IDRBT Botches New .bank Domain? Report Claims RBI Program Meant to Protect Against Cyber Attacks and Fraud Exposed Sensitive Information

The allegations further stated that the flaw could even expose the details of 5,576 bank employees who manage these banking domains
Photo: a person holding a credit card while shopping online on a laptop at home (www.kaboompics.com via Pexels).

DIGITAL BANKING has become the next major evolution in the Indian banking system. As more services, such as paying bills and applying for loans, have moved online, the risk of online fraud has also increased. To counter these risks, the Reserve Bank of India (RBI) introduced the .bank.in domain program for all Indian banks in 2025. The domains are managed by the Institute for Development and Research in Banking Technology (IDRBT). 

The move aimed to create trusted and secure online spaces for users, ensuring that the websites they visit are genuine and authorized banking portals. This initiative allows users to differentiate legitimate bank websites from fake ones that engage in phishing attacks, in which fraudsters steal sensitive information such as passwords, usernames, credit card numbers, and other personal data.

What are the flaws found in the Cashless Consumer research?

Despite the aim of the initiative, in a recent development, a security researcher named Srikanth L from Cashless Consumer alleged that IDRBT's domain registration portal failed to carry out its responsibility and leaked sensitive information. IDRBT was established by the RBI and is responsible for managing the .bank domains of all banks.

The researcher claimed that the website domain, which was intended to strengthen security against fraudsters and phishing attacks, had a major flaw that could expose sensitive data through more than “33 unauthenticated REST API endpoints”. The allegations further stated that the flaw could even expose the details of 5,576 bank employees who manage these banking domains.

Personal details such as bcrypt password hashes, mobile numbers, email addresses, login IP addresses, and device fingerprints were allegedly at risk. The researcher claimed, “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”
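The pattern described in the report is an endpoint that answers anonymous callers and serialises whole employee rows, hash included. The following is an added illustration written for this article, not IDRBT's code: a minimal, framework-free handler in that shape beside a hardened version that refuses unauthenticated sessions and only emits an allowlist of fields, plus a response-side check a defender can run against any serialised body. All record values are constructed placeholders.

```python
# Added illustration for this article; constructed data, not IDRBT's code.
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class EmployeeRecord:          # fields mirror those named in the report
    employee_id: int
    email: str
    mobile: str
    password_hash: str         # bcrypt hash; must never leave the server
    last_login_ip: str
    device_fingerprint: str


# Constructed sample row (placeholder values, no real person or hash).
_DB = {
    101: EmployeeRecord(101, "ops@examplebank.example", "+91-00000-00000",
                        "$2b$12$placeholderplaceholderplaceholderplaceholder",
                        "192.0.2.10", "fp-constructed-1"),
}

# The only attributes a caller may legitimately see about an employee.
PUBLIC_FIELDS = ("employee_id", "email")
# Attributes the report says were exposed; a response must never carry them.
SENSITIVE_FIELDS = {"password_hash", "mobile", "last_login_ip", "device_fingerprint"}


def vulnerable_get_employee(employee_id: int) -> Optional[dict]:
    """Shape of the alleged flaw: no session check, whole row returned."""
    rec = _DB.get(employee_id)
    return asdict(rec) if rec else None


def hardened_get_employee(employee_id: int, session: Optional[dict]) -> dict:
    """Refuse anonymous callers, then serialise only allowlisted fields."""
    if session is None or not session.get("authenticated"):
        return {"status": 401, "body": None}
    rec = _DB.get(employee_id)
    if rec is None:
        return {"status": 404, "body": None}
    body = {k: v for k, v in asdict(rec).items() if k in PUBLIC_FIELDS}
    return {"status": 200, "body": body}


def leaks_sensitive(payload: Optional[dict]) -> bool:
    """Response-side guard: does a serialised body contain any sensitive key?"""
    return bool(payload) and not SENSITIVE_FIELDS.isdisjoint(payload)
```

The allowlist approach (name what may leave, rather than what must not) is what prevents a newly added column such as a device fingerprint from leaking by default.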


The report by Srikanth L further noted that, out of the 1,497 registered domains, only 6.9% matched the RBI IFSC and DICGC insurance records. It further added, “the rest include phantom test domains, gibberish registrations, and non-bank entities, several with live SSL certificates.” 

What is a .bank domain? 

The older format of a bank website was www.nameofthebank.in, while the updated domain format is https://nameofthebank.bank.in.

The newer format was introduced by the RBI amid the rising number of cyber fraud cases, in which customers are targeted by fake banking websites that trick them into sharing their personal data. The .bank.in domain assures customers that the website they are visiting belongs to a genuine, licensed bank. Fake websites cannot use this domain, ultimately helping reduce online data theft and the misuse of customers' sensitive information.

[VS]

(Edited by Harsh Pandey)

FAQs

Q: What is Cashless Consumer?

A: Cashless Consumer is a group that promotes the vision of a cashless society in India.

Q: What is IDRBT in banking?

A: IDRBT stands for the Institute for Development and Research in Banking Technology. It was established by the Reserve Bank of India (RBI).

Q: What is a .bank.in domain?

A: .bank.in is a verified domain introduced by the RBI to protect customers from phishing attacks and data fraud.
