With about 70 per cent of India’s ATMs running on Windows XP, the operating system most affected by Wannacry ransomware, software and security experts have pointed out that governments and organisations need to regularly update the software involved in running key financial and infrastructure systems in the country. The malicious software has affected more than 2,00,000 computers in more than 150 countries.
In February, responding to a question in Lok Sabha on security of ATMs, finance minister Arun Jaitley said: “Reserve Bank of India (RBI) has informed that banks have been taking steps to upgrade the software based on the agreements/contracts with their vendors. While the Windows XP operating system (OS) is no longer supported by Microsoft, the vendors providing the ATM software that runs on the XP OS, are providing their solutions for managing overall vulnerability of ATMs. This is applicable to about 70 per cent of the ATMs. Owing to the fact that the ATMs run on a closed user network, they are inherently less vulnerable.”
As of March, there were over 2.2 lakh ATMs in India, according to data provided by the RBI. Last year too, around 3.2 lakh debit cards were compromised in the country due to a malware attack that affected ATM machines of Hitachi during three months of May, June and July of 2016. The Hitachi ATMs deployed by many White Label ATM players and Yes Bank were affected by the malware.
Microsoft ended support for Windows XP in April 2014, which meant the company stopped providing any security updates or technical support for the OS since then. “Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported,” Microsoft had said.
Cyber-security firm HumanFirewall said that on account of high use of pirated Windows operating system in India, it was more susceptible to the attack. “The biggest issue is the rampant use of pirated Windows software, extensive use of Windows XP, and poor patch maintenance, which will cause havoc for India,” the company said.
In a blog on Sunday, Microsoft’s president and chief legal officer Brad Smith pointed out that the incident is a wake-up call for the governments of the world, and that it highlighted an emerging pattern wherein governments are stockpiling cyber vulnerabilities. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Smith noted in his blog post.
He added that the attack was a powerful reminder that information technology basics such as keeping computers current and patched were a high responsibility for everyone, and that it was something every organisation’s top executive should support.
Concurring with what Smith highlighted, Software and Freedom Law Centre, India’s president and founding director Mishi Choudhary said that the incident was a “flagrant example” of a global blackmail, which was facilitated by “lax attitude of agencies and organisations on cyber security”. “Not installing regular software updates is the primary cause for such malware to spread like wildfire. This teaches us how something can wreak havoc without attacking the traditionally designated critical infrastructure like a power grid,” Choudhary said.
The Indian Computer Emergency Response Team on Saturday had issued a note back in March about a potential vulnerability from the loophole in the operating system, and advised applying the relevant updates and patches to systems running on Windows. It had said that an unauthenticated attacker could exploit these vulnerabilities by sending specially crafted packets to the targeted server.