News Analysis

Nearly a third of ATMs in the country run on old operating systems

Radhika Merwin | Updated on August 16, 2018 Published on August 16, 2018

Despite constant nudging by the RBI, banks have been tardy in implementing appropriate control measures

The fraud of over Rs 94 crore at Pune-based Cosmos Co-operative Bank, involving the breach of the firewall in servers that authorise ATM transactions, has brought the focus back on the banks’ tardiness in bolstering control measures at ATMs. Despite the RBI’s constant prodding on upgrading ATMs and strengthening security measures, about 30 per cent of the 2 lakh-odd ATMs in the country still operate on Windows XP and other unsupported operating systems.

In its June 2018 circular, the RBI had highlighted the vulnerability arising from bank ATMs operating on unsupported versions of operating systems and the non-implementation of other security measures. It had also set specific timelines for tightening the control measures, failing which banks would face stringent supervisory action.

Modus operandi

According to various reports and industry experts, the fraud at Cosmos Bank was part of a highly orchestrated global fraud by cyber criminals, of which the FBI had warned. From what is known, at the heart of the fraud was the setting up of a proxy Switch to approve fake transactions.

Normally, once the card is fed into the ATM, the card data hits the Switch, which then issues a prompt for your PIN information. Once this is entered, it again goes to the Switch for authentication of this data. The Switch also connects to the bank’s Core Banking Solution (CBS) to check whether there is sufficient balance in the bank account, among other things. Once this is done, the ATM dispenses cash to you.

In the case of the fraud at Cosmos, the fraudsters had developed a proxy Switch that bypassed all these checks and authorised fraudulent transactions.

In November 2015, Cosmos Bank decided to replace its existing Electra-based legacy payments solutions with those of BPC Banking Technologies. According to a press release on the BPC website, BPC was to manage the turnkey project with deployment of SmartSwitch, SmartATM, SmartIssuer, SmartGuard, SmartMerchant, Biometric as well as e-commerce solutions covering online transactions. Established in 1995 and based in Russia, BPC completed implementation of the new payment platform at Cosmos about 5-6 months back, according to industry sources.

Lax control measures

While the sophistication with which the fraud was committed at Cosmos indicates that it was pulled off by professional and ingenious hackers, it nonetheless brings the attention back to the existing gaps in the security measures at existing ATMs.

Navroze Dastur, MD, NCR Corporation, a leading ATM manufacturer in the country, says, “All ATMs will need to be updated to Windows 10. However, upgrading the existing Windows XP units, which are about 30 per cent of the existing ATM fleet in the country (or 40,000 units), is top priority.”

Banks also need to implement anti-skimming solutions at ATMs to reduce fraudulent transactions.

Skimming is a technique used by criminals to copy personal data from the magnetic strip on an ATM card. Essentially, the card details are captured at the ATM and used to produce counterfeit cards for fraudulent cash withdrawals.

RBI’s mandate

Taking note of the lacunae in the control measures at ATMs, RBI’s June notification had set specific timelines for upgrading operating systems of ATMs and implementing various security measures. It had stated that despite its confidential circular to banks in April 2017, there had been slow progress on tightening control measures at ATMs.

Security measures such as a BIOS password, disabling USB ports, disabling the auto-run facility and applying the latest patches of the operating system and other software were to be implemented by August 2018. Banks had to put in place anti-skimming solutions by March 2019 in all ATMs.

Banks have to upgrade all their ATMs with supported versions of operating system in a phased manner — 25 per cent upgraded by September 2018, 50 per cent by December 2018, 75 per cent by March 2019 and all ATMs by June 2019.

The high cost of upgrading and replacing old ATMs may be one of the reasons for banks’ tardiness in this respect. According to market players, while upgrading an ATM may cost anywhere between Rs 60,000 and Rs 1 lakh, replacing an old ATM would cost Rs 3 lakh. The average life of an ATM is about 5-7 years, and ATMs, including those operating on Windows XP and more than 7 years old, would be around 60,000 currently, according to market players.
