By now we are used to getting news on an almost daily basis about customer data being exposed to cyber attacks, be it banks, stock trading companies, utility firms or D2C platforms. Almost all of these companies claim to have the best processes, to avail themselves of the services of the best consulting firms, and so on.
For example, last week one famous, well-funded stock trading/intermediary company faced a data breach.
The company’s initial response was a statement from the firm’s co-founder and CEO, Ravi Kumar, published on its website:
“We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories.
As a matter of abundant caution, we have also initiated a secure password reset via OTP.” The broking house has also immediately restricted access to the impacted database, added multiple security enhancements at all third-party data warehouses, set up real-time 24×7 monitoring and ring-fenced the network.
Following the incident, Upstox issued a clarification, stating: “We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorised access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems.”
Thoughts to ponder: yes, for the moment the funds are protected, but what happens to those customers whose KYC data has been leaked? Whom should a customer hold responsible if their KYC data is misused?
Typically, the contents of KYC data do not change: date of birth, Aadhaar, PAN, permanent address.
If someone can access a person’s KYC data, how long does it take to open a bank account based on it and change the account information? It is a matter of minutes. The question then comes to OTP: yes, with the same KYC data even the registered mobile number can be changed, and OTPs will be diverted.
If an attacker can breach a system to the level described above, exploiting the KYC data is the easy part.
Keeping these factors in mind, how prudent is it to claim that “money is safe”?
Who should be held responsible for this sort of data breach?
Maybe it is high time we move beyond the traditional control measures of defensive security and do an actual audit: how much funding has been allotted specifically to cyber security, how much has actually been spent, and how many offensive drills have been carried out to check the robustness of the system!
This article has been submitted by Armantec Systems Pvt Ltd. (www.armantecsystems.com), a Delhi-NCR based IT company, which also specializes in Offensive Cyber Security Research, with prime focus on Deep Web/DarkNet analysis.