India Tells Banks to Migrate ATMs From Windows XP.

The Reserve Bank of India (RBI) has notified all local financial institutions that they must replace the operating system on ATMs that still run Windows XP. Banks that do not meet the June 2019 deadline will be subject to regulatory sanctions. Bleeping Computer obtained a copy of the notification sent by the RBI. Banks will have to implement some security measures before replacing Windows XP with a newer system.

In the first phase, which lasts until August 2018, banks should set a BIOS password on ATMs, disable USB ports, apply the latest security patches, and limit the access time of administrators. In the second phase, which runs until March 2019, institutions will have to take steps to prevent card cloning and apply whitelisting so that critical access is granted only to certain users. Last year, 70% of ATMs in India were still running Windows XP. The RBI warned banks about the security risks as early as 2014, when the system lost support from the tech giant Microsoft.

“The slow progress on the part of the banks in dealing with these issues was seen seriously by the RBI,” the notice said. “The vulnerability of ATMs running an unsupported version of the operating system … can adversely affect the interests of customers.” This problem is not limited to India. According to a Trend Micro report, most ATMs in the world still run Windows XP or XP Embedded, whose extended support ended in 2016.

Banks are reluctant to upgrade because, to replace the operating system, they need to swap the entire computer behind the ATM – and that’s expensive. Also, old ATMs cannot be upgraded remotely. An IT employee needs to visit each of them to apply security updates manually, and their time is also expensive. This means that banks have no incentive to upgrade Windows XP, nor to stop using it – at least not on their own. That is why the RBI decided to set a timeline; other countries may need to do the same.

-Sunilkumar choudari