A human error led to the leak of millions of customers' data at an Indian public sector bank, raising questions about the merit of Bitcoin over banks.
State Bank of India, a government-owned corporation, failed to secure a server that held customers' messages, bank balances, transaction details, and other related information. The lapse allowed anyone who knew where to look to access and steal the data. A security researcher later found the unprotected server and brought the story to TechCrunch.
According to the report, the passwordless server stored two months of data from SBI Quick, a service that supports banking via missed calls and SMS. A customer wishing to check their bank details would send a missed call or SMS to SBI from their registered phone number and receive information about their accounts and finances in return.
Because the server had no password, anyone could gain access to SBI's Mumbai server and, with it, customers' registered phone numbers, account details, and recent transactions.
Nevertheless, the Indian bank did not respond to the screenshots of the leak presented by TechCrunch, the outlet that broke the story. There was also no outcry from SBI customers, at least in response to the outlet's tweet, which could mean that not many people know about the data leak.
A malicious actor could publish the SBI customers' banking details at any time, or sell them to other criminals via underground marketplaces online. Such information would primarily be used against people who hold higher account balances. Meanwhile, knowing customers' phone numbers could enable attackers to orchestrate social engineering attacks, a practice already common across the world, whereby fraudsters siphon off money through human interaction rather than technical intrusion.
A competent security team regularly carries out penetration testing that includes social engineering routines, and SBI must have a group dedicated to detecting these threats firsthand. But given that this is the second time in the past 12 months that SBI has mishandled customers' data, the bank's assurances have begun to appear insincere. The last time it happened, SBI's lapse led to the creation of fake Aadhaar identity cards (India's equivalent of social security numbers).
Anthony "Pomp" Pompliano was quick to highlight the incompetence of mainstream banks after the SBI report went out. The Morgan Creek founder said in a tweet that only decentralized financial institutions could provide the best security to customers.