By David Z. Morris
FORTUNE -- After April 8th, 2014, Microsoft (MSFT) will end support, including automatic security patches, for its 13-year-old Windows XP operating system. This may sound like an inconvenience primarily for government agencies and aging uncles, but another major set of Windows XP users are the automated teller machines and credit card sales systems that handle billions of dollars of transactions daily.
While major retailers and banks are likely to be well-prepared for the end of XP, financial systems based on the software are also in the hands of a far-reaching hodgepodge of independent ATM operators and small businesses. Despite ample warning, industry analysts and insiders agree that high cost and inconvenience will keep plenty of these smaller players running outdated software for many months to come -- with serious implications for the security of their systems.
Jerry Nevins, co-owner of the Kansas City cocktail bar Snow & Co., is close to the dilemma. Snow & Co. bought a point of sale system less than a year ago from the payments servicer Micros -- only to be told within a few months of the need for an upgrade to Windows 7, at a cost of $1,700 for the single-store system. Luckily, Snow & Co. was still under a service agreement, so its upgrade was free. But as Nevins puts it, "If you're a small business, an unexpected $1,700 might be like, eh, I'll go ahead and take my chances." Moreover, Nevins describes a "huge line" of Micros customers waiting for an upgrade. He's crossing his fingers that Snow & Co. will be upgraded before the April 8 deadline.
Costs to retail credit card processors will vary widely, says John Berkeley of Mercury Payment Systems. "If you have the right hardware you can just upgrade the OS, but for some merchants upgrading from XP to Windows 7 can mean all new hardware," likely costing much more than that $1,700.
The challenges of upgrading become even bigger in the case of ATMs. ATM manufacturers are offering software upgrades for machines still based on XP -- though some of those have been available for less than a month. But the cost to upgrade can be staggering.
According to Jay Weber, vice president in charge of North American debit and ATM systems for FIS Global, "An ATM machine purchased in the last five years ... would only need a software upgrade of $4,000 to 5,000 per machine." That software cost is so high in part because much specialized software written for Windows XP can't be easily ported to a new operating system. But ATMs 10 years old or more would need to be completely replaced, and Weber says that new high-end ATMs can cost at least $50,000 to $60,000 per device.
ATM operators and business owners are largely being left to decide on their own whether to upgrade or not, says Weber. "Organizations are trying to look at the investment of the upgrade and weight it against their perceived risk" -- and many seem to be ready to take their chances. "[April 9th] is going to come and go, and there are going to be some merchants who haven't done it yet," says Berkeley. Weber speculates that "it's going to be a trickle approach, a slower ramp-up," with many systems going without an upgrade -- and remaining officially insecure -- through the end of 2014.
This hesitancy may be worsened because operators are getting mixed messages about their risk. The Payments Card Industry Security Standards Council has issued public warnings about the need for retailers to upgrade their point of sale systems, but their current set of standards, which are used to determine eligibility to operate on credit card networks, do not require it. And Weber himself seems sanguine: "The risk is hard to quantify. There's a lot of technology in place in the marketplace to help mitigate the risk," such as the "fairly closed telecom environment" that most payment systems operate on.
But Bogdan Botezatu, senior e-threat analyst for the anti-malware software company Bitdefender, couldn't disagree more. He talks about the issue with the barely suppressed terror of a father watching his teenage son drive solo for the first time. "They're not panicky," he says, "and actually that makes me panicky."
Botezatu, who haunts underground hacking forums to keep an eye on looming security threats, claims that hackers are gearing up to raid suddenly insecure XP machines the minute Microsoft support ends. "When an operating system is announced as reaching its end of life, [hackers] are frantically looking for exploits, because then they can use it indefinitely," he says. "It's the holy grail of malware."
To take fullest advantage of the situation, black-market vendors selling new XP exploits have been stockpiling them, waiting to release them until after Microsoft is no longer monitoring and repairing security flaws. Though third-party security firms will continue to update anti-malware programs for XP, users not running or updating such software could be permanently vulnerable to an ever-growing set of exploits. Mercury Payment Systems' John Berkeley confirms that "If a hacker discovers [a vulnerability] a month or two after the end of [XP support], they have more time to exploit that."
These exploits could range from stealing credit card information from small vendors to even more dramatic forms of theft, many of them easily circumventing external security measures such as the semi-closed payments network. Botezatu says there have been reports of an ATM exploit through a mobile phone connected through an ATM's card reader. He also cites a legendary stunt by the security expert Barnaby Jack at the Black Hat security conference in 2010, where he demonstrated a "Jackpotting" hack that easily emptied an XP-based ATM machine. According to Botezatu, Jack, who died in 2013, never revealed the nature of this exploit, meaning that it could remain an unpatched vulnerability in XP-based machines.
Most troubling of all, Botezatu predicts that unsecured XP machines of all kinds will be compromised by hackers to form new botnets. This kind of system, in which hacked systems' processors are put to new tasks unbeknownst to their owners, can be used for everything from massive Denial of Service attacks to mining cryptocurrency, and would add substantially to the insecurity of the Internet as a whole. "I see a lot of trouble," Botezatu warns.
Whether April 9th brings a plague of cash-spewing ATMs, zombie PCs, and thieving credit-card readers remains to be seen. But Botezatu sounds exasperated that he even has to consider these scenarios. "It's an operating system that was released 13 years ago. Everyone should have started migrating two or three years ago" to avoid the mad rush and risks that come with the end of support. He hopes, at least, that this episode will motivate today's users to think about the future.
"This is going to happen soon with other operating systems," Botezatu says. "You should start upgrading from Windows 7 now."