An unprotected server of State Bank of India allowed anyone to gain access to customers’ bank balances and recent transactions until the glitch was removed by the lender, TechCrunch reported on Thursday. It is not clear how long the server remained unprotected.
The bank did not reply to TechCrunch’s request for a comment, the website said. A security researcher told the website about the unprotected server, which the website corroborated with another expert using the bank’s SBI Quick service. The service uses a text message and call-based system to dispense basic information about customers’ bank accounts.
The server, hosted in a regional Mumbai-based data center, purportedly did not have a password.
The SBI Quick service was intended for customers who do not have access to smartphones or have limited data service. The service recognises the customer’s registered phone number and sends a message to that number revealing the amount in the account linked to it.