Skip to main content

BHIM app vulnerability reportedly exposed financial data of millions of users; NPCI denies data compromise

A group of ethical hackers on Monday claimed to have discovered a vulnerability affecting millions of BHIM app users, a claim which was denied by NPCI that operates the small value payments application.

Vpnmentor, which claimed to be the largest virtual private networks review website offering a research lab that helps the online community defend itself against cyber threats, alleged that there has been a "data leak" discovered with respect to that of the users of the payments app.

The group also said that an Indian government website focused on pushing adoption of BHIM has exposed data of millions of users to potential fraud.

Representational image. Image: Tech2

The National Payments Corporation of India (NPCI) said there has been no data compromise at the BHIM App, which has over 136 million downloads.

"The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data," Vpnmentor said in a statement.

The Ministry of Electronics and Information Technology has an initiative called CSC (Common Services Centre)-BHIM, which has a portal used by field agents as part of a campaign to push the adoption of the BHIM app, by merchants and also the general public.

According to Vpnmentor, data from this campaign was being stored on a "misconfigured Amazon Web Services S3 bucket" and was publicly accessible, making it vulnerable to misuse for executing frauds, thefts and attack from hackers and cyber criminals.

It also termed the scale of the exposed data as "extraordinary", and pegged the number of users exposed in "millions", adding that the 409 GB of data suspected to be breached has over 70 lakh records.

"We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem," the NPCI said in a statement.

The app was launched in 2016.

The breach was discovered on April 23 and the Indian Computer Emergency Response Team was contacted on 28 April. The CERT-IN responded the very next day and 22 May has been noted as the date of action in Vpnmentor's report.

Over 70 lakh users' data uploaded in February was exposed, the report said, adding the records which were exposed online included scans of Aadhaar cards, caste certificates, residence proofs, professional certificates and degrees, screenshots of fund transfers and PAN cards.

The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records, it noted.

In the statement issued by Vpnmentor, its cyber security researchers Noam Rotem and Ran Locar said the sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning.

"The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users'' account information," they said in the statement.



Udimi - Buy Solo Ads from Firstpost Tech Latest News https://ift.tt/2XUo1wm
via IFTTT

Comments

Popular posts from this blog

9 VCs in Madrid and Barcelona discuss the COVID-19 era and look to the future

Spain’s startup ecosystem has two main hubs: Madrid and Barcelona. Most observers place Barcelona first and Madrid second, but the gap appears to close every year. Barcelona has benefitted from attracting expats in search of sun, beach and lifestyle who tend to produce more internationally minded startups. Madrid’s startups have predominantly been Spain or Latin America-focused, but have become increasingly international in nature. Although not part of this survey, we expect Valencia to join next year, as city authorities have been going all-out to attract entrepreneurs and investors. The overall Spanish ecosystem is generally less mature than those in the U.K., France, Sweden and Germany, but it has been improving at a fast clip. More recently, entrepreneurs in Spain have moved away from emulating success in pursuit of innovative technologies. Following the financial crisis, the Spanish government supported the creation of startups with the launch of FOND-ICO GLOBAL, a €1.5 billi

How to Stay Creative and Keep SEO in Mind

Information Technology Blog - - How to Stay Creative and Keep SEO in Mind - Information Technology Blog Search engine optimization (SEO) refers to customizing your website’s content to ensure that web browsers give your website a high SEO score. The sites with the highest SEO scores are featured on the search engine’s first page of search results for relevant searches.  71%  of the click-throughs happen with articles listed on the first page of results on the search engine. This means that if your website’s article is the second (or third, or fourth page), it’s less likely the search user will even see your article. You want your article to be ranking as close to the top of the first page of results as possible. In order to have a good SEO score your site’s content needs to feature keywords and relevant phrases. It must be optimized for easy navigation between pages. It also needs to be referenced via external links that drive traffic to your site. Incorporating all of these elem

Everything we know about HHS Protect, a secretive government project with Peter Thiel's Palantir that helps brief Trump's coronavirus task force

A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus .  Dubbed "HHS Protect," the effort tracks information from around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  HHS uses Palantir Technologies , a data firm cofounded by Peter Thiel, to distill that information for the White House coronavirus task force. Visit Business Insider's homepage for more stories . A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus.  Dubbed "HHS Protect," the effort includes roughly 2.5 billion pieces of data from healthcare providers, government officials, and labs around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  The goal is learn about the progress