The next time you queue up at the ATM for cash—an experience that has become increasingly onerous since demonetisation—it’s not just the long wait that should worry you. There’s a high probability the cash dispenser runs on software Microsoft stopped supporting more than two years back, thus making it vulnerable to hackers. Card details could be stolen—as they indeed were earlier this year—even as you fret about what to do with the solitary Rs 2,000 note the machine dispenses, if you’re lucky.
About 70% of the 202,000 ATM machines in India run on Windows XP, for which Microsoft stopped offering security updates, patches and technical support in April 2014.
“Resilience of the ATMs is low as Windows XP is no longer supported by Microsoft. That means there are no bug fixes, no patches and ATMs are not upgraded to cope with vulnerabilities,” said Vivek Belgavi, partner and leader, fintech, PricewaterhouseCoopers (PwC).
ATM provider NCR said it’s up to the banks to upgrade the software. “Responsibility lies with the banks to upgrade from Windows XP to Windows 7, as has been done globally,” said Navroze Dastur, managing director, NCR India. There’s cause for worry, said Altaf Halde, managing director of cybersecurity company Kaspersky Lab. “We have come across malware in unsupported Windows XP systems,” he said. “Almost 75% of ATMs in India use unsupported Windows XP.”
It was revealed in October that 3.2 million Indian debit cards were compromised in one of the largest breaches of financial data in the country. An investigation into the matter is ongoing but the leak may have originated in the use of the cards at the ATMs of a particular bank that had its backend system hacked, according to reports.
Most ATMs in India are not owned by banks but by payment technology and service providers like Financial Software and Systems (FSS) and FIS Global.
These companies in turn buy the machines from global giants NCR and Diebold. Chennai-based FSS manages 40,000 ATMs on behalf of 34 banks, including ICICI Bank, HDFC Bank and State Bank of India. NCR is the largest provider of ATMs in the country with a 47% market share.
“Majority of the ATM deployments in India happened in the last four years while the ATM refresh cycle is seven to 10 years,” said V Balasubramanian, president, transaction processing and ATM Services, FSS. “The ATM providers (like NCR and Diebold) guarantee the hardware and software, but an upgrade has to be done.”
The newer ATMs run on Windows 7, which is on extended support by Microsoft till January 2020, although mainstream support for Windows 7 (Service Pack 1) ended in January 2015.
“All new deployments since the last couple of years have been with the latest Windows 7, which is the most preferred operating system of the corporate world,” said NCR’s Dastur. “Banks are deploying compensating control so that the vulnerability, if any, can be contained and ATMs are secured from potential compromise.” Microsoft’s latest operating system is Windows 10.
Globally, ATMs are replaced every five years and automatically switched to new software. But in India, replacement can stretch to 10 years with older, decrepit machines often relocated and not scrapped.
“Software and hardware refresh cycles need to shrink if India aims to be a digital transactions economy,” said Praveen Bhadada, partner and head of digital transformation at consultancy Zinnov.
Microsoft declined to comment. The banking vertical head at a software vendor said, “There’s lethargy in the system that prevents timely upgrades. Using unsupported software makes ATMs vulnerable to attacks.”