How vulnerable are the Indian banks: A cryptographers' view

TL;DR

This paper assesses the cybersecurity measures of Indian banks against international standards, revealing many banks' websites are outdated and vulnerable to known cyber threats.

Contribution

It systematically evaluates Indian banks' cybersecurity compliance using global benchmarks and security certificate tests, highlighting gaps and vulnerabilities.

Findings

Many Indian banks do not follow recommended security standards.

Several banks' websites are vulnerable to known cyber attacks.

Security certificates of some banks are invalid or poorly configured.

Abstract

With the advent of e-commerce and online banking it has become extremely important that the websites of the financial institutes (especially, banks) implement up-to-date measures of cyber security (in accordance with the recommendations of the regulatory authority) and thus circumvent the possibilities of financial frauds that may occur due to vulnerabilities of the website. Here, we systematically investigate whether Indian banks are following the above requirement. To perform the investigation, recommendations of Reserve Bank of India (RBI), National Institute of Standards and Technology (NIST), European Union Agency for Network and Information Security (ENISA) and Internet Engineering Task Force (IETF) are considered as the benchmarks. Further, the validity and quality of the security certificates of various Indian banks have been tested with the help of a set of tools (e.g., SSL Certificate Checker provided by Digicert and SSL server test provided by SSL Labs). The analysis performed by using these tools and a comparison with the benchmarks, have revealed that the security measures taken by a set of Indian banks are not up-to-date and are vulnerable under some known attacks.