Windows XP is a bigger hacker threat than Heartbleed

If you've been fretting about the Heartbleed bug, your time would be better spent protecting yourself against a bigger hacker threat that doesn't have a creepy name: Windows XP.

As we reported earlier this week, Microsoft discontinued its extended support for Windows XP on April 8. That means the Redmond, Wash., software giant will no longer provide security updates and patches for the product. That, in turn, makes retailers who use XP in their credit and debit card payment processing instantly more vulnerable to data thieves, according to the Payment Card Industry Security Standards Council.

"This is a big deal," said J. Joseph Finizio, executive director of the Retail Solutions Providers Association, a technology trade group. Retailers, restaurants, and other businesses use XP-based systems to manage back-office operations such as inventory and payroll and to run front-of-store cash registers and payment card processing.

Businesses regularly upgrade their equipment, software, and operating systems, for example to Windows 7 or 8.1, which Microsoft will continue to support for years to come. But not every business is equally diligent about security, and upgrades cost money. Consequently, "probably hundreds of thousands of retail locations worldwide are still using XP," Finizio said.

"XP is now a particularly juicy target for hackers, because they know vulnerabilities will no longer get fixed by Microsoft," said Jacob Ansari, technical director at 403 Labs, an information-security and compliance consulting firm.

That is why XP is a much bigger threat than the Heartbleed bug. Here's how the two compare.

  • "Heartbleed is big, but it's something that will be addressed with patches, and in three months it will mostly be eliminated," Anton Chuvakin, research vice president at Gartner, the information technology research and advisory firm, said. "XP is a slow-motion disaster that will keep striking for the next three years."
  • XP is a stealth threat operating behind the cash register, where consumers don't expect an Internet security risk; Heartbleed, by contrast, has its own website and has been widely publicized.
  • Hackers pay attention to such esoterica as end-of-support dates for operating systems. "If anyone has been organizing for the demise of XP, it's the bad guys," Ansari said, and they now have months and years to do their work. With Heartbleed patches already being deployed (and affected sites replacing any private keys and certificates that may have leaked), the window of opportunity is fast closing on crooks who want to exploit that bug.

Protecting yourself from security threats is now an everyday chore. Our guide to Internet security will make the job easier.

Here's how to protect yourself.

While shopping. The businesses most likely to still be using XP are smaller, independent, mom-and-pop shops that may be reluctant, or simply slow, to pay the cost of upgrading. Major retailers, on the other hand, "are all over this," Finizio said. If you're concerned, ask the manager or owner whether the store's payment processing system still runs on XP.

Pay by credit card at businesses that you know or suspect are still using XP. If your data is stolen, it's easier to dispute unauthorized credit charges and replace a compromised card than it is to repair debit card fraud, which drains your underlying checking account and can trigger penalty fees for bounced checks and failed automatic bill payments.

Some experts advise that you always pay by credit card and never use your debit card at the cash register. We think that's too extreme. Instead, run your debit card as a credit card, which means you swipe it through the reader and sign rather than punching in a PIN. Yes, hackers could still steal your card data from a compromised register, clone your debit card, and use it like a credit card to make unauthorized charges, but because the PIN was never entered on the compromised terminal, they won't have it, and so can't use the clone to withdraw cash from an ATM.

At the bank. As of January, 95 percent of ATMs ran Windows XP, but banks are in the process of upgrading their cash machines. In the meantime, major banks such as Bank of America, Chase, and Wells Fargo have bought another year of extended support from Microsoft to keep their machines patched while they upgrade.

Microsoft says the "large majority" of ATMs that are still running Windows XP are without support. "However, ATMs are operated in more highly‐secured environments than most Windows XP computers, so security vulnerabilities are much harder to exploit," Pat Telford, a consultant at Microsoft, told Consumer Reports.

For these reasons, we believe you'll be safe using major-bank ATMs for the next year, especially since the banks, not you, are on the hook for fraud at their machines, meaning your liability is essentially zero.

At home. Your personal computer is at risk now, too, if its operating system is XP. The only way to ensure it keeps receiving security patches is to stop using XP today and upgrade to Windows 7 or 8.1. But because most older computers can't run 8.1, we recommend buying a new PC, which will come with the latest Windows or Apple operating system pre-installed. Use our Computer buying guide to find the best models for your needs and budget.

—Jeff Blyskal

Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.