India’s largest bank SBI leaked account data on millions of customers (techcrunch.com)
226 points by mandliya 23 days ago | 67 comments

This situation is so bad in India that I can't even begin to summarise it... The biggest culprits are financial institutions themselves - they have such stupid requirements for passwords - need to change it regularly, can only contain @#!, need one caps, one small, one number, can't be the same as the last 5 times, can't be shorter than 8 chars, but can't be longer than 15 chars either (!?!), etc - that you are either forced to write it down somewhere, or need to use a password manager. For the less computer-savvy people, the second option is a non-starter, so they resort to the first option. And then, these stupid banks and mutual fund companies actively try to sabotage the working of password managers, even disabling paste on password fields.

And then, there are incredible incidents like this: I received an SMS from a loyalty program a few weeks back:

Login at www.raymondrewards.com with your mobile no. & password <base-64 encoded string> for program benefits. Update your birthday & get 750 bonus pts in your birthday month.

And I just sank in utter despair.

Can't use a password manager either for most of them. For example, ICICI (one of the biggest private banks) doesn't allow you to paste passwords either. The only way to use a password manager is to meddle with view source to allow pasting.

KeePass can auto-type, and some extensions can prefill without pasting.

I don't use the automatic fill option, but LastPass can usually fill on demand even on no-paste sites.

What is the actual logic behind banning pasting, anyway? Is it just anti-scripting? If so, it seems like locking the account after a small number of bad attempts would be enough.

Could probably write a small extension that disables paste blocking.

Here's the one I use [1]. My Pakistani bank also does every single thing mentioned lol.

1: https://chrome.google.com/webstore/detail/dont-fuck-with-pas...

Honest question: Does a typical Indian care about privacy/security?

When I was there, I had colleagues mention that most people find any kind of password a burden to using a service, such that they see usage drop significantly if they enforce strong password requirements. I don’t think that is a reason not to, I am just saying what the reality seems to be. Hopefully it’s just a subset of the population and most of them (increasingly) care about security.

Also are privacy/security laws enforced as strongly in India as other parts of the world?

> Honest question: Does a typical Indian care about privacy/security?

It depends what you mean by "privacy". A vast majority of Indians grow up in an environment with a lack of privacy in personal life. Imagine 3-4 people (or more) in a family growing up in a 2-room accommodation.

Most people I know have no issues giving away PII: phone numbers, addresses, income-tax identifier, Aadhaar (social security numbers, for those unaware).

> Also are privacy/security laws enforced as strongly in India as other parts of the world?

Not quite. Law enforcement and the general public are not really aware of a lot of these laws. Right to privacy being a fundamental right was something that was debated in the courts in 2017.

> A vast majority of Indians grow up in an environment with a lack of privacy in personal life. Imagine 3-4 people (or more) in a family growing up in a 2-room accommodation.

That is a good perspective on how your social life in the real world indirectly affects your online world. Thanks for sharing.


Grew up with 6 people in a 2 bed apartment and our family income put us squarely in the middle class.

My neighbours, at one point, had ~8 people in a 1-bedroom. I used to think of myself as the one with the big house.

Privacy was a dream. My parents themselves didn't get privacy, let alone us kids.

How often do you use the airbags, anyway?

From the few I just asked: no.

This is probably why the use of one-time passwords via SMS is so rampant in many, many services. This kind of auth has mostly eliminated large-scale hacks; however, OTP over SMS still won't help against targeted hacking. But in general the public at large is rather safe primarily because of this.

Having said that, subscription-based startups struggle due to the compulsory use of OTP and therefore resort to yearly subscriptions rather than monthly (ex: Amazon Prime).

This reminds me of my client.

We have SBI as our client and often they raise issues to us. Most of their technical staff is a joke, coz they don't even follow the basic etiquette during a call.

For example: the engineer from SBI allowed me to have control of her server, and in a carefree manner called her BF. She knew I would take about 45-50 min to fix her issue, so she went on gossiping with her paramour in the regional language, and all of her lovey-dovey talk was audible to me loud and clear. She didn't even bother to mute her mic. In the same state of passion, she went to have her lunch without bothering about me (she's supposed to be at the server while I am working). After some time her server got locked coz I was pondering over the notes from my computer. I had to wait for the next 30 min for her to finish her lunch and be back at her cubicle to unlock the server.

Not just SBI, I bet every nationalized bank in India has pathetic security. I've worked with some of them & I will say that if you want to sleep peacefully don't keep your money in a nationalised Indian bank; unfortunately private banks are out of reach for the majority of the population.

Anyway, it's not that a criminal needs to target the banks for sensitive data when the govt has made it easy by giving a central depository of citizen data in the name of Aadhaar; for ease of use, it is linked with bank accounts & mobile numbers as well!

That's because Skype is soon becoming the de facto VoIP for Indian govt communication & guess what the authentication is? Yup, Aadhaar!

Moreover, Azure is the cloud storage provider for all govt data moving forward.

So not only would Bill Gates support Aadhaar; the NSA & every party benefiting from privacy abuse would too.

Bill Gates in the past has supported horrible centralized mechanisms like Common Core. People like Bill Gates do not fully understand countries like India and their knowledge solely comes from "Intellectual Yet Idiots" [1].

[1] https://medium.com/incerto/the-intellectual-yet-idiot-13211e...

Easy to be a fan when all the harm falls on other people on the other side of the world.

Also easy to be a critic when the harm falls on other people on the other side of the world. There is a cost to inaction as well.

Hi. I'm an Indian saddled with an Aadhaar account. Am I allowed to be a critic?

Certainly. It's a free country after all. There's already an army of "critics" in the Indian Supreme Court who want Aadhaar to be thrown into the bin under Article 21.

It won't happen any time soon or even ever. There are already talks of a Universal Basic Income by two major parties. They need this kind of infrastructure to roll out their scheme soon.

In short, it will be mostly activist rage on Twitter, and beyond that nothing much actually.

Remember: privacy invasion is always ok when no one's dying. When it gets that far, then anonymous comments online disappear.

> Thanks to the work Nandan is doing the world is moving closer to the day when everyone will have access to an official ID

So I guess this is mission accomplished? /s

It solved some problems. I had a lot of trouble opening my NPS account without Aadhaar.

He's a friend of Nandan Nilekani, that's why.

Realistically there is no concept of security and much less privacy in India. You could do a filetype:xlsx PAN aadhaar on Google and tons of files with phone numbers, addresses etc will show up. The central voting list of all voting-eligible Indians with age, address, gender etc is publicly available to anyone who wants it at https://electoralsearch.in/ You just have to give the starting initial like A and leave everything else blank.

Despite terrible service and security, I still opened an account a few years ago. Why? Because statements from private banks are not a valid address proof for various purposes. I was hit hard because I needed a new passport, and they changed the rule last minute (barely any notice) that only nationalized banks are acceptable, and even if I made a new account I still needed multiple months of statements. [1]

So despite the fact that I would rather not have a nationalized bank account at all, I'm forced to keep one just in case something else changes in future without any notice. And that's one reason why many other people prefer to open at least one (first) account there.

[1] https://timesofindia.indiatimes.com/city/bengaluru/Private-b... [apologies for this terrible website]

This is untrue. The list of documents that are valid as proof of address when applying for a passport [1] includes electricity bill, water bill, telephone bill, gas connection, election ID, rent agreement among many others. If you're really keen on using your bank passbook for some reason, you'll be happy to know that ICICI and HDFC (the largest private banks) are also accepted [2].

I have an SBI bank account but I've never had to use it for anything in the past half a decade. So I would dispute your claim that it's indispensable.

[1] - https://portal2.passportindia.gov.in/AppOnlineProject/popupo...

[2] - https://portal2.passportindia.gov.in/AppOnlineProject/pdf/Ci...

I was like 20/21 then, without any kind of bills as they were all under my parents' name. I missed out on elections, so didn't have an election ID. I had an ICICI account though for years, and it was for a fact rejected back in 2014, and that is exactly why I opened SBI. Maybe they changed the rule now. And that is exactly the reason why I or some of my friends had a nationalized bank account back then. My complaint here is that the govt keeps changing rules, and SBI is kind of a safe choice even though I don't use it for anything.

You could get address proof from the local municipality or BDO (if in a rural area).

And you could get India Post's address proof. A very little-known feature but excellent. I have used it once in a city where I was just for 5 months.

I work with US FIs and security isn't great there either (some don't even have a legit HTTPS cert). Even private Indian banks don't have secured sites; you could still get your details leaked there as well. As for Aadhaar, it's no longer necessary for opening an account.

Citibank sends me credit card fraud alerts and when I click on those links I end up on links that are not from Citibank's domain but some third-party service. I am then expected to enter my bank login on that site. I always thought this was phishing until the bank support confirmed to me that it is legit.

Many private banks have strange ways of conducting business. I've been receiving calls from ICICI Bank (through private numbers) to verify my credit card. The procedure eventually ends with the operator asking me to enter my CVV through IVRS. Now how am I supposed to know if the IVRS (or even the operator) is legit? On one hand we are not supposed to share our details with anyone and on the other hand the bank itself asks for these details through shady numbers. It's sad that banks don't do anything properly without RBI guidelines.

> unfortunately private banks are out of reach for majority of the population.

Do they have pretty restrictive minimum deposit amounts or something?

A lot of private banks require a monthly minimum balance of INR 10k.

Nationalised banks have zero minimum balance accounts.

SBI has a 5K minimum for most accounts.

Banks use the PAN number. They didn't ask for an Aadhaar number.

Btw, I got my PAN number in late 1999, I think.

> They didn't ask for an Aadhaar number.

The Indian banks, especially public banks, have been hounding everyone with an account for their Aadhaar number for the past 3+ years. It only stopped when the 5 judge bench of the SC ruled last year that Indians have a Right to Privacy and Aadhaar cannot be demanded for everything.

From the looks of the screenshots in the article, it's possible they are using MongoDB (JSON format, $oid field). Old versions had insecure defaults [0].

I'm currently in India, in the finance field, and I think it could happen to my company (passwords on post-its, computers left with unlocked sessions, some servers accessible from any employee - or anyone inside the office actually...). Security is sometimes tough to advocate, and raising awareness is easier said than done.

[0] https://news.ycombinator.com/item?id=13374715
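Following up on the MongoDB guess above: an added example, not from this thread or the TechCrunch report, that audits a mongod.conf for the two settings whose old defaults turn a forgotten instance into a passwordless, network-facing database. The two config texts are constructed, and the parser is a hypothetical minimal one that only understands the flat `section:` / `  key: value` layout mongod.conf uses.

```python
# Added example: audit a mongod.conf for "anyone who can reach it can read it".
# MongoDB's default for security.authorization is "disabled"; older packaged
# builds also bound to all interfaces. Both sample configs are constructed.

WEAK_CONF = """\
# constructed: old-style deployment with no security section at all
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed: loopback only, clients must authenticate
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Hypothetical minimal parser: returns {section: {key: value}} for the
    two-level YAML subset of mongod.conf (no lists, no deeper nesting)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indented:
            section = key
            conf[section] = {} if not value else value
        elif isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks passed."""
    def section(name):
        return conf.get(name) if isinstance(conf.get(name), dict) else {}

    net, sec = section("net"), section("security")
    findings = []
    # Default bindIp is loopback in current releases; anything wider needs
    # both authorization and a network ACL in front of it.
    bind = net.get("bindIp", "127.0.0.1")
    wildcard = any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    if wildcard or net.get("bindIpAll") == "true":
        findings.append("net.bindIp=%s: listens on every interface" % bind)
    # Missing security.authorization means the MongoDB default: disabled.
    authz = sec.get("authorization", "disabled")
    if authz != "enabled":
        findings.append("security.authorization=%s: any client that connects "
                        "can read every collection" % authz)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["ok"])
```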

Honestly, this could happen at any company, for all the same reasons - in my experience, any workplace that isn't actually, or at least run as if it were, military is rife with subpar physical security.

And I can't claim not to be part of the problem - I'm forever wandering off to get coffee without locking my screen, holding doors for people I kinda think I might recognise... every security sin you can name, I'm guilty of it at some point. And so are you. Yes, you. No, probably not you, Mr. Schneier.

I have an amusing anecdote about the military and password security. I worked with some folks on a base once and everyone used the same keyboard pattern such that if I knew the first character of a password, I knew the whole password. This pattern was openly shared as a way to "remember" otherwise impossible to remember complex passwords.

So do I. Worked at a contractor hosting multiple sensitive/classified document repositories for one of the service branches. One of their attorneys' passwords expired for the document review platform. So this highly-qualified, TS/SCI cleared person accessing sensitive data emailed a bunch of our IT support and PMO distribution lists - basically an unknown number of anonymous third-party personnel - with an angry request to "reset [my] password back to [pass1234]! Right now!"

One thing I learned is that, with the exception of those directly concerned with the firing of weapons in anger, most military personnel don't give a hoot about operational security, and they HATED our IT department who did.

What about the nuclear launch codes being all set to 0000000. https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-...

You have to wonder because SBI is the biggest and possibly best run public sector bank of India.

Given the employment structure of Public Sector Banks, it's always a challenge how the tech infrastructure is maintained.

My understanding was that most of this tech is built and maintained on contract by Infosys or some other company. Is that not the case?

It seems like 'Nucleus Software' has many Asian bank clients, but I cannot see SBI in the list (https://www.nucleussoftware.com/customers).

Quote: "But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information."

The disregard for security is so bad, I was actually surprised. How does India, a giant in terms of providing technology and tech workers, have such bad standards?

And I quote: "The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking."

Most importantly, why wasn't this tested for security purposes and instead allowed to go live without adequate QA?

> The disregard for security is so bad, I was actually surprised. How does India, a giant in terms of providing technology and tech workers, have such bad standards?

Most of these data leaks and hacks occur at nationalized banks/govt institutions. Thanks to various legacy decisions such as quotas on everything other than skills and merits, politics, decades of socialism, etc, the actually skilled tech workers (or any kind of skilled workers) go to private institutions or emigrate. You won't hear of any private institutions having data leaks with such frequency. Private sector companies have high standards. Many of the high-performing and skilled people across the USA are Indians.

What not many people understand is that up until the last two decades, the only comfortable job in India was in the government. Private sector jobs were few and far between.

Therefore, parents often pressured kids to get into government services so that they could get official cars, manors and "benefits", without having to do any work. You can imagine what kind of people get into government institutions with such a culture. Rank idiots and rote learners. No one in India is surprised by such shoddy inefficiencies in a govt agency. It's basically expected.

Politicians do not try to change this culture as it benefits them immensely and because of opposition pushback. Modi has been trying to offload more and more government agencies into the private markets, but the sheer amount of bureaucratic pushback is not helped by the opposition trying to portray him as a crony capitalist to earn political brownie points.

There is no concept of privacy in Indian banks. My father-in-law owns a business that has to deal with large sums being exchanged through checks. Now, unlike in the USA, bounced checks in India are as good as lost money. So most people will simply refuse to accept checks. Since my father-in-law does a large number of transactions with nearly every bank in town, he simply calls up the manager and asks "Does Mr. X have Y money in his account?", the bank manager then gladly tells him how much money the customer has in his account, and based on that statement whether the check can be encashed or not.

On another note, TechCrunch seems to have done research where they actually monitored information passing through. Is this an ok line to cross in security disclosures? It doesn't feel right. Like as soon as you know you are looking at customer data, realtime or not, you should be closing the terminal/browser/whatever and reporting it immediately. Assuming you aren't a security researcher paid for by the company, that is.

Curious what the more canonical opinion is on this.

I remember I was in the NRI section of an SBI bank in Kolkata maybe ~20 years ago and we needed to get a travelers cheque transaction completed before their closing (bank strikes happen often so timing was critical when we were there; after days we were finally able to get into the bank to do business). Anyways, we were discussing things and the bank manager learned that I was good at computers and I kid you not, he asked me (a customer) to help him with some errors that his computer was making. I obliged because at the time I just didn't care and wanted my transaction to go through. IIRC there was a .com/dll/ocx error, nothing I wanted to mess with by looking for a file, trying to run regsvr32, etc. Luckily a reboot fixed the problem... but yeah, you can see how screwed up things are there. Things have definitely gotten much more strict recently but I'm sure there are still lots of these shenanigans happening amongst employees.

Reading from the article, this was READ-ONLY access. So privacy implications only. It doesn't make it any less sinful though.

Privacy only? What do you mean? If you requested details via SMS often, your account can be profiled with some basic parsing. The hacker can create highly accurate targets for social engineering. This is a massive blunder.

He meant, it could have been worse. They could have changed your details. The phone number associated with your account, for example. Or they could have added transactions.

When their key software was in need of an urgent upgrade, my friend had to drive a two-wheeler to their server location and replace a couple of files using USB sticks.

Is that MongoDB again?

That's what I'm thinking! I bet it's MongoDB too.

Are there any websites that give deeper technical briefs about these large security breaches?

This article provides a little bit of information, but oftentimes these articles provide little to no information about the nature of the breach, point of weakness, etc.

https://krebsonsecurity.com/ has a lot of technical details on various breaches. But I doubt if they will cover this case.

Sigh. I'm starting to half-seriously long for a bank that doesn't use computers at all. Maybe just for encrypted communication between bank staff. I don't really think Canadian banks are all that much safer either.

Why do you think Canadian banks are insecure?

I've just seen enough shoddy work in the financial sector. The money is safe. The information isn't. Not in the long run, anyway.

Actually, we can trust the security researcher or hacker! Not the SBI bank; you do not know when they impose fines and a minimum balance fine.

A quick look at the audit trail would have prevented this leak.
