India tells its banks to get Windows XP off ATMs – in 2019!

And do some pretty basic security hygiene before then

The Reserve Bank of India has given that country's banking sector a hard deadline to get Windows XP out of its ATMs: June 2019.

That's more than five years beyond the May 2014 end of support for the OS.

In a notice to the nation's banks, issued last on June 21st, 2018, the Reserve Bank makes it clear that XP “and other unsupported operating systems” have been on its mind since at least April 2017, when it issued a circular outlining its concerns.

In spite of previous advisories instructing banks to put migration plans in place, things have not moved fast enough for the RBI.

“The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI,” the notice said, adding that "the vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely".

So banks and “white-label ATM operators” have been given the following timetable:

Security measure Deadline
Secure ATMs with BIOS passwords, disable USB and autorun, patch OS and software, secure terminal access, time-based administration access, other measures August 2018
Implement anti-skimming and application whitelisting March 2019
Windows XP deprecation June 2019

The timetable says banks must reach 25 per cent deprecation by September 2018; 50 per cent by December 2018; and 75 per cent by March 2019.

The timetable also requires banks to implement anti-skimming technology, and to use whitelisting on ATMs so only approved software can run on them.

Banks have been instructed to file their compliance plans by the end of July 2018.

Windows XP is finally DEAD, right? Er, not quite. Here's what to do if you're stuck with it

READ MORE

While it's news that ATMs operated by India's banks should be running a modern OS a year from now, the RBI's insistence on implementation of basic security controls is surely a clarion call to crooks seeking a soft target.

The RBI's actions are also something of a vote of no confidence in Microsoft's extended custom support for XP, although with India not known as a world capital of software licence compliance The Reg imagines Microsoft may not have sold many support packages in the nation. ®




Biting the hand that feeds IT © 1998–2018