Your bank’s ATM is running on hugely outdated software, making it vulnerable to attacks by hackers that could lead to theft. And despite having been warned about this for five years now, Indian banks haven’t done anything about this problem. A circular from the RBI issued last week has finally set a time-bound plan wherein banks have to upgrade the software on their ATMs within a year, or face action from the RBI.
How risky is it for an ATM to be running Windows XP? Very, it turns out. As this article in ZDNet points out, unpatched systems are at risk of cyberattacks. One attack, called ATMitch — used to infect banks in Russia with malware — gave hackers access to the bank, allowing them to dispense money belonging to customers. Hackers in Taiwan were able to access 41 ATMs and steal $2.5 million. It turns out that these attacks specifically target Windows XP and could be thwarted with a simple software upgrade.
Microsoft first released Windows XP in 2001, seventeen years ago, and stopped supporting the operating system in 2014. This meant that it stopped developing new security patches for Windows XP, the patches that would protect it from software exploits developed by hackers. Despite this, Indian banks continue to run their ATM software on Windows XP, which is an obvious and glaring security risk.
By July 2013, people were advised to upgrade from Windows XP “immediately” due to security issues.
“The end of support of Windows XP Operating System means that Microsoft will not provide security updates, non-security hotfixes, free or paid assisted support and any online technical support for the Windows XP,” the Computer Emergency Response Team-India (CERT-In) said in an advisory. “In the absence of patches and security updates for the Windows XP OS, the computer systems would be at greater risks and could be easily compromised by the hackers.”
After that, another warning was also issued specifically to banks in November 2013, when a study by Ascentius Consulting on behalf of Microsoft found that 70 percent of banks were using Windows XP. “Some 34,115 Indian PSU bank branches are at risk, thanks to their reliance on Windows XP. Windows XP will no longer be supported by Microsoft, beginning April 8, 2014, but the study shows that the penetration of Windows XP in the banking sector is still high at 40-70 percent,” Microsoft said at the time.
In response, the next year the Indian Banks Association stated that it had taken steps to address the issue and that banks were prepared for the Windows XP discontinuation – with the IBA spokesperson at the time saying “banks are definitely well-prepared and the industry is seized of the matter”. However, despite this, the IBA was not able to clarify how many ATMs were running on Windows XP, and as it turns out, even though it’s been four years since then, the issue remains a concern.
The circular – first reported by Medianama – also clearly mentions that the banks were first issued a confidential circular in April 2017, and two confidential advisories in March and November 2017, expressing concerns about the use of Windows XP, yet no action was taken.
“The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI,” wrote R. Ravikumar, Chief General Manager, RBI. “The vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely.”
The banks now have until the end of July to send an action plan to the RBI, which requires basic security measures by August this year, followed by upgrades to ATM security starting from September this year, to be completed by June 2019.