“Basis our initial probe, we hereby confirm that SBI’s data continue to remain secure and all profiles and financial records of our customers are safe,” a bank spokesperson said in a note. “The bank is continuing its investigation into all the components of the ecosystem to ascertain that there is no other impact.”
Earlier, the foreign Web site claimed that the SBI server was located in a Mumbai data centre and was not protected by a password for an unknown period. This allowed anyone access to financial information, such as bank balances and recent transactions, on millions of SBI customers.
According to a senior bank official who ET spoke with, there is cause for concern because of the lengthy chain in a transaction set.
For each transaction, the bank sends an alert by a text message. The bank system creates the SMS and then sends it to a service provider, generally an aggregator. The aggregator has arrangements with some telecom companies, and forwards it to a telecom company, which in turn sends it to the recipient’s telecom company that finally delivers it to the handset of the customer.
“Each player in these delivery chains assumes the responsibility for its role,” said the person cited above.
Customers should install applications from trusted sources, such as Google Play Store, after verifying the correct nomenclatures from the bank.
“Even if the claims of the hackers are true, the maximum damage could be a social engineering attack in different forms and modes,” said Rakshit Tandon, a Delhi-based cyber-crime expert. “There can be fake calls, SMS, or emails, which may result in fraudulent activities. Customers should be aware of any such social engineering.”