India's Largest bank SBI with Poor Digital Security Practices - Leaked Millions of Customers Account Data
By MYBRANDBOOK
What is the guarantee of the security of my account at SBI, the country's largest bank, given its poor digital security practices? Absolutely none.
A report from TechCrunch on Wednesday disclosed that an SBI data server hosted in Mumbai leaked details of millions of bank accounts. The bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information. This data center stored two months of data from SBI Quick, a text message and call-based system that customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500, use to request basic information about their bank accounts. An anonymous security researcher highlights that "the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers' information".
The report states that the data was drawn from “SBI Quick”, one of the bank’s free services, which allows customers to view their account balance, transaction statements and more by sending SMS messages with pre-defined keywords. For example, if a customer sends the message “BAL” to a specific number for a balance inquiry, the server will return the total balance of the bank account associated with that number.
It is not clear for how long the server was left unsecured. But when TechCrunch reached out to SBI, the glitch was fixed. However, SBI did not comment on the matter.
The TechCrunch team was able to see text messages going to customers through this unsecured server in real time. The data included their phone numbers, bank balances, and recent transactions. The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.
The bank sent out close to three million text messages on Monday alone.
The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.
We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.
“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ride sharing app. Saini said that knowing a phone number “could be used to aid social engineering attacks - which is one of the most common attack vectors in the country with regard to financial fraud.”
SBI claims more than 500 million customers across the globe, with 740 million accounts.
Just a few days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system.
TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector.
It is unclear how long the hosting server was unprotected without any password, but any tech-savvy person who knows where to look could access data of millions of bank account holders of the government-owned State Bank of India.
This is probably one of the biggest data leaks of Indian citizens after the Aadhaar data leak, where over 1.2 billion users' data was exposed, back in early 2018.