RBI alarmed by ATM frauds; asks banks to implement strict security measures

In the wake of rising number of ATM frauds, the Reserve Bank of India yesterday asked banks to upgrade their ATMs or else face action.

All banks are asked to implement a host of security measures by August and upgrade all ATMs with supported version of operating system in a phased manner by June next year.

RBI has directed banks to implement anti-skimming and whitelisting solutions by March 2019.

Skimmers are devices that can be attached over an ATM machine’s card slot to read information from the card. The information collected by such devices is then used for cloning.

Anti-skimming devices prevent the skimmer from functioning. Similarly, whitelisting solutions allow only trusted applications to work on the ATM and block any other application.

In April 2017, the RBI through a "confidential circular" to banks had highlighted concerns about the ATMs running on Windows XP and/or other unsupported operating systems.

"The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI," the central bank said in a circular to heads of banks and white label ATM operators, news agency PTI quoted the RBI circular.

The RBI said that the vulnerability arising from the ATMs operating on unsupported version of operating system and delay in implementing other security measures could hurt customers adversely and damage bank's image.

"It may be noted that any deficiency in timely and effective compliance with the instructions contained in this circular may invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007," the circular said.

Banks and white label ATM operators (Non-bank entities that intend setting up, owning and operating) have been asked to implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other softwares, terminal security solution, time-based admin access by August.

The RBI has also raised red flags over the progress made by banks in upgrading machines from the unsupported Windows XP operating system. “The slow progress on the part of banks in addressing these issues has been viewed seriously by the RBI,” the central bank circular said.

In terms of the timelines provided by the RBI, banks have to upgrade 25% of all Windows XP-based ATMs by September 2018 and 50% by December 2018. By June 2019, it has asked the banks to upgrade all ATMs with supporting version of operating system.

There were over 2.06 lakh ATMs across the country till February-end.

According to a report in The Times of India, the cloned cards are being used abroad so that fraudsters can avoid detection.

In a recent case, a home ministry official approached the Delhi Police with a complaint in which her card was found to be cloned and used at an apparel store in the US, the report said.

The complainant alleged that she got to know about the incident when she found several messages of transactions at different US-based stores between 1.35am and 2.09am.

Police suspect that the fraudsters might be using a malware to gather card details that were then used to create a virtual card for online transactions.

Usually, crooks use skimmer on card swiping machine which copies and stores card details. The details can be used for online transactions.