The fraud of over Rs 94 crore at Pune-based Cosmos Co-operative Bank, involving the breach of the firewall in servers that authorise ATM transactions, has brought the focus back on the banks’ tardiness in bolstering control measures at ATMs. Despite the RBI’s constant prodding on upgrading ATMs and strengthening security measures, about 30 per cent of the 2 lakh-odd ATMs in the country still operate on Windows XP and other unsupported operating systems.

In its June 2018 circular, the RBI had highlighted the vulnerability arising from bank ATMs operating on unsupported versions of operating systems and the non-implementation of other security measures. It had also set specific timelines for tightening the control measures, failing which banks would face stringent supervisory action.

Modus operandi

According to various reports and industry experts, the fraud at Cosmos Bank was part of a highly orchestrated global fraud by cyber criminals, which the FBI had warned about. From what is known, at the heart of the fraud was the setting up of a proxy Switch to approve fake transactions.

Normally, once the card is fed into the ATM, the card data hits the Switch, which then issues a prompt for your PIN information. Once this is entered, it again goes to the Switch for authentication of this data. The Switch also connects to the bank’s Core Banking Solution (CBS) to check whether there is sufficient balance in the bank account, among other things. Once this is done, the ATM dispenses cash to you.

In the case of the fraud at Cosmos, the fraudsters had developed a proxy Switch that bypassed all these checks and authorised fraudulent transactions.
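The flow described above implies a reconciliation control: every cash approval should be backed by a debit that the CBS posted after its balance check. The following Python sketch is an added example, not part of the original article or any bank's code; the record layout, the field names (rrn, card, amount) and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; field names (rrn, card, amount) are hypothetical.
# Approvals as recorded outside the Switch, e.g. ATM journals or settlement files.
APPROVALS = [
    {"rrn": "000000000001", "card": "CARD-A", "amount": 5000},
    {"rrn": "000000000002", "card": "CARD-B", "amount": 10000},
    {"rrn": "000000000003", "card": "CARD-B", "amount": 10000},
    {"rrn": "000000000004", "card": "CARD-C", "amount": 2000},
]
# Debits the Core Banking Solution actually posted after its balance check.
CBS_DEBITS = [
    {"rrn": "000000000001", "card": "CARD-A", "amount": 5000},
    {"rrn": "000000000004", "card": "CARD-C", "amount": 1500},
]

def reconcile(approvals, cbs_debits):
    """Return (findings, unbacked exposure per card)."""
    posted = {d["rrn"]: d for d in cbs_debits}
    findings, exposure = [], defaultdict(int)
    for a in approvals:
        debit = posted.get(a["rrn"])
        if debit is None:
            # Cash was approved but the CBS never saw the request.
            findings.append((a["rrn"], "NO_CBS_RECORD"))
            exposure[a["card"]] += a["amount"]
        elif debit["card"] != a["card"] or debit["amount"] != a["amount"]:
            # The CBS posted something, but not what was approved.
            findings.append((a["rrn"], "MISMATCH"))
            exposure[a["card"]] += abs(a["amount"] - debit["amount"])
    return findings, dict(exposure)

if __name__ == "__main__":
    findings, exposure = reconcile(APPROVALS, CBS_DEBITS)
    for rrn, reason in findings:
        print(rrn, reason)
    print(exposure)
```

The approval records must come from a source independent of the Switch itself, since a substituted Switch would also control its own logs.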

It was in November 2015 that Cosmos Bank decided to replace its existing Electra-based legacy payments solutions with those of BPC Banking Technologies. According to a press release on the BPC website, BPC was to manage the turnkey project with deployment of SmartSwitch, SmartATM, SmartIssuer, SmartGuard, SmartMerchant, Biometric as well as e-commerce solutions covering online transactions. Established in 1995 and based in Russia, BPC completed implementation of the new payment platform at Cosmos about 5-6 months ago, according to industry sources.

Lax control measures

While the sophistication with which the fraud was committed at Cosmos indicates that it was pulled off by professional and ingenious hackers, it nonetheless brings the attention back to the existing gaps in the security measures at existing ATMs.

Navroze Dastur, MD, NCR Corporation, a leading ATM manufacturer in the country, says, “All ATMs will need to be updated to Windows 10. However, upgrading the existing Windows XP units, which are about 30 per cent of the existing ATM fleet in the country (or 40,000 units), is top priority.”

Banks also need to implement anti-skimming solutions at ATMs to reduce fraudulent transactions.

Skimming is a technique used by criminals to copy personal data from the magnetic strip on an ATM card. Essentially, the card details are captured at the ATM and used to produce counterfeit cards for fraudulent cash withdrawals.

RBI’s mandate

Taking note of the lacunae in the control measures at ATMs, RBI’s June notification had set specific timelines for upgrading operating systems of ATMs and implementing various security measures. It had stated that despite its confidential circular to banks in April 2017, there had been slow progress on tightening control measures at ATMs.

Security measures such as BIOS passwords, disabling USB ports, disabling the auto-run facility and applying the latest patches of the operating system and other software were to be implemented by August 2018. Banks had to put in place anti-skimming solutions by March 2019 in all ATMs.

Banks have to upgrade all their ATMs with supported versions of operating system in a phased manner — 25 per cent upgraded by September 2018, 50 per cent by December 2018, 75 per cent by March 2019 and all ATMs by June 2019.

The high cost of upgrading and replacing old ATMs may be one of the reasons for banks’ tardiness in this respect. According to market players, while upgrading an ATM may cost anywhere between Rs 60,000 and Rs 1 lakh, replacing an old ATM would cost Rs 3 lakh. The average life of an ATM is about 5-7 years, and ATMs, including those operating on Windows XP and more than 7 years old, would be around 60,000 currently, according to market players.
