Mumbai: The Reserve Bank of India (RBI) has asked banks to update software systems at their ATMs with a security patch released by Microsoft Corp. as a precautionary measure in the wake of the ransomware attack triggered by the WannaCry virus, said two people familiar with the matter. Banks and ATM operators said this could mostly be done remotely without disrupting operations.
The Indian Computer Emergency Response Team (CERT-In), the agency coordinating efforts on cyber security issues, is circulating these Microsoft security patches in India.
The government said on Monday that its computer systems have largely escaped a massive global ransomware attack and that state organizations managing government websites and building supercomputers have installed security patches.
“Our team as well as other ATM operators are working on remote update of patch, whether it can be downloaded and if it is practically possible to remotely push a 60MB file on thousands of ATMs,” said Mahesh Patel, president and group chief technology officer, AGS Transact Technologies Ltd, which makes and runs ATMs. “If all goes well, the update will be completed in the next couple of days. If remote update doesn’t work, then in those cases there will be physical visits required.”
ATMs in India are vulnerable to malware attacks as many of them run on old operating systems.
“A significant number of machines are currently running on outdated operating systems,” said a government official without giving any details. There are about 220,000 ATMs in India.
“A patch is only as good as the next attack,” this person said.
Last year, between 21 May and 11 July, about 3.2 million debit cards were compromised after a malware injection in the systems of Hitachi Payment Services Pvt. Ltd.
Lenders, however, are confident that their systems will be able to withstand this ransomware attack because many are run on private networks and don’t store data.
Ransomware typically logs users out of their own systems and asks them to pay a ransom if they want to access the encrypted data.
The cyber attack, which has affected at least 200,000 computers in 150 countries, shut car factories, hospitals, shops and schools, but has been less severe than anticipated in Asia.
Only if “somebody spoofs the banks’ network and logs into the system and injects the virus, then an attack happens. ATMs don’t have a mail tool. Hence, there is no need for shut them down”, said Shiv Bhasin, chief technology officer, State Bank of India.
Still, there have been reports of breaches in a couple of banks, besides police departments in two states.
“We are currently working with a company which has been affected by ransomware. If one system is affected, it has the ability to infect other systems which are vulnerable. The mode of infection could be anything and we are currently investigating the reason,” said Kartik Shinde, partner, advisory services, EY.
Experts warned that consistently upgrading the software is the only solution against any possible cyber attack in the long term.
“All banks are taking a short cut because it (getting new software) involves a huge licensing cost,” said Dharshan Shanthamurthy, founder and chief executive at SISA Information Security Pvt. Ltd, a global payments security specialist firm. “They have been saying that they will whitelist the IP (allow access from only certain internet addresses) and take other control measures.
“Unfortunately the worst has come true. Microsoft patches are a temporary solution to prevent attack by the current ransomware,” added Shanthamurthy.
Reuters contributed to this story.