Report says India’s .bank.in registry exposed sensitive bank employee data
India’s central bank moved in 2025 to strengthen trust in online banking by requiring domestic banks to use the .bank.in namespace for their web presence. The goal was to make phishing and impersonati...
India’s central bank moved in 2025 to strengthen trust in online banking by requiring domestic banks to use the .bank.in namespace for their web presence. The goal was to make phishing and impersonation harder by giving customers a clearer way to identify legitimate banking sites.
A new report now alleges that the system meant to support that effort was itself exposed to serious security problems. According to the findings, the Institute for Development and Research in Banking Technology (IDRBT), which serves as the exclusive registrar for the namespace, left a public-facing registration portal accessible through numerous unauthenticated API endpoints.
The report claims that the open interfaces could have revealed large amounts of information about bank staff responsible for managing domain registrations. The data allegedly included password hashes, phone numbers, email addresses, login IP addresses, and device fingerprints tied to thousands of users. The researcher behind the disclosure said the portal also made it possible to identify how some banks host their sites and where those systems are located.
Additional concerns raised
- Some bank websites were reportedly hosted on shared infrastructure in countries including the United States, Singapore, and Lithuania.
- About 80% of registered .bank.in domains were said not to use DNSSEC.
- Roughly 40% were reportedly missing DMARC, a control that helps verify sender identity in email.
- Many of the domains were said to use free Let’s Encrypt certificates.
The researcher also alleged that the portal went live without a full security review and remained exposed for more than a year. The findings were reportedly shared in early June, and the researcher says IDRBT has since corrected the weaknesses.
While some of the data appears to have been published in a GitHub repository after the disclosure, the original claim is that the API exposure could have given attackers enough information to impersonate bank staff or support phishing and DNS-related attacks. As of publication, IDRBT, the Reserve Bank of India, and the Indian government had not publicly commented on the allegations.
