Banks maintain and secure a mass amount of data for their clients
and employees. This stewardship should not be taken lightly. This not only
includes the customer’s confidential data, but also the client’s confidential
financial data. In addition to the statutory issues, there may be civil
liability issues. The data and leverage that is a product of a breach have
significant value.
Target/Opportunity
India, as with any nation, has banks throughout its borders.
India’s largest and highly rated bank, State Bank of India (SBI), recently experienced
an issue. SBI had 500M clients across the globe with 740M accounts. They also
had an insecure server. This was, thankfully, detected by a security researcher.
Anyone could have accessed the server. This might have turned out much
differently, as the server held the financial data on millions of its clients.
This included bank balances and recent bank transactions for two months. This
data was from SBI Quick. This is a text message and call-based system. People
are able to call in to get their data on their account(s). Each day the service
archives the data. Each day contained millions of text messages. The server was
based in Mumbai in a data center.
Misconfigurations
The server contained relatively important data. This should
have been secured in some form, however, it was not. The server did not utilize
a password. All the potential attackers had to know was the server’s address. If
this simple task was done, they would be able to see all the text messages, client
phone numbers, bank balances, recent transactions, and partial account numbers.
It, unfortunately, is unknown how long the server was not protected. SBI was
quick in their response once they were informed and secured the server.
Questions
It’s curious why the server was misconfigured in the first
place. With this type of data and the direct harm, it could have inflicted,
seemingly more care would have been applied to this. Also, it is unknown how
long the server was in this state. In theory, this could have been since it was
placed online. This builds and adds to the case for a secondary review of the
work done. The second set of eyes would definitely have assisted in removing or
minimizing the risk.
Resources
Beau HD. (2019, January 31). India’s largest ban SBI leaked
account data on millions of customers. Retrieved from https://it.slashdot.org/story/19/01/31/0426238/indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers
Kolochenko, I. (2019, February 1). India’s largest bank sbi
leaked account data on millions of customers. Retrieved from https://www.informationsecuritybuzz.com/
Modupe, B. (2019, January 31). Account data of millions of
sbi customers, the largest bank in india leaked. Retrieved from https://www.btcnn.com/general-news/account-data-of-millions-of-sbi-customers-the-largest-bank-in-india-leaked/
No comments:
Post a Comment