Israel-based vpnMentor has discovered a “massive” breach of sensitive financial data affecting 7 million users connected to India’s mobile payment app BHIM, the company said in its blog.
As per the report, a campaign website was being used to sign users and businesses to the app and data thus acquired was being stored on a publicly accessible misconfigured Amazon Web Services S3 bucket.
The research team, led by Noam Rotem and Ran Locar, made the discovery as part of its web mapping project. “Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed. Our team was able to access this S3 bucket because it was completely unsecured and unencrypted,” the company said in its blog post.
It said it had informed the Indian government of the exposure. “As ethical hackers, we’re obliged to inform a company when we discover flaws in its online security. We reached out to CSC, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure,” it added.
The company stated it reached out to the website’s developers on May 5 and then approached India’s cybersecurity authority – Computer Emergency Response Team (CERT-In) on May 22, after which the breach was closed.
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” it added.
As per the report, the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed. These records are highly sensitive, including many documents needed to open an account on BHIM, such as:
> Scans of Aadhaar cards – India’s national ID
> Scans of Caste certificates
> Photos used as proof of residence
> Professional certificates, degrees, and diplomas
> Screenshots taken within financial and banking apps as proof of fund transfers
> Permanent Account Number (PAN) cards (associated with Indian income tax services)
> The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records: names, dates of birth, age, gender, home address, religion, caste status, biometric details such as fingerprint scans, profile and ID photos, and ID numbers for government programs and social security services.
BHIM or Bharat Interface for Money was launched by the National Payments Corporation of India (NPCI) in 2016 as part of the country’s cashless economy drive.
It allows users to conduct e-payments and money transfers between bank accounts from a user’s phone and uses NPCI’s Unified Payments Interface (UPI) technology.
Possible impact of breach
“The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information,” it noted.
Damages could include:
> Identity theft – Using a person’s PII data and banking records to adopt their identity and use it to apply for loans, make illegal purchases, commit crimes, and more.
> Tax fraud – Similar to identity theft, using someone’s tax details to falsify records and make fraudulent claims.
> Theft – Hackers could access BHIM accounts via the app and withdraw large sums of money.
> Fraud – Tricking a user into sending you money via the app, by sending texts or emails imitating businesses and friends.
> Research also suggested that some of the exposed BHIM users were minors, who would be particularly vulnerable to fraudulent schemes.
> Potentially, the most damaging aspect of this data breach is the exposure of the S3 bucket’s APK. Skilled hackers could use this to attack CSC’s BHIM cloud storage infrastructure and target it with malware, spyware, and more.
Advice from the Experts
The developers of the CSC/BHIM website could easily have avoided exposing user data by taking some basic security measures. These include, but are not limited to:
> Securing its servers.
> Implementing proper access rules.
> Never leaving a system that doesn’t require authentication open to the internet.
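For the S3 case at the centre of this report, "proper access rules" comes down to two concrete checks: a bucket policy must not contain an unconditioned Allow for a wildcard principal, and the bucket's Block Public Access settings must all be enabled. The following is an added illustration, not code from vpnMentor, CSC or NPCI; the bucket name, role ARN and account ID in the sample policies are constructed placeholders.

```python
# Constructed sample policy of the kind that leaves uploaded KYC scans world-readable:
# an Allow statement whose Principal is "*" and which carries no restricting Condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-uploads/*",
    }],
}

# Constructed hardened policy: reads/writes limited to one IAM role (placeholder ARN and
# account ID), plus a Deny for non-TLS requests. The Deny uses a wildcard Principal on purpose.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploaderRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-uploader"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-kyc-uploads/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_allow_sids(policy: dict) -> list:
    """Sids of Allow statements open to everyone. Statements carrying a Condition (e.g. a
    VPC or source-IP restriction) are not flagged automatically and need manual review."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

# S3 Block Public Access: all four settings must be on so the bucket stays private even if
# someone later attaches a public policy or ACL.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_access_block_ok(cfg: dict) -> bool:
    """cfg is a PublicAccessBlockConfiguration dict of the shape the S3 API returns."""
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)
```

Run these over the policy and PublicAccessBlockConfiguration pulled from each bucket in the account; any non-empty result from public_allow_sids or a False from public_access_block_ok is a finding to act on before data is uploaded, not after.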
The NPCI has however issued a statement saying there has been no compromise of data on the BHIM app. “There has been no data compromise at BHIM App ... NPCI follows a high level of security and an integrated approach to protect its infrastructure,” it said.