After Thefts, RBI Warns Cooperative Banks of App Risks
Banks Urged to Carefully Assess Third-Party Apps for Vulnerabilities
It warned the banks to ensure the versions of third-party apps they're using meet adequate security requirements by using appropriate risk assessment methods. But will banks heed the advice?
The regulator brought to light a case of data theft in some of the cooperative banks in Nagpur jurisdiction in Maharashtra State, which deployed what RBI portrays as a vulnerable version of the core banking application from Ahmedabad-based Acute Informatics Pvt. Ltd. RBI's letter stated that hackers stole all customer credentials from the banks' servers and offered it for sale on the dark net.
The big challenge for these smaller banks throughout India is how to tighten security at the server and application layers and how to evaluate third-party core banking applications. Given that there are close to 2,000 cooperative banks in India, which are often dependent on third-party applications and lack the skills or capabilities to assess third-party applications and their security features, they could be at great risk.
So how will these banks strengthen their security architecture and fight growing cyber threats?
The Case in Question
RBI, in a July 13 letter to Nanded-based District Cooperative Bank obtained by Information Security Media Group, stated: "According to the national portal of India, under the aegis of Ministry of Finance, there has been a cyberattack on the server of the bank and hackers have stolen data pertaining to customer credentials - including customer codes, consumer codes, real time gross settlement [RTGS] and extracted passwords, which [were] sold in the dark net." The notice further stated that the bank used a vulnerable version of one core banking application, Easy Bank Core Web, from Acute Informatics Pvt. Ltd., which resulted in data exposure to the hackers.
RBI's chief manager, Dr. P S Venkateshan, further instructed the bank to conduct a vulnerability assessment and penetration test of its entire Information & Communication Technologies system to discover vulnerabilities and also patch them in the application layer, conduct a thorough system audit, and report to the RBI within a week.
What is surprising is that RBI, apparently for the first time, has squarely blamed a third party, cited the bank for its weak ICT system and acted on the national portal's risk assessment findings.
But there are many banks that run their core banking systems using third-party applications - because they come at a cheaper price than developing them on their own. And many do not have appropriate audits in place.
Some security practitioners tell me that over 50 banks in the Maharashtra region alone use the Easy Bank Core Web application. What's most surprising, one security practitioner told me, is that flaws apparently were discovered at both infrastructure and application levels, which resulted in data compromise at the affected banks.
Milind Rajhans, former CISO of Hyderabad-based AP Mahesh Cooperative Bank, says a majority of these smaller banks do not have proper audits in place as per RBI requirements. They also lack in-house capabilities to fix the security gaps or deploy appropriate tools as well as funds to hire audit agencies.
Acute Informatics Responds
RBI stated that the Nanded-based District Cooperative Bank's data was stolen as a result of its use of Acute's core banking application, which contained vulnerabilities. Acute Informatics' CEO Chirag Patel, however, contends that the cause of the attack was not the core banking application. "While I am not passing the buck - we should have taken appropriate measures while deploying the app - the bank's infrastructure lacked basic security," he claims.
Patel contends that the bank did not have the basic security infrastructure and firewall in place. Even the email IDs were configured wrong, so the system ID could not spot the inaccuracies in the system, he claims.
"The bank had not conducted any audit for almost five years, and the RTGS platform which was connected to the ICICI Bank back end platform for transaction process had severe security lapses," Patel says. "Since these were pushed through core banking, the entire blame was placed on Acute's platform, which should not be the case."
Patel says he and his team are conducting a thorough VAPT test of all the logs and will submit a report to RBI in an effort to prove that the bank's hacking incident was not caused by vulnerabilities in the vendor's system.
RBI's Venkateshan refused to discuss the details of the case. "Please wait for some time to know more details. And I don't think the District Cooperative Bank will be in a position to discuss the same," he told ISMG.
Nanded-based District Cooperative Bank could not be reached for comment.
Prakash Ranjan, manager-IT and IS, Canara Bank, says these regional rural apex banks should turn to larger banks for infrastructure support.
The Institute for Development and Research in Banking Technology has created a private cloud that these smaller banks can use to securely store their critical data, but it appears that this is not being widely used.
RBI recommends that cooperative banks analyze their IT operation environment, including technology, human resources and implemented processes, to identify threats and vulnerabilities.
These banks should conduct a periodic risk assessment, RBI says, which should identify internal and external risks as well as risks associated with individual platforms, systems or processes, as well as automated processing units. A risk assessment process should quantify the probability of a threat and vulnerability, and the financial consequences of such an event.
It is imperative for these banks to ensure they have reasonable security best practices.