AI-generated summary, newsroom-reviewed
DIGITAL BANKING has become the next major evolution in the Indian banking system. As more services, such as paying bills and applying for loans, have moved online, the risk of online fraud has also increased. To counter these risks, the Reserve Bank of India (RBI) introduced the .bank.in domain program for all Indian banks in 2025. The domains are managed by the Institute for Development and Research in Banking Technology (IDRBT).
The move aimed to create trusted and secure online spaces for users, ensuring that the websites they visit are genuine and authorized banking portals. This initiative allows users to differentiate legitimate bank websites from fake ones that engage in phishing attacks, in which fraudsters steal sensitive information such as passwords, usernames, credit card numbers, and other personal data.
Despite the aim of the initiative, in a recent development, a security researcher named Srikanth L from Cashless Consumer alleged that IDRBT's domain registration portal failed to carry out its responsibility and leaked sensitive information. IDRBT was established by the RBI and is responsible for managing the .bank.in domains of all banks.
The researcher claimed that the domain registration portal, which was intended to strengthen security against fraudsters and phishing attacks, had a major flaw that could expose sensitive data through more than “33 unauthenticated REST API endpoints”. The allegations further stated that the flaw could even expose the details of 5,576 bank employees who manage these banking domains.
Personal details such as bcrypt password hashes, mobile numbers, email addresses, login IP addresses, and device fingerprints were allegedly at risk. The researcher claimed, “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”
The report by Srikanth L further noted that, out of the 1,497 registered domains, only 6.9% matched the RBI IFSC and DICGC insurance records. It further added, “the rest include phantom test domains, gibberish registrations, and non-bank entities, several with live SSL certificates.”
The older format of a bank website was www.nameofthebank.in, while the updated domain format is https://nameofthebank.bank.in.
The newer format was introduced by the RBI amid the rising number of cyber fraud cases, in which customers are targeted by fake banking websites that trick them into sharing their personal data. The .bank.in domain assures customers that the website they are visiting belongs to a genuine, licensed bank. Fake websites cannot use this domain, ultimately helping reduce online data theft and the misuse of customers' sensitive information.
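As an added example (not code from the article, the RBI or IDRBT), the following hypothetical Python check applies the rule described above: a genuine portal's hostname must sit directly under bank.in at a DNS label boundary, so lookalikes such as sbi-bank.in, sbibank.in or sbi.bank.in.example.com are rejected. The bank names and URLs used are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Trust anchor described in the article: genuine bank portals live under
# bank.in, e.g. https://nameofthebank.bank.in (hypothetical checker).
TRUSTED_SUFFIX = ("bank", "in")


def bank_in_domain(url: str) -> Optional[str]:
    """Return the bank's registered domain (e.g. 'sbi.bank.in') if the URL
    is in the genuine .bank.in format, otherwise None.

    The check works on DNS labels rather than substrings, so lookalikes such
    as 'sbi-bank.in', 'sbibank.in', 'sbi.bank.in.example.com' and
    'https://sbi.bank.in@example.com' are all rejected. It validates only
    the address format; it does not verify TLS or registry records.
    """
    parts = urlsplit(url.strip())
    # The official format is https://; embedded credentials hide the real host.
    if parts.scheme != "https" or parts.username is not None:
        return None
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")
    # Need at least <bank>.bank.in; deeper subdomains (www.sbi.bank.in) are fine.
    if len(labels) < 3 or tuple(labels[-2:]) != TRUSTED_SUFFIX:
        return None
    for label in labels:
        # Plain ASCII hostname labels only; reject punycode so homoglyph
        # tricks inside the bank name do not slip through.
        if not label or not label.isascii():
            return None
        if not all(c.isalnum() or c == "-" for c in label):
            return None
        if label.startswith("-") or label.endswith("-") or label.startswith("xn--"):
            return None
    return f"{labels[-3]}.bank.in"


if __name__ == "__main__":
    # Constructed sample addresses: two genuine-format hosts and several lookalikes.
    for sample in ("https://sbi.bank.in/login", "https://www.sbi.bank.in",
                   "https://sbi-bank.in", "https://sbi.bank.in.example.com",
                   "https://sbi.bank.in@example.com", "http://sbi.bank.in"):
        print(f"{sample:45} -> {bank_in_domain(sample)}")
```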
[VS]
(Edited by Harsh Pandey)
FAQs
What is Cashless Consumer?
Cashless Consumer is a group that promotes the vision of a cashless society in India.
What is IDRBT in banking?
IDRBT stands for the Institute for Development and Research in Banking Technology. It was established by the Reserve Bank of India (RBI).
What is a .bank.in domain?
.bank.in is a verified domain introduced by the RBI to protect customers from phishing attacks and data fraud.