In response to questions put to him by members of the parliament, Finance Minister Arun Jaitley has made a shocking revelation. According to the minister, as many as 70 percent of the total number of ATMs in the country are unsecure and prone to being hacked. The statement comes at a time when India finds itself facing a sharp rise in the number of cyber attacks and is extremely worrying.
The questions were tabled by Dr. Sunil Baliram Gaikwad and Shri Gajanan Kirtikar, M.P.s regarding “Secured ATMs”, on the 3rd of February. In their queries, the MPs asked whether the government was aware of the fact that over 70 per cent of Automated Teller Machines (ATMs) are not secured on account of lack of upgradation of ATM software. The MPs also asked whether the RBI has issued any directives to the government with regards to the upgradation of software of ATMs.
In response, Arun Jaitley said that the government was well aware o the situation and that steps were being taken to correct the issue. Citing the Reserve Bank of India (RBI), the FM said that banks have been apprised of the situation and have been taking steps to upgrade the software of their ATMs. The process is more complicated than it seems on the surface because of the fact that the upgradation process also involves the vendors who have sold the machines to the banks in the first place.
He also said that:
While the Windows XP Operating System (OS) is no longer supported by Microsoft, the vendors providing the ATM software that runs on the XP OS, are providing their solutions for managing overall vulnerability of ATMs.
Apparently, this is applicable to almost 70% of the ATMs. He also went on to say that considering that ATMs run on a closed user network, they are less vulnerable than they appear. He also said that directives had been issued to ensure that all banks and White Label ATM Operators start processing EMV Chip and PIN cards by September 30, 2017 for enhancing security of card transaction at ATMs.
On the topic of whether the RBI was doing anything to address what is possibly an untenable situation, the FM said:
RBI, as the authority to regulate and supervise the Payment Systems in the country, has advised all Scheduled Commercial Banks to implement appropriate systems and controls to secure the operating system of ATMs. RBI has issued Cyber Security Framework on 2nd June, 2016 covering best practices pertaining to various aspects for cyber security for IT infrastructure for banks.
The news comes at a worrying time. ATMs systems in Europe have been facing a similar malady wherein they were remotely attacked and forced to spew out cash. There have also been various incidences of banks being hacked remotely and money transferred to other accounts. With a surge of cyber attacks that have been affecting ATMs in Europe — which are decidedly safer than many of their Indian counterparts — the fact that Indian ATMs are still running outdated Windows XP systems that are no longer updated by Microsoft, is very worrying.