RSS

India's central bank mandated use of .bank domains to enhance trust

Bender1 pts0 comments

India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info

Jump to main content

Search

REG AD

security

India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info

Open API could reveal everything an attacker needs to impersonate bank officials

Simon Sharwood

Simon<br>Sharwood

APAC Editor

Published<br>tue 30 Jun 2026 // 03:24 UTC

In 2025, the Reserve Bank of India created the .bank.in subdomain and required all local banks to start using it for their online presences. Indian is home to thousands of banks and the new rule meant all needed to register for and use a bankname.bank.in domain, a move designed to make life harder for phishers and fraudsters.<br>Now a security researcher has alleged that the entity chosen as the sole registrar of the subdomains – the Institute for Development and Research in Banking Technology (IDRBT) – botched the job and leaked sensitive data.<br>The allegation came in a report [PDF] and post published yesterday by CashlessConsumer, a group that advocates for India to become a cashless society and which aims to represent citizens to digital payments players.

REG AD

“The IDRBT Domain Registration Portal (registrar.idrbt.ac.in) – the exclusive registrar for India’s .bank.in namespace – exposed its entire REST API via 33+ unauthenticated endpoints,” the post alleges. “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”

REG AD

The researcher behind the exposé, “Srikanth L”, says he accessed info through the portal and found evidence that some India banks host websites on shared servers in the United States, Singapore, and Lithuania. He also found 80 percent of registered .bank.in domains don’t use DNSSEC, 40 percent don’t employ the DMARC email security protocol that verifies senders’ identity, and many domains are secured with free Let’s Encrypt certificates.

MORE CONTEXT

India and China are home to 2.9 billion people – and together they bought just 13 million PCs in Q1

India blocks Telegram ahead of scandal-hit medical school entrance exam

India's cyber agency sets clock at 12 hours to tackle exploited bugs as AI turns up the heat

India orders infosec red alert in case Mythos sparks crime spree

The researcher’s post also alleges that the portal went live without a proper security audit and ran without secure APIs for 13 months.<br>Srikanth L disclosed his findings in early June and says IDRBT has since fixed the gaping security flaws. The researcher also appears to have used a GitHub repo to list info found by accessing the portal’s APIs – so some of the info available over the previously-open API is now public – and claimed doing so will help security researchers by letting them understand the extent of Indian banking infrastructure.<br>That knowledge may come in handy given the open API means attackers may have been able to access and use credentials of senior bank staff, information that can enable many forms of attack - even the DNS spoofing and phishing attacks the requirement to use .bank.in was designed to prevent.<br>At the time of writing, the IDRBT, Reserve Bank, and India’s government appear not to have made a public comment on the matter. ®

banking<br>api<br>financial services<br>security<br>india

REG AD

Security

Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe

Ex-employee claims this 'meets the definition of an insider threat'

offbeat

Meta's non-surgical mind reading machine improves on prior projects, but still isn't great

61% word accuracy is progress, but the system still relies on users typing and can't yet support real-time communication. Implanted BCIs remain well ahead

What the OCI MSA didn't solve for AI scaling

PARTNER CONTENT: The OCI MSA settled the architecture for optical scale-up. How fast bandwidth scales is a manufacturing question, not an architectural one

ai and ml

AI agents: Cause of database sprawl. And also the proposed solution

DB wrangling tech needs to meet demands of AI agents, Cockroach Labs CEO Spencer Kimball tells El Reg

columnists

Telling internet platforms where to stick public service media will serve nobody. Turn it on its head

Show not tell makes a far finer script

virtualization

Microsoft previews Linux containers that run in Windows

Linux container CLI and API for Windows applications

MOST POPULAR

systems

Micron locks in historically high memory prices for five years

Channel

Infosys boss says vibe coding is no threat because there’s more to writing software than writing software

Personal tech

India and China are home to 2.9 billion people – and together they bought just 13 million PCs in Q1

Security

Mythos discovers 'Squidbleed,' a memory leak that's gone undetected since Clinton era

Research

Boffin claims...

bank india security domains info idrbt

Related Articles

(no title)

Risse50 ptstitle

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

The labor share of income in the US is at its lowest post-war level

loughnane15 ptsfinancial labor share york securities central
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.