Recent SBI Data Breach Highlights Why You Should Not Take Software Security For Granted

06-blog-header2.jpg

It came as yet another shocking news, after the incidents related to Adobe, about 5 years ago, and iCloud, about 4 years ago, when TechCrunch reported in an article on 30-1-2019 that the State Bank Of India had an unprotected server that could allow anyone access to financial information – such as recent transactions and bank balances – on millions of its customers.

The server was hosted in a Mumbai-based data center. It stored 2 months of data from SBI Quick, which is a text message and call-based system that customers use to obtain basic information about their bank accounts.

The largest bank in India and a company which holds a lofty position in the Fortune 500 had, somehow, failed to protect the server with a password.

The result? Well, anyone with the knowledge of where to look for it could gain access to the confidential data on the financial information of millions of customers.

The server had been left thus open till a security researcher discovered this major lapse, and spoke to TechCrunch about it; though s/he did not want to be named for giving the story.

SBI Quick recognizes a customer’s registered phone number through predefined keywords like ‘BAL’ for Current Balance. When customers give a missed call, or text the bank to gain information regarding their accounts, SBI Quick readily gives them the information through a text message. Not only this. SBI Quick can also be used to block an ATM Card, make enquiries regarding car and home loans, and even gain knowledge of the last 5 transactions.

Since the database had no password to secure it from being broken into, one could see, in real time too, all the text messages that were being sent to customers. This included gaining knowledge of customers’ phone numbers, bank balances, and even their recent transactions. The customers’ partial bank account numbers were also contained in the database. One could even get to know when a cheque had been cashed.

TechCrunch conducted a test by contacting India-based security researcher Karan Saini. A text message was dispatched to the system. In a few moments’ time, Mr. Saini’s phone number was found in the database, and also the text message that he received in response.

According to Mr. Saini, the data that was available had the potential to be used for profiling and targeting people who were known to have hefty account balances.

Mr. Saini also opined that knowledge of a phone number could be used to help social engineering attacks — one of the commonest attack vectors in the country with regard to finance-related fraud.

The database was secured at the earliest once SBI was informed of the security lapse.

However, one cannot rule out the possibility of grave damages having been done, or being done, under such circumstances. Especially since it perhaps cannot be told for how long this loophole in security had been present till it was discovered, verified, reported, and rectified.

Just like it had happened in the case of Adobe. Adobe spokesperson Heather Edell is reported to have said that the attackers had obtained Adobe IDs and encrypted passwords for approximately 38 million active users. Password reset emails ensued, but what had happened had already happened.

About 4 years ago, on 31-8-2014, as per Wikipedia, about 500 private pictures of celebrities, mostly ladies, were posted on imageboard 4chan. Those images later got disseminated by users on social networks, etc. It was believed that the images had been obtained because of a breach of iCloud, Apple’s cloud services suite.

Apple, on 2-9-2014, reported that the images had been leaked as a result of accounts that had been compromised – and “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet" had been used.

These sorts of incidents seem to be happening to large and reputable organizations again and again, despite the social outcry that they cause.

A hurriedly done job, perhaps, to meet a deadline much tighter than it should have been, a case of having to cut corners somewhere, or the overconfidence of being too smart to be outsmarted should never lead any organization to leave itself prone to such security lapses that can put their name and reputation at stake.

At Ascentspark, we put stress on Application Security in all the systems developed by us so that such incidents do not happen to your business, leading to incurring heavy losses, trouble, and most of all, the mistrust of customers, along with a sorry loss of prestige.

We perform both White Box and Black Box Testing as well as Code Audits and Penetration Tests to safeguard against common security pitfalls such as

  • SQL and Code Injections
  • File Upload Vulnerabilities
  • Unprotected Databases
  • Weak or No Encryption of Sensitive Data
  • Protection Against DDoS
  • Unauthorized Escalation of Privileges
  • Cross Site Request Forgery
  • Cross Site Scripting
  • Failure Restrict URL Access

Are you worried about the security of your system and data?

We can help you migrate from legacy systems with weak security to modern, secure, and efficient management systems for your business.

Contact us to perform an audit of your system and plan a corrective action before it is too late.

Posted in Android, Articles, iOS, Mobile App Development, PHP, Programming, Web Development on Feb 01, 2019

Add comment


We would love to hear about your project.

Contact us for a free consultation and quote.

Get started now