If you are an ICICI bank customer, beware that your Bank account information is open to anybody who is in possession of your mobile. This is a breach of privacy under the age-old Banking laws; besides, it is a violation of Section 72A and Section 43A of ITA 2000/8, for which the CEO of the Bank can be imprisoned for 3 years and compensation claimed for the loss.
This is because, if anybody takes your mobile (if it is the registered mobile associated with the account), types *99# in the calling dial pad and hits enter, the USSD code executes and asks for the first four letters of the IFSC code to be entered. When you enter ICIC, you are given direct access to the bank account with options to:
1) View Balance
2) See mini statement
3) Send Money using MMID
4) Send Money using IFSC
5) Generate MPIN
For viewing the balance and mini statement, there is no password requirement: on entering the code 1 or 2, the relevant information is displayed on the mobile.
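The gap described above is that possession of the registered mobile is the only factor checked before options 1 and 2 disclose account data. The following is an added example, not the bank's code: a toy model of the menu with that behaviour beside a hardened one that demands the MPIN and locks after repeated failures. The class, field names, sample account, MPIN value and lockout limit are all constructed assumptions.

```python
import hmac

MENU = {
    "1": "View Balance",
    "2": "See mini statement",
    "3": "Send Money using MMID",
    "4": "Send Money using IFSC",
    "5": "Generate MPIN",
}
DISCLOSES_DATA = {"1", "2"}   # options that reveal account information
MAX_MPIN_TRIES = 3            # assumed lockout threshold


class UssdSession:
    """One USSD session; the MSISDN only proves possession of the handset."""

    def __init__(self, msisdn, accounts, require_mpin_for_view):
        self.account = accounts[msisdn]      # looked up by registered mobile
        self.require_mpin = require_mpin_for_view
        self.failed = 0

    def select(self, option, mpin=None):
        if option not in MENU:
            return "INVALID OPTION"
        if option in DISCLOSES_DATA and self.require_mpin:
            if self.failed >= MAX_MPIN_TRIES:
                return "LOCKED"
            if mpin is None:
                return "MPIN REQUIRED"
            # Constant-time comparison; a real system would store a
            # salted verifier rather than the MPIN itself.
            if not hmac.compare_digest(mpin, self.account["mpin"]):
                self.failed += 1
                return "MPIN INCORRECT"
        if option == "1":
            return f"BALANCE {self.account['balance']}"
        if option == "2":
            return "MINI " + ",".join(self.account["mini"])
        return "NOT MODELLED"  # options 3-5 are outside this sketch


# Constructed sample data, not real account details.
ACCOUNTS = {"+910000000000": {"mpin": "4821", "balance": "1500.00",
                              "mini": ["-200.00", "+1700.00"]}}
```

With `require_mpin_for_view=False` the session behaves as the post describes; with `True`, a person holding the handset but not knowing the MPIN gets no balance or statement.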
It is unfortunate that this security flaw exists not only in ICICI bank but in a few other Banks as well. Readers can check their mobiles and keep me informed about other Banks.
I hereby give notice to ICICI Bank and RBI as well as CERT IN that the above flaw puts “Sensitive Personal Information” of ICICI Bank customers at risk of Breach of Privacy and consequential further risk of monetary loss.
The incident should be an eye opener to Indian Bankers led by RBI and IBA, who have embraced the mobile technology without understanding the risks associated therewith. This is negligence at the level of the highest banking authorities in India and exposes the systemic inadequacies.
The incident is a potential “Data Breach” and according to Section 79 read with Section 43A, should be reported by Banks to CERT IN. Will CERT IN respond if they take action?
Hope the Finance Minister and the PM take note.
Whether politicians take note or not, whether the Bankers take note or not, I request the public to take note and initiate corrective action. I hope somebody files a PIL in a Court and demands answers from the Banks.