India's Largest Bank SBI Leaked Account Data On Millions of Customers (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: India's largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions. The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system that customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500, use to request basic information about their bank accounts. But the bank had not protected the server with a password, allowing anyone who knew where to look to access information on millions of customers.
The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer's partial bank account number. Some would say when a check had been cashed, and many of the bank's sent messages included a link to download SBI's YONO app for internet banking. The bank sent out close to three million text messages on Monday alone. The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers' finances. SBI claims more than 500 million customers across the globe with 740 million accounts.
Just look at their shitty front page and the scrolling marquee with only the text "sadasdasd" https://www.onlinesbi.com/
Boring
I mean, imagine someone with an Indian accent called you with "Sir, I'm from your bank and we have to inform you ..."
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Next time they get a call from Windows, they better not hang up.
When QA tests the functionality, but nobody checks the security. Plenty of times all you have to do is review the code and ask the question "who is allowed to see this?" to figure out if the answer is "everybody in the world", and decide if that's OK or not.
"Everybody's naked underneath" -- The Doctor
Having been at companies who had outsourced development tasks to India, I can't say I'm surprised.
For the first two weeks the people you get seem to know what they're talking about ... then you get the second and third string teams.
We started seeing evidence of multiple people using the same email address, because they were sending contradictory messages from the same email minutes apart, and the quality of the work went downhill and the understanding of what was being asked of them dropped to the point of being like explaining it to a child.
Suddenly the email address from the guy who gave good answers was replying without even a basic understanding of the question.
We once opened a ticket to install a specific version on four servers ... we got one server correctly installed, one with the wrong version of the software, and for the last two they sent us their procedure manual to install it ourselves -- ummm, no, we're paying *you* to do this shit, not be given instructions for how to do it. We already know how to do this, so what is the point in paying you if you're not going to do it?
So, yeah, a data center in Mumbai is enough to tell me that who you think you have running your stuff, and what you think their skill level is, is a complete fiction behind a shared email address.
This sounds like a pretty epic security fail, but in no way does it surprise me.
Well, they are just keeping with the trends really. Catching up to the developed world and its security standards.
Over my years of experience, this issue isn't with the skill of the Indians, but the culture of India. You take this person, ship them to America, have them work in an American office, and pay them a rate competitive with the others in that office for that job, and within a few weeks they are as productive as any other employee.
But in the work culture in India, even with the price parity difference, they are getting paid less, and are really expected to do less. So they will do exactly what they are told, without putting in any context on what they are doing.
Working with a developer in India, I had asked them to make a function that would take any random person in the database and give me their info back. My mistake was saying "random person" vs. telling them to use the person_id value as a parameter.
So after a few days, I went back to check on his status, as this should have only taken a day. And he was still trying to figure out how to load random people from the database. So I was annoyed in three areas.
1. They didn't bother thinking about the reason for the feature I was asking for, and didn't comprehend that I wanted a parameter.
2. It took them so long to figure out how to pull a random patient from the database (that would be an easy thing to do).
3. They never communicated with me that they had a problem.
If they were in the office with me, they would see that our team was open to helping others in the team, and there was a lot of discussion back and forth on the specs given to make sure goals were clear, and while I was the boss (Lead Architect), my word wasn't final, especially if what I said wasn't clear to them, and I was open to discussions and sometimes bigger changes.
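The lookup in the comment above, written out as an added example (not code from the thread or from any poster) to show the difference between the literal "random person" spec and a parameterised lookup, and to answer the earlier question "who is allowed to see this?" in code. The table name, column names and the staff/self authorization policy are assumptions for illustration; the rows are constructed sample data. The unchecked variant is included deliberately to show that a string-built query with no authorization check answers that question with "everybody", which is the same failure mode as an unauthenticated database.

```python
import sqlite3

# Constructed sample data for the example; not real people or balances.
SAMPLE_PEOPLE = [
    (1, "Asha", "9876543210", 12000.50),
    (2, "Ravi", "9123456780", 530.00),
    (3, "Meera", "9988776655", 78000.00),
]


class NotAuthorized(Exception):
    """Raised when the requester may not view the requested record."""


def make_db():
    """Build an in-memory sqlite database with a hypothetical 'person' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (person_id INTEGER PRIMARY KEY, "
        "name TEXT, phone TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", SAMPLE_PEOPLE)
    conn.commit()
    return conn


def can_view(requester, person_id):
    """Hypothetical policy: a person may view their own record; staff may view any."""
    return requester.get("role") == "staff" or requester.get("person_id") == person_id


def get_person_unchecked(conn, person_id):
    """The bad version: query built from a string, no authorization check.
    Anyone holding a connection can read anyone, and a crafted person_id
    such as "1 OR 1=1" returns the whole table."""
    sql = "SELECT person_id, name, phone, balance FROM person WHERE person_id = %s" % person_id
    return conn.execute(sql).fetchall()


def get_person(conn, requester, person_id):
    """The intended version: person_id is a typed parameter, the query is
    parameterised, and the caller must be allowed to see the record."""
    if not isinstance(person_id, int):
        raise TypeError("person_id must be an int")
    if not can_view(requester, person_id):
        raise NotAuthorized("requester may not view person_id=%d" % person_id)
    row = conn.execute(
        "SELECT person_id, name, phone, balance FROM person WHERE person_id = ?",
        (person_id,),
    ).fetchone()
    if row is None:
        return None
    return {"person_id": row[0], "name": row[1], "phone": row[2], "balance": row[3]}


def get_random_person(conn, requester):
    """What the literal spec asked for. Still goes through get_person so the
    authorization check applies; only staff can pick an arbitrary record."""
    if requester.get("role") != "staff":
        raise NotAuthorized("only staff may browse arbitrary records")
    row = conn.execute("SELECT person_id FROM person ORDER BY RANDOM() LIMIT 1").fetchone()
    return get_person(conn, requester, row[0])


def demo():
    """Run the three cases and return the outcomes for inspection."""
    conn = make_db()
    results = {}
    results["self_lookup"] = get_person(conn, {"person_id": 2}, 2)
    try:
        get_person(conn, {"person_id": 2}, 1)
        results["cross_lookup_denied"] = False
    except NotAuthorized:
        results["cross_lookup_denied"] = True
    results["staff_random"] = get_random_person(conn, {"role": "staff"})
    # The unchecked function leaks every row to an injected predicate.
    results["unchecked_rows"] = len(get_person_unchecked(conn, "1 OR 1=1"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The parameter type check matters as much as the placeholder: the unchecked function is not only injectable, it also has no notion of a requester at all, so a code reviewer asking "who is allowed to see this?" gets the answer "everybody" straight from its signature.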
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
They're scum and smell vermin. Who cares if their details are leaked? They're subhuman.
Fuck off APK
"They didn't bother thinking about the reason for the feature I was asking for, and didn't comprehend that I wanted a parameter."
If you know there's a language barrier, and you ask for random when you mean specific, you have only yourself to blame.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Pretty soon it will get the government to pass a law to make it illegal to access databases without a password. Then it will display a warning saying it is illegal to access this database. And then wash its hands of it, saying, "we can't be held responsible for the criminal actions of the miscreants. Affected parties are advised to file complaints against the trespassers with the appropriate authorities who would do the needful". Then they will return to the status quo ante.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
As an Indian working in India my experience has been exactly the opposite. Every single innovative idea has met dismissal from British or American bosses over my career. Twice I have won the internal competitions of creating tools in two different companies (both product companies, not service), both times my immediate manager was given super tight deadlines and when he refused to give me any time to work on those tools, I couldn't blame him. When I was working in a service company, it was basically hammered into me to not do anything new by consistently giving me bad feedback for 'not asking enough questions'.
There is no problem in Indian culture or people or whatever excuse rich people in developed countries have. The problem is that it is difficult to see some poor person working under worse conditions, getting less pay, having a worse quality of life, put up with it and still try to do just as good a job as you. Your conscience won't allow it! So India gets a shitload of UI related work while all the backend work remains un-outsourced.
It is not about India anyway - fucking iPhone is manufactured in China but 'designed' in California? Why? Most innovation in mobile phones is happening in China today. (Needless to say, whatever China stole, innovation is original.)
To be fair, when the customer asks for something stupid, an experienced professional will verify that they actually want what they asked for rather than just doing it blindly. Especially if there may be a language barrier, or it's possible the customer is using an unfamiliar idiom.
There's a key cultural difference here - in China and India, you don't question the person giving the orders (the customer when they're paying you, or your boss). I've seen this go badly in various ways. For example two Chinese student pilots in Melbourne were practicing a landing. The pilot forgot to lower the gear, and they walked away unhurt from a belly landing. When asked, the co-pilot said he realised the pilot hadn't lowered the gear, but had said nothing because he didn't want to disrespect his superior (as co-pilot, he felt that the pilot was his superior in that situation). Of course, this defeats the purpose of having the co-pilot in the first place.
As an Indian Australian running a business in China, I find this frustrating at times. If someone nominally subordinate realises something I ask for is a bad idea, I want them to tell me before we waste time/effort/money on it. In Australia, people will let me know pretty quickly, but in China I have to actually ask if they see any issues, or they're unlikely to tell me due to cultural hangups about questioning your superior.