RBI orders banks to remove Windows XP OS from all ATMs

Banks are advised to put in place, with immediate effect, suitable controls to check the vulnerability of all the ATMs in the country. June 2019 has been set as the deadline to upgrade the Windows XP OS on all ATMs.

The latest document mentions a ‘confidential circular’ dated April 17, 2017 that highlighted the concerns about the ATMs running on Windows XP and/or other unsupported operating systems. It also mentions an advisory dated November 1, 2017 wherein the banks were advised to put in place, with immediate effect, suitable controls enumerated in the illustrative list of controls.

According to the latest circular, issued on June 21, RBI has found slow progress on the part of the banks in addressing the security issues, and this has been viewed seriously by the apex authority. “As you may appreciate, the vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank,” the RBI said, adding the timeline for the actions to be taken and the latest date to accomplish the target.

The RBI said that banks should implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other software, terminal security solution, time-based admin access, etc. by August 2018. The implementation of an anti-skimming and whitelisting solution must be completed by March 2019. The final step of upgrading all the ATMs with supported versions of operating system must be carried out by June 2019 at the latest.

Further, RBI suggested that banks implement the upgrades “in a phased manner to ensure that in respect of the existing ATMs running on unsupported versions of operating system, (i) not less than 25 percent of them shall be upgraded by September 2018, (ii) not less than 50 percent of them shall be upgraded by December 2018, (iii) not less than 75 percent of them shall be upgraded by March 2019 and finally, (iv) all of them shall be upgraded by June 2019”.