# RBI's .bank.in Security Failure: From Trust Mandate to Security Vulnerability

> CashlessConsumer's security investigation into the IDRBT Domain Registration Portal — the exclusive registry for India's .bank.in banking namespace under RBI purview. 33+ unauthenticated API endpoints exposed credentials of 5,576 bank employees for over a year. Built without a public tender, without a published security baseline, and without a VDP.

## Key Facts

- **33+ unauthenticated API endpoints** on registrar.idrbt.ac.in
- **5,576 bank employees** with exposed bcrypt password hashes, mobile numbers, emails, login IPs, device fingerprints
- **1,072 orphan Super Admin accounts** with top-level access to modify any bank's domain settings
- **1,497 registered .bank.in domains** — only 6.9% verifiable against RBI IFSC and DICGC records
- **Zero public tender** — Portal built by IKCON Technologies in a single-source award, violating IDRBT's own procurement handbook
- **IKCON held 22 accounts**, including 3 with global Super Admin access
- **80% of cooperative banks lack DNSSEC**, 40% have no DMARC, 47% no HSTS
- **Vulnerable for over 13 months** (May 2025 – June 2026)
- **Disclosure**: Discovered Jun 8, 2026 → Reported to CERT-In → Fixed Jun 25, 2026

## Essential Links

- [Full Report (PDF)](https://bankin-report.cashlessconsumer.in/report.pdf)
- [Exposed Data & Datasets](https://bankin-report.cashlessconsumer.in/open-data/)
- [Source Code](https://github.com/CCAgentOrg/idrbt-bankin-investigation)
- [Daily Audit Feed](https://github.com/CCAgentOrg/bank-in-domains)
- [Evidence Archive](https://zo.pub/cashlessconsumer/idrbt-bankin-security)

## About

Three governance failures: (1) No public tender — single-source award to IKCON violating IDRBT's own handbook. (2) No security baseline — unlike the global .bank TLD, .bank.in enforces zero mandatory security controls. (3) No oversight — VAPT failed to detect 33+ open endpoints; no security researcher ever reviewed the system.
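The Key Facts above measure three controls that a .bank.in baseline would mandate: DNSSEC, DMARC and HSTS. The following added example (not code from the report or its repositories) evaluates one domain's collected evidence against those controls, flagging a missing DS record, a missing or monitor-only (p=none) DMARC policy, and a missing or short-lived HSTS header; the domain names and records are constructed sample inputs, not entries from the investigation's dataset.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class DomainEvidence:  # observations for one domain; constructed here, not live data
    domain: str
    ds_records: list[str]     # DS RRset at the parent zone; empty means the delegation is unsigned
    dmarc_txt: str | None     # TXT record at _dmarc.<domain>, None if absent
    hsts_header: str | None   # Strict-Transport-Security response header, None if absent

def parse_dmarc(txt: str | None) -> dict[str, str] | None:
    """Parse 'tag=value; tag=value' into a dict; None unless it is a v=DMARC1 record."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def parse_hsts_max_age(header: str | None) -> int | None:
    """Return the HSTS max-age in seconds, or None if the header is missing or malformed."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return None

def evaluate(ev: DomainEvidence) -> list[str]:
    """Return the baseline gaps for a domain; an empty list means all three controls are present."""
    gaps = []
    if not ev.ds_records:
        gaps.append("DNSSEC: no DS record at parent, delegation is unsigned")
    dmarc = parse_dmarc(ev.dmarc_txt)
    if dmarc is None:
        gaps.append(f"DMARC: no record at _dmarc.{ev.domain}")
    elif dmarc.get("p", "none").lower() == "none":
        gaps.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    max_age = parse_hsts_max_age(ev.hsts_header)
    if max_age is None:
        gaps.append("HSTS: header missing")
    elif max_age < 31536000:
        gaps.append(f"HSTS: max-age {max_age} is below one year")
    return gaps

# Constructed sample inputs: hypothetical domain names, not entries from the report's dataset.
HARDENED = DomainEvidence("hardened-example.bank.in", ["12345 13 2 <digest>"],
                          "v=DMARC1; p=reject; rua=mailto:dmarc@hardened-example.bank.in",
                          "max-age=31536000; includeSubDomains; preload")
WEAK = DomainEvidence("weak-example.bank.in", [], "v=DMARC1; p=none", "max-age=300")
```

`evaluate(HARDENED)` returns an empty list, while `evaluate(WEAK)` reports all three gaps; feeding it DNS and HTTP observations for every registered domain gives the kind of per-domain posture table the audit feed publishes.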
## Attack Scenario

Download 5,576 user records → spear-phish bank employees → crack weak bcrypt hashes → use orphan Super Admin accounts to hijack .bank.in domains → redirect to phishing sites with valid SSL + .bank.in suffix → steal customer credentials. No zero-days needed — only curl.

## Open Data

1,497 domains · 1,402 with NS · 95 unpublished · 1,535 billing records · 3,797 CT log entries. User records and orphan account data NOT published (contain PII/hashes).