RBI instructs banks to remove Windows XP OS from all ATMs

Banks are advised to immediately set up appropriate controls to check the vulnerabilities of all ATMs in the country. June 2019 is the deadline for all ATMs to be upgraded from the Windows XP OS.
To make transactions more secure by plugging the flaws of the Windows XP operating system, the Reserve Bank of India (RBI) has asked all banks in the country (excluding regional Grameen Banks) to update the OS on all ATMs by June 2019. The top bank has issued a circular to all commercial banks detailing the timeline for compliance with the orders.
The latest document mentions a ‘Confidential Circular’ dated April 17, 2017, which raised concerns about ATMs running on Windows XP and/or other unsupported operating systems. It also refers to an advisory dated November 1, 2017, in which banks were advised to immediately put in place the appropriate controls enumerated in the illustrative list of controls.
According to the latest circular, issued on June 21, the RBI has found slow progress on the part of banks in tackling security issues, and the top authorities are taking it seriously. “As you can imagine, vulnerabilities arising from bank ATMs operating in unsupported versions of the operating system and non-implementation of other security measures could potentially adversely affect the interests of the bank’s customers, in addition to such incidents, if any, affecting the bank’s image,” the RBI says, adding a deadline for taking action and a deadline for meeting targets.
The RBI says banks should implement security measures such as setting BIOS passwords, disabling USB ports, disabling auto-run features, applying the latest patches to operating systems and other software, deploying terminal security solutions, and enforcing time-based admin access by August 2018. Implementation of an anti-skimming and whitelisting solution must be completed by March 2019. The final step, upgrading all ATMs to a supported version of the operating system, must be completed by June 2019.
Further, the RBI advised banks to implement “periodic upgrades so that in case of existing ATMs running on unsupported version of operating system, (i) not less than 25 per cent of them will be upgraded by September 2018, (ii) not less than 50 per cent of them will be upgraded by December 2018, (iii) not less than 75 per cent by March 2019 and finally, (iv) all of them will be upgraded by June 2019”.
For those who don’t know, Microsoft ended support for Windows XP on April 8, 2014, which leaves systems running the OS exposed. Last year, WannaCrypt, one of the biggest malware attacks in recent years, hit several industries, including infrastructure services, banks, telecom companies, airports and hospitals, across 99 countries, affecting 200,000 computer systems worldwide. At least two new strains of malware that exploit vulnerabilities in older Windows software such as XP and Windows Server 2003 were found to be the cause of the attack.