India needs a legal framework to direct banks to safeguard their infrastructure against cyber attacks, say experts, as a large number of the country’s 200,000-plus ATMs run on outdated Microsoft software.
Since April 2014, Microsoft has not offered support for machines running its Windows XP platform, leaving those devices vulnerable to cyber attacks by hackers. But banks continue to operate ATMs running the defunct software, putting at risk the banking ecosystem as well as the data and money of millions of customers.
“The absence of a cyber security framework for ATMs is like a dream come true for hackers. For banks, updating the software of ATMs and putting in place a cyber security framework should be a mandatory provision, not an optional exercise,” says Pavan Duggal, a cyber law expert.
“The country needs a cyber security law that defines the duties of the stakeholders, starting from the banker to users,” he added.
In the recent past, India’s banking system has seen its vulnerabilities exposed by cyber attackers, who earlier leaked some 3.2 million debit cards of customers across the country. The hackers inserted a trojan through a vulnerable ATM that compromised the data of customers.
The majority of the ATMs are managed by financial and technology services providers such as Financial Software and Systems (FSS) and FIS Global, not by the banks.
FSS and FIS Global purchase the ATM machines from companies such as NCR and Diebold. FSS manages 35,000 ATMs for 30 major banks. NCR is reportedly the biggest ATM machine provider in the country with a 47 per cent market share.
Some of the existing ATMs have been migrated from the old system to Windows 7 during the past couple of years. But the number is very small.
While most of these ATMs run on outdated systems, what worries experts is the absence of a cyber security framework to prevent any kind of crime.
“Modern-day ATMs have enhanced security features, such as encrypted hard drives that can prevent hackers from targeting these machines. However, for older ATMs that are still running on Windows XP, protecting against hackers is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has an upper hand,” says Atul Anchan, director — systems engineering (India) at Symantec.
During the past four weeks, cyber crimes related to financial institutions and banks have gone up sharply, says Duggal. “Unless there is a penal consequence, such incidents will keep happening.”