Yesterday, security researchers announced that OpenSSL, the widely used encryption software, had a major flaw in its code, and Microsoft dropped support for Windows XP. Despite being ancient in operating-system years, XP is still used by anywhere between 75 and 95 percent of ATMs. And OpenSSL protects at least two-thirds of sites on the internet, including huge sites like Gmail, Yahoo, and OkCupid. When one piece of technology becomes so widespread, any change or flaw can pose a problem.
As Gary Stix writes at Scientific American, “There are about 420,000 ATMs located in banks, bodegas and shopping malls throughout the U.S., and only about one-third of them are likely to have upgraded to Windows 7 or 8.1 before XP officially becomes a relic.”
Stix says it’s unclear what might happen to all those XP-fueled ATMs, but it’s possible that hackers could take advantage of the system’s openings to steal your card number and PIN when you try to take out money. You’re safer at your branch—big banks like Chase and Bank of America are more likely to upgrade their systems to keep their customers safe. But each machine made in the last five years costs between $4,000 and $5,000 to upgrade to new software, and it’s unlikely the ATM at your bodega is going to drop that kind of cash. And there's no upgrade that will help any machine made more than ten years ago: those will simply have to be replaced.
ATMs aren’t the only part of everyday life that runs on XP, either. Nearly 10 percent of the computers in the U.S. government run the operating system, and nearly 85 percent of the computers in the National Health Service in the U.K. rely on it. Almost half the people in China using a desktop or tablet computer are running XP. Without support for the operating system, any computer running it could become an easy target.
But the OpenSSL bug, Heartbleed, also means that, for at least two years, almost all of the web has been an easy target. The software is meant to encrypt information to keep it safe, but the bug let anyone who knew about it retrieve the key that decrypts passwords and other sensitive information. It's not clear yet—and may never be—whether this security hole was exploited, and by whom.
As a user, there's really not much you can do to protect yourself from any of these problems, either. While you can upgrade your own computer, you can’t control what your local ATM is up to. It might be worth asking whether the machine's operator has made any changes to keep malware from stealing your information when you take out a few bucks. And for the OpenSSL bug, GigaOm describes the very limited options web users have to make sure their information is safe:
If you are a web user, the short answer is not much. You can check the list of sites affected on GitHub, or you could try a tool from developer Filippo Valsorda that checks sites to see if they are still vulnerable (although false positives have been reported), and you should probably change your passwords for those sites if you find any you use regularly.