
India’s largest bank SBI leaked account data on millions of customers - mandliya
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/
======
kumarharsh
This situation is so bad in India, that I can't even begin to summarise it...
The biggest culprits are financial institutions themselves - they have such
stupid requirements for passwords - need to change it regularly, can only
contain @#!, need one caps, one small, one number, can't be the same as last 5
times, can't be shorter than 8 chars, but can't be longer than 15 chars
either (!?!), etc - that you are either forced to write it down somewhere, or
need to necessarily use a password manager. For the less computer savvy
people, the second option is a non-starter, so they resort to the first
option. And then, these stupid banks and mutual fund companies actively try to
sabotage the working of password managers, and even disable paste on
password fields.

And then, there are incredible incidences like this: I received an SMS from a
loyalty program a few weeks back:

Login at www.raymondrewards.com with your mobile no. & password <base-64
encoded string> for program benefits. Update your birthday & get 750 bonus pts
in your birthday month.

And I just sank in utter despair.

~~~
victor106
Honest question:- Does a typical Indian care about privacy/security?

When I was there I had my colleagues mention that most of them find any kind
of password a burden to use a service, and that they see usage drop significantly
if they enforce strong password requirements. I don't think that is a reason
not to, I am just saying what the reality seems to be. Hopefully it's just a
subset of the population and most of them (increasingly) care about security.

Also are privacy/security laws enforced as strongly in India as other parts of
the world?

~~~
ketanpkr
> Honest question:- Does a typical Indian care about privacy/security?

It depends what you mean by "privacy". A vast majority of Indians grow up in
an environment with a lack of privacy in personal life. Imagine 3-4 people (or
more) in a family growing up in a 2 room accommodation.

Most people I know have no issues giving away PII: phone numbers, addresses,
income-tax identifier, Aadhaar (social security numbers, for those unaware).

> Also are privacy/security laws enforced as strongly in India as other parts
> of the world?

Not quite. Law enforcement and the general public are not really aware of a
lot of these laws. Right to privacy being a fundamental right was something
that was debated in the courts in 2017.

~~~
victor106
> A vast majority of Indians grow up in an environment with lack of privacy in
> personal life. Imagine 3-4 people (or more) in a family growing up in a 2
> room accommodation.

That is a good perspective on how your social life in the real world
indirectly affects your online world. Thanks for sharing.

~~~
screye
Yep.

Grew up with 6 people in a 2 bed apartment and our family income put us
squarely in the middle class.

My neighbours at one point had ~8 people in a 1 bedroom. I used to think of
myself as the one with the big house.

Privacy was a dream. My parents themselves didn't get privacy, let alone us
kids.

------
godelmachine
This reminds me of my client.

We have SBI as our client and often they raise issues to us. Most of their
technical staff is a joke, coz they don't even follow basic etiquette
during a call.

For ex - the engineer from SBI allowed me to have control of her server, and
in a carefree manner called her BF. She knew I would take about 45-50 min to
fix her issue, so she went on gossiping with her paramour in the regional
language, and all of her lovey-dovey talks were audible to me loud and clear.
She didn't even bother to mute her mic. In the same state of passion, she went
to have her lunch without bothering about me (She's supposed to be at the
server while I am working). After some time her server got locked coz I was
pondering over the notes from my computer. I had to wait for the next 30 min
for her to finish her lunch and be back at her cubicle to unlock the server.

------
Dravidian
Not just SBI, I bet every nationalized bank in India has pathetic security.
I've worked with some of them & I will say that if you want to sleep
peacefully don't keep your money in a nationalised Indian bank; unfortunately
private banks are out of reach for the majority of the population.

Anyway, it's not that a criminal needs to target the banks for sensitive data
when the govt has made it easy by giving a central depository of citizen data
in the name of Aadhaar; for ease of use - it is linked with bank accounts &
mobile numbers as well!

~~~
mhb
Bill Gates is a big fan of Aadhaar:
[https://www.gatesnotes.com/Development/Heroes-in-the-Field-Nandan-Nilekani](https://www.gatesnotes.com/Development/Heroes-in-the-Field-Nandan-Nilekani)

~~~
plinkplonk
Easy to be a fan when all the harm falls on other people on the other side of
the world.

~~~
edge17
Also easy to be a critic when the harm falls on other people on the other side
of the world. There is a cost to inaction as well.

~~~
nindalf
Hi. I'm an Indian saddled with an Aadhaar account. Am I allowed to be a
critic?

~~~
sbmthakur
Certainly. It's a free country after all. There's already an army of "critics"
in the Indian Supreme Court who want Aadhaar to be thrown into the bin under
Article 21.

~~~
kamaal
It won't happen any time soon or even ever. There are already talks of a
Universal Basic Income by two major parties. They need this kind of
infrastructure to roll out their scheme soon.

In short it will be mostly activist rage on Twitter, and beyond that nothing
much actually.

------
niyaven
From the looks of the screenshots in the article, it's possible they are using
MongoDB (json format, $oid field). Old versions had insecure defaults [0].

I'm currently in India, in the finance field, and I think it could happen to
my company (passwords on post-its, computers left with unlocked sessions, some
servers accessible from any employee - or anyone inside the office
actually...). Security is sometimes tough to advocate, and raising awareness
is easier said than done.

[0] [https://news.ycombinator.com/item?id=13374715](https://news.ycombinator.com/item?id=13374715)

~~~
eponeponepon
Honestly, this could happen at any company, for all the same reasons - in my
experience, any workplace that isn't actually, or at least run as if it were,
military is _rife_ with subpar physical security.

And I can't claim not to be part of the problem - I'm forever wandering off to
get coffee without locking my screen, holding doors for people I _kinda_ think
I _might_ recognise... every security sin you can name, I'm guilty of it at
some point. And so are you. Yes, you. No, probably not you, Mr. Schneier.

~~~
Consultant32452
I have an amusing anecdote about the military and password security. I worked
with some folks on a base once and everyone used the same keyboard pattern
such that if I knew the first character of a password, I knew the whole
password. This pattern was openly shared as a way to "remember" otherwise
impossible to remember complex passwords.

~~~
hotsauceror
So do I. Worked at a contractor hosting multiple sensitive/classified document
repositories for one of the service branches. One of their attorneys'
passwords expired for the document review platform. So this highly-qualified,
TS/SCI cleared person accessing sensitive data emailed a bunch of our IT
support and PMO distribution lists - basically an unknown number of anonymous
third-party personnel - with an angry request to "reset [my] password back to
[pass1234]! Right now!"

One thing I learned is that, with the exception of those directly concerned
with the firing of weapons in anger, most military personnel don't give a hoot
about operational security, and they HATED our IT department who did.

~~~
pkaye
What about the nuclear launch codes being all set to 0000000.
[https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587](https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587)

------
sremani
You have to wonder because SBI is the biggest and possibly best run public
sector bank of India.

Given the employment structure of Public Sector Banks, it's always a challenge
how the tech infrastructure is maintained.

~~~
nindalf
My understanding was that most of this tech is built and maintained on
contract by Infosys or some other company. Is that not the case?

~~~
worldexplorer
It seems like 'Nucleus Software' has many Asian bank clients but I cannot see
SBI in the list
([https://www.nucleussoftware.com/customers](https://www.nucleussoftware.com/customers)).

------
pjf
Quote: "But the bank had not protected the server with a password, allowing
anyone who knew where to look to access the data on millions of customers’
information."

------
forkLding
The disregard for security is so bad, I was actually surprised. How does
India, a giant in terms of providing technology and tech workers have such bad
standards?

And I quote: "The passwordless database allowed us to see all of the text
messages going to customers in real time, including their phone numbers, bank
balances and recent transactions. The database also contained the customer’s
partial bank account number. Some would say when a check had been cashed, and
many of the bank’s sent messages included a link to download SBI’s YONO app
for internet banking."

Most importantly why wasn't this tested for security purposes and instead
allowed to go live with adequate QA?

~~~
quantummkv
> The disregard for security is so bad, I was actually surprised. How does
> India, a giant in terms of providing technology and tech workers have such
> bad standards?

Most of these data leaks and hacks occur on nationalized banks/govt
institutions. Thanks to various legacy decisions such as quotas on everything
other than skills and merits, politics, decades of socialism, etc, the actual
skill tech workers (or any kind of skilled workers) go to private institutions
or immigrate out. You won't hear any private institutions of having data leaks
with such frequency. Private sector companies have high standards. Many of the
high performing and skilled people across USA are Indians.

What not many people understand is that up until the last two decades, the
only comfortable job in India was in the government. Private sector jobs were
few and far between.

Therefore, parents often pressurized kids to get into government services so
that they can get official cars, manors and "benefits", without having to do
any work. You can imagine what kind of people get into government institutions
with such a culture. Rank idiots and rote learners. No one in India is
surprised by such shoddy inefficiencies in a govt agency. It's basically
expected.

Politicians do not try to change this culture as it benefits them immensely
and because of opposition pushback. Modi has been trying to offload more and
more government agencies into the private markets, but the sheer amount of
bureaucratic pushback is not helped by the opposition trying to portray him as
a crony capitalist to earn political brownie points.

------
KorematsuFred
There is no concept of privacy in Indian banks. My father in law owns a
business that has to deal with large sums being exchanged through checks. Now,
unlike the USA, bounced checks in India are as good as lost money. So most people
will simply refuse to accept checks. Since my father in law does a large number
of transactions with nearly every bank in town he simply calls up the manager
and asks "Does Mr. X have Y money in his account?", the bank manager then
gladly tells him how much money the customer has in his account and based on
that statement whether the check will encash or not.

------
nstart
On another note, TechCrunch seems to have done research where they actually
monitored information passing through. Is this an ok line to cross in security
disclosures? It doesn't feel right. Like as soon as you know you are looking
at customer data, realtime or not, you should be closing the
terminal/browser/whatever and reporting it immediately. Assuming you aren't a
paid-for-by-company security researcher, that is.

Curious what the more canonical opinion is on this.

------
sabujp
I remember I was in the NRI section of an SBI bank in Kolkata maybe ~20 years
ago and we needed to get a travelers cheque transaction completed before their
closing (bank strikes happen often so timing was critical when we were there;
after days we were finally able to get into the bank to do business). Anyways,
we were discussing things and the bank manager learned that I was good at
computers and I kid you not, he asked me (a customer) to help him with some
errors that his computer was making. I obliged because at the time I just
didn't care and wanted my transaction to go through. IIRC there was a
.com/dll/ocx error, nothing I wanted to mess with by looking for a file, trying
to run regsvr32, etc. Luckily a reboot fixed the problem.. but yea you can see
how screwed up things are there. Things have definitely gotten much more
strict recently but I'm sure there are still lots of these shenanigans
happening amongst employees.

------
ramshanker
Reading from the article, this was READ ONLY access. So privacy implication
only. It doesn't make it any less sinful though.

~~~
vijaybritto
Privacy only? What do you mean? If you had requested details by SMS often,
your account can be profiled with some basic parsing. The hacker can create
highly accurate targets for social engineering. This is a massive blunder.

~~~
nindalf
He meant, it could have been worse. They could have _changed_ your details.
The phone number associated with your account, for example. Or they could have
added transactions.

------
iamgopal
When their key software was in need of an urgent upgrade, my friend had to drive
a two wheeler to their server location and replace a couple of files using
USB sticks.

------
scandox
Is that MongoDB again?

~~~
1024core
That's what I'm thinking! I bet it's MongoDB too.

------
edge17
Are there any websites that give deeper technical briefs about these large
security breaches?

This article provides a little bit of information, but often times these
articles provide little to no information about the nature of the breach,
point of weakness, etc.

~~~
sbmthakur
[https://krebsonsecurity.com/](https://krebsonsecurity.com/) has a lot of
technical details on various breaches. But I doubt if they will cover this
case.

------
3pt14159
Sigh. I'm starting to half-seriously long for a bank that doesn't use
computers at all. Maybe just for encrypted communication between bank staff. I
don't really think Canadian banks are all that much safer either.

~~~
alex_anglin
Why do you think Canadian banks are insecure?

~~~
3pt14159
I've just seen enough shoddy work in the financial sector. The money is safe.
The information isn't. Not in the long run, anyway.

------
onemantaker
Actually we can trust the security researcher or hacker! Not the SBI bank; you
do not know when they impose fines and min balance fines.

------
known
A quick look at the audit trail would have prevented this leak;