ICICI bank closes loophole after NDTV Gadgets report

By Gopal Sathe | Updated: 21 April 2014 09:51 IST
Story updated to reflect latest events.

After NDTV Gadgets reported today on a loophole that allowed access to ICICI bank account statements on the internet, the bank appears to have fixed the problem.

ICICI seems to have changed how the e-statements are generated under net-banking. Directly visiting a URL that NDTV Gadgets found vulnerable now gives a "cannot find server" message. Earlier, we were able to access monthly statements of other customers using very basic information about their accounts.

A spokesperson of ICICI bank, India's second-largest bank with subsidiaries around the world, said in a statement on Friday evening, "ICICI Bank would like to clarify that it has thoroughly checked its website and there is no vulnerability. The bank has robust systems and processes to ensure the highest standards of privacy and confidentiality of customers' data. We will investigate the said report and take appropriate actions if required."

An independent researcher, Ayush Ghosh, contacted NDTV Gadgets with information about the flaw in ICICI Bank's security protocols, which allowed account statements to be accessed without logging into net banking. Journalists at NDTV Gadgets independently verified that this could be done. The method did not work for one customer, but three account statements could be accessed.

When NDTV Gadgets contacted ICICI Bank's Sujit Ganguli, Sr. General Manager, Head-Corporate Communications and Brand this morning, he said he was not aware of this vulnerability. A bank representative later told NDTV Gadgets that ICICI was working urgently to correct the problem.

While we are not revealing the exact methodology for obvious reasons, our readers should know that the method of the hack was exceedingly simple. It needed just a bit of copy-pasting and information that people usually share without thinking twice. You did not need to be logged in to net-banking to repeatedly exploit the loophole, and you did not need to have any coding knowledge or any sort of technical know-how.

Ghosh, who works at BookMyShow in Bangalore, contacted NDTV Gadgets with the information, which he says he noticed when operating his own account. Before contacting NDTV Gadgets, Ghosh said he tried to warn ICICI by emailing them on the contact IDs provided on the bank's website. He said he got no response.
 
It is worth noting that no one could access your account itself, and so could not have carried out malicious transactions or taken any action other than seeing your account statement.

However, a person could, till the vulnerable URL began throwing up an error, access your monthly account statement, which includes all financial transactions, along with your name and address. This is of serious concern because, with access to a person's address and information like the "last three transactions", anyone could possibly call the bank and misrepresent themselves as the account holder. Alternatively, someone could call ICICI customers and pretend to be from the bank and "authenticate" themselves using the information available on these statements.
 
New Delhi-based cyber-security consultant Dominic K. spoke to NDTV Gadgets and discussed the multiple layers of security that banks have in place, which include multi-factor authentication, encryption, secure connectivity (SSL and HTTPS), and identity management systems. He added, "We have not heard of any serious attacks that were successful. These are industry practices that meet global standards."
 
In light of the discovery of this flaw, it is advisable that bank customers ensure that they use strong passwords and enable multi-factor authentication wherever possible. It is also advisable not to share passwords or even more basic details like bank account number, customer ID or personal details as listed with the bank.
