The Reserve Bank of India's initiative to enhance online banking security through the .bank.in subdomain has been marred by allegations of a significant data leak. A security researcher claims that the designated registrar for these domains, the Institute for Development and Research in Banking Technology (IDRBT), failed to secure its registration portal, potentially exposing sensitive information of bank employees and compromising the very security measures intended to protect customers, as reported by The Register.

A security researcher, operating under the pseudonym "Srikanth L" and affiliated with CashlessConsumer, has alleged that the IDRBT's Domain Registration Portal, the exclusive registrar for India's .bank.in namespace, exposed over 33 unauthenticated API endpoints. This alleged vulnerability could have allowed unauthorized access to bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of 5,576 bank employees. The researcher also found that many Indian banks' .bank.in domains lack crucial security protocols like DNSSEC and DMARC, and some websites are hosted on shared servers internationally. The portal reportedly operated with these security flaws for 13 months without a proper audit.

While IDRBT has since reportedly addressed the vulnerabilities, the initial exposure could have potentially facilitated phishing and DNS spoofing attacks, undermining the RBI's efforts to combat fraud.

Source: The Register
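The researcher's finding that many .bank.in domains publish no DMARC policy is the kind of thing a bank's own security team can verify for itself. The script below is an added example, not code from the article, IDRBT, or the researcher: it parses a DMARC TXT record the way a receiving mail server would and classifies the domain as missing, invalid, monitor-only, partially enforcing, or enforcing. The domain names and records are constructed, and the DNS lookup is simulated with a dictionary so the script runs offline; for live domains, replace `lookup_txt` with a real resolver query for `_dmarc.<domain>` TXT (a DNSSEC check is separate and needs a validating resolver that reports the AD flag, which this example does not cover).

```python
"""Classify the DMARC posture of a domain from its _dmarc TXT record.

Added example (not the article's, IDRBT's, or the researcher's code).
Domain names and records below are constructed; lookups are simulated
so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample zone data: the TXT record a resolver would return for
# _dmarc.<domain>, or None when no record exists.
SAMPLE_TXT: Dict[str, Optional[str]] = {
    "_dmarc.enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "_dmarc.partial.example":   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "_dmarc.monitor.example":   "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "_dmarc.broken.example":    "v=DMARC1; rua=mailto:dmarc@broken.example",
    "_dmarc.missing.example":   None,
}


def lookup_txt(name: str) -> Optional[str]:
    """Simulated resolver (hypothetical): swap in a real TXT query for live checks."""
    return SAMPLE_TXT.get(name)


@dataclass
class DmarcAssessment:
    domain: str
    status: str            # missing | invalid | monitor-only | partial | enforcing
    policy: Optional[str]  # value of the p= tag, if any
    pct: int               # share of failing mail the policy applies to
    reporting: bool        # whether aggregate reports (rua=) are requested
    detail: str


def parse_dmarc(record: str) -> list:
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    return tags


def assess_dmarc(domain: str,
                 resolve: Callable[[str], Optional[str]] = lookup_txt) -> DmarcAssessment:
    record = resolve(f"_dmarc.{domain}")
    if record is None:
        return DmarcAssessment(domain, "missing", None, 0, False,
                               "no _dmarc TXT record; receivers get no policy for spoofed mail")
    tags = parse_dmarc(record)
    # The version tag must come first, as RFC 7489 requires.
    if not tags or tags[0] != ("v", "DMARC1"):
        return DmarcAssessment(domain, "invalid", None, 0, False,
                               "record does not begin with v=DMARC1")
    tagmap = dict(tags)
    policy = tagmap.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, "invalid", policy or None, 0, "rua" in tagmap,
                               "p= tag missing or not none/quarantine/reject")
    try:
        pct = max(0, min(100, int(tagmap.get("pct", "100"))))
    except ValueError:
        pct = 100  # receivers treat an unparsable pct as the default of 100
    reporting = "rua" in tagmap
    if policy == "none":
        status, detail = "monitor-only", "p=none: failures are reported but not acted on"
    elif pct < 100:
        status, detail = "partial", f"p={policy} applied to only {pct}% of failing mail"
    else:
        status, detail = "enforcing", f"p={policy} applied to all failing mail"
    return DmarcAssessment(domain, status, policy, pct, reporting, detail)


def report(domains) -> Dict[str, str]:
    """Map each domain to its status; handy for bulk checks of a namespace."""
    return {d: assess_dmarc(d).status for d in domains}


if __name__ == "__main__":
    for d in ("enforcing.example", "partial.example", "monitor.example",
              "broken.example", "missing.example"):
        a = assess_dmarc(d)
        print(f"{a.domain:20} {a.status:13} rua={'yes' if a.reporting else 'no ':3} {a.detail}")
```

Only an `enforcing` result (p=quarantine or p=reject at pct=100) actually stops spoofed mail at cooperating receivers; `monitor-only` and `missing` domains are the ones the article's phishing concern applies to.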