Reserve Bank of India Issues ATM Edict: Upgrade, or Else
RBI Sets Strict Deadlines for ATMs to Incorporate Security Measures
In response to Indian banks' "slow progress" in addressing outdated ATMs, the Reserve Bank of India - the country's central bank - has ordered all banks in India to upgrade their ATMs by June 2019, if not before. (See: As ATM 'Jackpotting' Spreads, India Sizes Up Security)
Per a timeline issued by the central bank, Indian banks have to implement a host of security measures by this August and upgrade all ATMs to a supported operating system in phases over the next 12 months.
This isn't the first time that RBI has signaled to banks that it expects to see ATM security improvements. In an April notification to banks, RBI highlighted concerns about any ATMs still running Windows XP - for which Microsoft's extended support ended in April 2014 - and other unsupported operating systems.
RBI's latest notification, dated June 21, is addressed to banks from R. Ravikumar, chief general manager at RBI, who writes: "As you may appreciate, the vulnerability arising from the banks' ATMs operating on unsupported [versions] of operating [systems] and non-implementation of other security measures, could potentially affect the interests of the banks' customers adversely, apart from such occurrences, if any, impinging on the image of the bank."
He adds: "In order to address these issues in a time-bound manner, banks and white-label ATM operators are advised to initiate immediate action in this regard."
Despite RBI's April ATM security mandate, only a few banks appear to have responded. The delay is likely in part due to the sheer quantity of ATMs installed throughout the country. For instance, the State Bank of India, the country's largest bank, as of March 2017 reported having about 59,300 ATMs across India.
Nevertheless, many Indian banks' CISOs are welcoming RBI's new mandate, saying it gives them fuel for convincing their board of directors to invest in ATM upgrades. "I have been struggling with the board for the past two years with respect to ATM software upgrade," says a CISO of a bank headquartered in Tamil Nadu. "RBI's deadline will now make the matter easier for me to get board approval," he says.
Information security practitioners say that upgrading ATMs will also help blunt jackpotting or cash-out attacks, in which attackers infect machines with malware and instruct them to dispense all of their cash. Such attacks are much more difficult to block if machines are running outdated operating systems with well-known vulnerabilities.
RBI's Requirements for Banks
RBI says banks must implement the following security controls by these dates:
- August 2018: Implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other software, terminal security solution, time-based administrator access, and so on;
- March 2019: Implement anti-skimming and whitelisting solutions;
In addition, banks must upgrade all of their ATMs to use a supported version of an operating system. RBI says that a bank must upgrade all ATMs running on unsupported operating systems on the following timeline:
- September 2018: 25 percent of ATMs;
- December 2018: 50 percent of ATMs;
- March 2019: 75 percent of ATMs;
- June 2019: All ATMs must be upgraded.
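Several of the controls on RBI's August 2018 list (disabled USB ports, disabled auto-run, current patches, application whitelisting) and the supported-OS requirement can be verified from inside a Windows-based ATM host. The script below is an added example, written for this page and not taken from the RBI circular, the article or any bank; it audits those items and reports pass/fail per control. The supported-version floor (Windows 7, 6.1) and the 45-day patch-age threshold are assumptions chosen for illustration, and the BIOS password and physical anti-skimming hardware cannot be checked from the operating system at all, so those remain a field-visit item.

```powershell
# Added example: audit a Windows ATM host against several of the controls RBI lists.
# Not from the RBI circular or the article. Thresholds below are assumptions.

$MinSupportedVersion = [Version]'6.1'   # assumption: Windows 7 counted as supported in 2018
$MaxPatchAgeDays     = 45               # assumption: what "latest patches" means for this audit

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value reads as "not configured"
}

$findings = @()

# 1. Supported operating system (the phased upgrade that ends June 2019)
$os = [Environment]::OSVersion.Version
$findings += [pscustomobject]@{
    Control = 'Supported OS'
    Pass    = ($os -ge $MinSupportedVersion)
    Detail  = "Windows version $os"
}

# 2. USB mass storage driver disabled: USBSTOR service Start value 4 = disabled
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$findings += [pscustomobject]@{
    Control = 'USB storage disabled'
    Pass    = ($usbStart -eq 4)
    Detail  = "USBSTOR Start = $usbStart (4 = disabled)"
}

# 3. AutoRun disabled for every drive type: NoDriveTypeAutoRun = 0xFF (255)
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$findings += [pscustomobject]@{
    Control = 'AutoRun disabled'
    Pass    = ($autorun -eq 255)
    Detail  = "NoDriveTypeAutoRun = $autorun (255 = all drive types)"
}

# 4. Recent patching: newest hotfix with an install date must be within the threshold
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $ageDays     = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $patchPass   = ($ageDays -le $MaxPatchAgeDays)
    $patchDetail = "$($latest.HotFixID) installed $ageDays days ago"
} else {
    $patchPass   = $false
    $patchDetail = 'no hotfix install dates found'
}
$findings += [pscustomobject]@{ Control = 'Recent patching'; Pass = $patchPass; Detail = $patchDetail }

# 5. Application whitelisting: count rules in the effective AppLocker policy
$ruleCount = 0
try {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    foreach ($collection in $policy.RuleCollections) { $ruleCount += @($collection).Count }
} catch { $ruleCount = 0 }   # AppLocker module absent or no policy applied
$findings += [pscustomobject]@{
    Control = 'Application whitelisting'
    Pass    = ($ruleCount -gt 0)
    Detail  = "$ruleCount AppLocker rule(s) in effect"
}

# BIOS password and physical anti-skimming hardware: not visible from the OS,
# verify at the machine during the field visit.

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session on the ATM host; a non-zero exit code flags a machine that needs remediation, which makes the script usable as a pre-check before a field team is dispatched. Note that a passing AppLocker count only shows that rules exist, not that they are in enforce mode or that they actually restrict the cash-dispensing application's process space; that still needs a policy review.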
RBI to Banks: Show Us Your Plan
Banks are required to place a copy of RBI's circular before their boards of directors at the next board meeting, along with the proposed action plan for implementing these measures.
A copy of every board-approved compliance and action plan - outlining the bank's control measures - must also be returned to RBI by July 31, Ravikumar says.
"As the implementation of the foregoing control measures would also require field visits to the ATMs, banks should plan and implement these measures in an optimal manner," he says.
Any violation of RBI's timeline and mandated compliance will subject banks to supervisory enforcement action under applicable provisions of the Banking Regulation Act of 1949 or the Payment and Settlement Systems Act of 2007.
Cleaning Up the Sector
Many CISOs say that RBI's "get tough" strategy is precisely what's required to clean up the banking sector's ATMs. "Unless the ecosystem is clean the problems will keep surfacing," says Ratan Jyoti, CISO at Ujjivan Small Finance Bank. "For instance, despite putting in place the best security measures, if I have my customer use another bank's ATM, which isn't secured, my customer will lose money."
Security practitioners say such moves will also help to safeguard banks' reputations. "The challenge isn't just the financial loss such an attack can cause," Jyoti says. "It can also be a damage to the company's reputation when it becomes known that a breach has happened. The large network [of banks] and interdependence are other challenges. This move hopefully will erase such issues."
Significant Work Required
Many newer banks will face fewer challenges in meeting RBI's new requirements, because their ATMs are newer, run Windows 7 and already carry anti-malware tools. But banks running ATMs on outdated software face a huge upgrade challenge. "There is a vast network of ATMs running across the country. Those banks which until now haven't taken initiative in this direction will have a tough time," says one IT manager of a Mumbai-based bank, speaking on condition of anonymity because he wasn't authorized to discuss his bank's security controls.
Ujjivan Small Finance Bank's Jyoti says some of the controls being mandated by RBI - including setting BIOS passwords and disabling USB ports - are overdue. "The security measures announced are good. In India, various malware attacks were done using USB drive," he says.
In addition to redesigning ATM hardware to ensure that all input/output and external ports can only be accessed via a lock and key, other security measures will also be required. These include network segregation, strong security controls between networks, updated operating systems, regular patching and deep packet inspection of incoming and outgoing traffic.
Many banks will also need to invest in physical anti-skimming controls, which for the first time are being required by RBI, and which are designed to help prevent ATM card data from being stolen by attackers and turned into counterfeit cards. "This will be a little expensive for banks but there is little choice," Jyoti says. "In the long run the measures will benefit the ecosystem."
Skilled Staff Are the Other Constraint
Upgrading ATMs, however, isn't purely a technical or implementation challenge. Another issue will be how banks find enough security and field personnel to visit all of the ATMs in need of upgrading.
As Indian banks rush to address RBI's June 2019 deadline for ensuring all of their ATMs have mandated security controls and are running a supported operating system, experts say the lack of skilled resources at their disposal will no doubt continue to be a challenge.
"Usually it's a small team [that's] sanctioned for [the] information security function," says Dinesh Bareja, COO at Open Security Alliance. "This leaves the CISO without much quality time for risk management."