India’s central bank RBI has asked banks to upgrade their ATMs, and uninstall Microsoft Windows XP from all systems by June 2019. The RBI directive, comes four years after Microsoft announced in 2014 that all the versions of the Windows XP build are deemed discontinued. Notably, RBI had earlier highlighted concerns about ATMs running on Windows XP and other vulnerable operating systems in April-17. In a confidential circular to banks, the RBI had raised issues about the ATMs running on Windows XP and other unsupported operating systems.
“A reference is also invited to our confidential Advisory No. 3/2017 dated March 06, 2017 and No. 13/2017 dated November 1, 2017 wherein the banks were advised to put in place, with immediate effect, suitable controls enumerated in the illustrative list of controls,” RBI said in a circular. Notably, following the discontinuation, Microsoft has not come out with rollout of security patches and new features for Windows XP. Further, the company had been recommending the newer Windows 10 OS for organisations, highlighting its improved security measures.
The circular issued by the apex bank accentuates the vulnerability ‘arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures’. In addition to the mandate on OS upgrade, the RBI has also called out to banks to implement other security measures such as overhauling BIOS password for all the ATMs, disabling USB ports, and applying the ‘latest patches of operating system’ among others.
While September 2018 has been set as the deadline for at least 25% of ATMs to be upgraded, 50% of the systems must be upgraded by by December 2018. The entire line of ATMs operating in India must be updated to the newest version by June 2019.
The RBI also noted that there has been slow progress on the part of the banks in addressing these issues. “As you may appreciate, the vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank,” RBI noted.