ICICI Bank is the second-largest bank in India, with subsidiaries around the world. However, for the millions of Indians who have accounts with the bank, there's some worrying news. A vulnerability in the bank's safety systems means that anyone on the Internet can access your account statement.
Sujit Ganguli, Sr. General Manager, Head-Corporate Communications and Brand at ICICI Bank, admitted that he was not aware of this vulnerability. A bank representative later told NDTV Gadgets that ICICI was working urgently to correct the problem.
An independent researcher contacted NDTV Gadgets with information about a flaw in ICICI Bank's security protocols. Various journalists at NDTV Gadgets verified it by using their own personal information to download their account statements without logging into net-banking. The method did not work for one of the customers, but we could access the statements of three other customers using it.
While we are not revealing the exact methodology for obvious reasons, our readers should know that the method of the hack was exceedingly simple, and required just a little copy-paste and knowledge of one customer attribute that people don't usually think twice about sharing. You do not even need to be logged in to net-banking to repeatedly exploit the loophole. There is no need for any coding knowledge, or technical know-how, whatsoever.
Ethical hacker Ayush Ghosh, who works at BookMyShow in Bangalore, contacted NDTV Gadgets with the information, which he noticed when operating his own account. Before contacting NDTV Gadgets, Ghosh had also written to the contact IDs present on ICICI Bank's website, but says he received no response.
It is worth noting that no one can access your account itself - it is impossible to carry out malicious transactions, or take any action other than seeing your account statement, so it should be safe to continue using your ICICI Bank account for now. However, a person can access your monthly account statement, which includes all financial transactions, along with your name and address. This is a serious concern in and of itself: with access to a person's address and information like 'last three transactions', someone can possibly call the bank and misrepresent themselves as you. Alternatively, someone could call ICICI customers, pretend to be from the bank, and 'authenticate' themselves using information accessible via these statements.
New Delhi-based cyber security consultant Dominic K. spoke to NDTV Gadgets and discussed the multiple layers of security that banks have in place, which include multi-factor authentication, encryption, secure connectivity (SSL and HTTPS) and identity management systems. He adds, "We have not heard of any serious attacks that were successful. These are industry practices that meet global standards."
In light of this vulnerability, it is essential that people know a few things - first, you should obviously use strong passwords and enable multi-factor authentication wherever possible. Beyond that, however, we must also be aware of the possibility of social engineering, and never share our passwords or even seemingly innocuous details like customer ID or bank account number, unless really needed.