India's Largest bank SBI with Poor Digital Security Practices - Leaked Millions of Customers Account Data
By MYBRANDBOOK
What guarantees the security of my account at SBI, the country's largest bank, given its poor digital security practices? Absolutely nothing.
A TechCrunch report on Wednesday disclosed that an SBI data server hosted in Mumbai leaked the details of millions of bank accounts. The bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers. The data center stored two months of data from SBI Quick, a text message and call-based system that customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500, use to request basic information about their bank accounts. An anonymous security researcher highlights that "the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers' information".
The report states that the data was drawn from “SBI Quick”, one of the bank's free services, which allows customers to view their account balance, transaction statements and more by sending SMS messages with pre-defined keywords. For example, if a customer sends the message “BAL” to a specific number for a balance inquiry, the server returns the total balance of the bank account associated with that number.
It is not clear how long the server was left unsecured. When TechCrunch reached out to SBI, the glitch was fixed. However, SBI did not comment on the matter.
The TechCrunch team was able to see text messages going to customers through this unsecured server in real time. The data included their phone numbers, bank balances, and recent transactions. The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some messages would say when a check had been cashed, and many of the messages the bank sent included a link to download SBI’s YONO app for internet banking.
The bank sent out close to three million text messages on Monday alone.
The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.
We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.
“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ride sharing app. Saini said that knowing a phone number “could be used to aid social engineering attacks - which is one of the most common attack vectors in the country with regard to financial fraud.”
SBI claims more than 500 million customers across the globe, with 740 million accounts.
Just a few days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system.
TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector.
It is unclear how long the hosting server was unprotected without any password, but any tech-savvy person who knows where to look could access data of millions of bank account holders of the government-owned State Bank of India.
This is probably one of the biggest data leaks affecting Indian citizens since the Aadhaar data leak, in which over 1.2 billion users' data was exposed back in early 2018.