Vulnerable Windows XP machines have made tremendous attack vectors for bad actors in the past decade, yet some organizations are still relying on the age-old OS that Microsoft no longer supports with security updates.
Banks in India are just some of the organizations making up that list, and while everyone will eventually have to ditch XP in favor of a more up-to-date OS, India wants it out of its ATMs by the end of next year.
A notice signed “the Reserve Bank of India” was sent to various banks across the country last week, informing everyone on the receiving end that new security measures must be implemented. If found noncompliant, banks are told they will feel the long arm of the law on their shoulder.
“The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI,” reads the notice. “As you may appreciate, the vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank.”
As such, the RBI finds it necessary that banks and White-Label ATM Operators “initiate immediate action in this regard.” Recipients are told to implement the following control measures (emphasis ours):
- By August 2018, the targeted banks must implement security measures such as setting a BIOS password, disabling USB ports and the auto-run feature, and applying the latest patches
- By March 2019, implement anti-skimming and whitelisting solutions and upgrade all ATMs to supported versions of the operating system
By September 2018, targeted entities must show proof of 25% progress on the road to compliance, then 50% by December 2018, then 75% by March 2019. By June next year, no excuses will be tolerated for not having these security measures in place, according to the document.
“Any deficiency in timely and effective compliance with the instructions contained in this Circular may invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007,” the RBI warns.