- 70% of India’s ATMs still run on Windows XP and haven't received any security updates from Microsoft in the last three years
- Users need to ask some hard questions to banks. What operating system will they upgrade to? Is there a timeline for these upgrades?
- We could ask these cybersecurity questions to the RBI or one of the many relevant government institutions, including CERT-in
In April 2014, when Microsoft decided to stop support for the widely used Windows XP operating system, banks freaked out. Reason: 95% of the world’s ATMs used Windows XP. Although the banks had some advance notice, the decision created mayhem in the industry and comparisons were drawn to the Y2K scare.
Global banks (such as JP Morgan Chase) came up with a strategy to fix it. They put together a plan to upgrade to Windows 7 over a period of time and, in the meantime, paid Microsoft a lot of money to provide extended support.
When Indian banks were asked about their plans, the Indian Banking Association (IBA) said they were well prepared to handle the situation. They also said they had plans to upgrade to a newer operating system soon. Ideas of moving to an “indigenous” operating system based on Linux (such as Bharat Open Operating System or BOSS) were also floated.
Fast forward to 2017, and 70% of India’s ATMs still run on Windows XP. This means, over the past three years, most of our ATMs have not received any security updates from Microsoft
Fast forward to 2017, and 70% of India’s ATMs still run on Windows XP. This means, over the past three years, most of our ATMs have not received any security updates from Microsoft. That our ATMs are not secure came to the fore when 3.2 million debit cards were hacked last year.
When Microsoft decided to stop support for the widely used Windows XP operating system, they had two new operating systems (Windows 7 and Windows 8) and expected all users to upgrade. This meant no new features would be developed for the system and, more importantly, no bugs would be fixed. This included bugs that leave the operating system (and hence the user) vulnerable.
For all operating systems Microsoft supports, they release updates or “patches” at least once a month. “Patch Tuesdays”, as they are often referred to, are busy days for IT teams all over the world. These teams need to decide which of these updates are suitable for their environment and apply them. Very often, these updates include fixes to serious security issues. This article talks about all the security fixes applied in January 2017 alone.
Who will answer the cybersecurity question?
It is high time we demand answers from banks and other concerned parties to understand how they are dealing with the imminent security threat arising from this issue.
As users, there are some hard questions we need to ask. What operating system will the banks upgrade to? Is there a timeline for these upgrades? What happens if these timelines are not adhered to? And so on.
As users, there are some hard questions we need to ask. What operating system will the banks upgrade to? Is there a timeline for these upgrades? What happens if these timelines are not adhered to? And so on
There is one problem though, it is not entirely clear who can provide the answers. Who really is accountable for this mess?
The logical place would be to start with the banks. While they would certainly want to fix these issues, installation and maintenance of software is outsourced to vendors such as Diebold, NCR etc who make ATM software. Interestingly, Diebold, which has supplied its ATMs to multiple banks including SBI and HDFC, even designed an India-specific machine called the Diebold 450.
It is unclear if contracts with such vendors include operating systems upgradation. Even if they do, it would be a real challenge to upgrade these systems quickly. For instance, a quick look at the specifications of Diebold India’s leading ATM machine tells you that even their current version runs Windows XP.
Since multiple banks and vendors are at play here, maybe we should ask the RBI, which regulates banks in India, these questions. While the RBI has played a key role in mandating security features such as two-factor authentication, the only step it has taken so far is to issue a circular that advises banks to “take immediate steps to implement appropriate systems and controls”. This statement was made in 2014 and there haven’t been any public followups since. It is clear that the RBI looks at this as banks’ responsibility.
Since multiple banks and vendors are at play here, maybe we should ask the RBI, which regulates banks in India, these questions. But given this is clearly a cybersecurity issue, we would do well to approach one of the many relevant government institutions
But given this is clearly a cybersecurity issue, we would do well to approach one of the many relevant government institutions. At the top of the list are the Computer Emergency Response Team (CERT-in) and National Critical Information Infrastructure Protection Centre (NCIIPC). While the former is mandated to respond to cyber incidents, the latter is said to be the nodal agency (as described in the IT Act) for protection of all critical information infrastructure (which includes banking). While it well known within the industry that both agencies assist with responding to cyber incidents, it is unclear what their role is with respect to building secure systems in the first place.
There is an urgent need to fix accountability for handling industry-wide security issues. While the NCIIPC and industry-specific CERTs offer some hope, it will take a while before they are effective. Until then, for a country that performs 88% of its debit card transactions through ATMs, be prepared to continue risking your security on a vulnerable operating system.