The Bleeping Computer obtained a copy of the notification sent by the RBI. Banks will have to implement some security measures before replacing Windows XP with another newer system. In the first phase, which lasts until August 2019, banks should implement password in the BIOS of ATMs; disable USB ports; apply the latest security patches, and limit the access time of administrators. In the second phase, which runs until March 2019, institutions will have to take steps to prevent card cloning and will apply whitelisting to release critical access only to certain users.
Meanwhile, the third phase is the migration of Windows XP to more modern operating systems. There are four steps:-
At least 25% of ATMs must be up to date by September 2019; At least 50% of ATMs must be up to date by December 2019; At least 75% of the ATMs must be up to date by March 2019; 100% of ATMs should be up to date by June 2019.
Last year, 70% of ATMs in India were still running Windows XP. The RBI warned banks about security risks as early as 2014 when the system lost support from the tech giant Microsoft. “The slow progress on the part of the banks in dealing with these issues was seen seriously by the RBI,” the notice said. “The vulnerability of ATMs running an unsupported version of the operating system … can adversely affect the interests of customers.” This problem is not limited to India. According to a Trend Micro report, most ATMs in the world still run Windows XP or XP Embedded, whose extended support version ended in 2016. Banks are reluctant to upgrade because, to replace the operating system, they need to swap the entire computer behind the ATM – and that’s expensive. Also, old ATMs cannot be upgraded remotely. An IT employee needs to visit each of them to apply security updates manually, and their time is also expensive. This means that banks have no incentive to upgrade Windows XP, nor to stop using it – at least not on their own. That is why the RBI decided to set a timeline; other countries may need to do the same. So, what do you think about this? Simply share all your views and thoughts in the comment section below.