SBI Leaks Data of Millions of Customers After Failing to Secure a Key Server

SBI Fails to Secure an Important Server

The State Bank of India (SBI) might not be the biggest bank in the world, but it's still a substantial organization. It has over $400 billion in assets and close to half a billion customers. In other words, people of all walks of life use its services every day. Some of them prefer to communicate with people and organizations on old feature phones because they reckon that modern smart devices present too much of a privacy threat. Others just can't afford a smartphone and are stuck with the buttons, the small display, and the superior battery life.

They can't install YONO, SBI's mobile banking application, but they still need information about their money while they're on the move, which is why the government-owned financial institution has developed SBI Quick – an SMS-based system that works with the help of keywords. For example, if you want to find out your account balance, you send a text containing a predefined keyword. The system confirms that your phone number matches the one associated with your account and replies with your balance. If you need another piece of information (e.g., details about your most recent transactions), you send another keyword.

The developers that came up with the system were probably very proud of their work. So much so, in fact, that they wanted to share it with the whole world. Either that or they were the next in a very long line of developers that made a massive configuration blunder when setting up a server on the internet.

SBI's SMS system exposed

SBI Quick operates using a backend server that needs to be connected to the internet. When they were launching it, the people in charge of the project put the whole infrastructure together, plugged in the Ethernet cable, and pressed the ON button. What they forgot to do was think about the security implications of leaving so much sensitive information reachable from the internet.

Nobody bothered to protect the server with a password, and sure enough, a security researcher who preferred to remain anonymous found it using search techniques that are available to everyone. The unnamed researcher got in touch with TechCrunch who, in turn, informed SBI and India's National Critical Information Infrastructure Protection Centre. SBI representatives decided not to comment, but thankfully, they did acknowledge the issue and placed the server behind a password.

We're seeing the same old silly mistakes

Security experts are finding unsecured servers and databases like this every single day. For reasons that are not perfectly clear, more and more system administrators seem to be leaving tons of data on the internet without any form of protection. Over the last four weeks alone, we have seen several incidents of this type. And it's not like the potential impact is negligible, either.

According to TechCrunch, SBI Quick processes a few million messages every day, and the server stored two months' worth of data. It's safe to say that many millions of SBI customers could be affected, and all of them, especially the ones with higher bank balances, might now be prime targets for all manner of scams.

The unprotected server isn't the only problem

Although SBI's SMS system was publicly available, we don't actually know whether anyone other than the anonymous researcher got to it. In other words, the security error might not affect anyone in the end, especially now that the server is protected and only authorized people can access it.

On the whole, however, SBI might want to start thinking about a more fundamental redesign of SBI Quick. We recently discussed the disadvantages of SMS as a method for sending sensitive information, and we mentioned examples of how the old technology behind it has been abused.

Granted, exploiting SS7's security flaws is a lot harder than firing up a search engine and finding a database with the front door open. The attackers need to be much more sophisticated and motivated. Nevertheless, the potential for extracting plenty of sensitive data is still there, and SBI shouldn't underestimate it.

January 31, 2019