In a bid to make transactions more secure by plugging the loopholes of the Windows XP operating system, the Reserve Bank of India (RBI) has asked all the banks (except the Regional Rural Banks) in the country to update the OS on all ATM machines by June 2019. The apex bank issued a circular to all the commercial banks detailing the timeline for compliance with the orders.
The latest document mentions a ‘confidential circular’ dated April 17, 2017 that highlighted the concerns about the ATMs running on Windows XP and/or other unsupported operating systems. It also mentions an advisory dated November 1, 2017 wherein the banks were advised to put in place, with immediate effect, suitable controls enumerated in the illustrative list of controls.
According to the latest circular, issued on June 21, the RBI has found slow progress on the part of the banks in addressing the security issues, and the apex authority has viewed this seriously. “As you may appreciate, the vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank,” the RBI said, adding the timeline for action to be taken and the latest date to accomplish the target.
The RBI said that banks should implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other software, terminal security solution, time-based admin access, etc. by August 2018. The implementation of an anti-skimming and whitelisting solution must be completed by March 2019. The final step of upgrading all the ATMs with supported versions of operating system must be carried out by June 2019 at the latest.
Further, the RBI suggested that banks implement the upgrades “in a phased manner to ensure that in respect of the existing ATMs running on unsupported versions of operating system, (i.) not less than 25 percent of them shall be upgraded by September 2018, (ii) not less than 50 percent of them shall be upgraded by December 2018, (iii) not less than 75 percent of them shall be upgraded by March 2019 and finally, (iv) all of them shall be upgraded by June 2019”.
For those who don’t know, Microsoft pulled the plug on support for Windows XP on April 8, 2014, making the systems running on the OS vulnerable. Last year, WannaCrypt, one of the biggest malware attacks in recent times, hit several industries, including infrastructure services, banks, telecom companies, airports and hospitals across 99 countries and 200,000 computer systems around the globe. At least two new strains of the malware infection that exploited vulnerabilities in older Windows software such as XP and Windows Server 2003 were found to be the reason for the attack.