activities;
- Monitoring risk and ensuring the effectiveness of controls is tested periodically with results reported to senior management or the board of directors.
Both Johnson and Hinkel say banking institutions, as well as their customers and vendors, do not have to immediately upgrade their operating systems. But eventual migration away from XP is recommended, they say.
Meanwhile, banking institutions need to work with their customers on the issue. "Customer education is important; but the last thing you want to do is create undue concern," Johnson says.
"It would not be prudent to allow customers to conduct high-risk transactions," through an operating system that could have unknown vulnerabilities, he explains. "But institutions need to be prudent as well, and be very willing and able in the high-value market to be responsive."
Regardless of the operating system, banks and credit unions must and are constantly monitoring their high-value and high-risk online transactions, Johnson says, continually "looking for where the vulnerabilities may exist and finding ways to patch those vulnerabilities and their customer systems."
Johnson and Hinkel agree that banking institutions' two greatest areas of risk regarding XP are customers and third parties.
"The eBanking Handbook does clearly state that banking institutions have to manage risk, which includes the customer location," Hinkel says. "So institutions have an obligation there. They have to understand the risks of using the customer's systems."
Banking institutions should ensure their commercial customers have completed an inventory of how many XP devices they have and how many are still being used to conduct online banking transactions, he adds.
And some additional care related to XP vulnerabilities is warranted, at least for the short-term, Hinkel says.
"Forget about commercial reasonableness for a moment," he says. "You are expected to understand the risk of any and all high-risk electronic banking transactions. So if you are certain that a certain banking operating system is going to be obsolete after a certain date, aren't you required to reach out to the customer?"
Johnson also points out: "Clearly, the [regulatory] agencies have shown a greater interest in both third-party and outsourcing risk, and, potentially, part of that is always ensuring that third parties are practicing the same level of security that the banks are in their XP migration."
Layered security controls and due diligence should help address most third-party risks, says fraud expert Avivah Litan, an analyst for consultancy Gartner Research. "This event is not as ominous as it seems," she says. "The banks can put in a lot of layered compensating controls around XP that they should have had in there in the first place. XP already had plenty of vulnerabilities."