Dixons Carphone is still using thousands of EPOS tills running on Windows XP more than a year after Microsoft’s extended support expired, The Register has learned.
This is not the Embedded flavour of the OS (though even these would present a heightened risk of attack, say security experts) but 7,000-plus bog standard XP systems in branches, visible to customers.
More ReadingDixons, UK's fifth 'emergency service', brushes off Brexit scare storiesDixons Carphone to shut down 134 shopsDixons Carphone CEO dances on rivals’ graves, swipes share from survivorsIs ATM security threatened by Windows XP support cutoff? Well, yes, but …Hilton hotels in credit-card-stealing malware infection scare
More precisely, these in-store tills are HP PCs, most of them D530s, with the now 14-year-old OS installed on their hard drive.
Sources tell us DixCar has no custom support agreement with Microsoft that would enable the retailer to continue receiving regular patches or firmware updates at $200 per PC for year one, $400 for year two and $800 for year three.
“Whilst there shouldn’t be a price on security, there is a price to a large scale refresh, especially with something as key as an EPOS estate,” one said.
As is commonplace in large organisations, some of the background tech is bespoke and that has trouble running on a modern OS or browser, our insider told us.
“Big companies and state agencies need to get much better with the thought of progressive IT. Too many paid too much years ago for solutions that simply don’t work on modern OSs,” the source added.
Weeks ago it emerged that the Welsh Health Services has 20,000 PCs still running on Windows XP, some months after El Reg revealed the NHS in England and Scotland, along with HMRC and the Met also failed to upgrade since support was pulled in April 2014.
Security experts said that running vanilla XP on point of sale terminals is asking for trouble.
Charles Henderson, VP of managed security testing at cloud and managed security services firm Trustwave, said that operating system issues are often exploited by crooks targeting retail environments.
“A point of sale's security posture is only as strong as the foundation of its operating system," Henderson explained. "If the operating system is compromised, it's game over. In point of sale compromise cases that Trustwave investigates, very often it is operating system level issues and malware that exploits these issues and leads to a compromise. Once a vulnerability is discovered in an operating system, malware authors will leverage this weakness almost immediately in the malware they write."
Point of sale vendors, security professionals, and compliance regimes stress timely patching of point of sale operating systems and continuous security testing to ensure critical systems such as retail terminals are not running outdated operating systems or contain any other vulnerabilities.
"The threat of running an unsupported operating system is not only the known vulnerabilities of today but the vulnerabilities discovered tomorrow," Henderson added.
"Existing in an unsupported state translates to potentially being unable to remediate or mitigate the next big vulnerability without migrating to a newer operating system. Migrations under the risk of immediate compromise do not end well," he added.
Andrew Komarov, president and chief intelligence officer, InfoArmor Enterprise Threat Intelligence, a security experts who has looked into several cases of thefts linked to RAM scraper malware on PoS terminals, agreed that running Win XP in retail environments is dangerous.
"XP is not supported anymore, that's why various patch management and security misconfiguration flaws are highly probable, which may allow external bad actors to use them for targeted remote attack," Komarov, said.
"It allows [them] to exploit many 'internal' attack vectors as well, and as practice showed, professional bad actors use [their] own people to infect POS terminals," he added.
Even systems running Windows XP embedded, which is supported until April 2016, are at a heightened risk of attack, according to Komarov.
Dixons told us that for security reasons it will not comment on specific details about its systems.
“We take the security of our customer data extremely seriously and have appropriate proactive measures in place around our till and store estate,” a spokeswoman said. ®