Lack of strong laws makes ATMs vulnerable to cyber attacks

The country needs a dedicated digital payment law and a cybersecurity framework

Ayan Pramanik, Shivani Shinde Nadhe | Bengaluru | Pune
Last Updated : Dec 13 2016 | 2:59 AM IST
India needs a legal framework to direct banks to safeguard their infrastructure against cyber attacks, say experts, as a large number of the country’s 200,000-plus ATMs run on outdated Microsoft software.

Since April 2014, Microsoft has not been offering support for machines running on its Windows XP platform, making devices vulnerable to cyber attacks by hackers. But banks continue to operate ATMs running on the defunct software, putting at risk the banking ecosystem as well as the data and money of millions of customers.

“The absence of a cyber security framework for ATMs is like a dream come true for hackers. For banks, updating the software of ATMs and putting in place a cyber security framework should be a mandatory provision, not an optional exercise,” says Pavan Duggal, a cyber law expert.

“The country needs a cyber security law that defines the duties of the stakeholders, starting from the banker to users,” he added.

In the recent past, India’s banking system has seen vulnerabilities exposed by cyber attackers, who earlier leaked some 3.2 million debit cards of customers across the country. The hackers inserted a trojan through a vulnerable ATM that compromised the data of customers.

The majority of the ATMs are managed not by the banks but by financial and technology services providers such as Financial Software and Systems (FSS) and FIS Global. FSS and FIS Global purchase the ATM machines from companies such as NCR and Diebold. FSS manages 35,000 ATMs for 30 major banks in India.
 
NCR is reportedly the biggest ATM machine provider in the country with a 47 per cent market share. 

Some of the existing ATMs have been migrated from the old system to Windows 7 during the past couple of years, but the number is very small.

While most of these ATMs run on outdated systems, what worries experts is the absence of a cyber security framework to prevent any kind of crime.

“Modern day ATMs have enhanced security features, such as encrypted hard-drives that can prevent hackers from targeting these machines. However, for older ATMs that are still running on Windows XP, protecting against hackers is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has an upper hand,” says Atul Anchan, director — systems engineering (India) at Symantec.

During the past four weeks, cyber crimes related to financial institutions and banks have gone up sharply, says Duggal. “Unless there is a penal consequence, such incidents will keep happening.” 

Duggal adds that the country needs a dedicated digital payment law as well as a cyber security framework to prevent such crimes, since the Information Technology Act, 2000 is silent on cyber security. 


First Published: Dec 13 2016 | 2:30 AM IST
