Govt admits 70% ATMs are not secure, but there's hardly anything it can do about it
The government has admitted that nearly 70% of ATMs in the country are not safe and are vulnerable to various kinds of cyber-fraud.
In a written reply to a question asked in the Lok Sabha on 3 February, Finance Minister Arun Jaitley accepted that these ATMs continue to run on the Windows XP operating system, which is no longer supported by Microsoft. Microsoft support for Windows XP, in fact, ended in 2014.
Concerns were regularly expressed regarding the security of ATMs running on unsupported operating systems and this is possibly the first time that the government has formally admitted the threat. However, in a bid to prevent panic, the government's statement has tried to dilute the concerns.
Jaitley told the Lok Sabha that according to the Reserve Bank of India (RBI), banks are taking steps to "upgrade the software based on the agreements/contracts with their vendors".
Third-party vendors who provide ATM software are providing solutions for managing the "vulnerability of ATMs", Jaitley said.
The finance minister also added that ATMs are inherently less vulnerable because they run on a closed user network.
However, following the data breach that affected over 32 lakh debit cards in the country last year, cyber security firm Kaspersky had said that banks in India have a very cavalier approach to cyber-security. The delay in upgrading ATM software also appears to be a manifestation of the same attitude.
According to research by Kaspersky Lab, ATMs with outdated software "can be easily hacked, malware can be installed & funds can be stolen".
Although the RBI is the regulator of the banking system in the country, it has little say in this matter. All that it has been able to do so far is to advise banks that they should implement "appropriate systems and controls to secure the operating system of ATMs".
It had also come out with a Cyber Security Framework in June 2016, which specifically asks banks to monitor operating systems. However, the banks are yet to follow through.
There are a little over two lakh ATMs in India, and a three-layer mechanism is behind their installation and maintenance. While customers identify ATMs with specific banks, payment technology companies like Financial Software and Systems install and maintain them on behalf of the banks.
They, in turn, buy ATMs from global provider firms like NCR and Diebold. NCR says that the onus of upgrading from Windows XP to Windows 7 lies with the banks.
Matter of time, a lot of time
Migration to new software is said to be a humongous process that also involves heavy expenditure. It is not clear how soon banks and ATM operator companies will be ready for that kind of investment, especially after demonetisation.
ATM companies have approached the RBI seeking compensation from banks for losses incurred during the recent recalibration of ATMs. They have also sought compensation from banks for revenue loss due to lower ATM transactions.
Edited by Jhinuk Sen