Public mentions of SIM swapping attacks[1][2][3] on Indian retail banking customers are not very new news in India (indeed there is a whole Netflix series on it). Now I don't know about you, but these specific attacks don't seem so pedestrian in, say, the US as compared to India[3]? (Although there are identity scams all the time in the US.) Regardless of what's going on, I wanted to put out there what I think is the root of the problem. Consider this a PSA.
What is really odd is that establishing identity (of the device, and the person) is really at the core of the problem, and no one seems to get it in the Indian banking industry, but it is not so complex a problem to solve[6]. The irony is that cell phone lines in India now require you to link to a National Identification number (aka Aadhaar)[4]; if not, you have to provide extensive documentation. Opening/making changes to your bank accounts is also backed up by extensive KYC norms[5] (check out the mentions of V-CIP in [5]). But there is no guidance on the very real problem, which is these attacks after you establish the identity the first time. Banks I have worked with, like ICICI, Kotak, Yes Bank, have poor identity practices in general, leading to such attacks becoming commonplace.
Sadly there is nothing on the horizon for establishing identity using modern methods (Zero Trust tech like Duo[6] etc., which I assumed is industry standard now in many major US banks). You don't necessarily need an expensive YubiKey; most smartphones can do the job. Here is the idiocy of the identity establishment process for a typical Indian bank:
Any time I have to open an account, add a joint account holder, change my address or, less commonly, my cell number, there is a request to send clear-text sensitive documents over email to establish identity and (if you are an Indian overseas) an expensive physical document pickup from your location as well to establish identity. This would be fine for the first time you open an account, but makes no sense for later operations. Meanwhile the remaining, sensitive, day-to-day operations like bank transfers are wide open to the aforementioned attacks.
To me, Zero Trust tech like Duo[6] would solve a lot of your identity issues and these attacks for a vast majority of the Indian population (India has the youngest population in the world, which makes it more tech savvy). Meanwhile, grow eyes in the back of your head if you have a bank account in India, because the Indian banking system does not seem to have any robust solution to this problem, or maybe even care.
[1] https://indianexpress.com/article/technology/tech-news-techn...
[2] https://telecom.economictimes.indiatimes.com/news/telecom-fi...
[3] https://timesofindia.indiatimes.com/city/delhi/cybercrooks-p... (by the Times of India and The Deccan Herald)
[4] https://www.indiatoday.in/information/story/heres-how-an-ind...
[5] https://www.rbi.org.in/CommonPerson/english/scripts/notifica...
[6] https://duo.com/product
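To make concrete why a smartphone-bound factor holds up where an SMS code does not, here is an added, constructed example (not code from the post above and not Duo's product): a toy bank verifier with both paths side by side. The key enrolled on the handset at the one-time KYC step never leaves it, so moving the phone number to another SIM moves the SMS OTP but not the ability to answer the bank's challenge. All names (`Bank`, `Phone`, `MobileNetwork`, the customer id and number) are hypothetical, and a shared HMAC key stands in for the public-key registration a real scheme such as WebAuthn would use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration, not code from the post or from Duo. It contrasts
# the two second factors discussed above: an SMS OTP, which reaches whoever
# currently holds the phone NUMBER, and a key enrolled on the handset itself,
# which a SIM swap does not move. All names here are hypothetical.

CHALLENGE_TTL = 60  # seconds a device challenge stays valid


class MobileNetwork:
    """Routes SMS to the inbox currently bound to a number."""
    def __init__(self):
        self._inboxes = {}  # number -> list of received messages

    def bind(self, number, inbox):
        self._inboxes[number] = inbox  # a SIM swap is exactly a rebinding

    def deliver(self, number, text):
        self._inboxes[number].append(text)


class Phone:
    """The customer's handset. The device key is created here at enrollment
    and never leaves; only signatures over bank challenges do."""
    def __init__(self):
        self._device_key = secrets.token_bytes(32)

    def enrollment_material(self):
        # A real scheme registers a public key (e.g. WebAuthn); a shared HMAC
        # key keeps the example short without changing the point.
        return self._device_key

    def sign(self, challenge):
        return hmac.new(self._device_key, challenge, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, network):
        self._network = network
        self._numbers = {}      # customer -> phone number on file
        self._device_keys = {}  # customer -> key enrolled at the one-time KYC step
        self._challenges = {}   # customer -> (nonce, expiry)
        self._sms_otps = {}     # customer -> OTP last sent

    def enroll(self, customer, number, phone):
        self._numbers[customer] = number
        self._device_keys[customer] = phone.enrollment_material()

    # --- SMS OTP path: trust follows the number ---
    def send_sms_otp(self, customer):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sms_otps[customer] = otp
        self._network.deliver(self._numbers[customer], otp)

    def verify_sms_otp(self, customer, otp):
        expected = self._sms_otps.pop(customer, None)
        return expected is not None and hmac.compare_digest(expected, otp)

    # --- device-bound path: trust follows the enrolled key ---
    def issue_challenge(self, customer, now=None):
        nonce = secrets.token_bytes(16)
        self._challenges[customer] = (nonce, (now or time.time()) + CHALLENGE_TTL)
        return nonce

    def verify_device(self, customer, response, now=None):
        entry = self._challenges.pop(customer, None)  # single use, so no replay
        key = self._device_keys.get(customer)
        if entry is None or key is None:
            return False
        nonce, expiry = entry
        if (now or time.time()) > expiry:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def simulate_sim_swap():
    """Returns what each factor decides after the number is moved away from
    the enrolled handset (constructed scenario)."""
    network = MobileNetwork()
    bank = Bank(network)
    phone = Phone()
    number = "+91-00000-00000"  # constructed placeholder number
    customer_inbox, other_inbox = [], []
    network.bind(number, customer_inbox)
    bank.enroll("cust-1", number, phone)

    # The number is rebound to a different SIM; the handset and its key are unchanged.
    network.bind(number, other_inbox)

    bank.send_sms_otp("cust-1")
    sms_accepts_other_sim = bank.verify_sms_otp("cust-1", other_inbox[-1])

    nonce = bank.issue_challenge("cust-1")
    response = phone.sign(nonce)
    device_accepts_enrolled_phone = bank.verify_device("cust-1", response)
    device_accepts_replay = bank.verify_device("cust-1", response)

    nonce = bank.issue_challenge("cust-1")
    device_accepts_other_key = bank.verify_device("cust-1", Phone().sign(nonce))

    return {
        "sms_accepts_other_sim": sms_accepts_other_sim,
        "device_accepts_enrolled_phone": device_accepts_enrolled_phone,
        "device_accepts_replay": device_accepts_replay,
        "device_accepts_other_key": device_accepts_other_key,
    }


if __name__ == "__main__":
    print(simulate_sim_swap())
```

The point of the two paths sitting in one class is that the bank's verifier, not the customer, decides which factor a transfer depends on; if the transfer path only ever calls `verify_sms_otp`, enrolling the handset changes nothing. The challenge is single-use and time-limited so a captured response cannot be reused.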
You know, I saw in my village a gentleman forcing the bank manager to set a password for him on a phone pushed in front of the uncomfortable young bank manager because he didn’t know how to sign up for mobile banking and he wanted to use UPI. No, the gentleman didn’t plan to change the password. Later the bank manager told me this is as common as it gets.
I see. This is more of a frustrated rant, and I wouldn’t say it’s entirely invalid, but misplaced, yes. In a place like India you can’t really think of specs, best practices, and certifications alone. That’s far from ideal, but that’s how it is for a place where a huge challenge is still the “reach and access of modern banking”.
You have mentioned "the problem", "the real problem", etc. a couple of times — seems I missed it in your post.