
IDRBT Botches New .bank Domain? Report Claims RBI Program Meant to Protect Against Cyber Attacks and Fraud Exposed Sensitive Information

The allegations further stated that the flaw could even expose the details of 5,576 bank employees who manage these banking domains

Author : NewsGram Desk

India’s RBI launched the .bank.in domain in 2025 to secure digital banking, but researcher Srikanth L of Cashless Consumer alleges IDRBT’s registration portal exposed sensitive data. He claims over 33 unauthenticated REST APIs could leak bcrypt password hashes, contact details, IPs and device fingerprints of 5,576 bank staff.

DIGITAL BANKING has become the next major evolution in the Indian banking system. As more services, such as paying bills and applying for loans, have moved online, the risk of online fraud has also increased. To counter these risks, the Reserve Bank of India (RBI) introduced the .bank.in domain program for all Indian banks in 2025. The domains are managed by the Institute for Development and Research in Banking Technology (IDRBT). 

The move aimed to create trusted and secure online spaces for users, ensuring that the websites they visit are genuine and authorized banking portals. This initiative allows users to differentiate legitimate bank websites from fake ones that engage in phishing attacks, in which fraudsters steal sensitive information such as passwords, usernames, credit card numbers, and other personal data.

What are the flaws found in the Cashless Consumer research?

Despite the aim of the initiative, in a recent development, a security researcher named Srikanth L from Cashless Consumer alleged that IDRBT's domain registration portal failed to carry out its responsibility and leaked sensitive information. IDRBT was established by the RBI and is responsible for managing the .bank domains of all banks.

The researcher claimed that the website domain, which was intended to strengthen security against fraudsters and phishing attacks, had a major flaw that could expose sensitive data through more than “33 unauthenticated REST API endpoints”. The allegations further stated that the flaw could even expose the details of 5,576 bank employees who manage these banking domains.

Personal details such as bcrypt password hashes, mobile numbers, email addresses, login IP addresses, and device fingerprints were allegedly at risk. The researcher claimed, “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”


The report by Srikanth L further noted that, out of the 1,497 registered domains, only 6.9% matched the RBI IFSC and DICGC insurance records. It further added, “the rest include phantom test domains, gibberish registrations, and non-bank entities, several with live SSL certificates.” 

What is a .bank domain? 

The older format of a bank website was www.nameofthebank.in, while the updated domain format is https://nameofthebank.bank.in.

The newer format was introduced by the RBI amid the rising number of cyber fraud cases, in which customers are targeted by fake banking websites that trick them into sharing their personal data. The .bank.in domain assures customers that the website they are visiting belongs to a genuine, licensed bank. Fake websites cannot use this domain, ultimately helping reduce online data theft and the misuse of customers' sensitive information.

[VS]

(Edited by Harsh Pandey)

FAQs

What is Cashless Consumer?

Cashless Consumer is a group that promotes the vision of a cashless society in India.

What is IDRBT in banking?

IDRBT stands for the Institute for Development and Research in Banking Technology. It was established by the Reserve Bank of India (RBI).

What is a .bank.in domain? 

.bank.in is a verified domain introduced by the RBI to protect customers from phishing attacks and data fraud.
