ATM

The Reserve Bank of India (RBI), the country's s central banking authority, told local banks to update all ATMs still running Windows XP to a newer operating system by June 2019, or face regulatory sanctions.

This order is part of a notification RBI officials sent to Indian banks on Thursday, June 21. The notification provides a detailed timeline and deadlines for upgrading the country's ATM network.

RBI forces banks to disable ATM USB ports, set up BIOS password

Banks have two months at their disposal, until August 2018, to implement basic security features for ATMs, such as setting a BIOS password, disabling USB ports, disabling the OS auto-run facility, applying the latest OS security patches, setting up a time-based admin access calendar, and more.

Anti-skimming measures are to be implemented by March 2019, according to a copy of the notification obtained by Bleeping Computer.

Of all the proposed security measures, the one that's going to cause the biggest headaches is the one that mandates that all banks use a supported OS for their ATMs.

Currently, most ATMs across India (and all over the world) run Windows XP, an operating system that Microsoft retired in 2014. RBI wants banks to move to a newer, "supported OS" by June 2019.

Indian banks have a year to update all ATM OSes

Indian banks must have a quarter of their ATMs running a modern OS by September this year, a half by December, three-quarters by March next year, and all ATMs by June 2019.

"The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI," RBI wrote in its notification.

"In order to address these issues in a time-bound manner, banks and White-Label ATM Operators are advised to initiate immediate action in this regard and implement the following control measures as per the prescribed timelines:"

Sr. No. Control Measures for the ATMs To be completed by
a. Implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other softwares, terminal security solution, time-based admin access, etc. August 2018
b. Implement anti-skimming and whitelisting solution. March 2019
c. Upgrade all the ATMs with supported versions of operating system. Such upgrades shall be carried out in a phased manner to ensure that in respect of the existing ATMs running on unsupported versions of operating system,  
i. Not less than 25% of them shall be upgraded by September 2018
ii. Not less than 50% of them shall be upgraded by December 2018
iii. Not less than 75% of them shall be upgraded by March 2019
iv. All of them shall be upgraded by June 2019

An RBI spokesperson declined to comment for this story, deferring to the notification.

The move is an important one. Banks will have to invest serious funds in updating their ATM networks in the coming months.

The RBI's decision didn't come out of the blue either. Officials first warned Indian banks to move away from XP, back in 2014, three weeks before the Windows XP OS was supposed to go end-of-life.

New warnings were sent out in March and September 2017 after several Indian banks suffered from ATM-related security incidents in 2016.

Related Articles:

Hackers Steal $13.5 Million Across Three Days From Indian Bank

Honda India Left Details of 50,000 Customers Exposed on an AWS S3 Server