[BreachExchange] India's largest bank SBI leaked account data on millions of customers
Destry Winant
destry at riskbasedsecurity.com
Fri Feb 1 09:18:58 EST 2019
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/
India’s largest bank has secured an unprotected server that allowed
anyone to access financial information on millions of its customers,
like bank balances and recent transactions.
The server, hosted in a regional Mumbai-based data center, stored two
months of data from SBI Quick, a text message and call-based system
that customers of the government-owned State Bank of India (SBI) use to
request basic information about their bank accounts. SBI is the
largest bank in the country and a highly ranked company in the Fortune
500.
But the bank had not protected the server with a password, allowing
anyone who knew where to look to access the data on millions of
customers.
It's not known for how long the server was open, but it was open long
enough to be discovered by a security researcher, who told TechCrunch
of the leak but did not want to be named for the story.
SBI Quick allows SBI’s banking customers to text the bank, or make a
missed call, to retrieve information back by text message about their
finances and accounts. It’s ideal for millions of the banking giant’s
customers who don’t use smartphones or have limited data service. By
using predefined keywords, like “BAL” for a customer’s current
balance, the service recognizes the customer’s registered phone number
and will send back the current amount in that customer’s bank account.
The system can also be used to send back the last five transactions,
block an ATM card and make inquiries about home or car loans.
It was the back-end text message system that was exposed, TechCrunch
can confirm, storing millions of text messages each day.
The passwordless database allowed us to see all of the text messages
going to customers in real time, including their phone numbers, bank
balances and recent transactions. The database also contained the
customer’s partial bank account number. Some would say when a check
had been cashed, and many of the bank’s sent messages included a link
to download SBI’s YONO app for internet banking.
The bank sent out close to three million text messages on Monday alone.
The database also had daily archives of millions of text messages
each, going back to December, allowing anyone with access a detailed
view into millions of customers’ finances.
We verified the data by asking India-based security researcher Karan
Saini to send a text message to the system. Within seconds, we found
his phone number in the database, including the text message he
received back.
“The data available could potentially be used to profile and target
individuals that are known to have high account balances,” said Saini
in a message to TechCrunch. Saini previously found a data leak in
India’s Aadhaar, the country’s national identity database, and a
two-factor bypass bug in Uber’s ridesharing app.
Saini said that knowing a phone number “could be used to aid social
engineering attacks — which is one of the most common attack vectors
in the country with regard to financial fraud.”
SBI claims more than 500 million customers across the globe, with 740
million accounts.
Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of
mishandling citizen data that allowed fake Aadhaar identity cards to
be created, despite numerous security lapses and misuse of the system.
UIDAI denied the report, saying there was “no security breach” of its
system. (UIDAI often uses the term “fake news” to describe coverage it
doesn’t like.)
TechCrunch reached out to SBI and India’s National Critical
Information Infrastructure Protection Centre, which receives
vulnerability reports for the banking sector. The database was secured
overnight.
Despite several emails, SBI did not comment prior to publication.