Biggest data breach in Indian Banking ?

If you are an ICICI bank customer, beware that your Bank account information is open to anybody who is in possession of your mobile. This is breach of privacy under the age old Banking laws besides it is a violation of Section 72A and Section 43A of ITA 2000/8 on which the CEO of the Bank can be imprisoned for 3 years and compensation claimed for the loss.

This is because, if anybody takes your mobile (If it is the registered mobile associated with the account) and types *99# in the calling dial pad and hits enter, the USSD code would execute and ask for first four letters of the IFSC code to be entered. When you enter ICIC, you  will be given direct access to the bank account with options to

1) View Balance

2) See mini statement

3) Send Money using MMID

4)Send Money using IFSC

5) Generate MPIN

For viewing the balance and mini statement, there is no password requirement and on entering the code 1 or 2 the relevant information would be displayed on the mobile.

It is unfortunate that this security flaw exists not only in ICICI bank but in a few other Banks as well. Readers can check their mobiles and keep me informed about other Banks.

I hereby give notice to ICICI Bank and RBI as well as CERT IN that the above flaw puts “Sensitive Personal Information” of ICICI Bank customers at risk of Breach of Privacy and consequential further risk of monetary loss.

The incident should be an eye opener to Indian Bankers led by RBI and IBA where they have embraced the mobile technology without understanding the risks associated therewith. This is negligence at the level of the highest banking authorities in India and exposes the systemic inadequacies.

The incident is a potential “Data Breach” and according to Section 79 read with Section 43A, should be reported by Banks to CERT IN. Will CERT IN respond if they take action?

Hope the Finance Minister and the PM takes note.

Whether politicians take note or not, whether the Bankers take note or not, I request public to take note and initiate corrective action. I hope some body files a PIL in a Court and demand answers from the Banks.



About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

4 Responses to Biggest data breach in Indian Banking ?

  1. Lalu Prasad Yadav says:

    Its an NPCI platform that allows for this, not the Bank’s. The Banks systems interact with NPCI’s servers in the format given. So how will a Bank be liable?

    Since you’re such a “cyber expert”, you should be aware of this before posting such nonsense…

    • Customer’s contract is with the Bank and it includes privacy and security responsibilities. If Bank outsources part of its work to another company such as NPCI, it continues to be liable for the actions of NPCI that is not in conformity with the contract. This is what Section 43A and Section 79 hint under ITA 2000/8…at least to my understanding.

      Glad to know that Lalu has become a Cyber Expert. But I am confused..When did Lalu acquire such profound knowledge?

      Or…Is it impsersonation?. I am sure it has to be an impersonation of either Lalu Prasad Yadav or Shashank. In either case it is an offence punishable under law…Find out which?

  2. Sailesh Rathore says:

    Smart Phones with Android can be hacked easily by various malware including that made by CIA. Banking through mobile is always a risk of data breach in various ways.

    See below: CIA Hacking tools revealed

  3. Pingback: ICICI Bank's denial of the data breach claim

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.