KYC registration agency gets vulnerability alert Lessupport 07 Jan 2022


An independent team of security researchers has identified a vulnerability in the software used by a Sebi-registered KYC Registration Agency. The agency, CDSL Ventures Limited (CVL), had already drawn the attention of cybersecurity professionals once before. The vulnerability would have given a malicious actor complete access to the confidential data of every investor who completed their KYC through CVL.

CVL is a subsidiary of India’s largest securities depository, Central Depository Services Limited (CDSL). It provides secure storage and management of sensitive investor information, and it offers KYC registration services to market intermediaries. In total, it holds data on over 4 crore investors in India.

The vulnerability was patched a week after it was reported. Along with CDSL, the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Indian Computer Emergency Response Team (CERT-In) were also involved.

“Our researchers detected an authorisation vulnerability in one of the APIs which allowed anyone capable of launching a malicious attack to retrieve extremely sensitive personal and financial information of around 4.39 crore investors who have obtained market securities KYC since 2005,” said Himanshu Pathak, founder and director of the security company that employs the researchers.

When approached for comment, a CDSL representative said the following via email: “CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL which has since been mitigated. There has been no data breach at CVL.” Sebi, NCIIPC, and CERT-In declined to comment on the matter.

CDSL maintains that no data has been breached. Had it been, around 19 crucial data points for each investor profile would have been at stake. With that information, an attacker could have launched highly targeted phishing campaigns causing further damage. Such a targeted phishing attack is called spear phishing and needs to be prevented at all costs, as it can lead to financial fraud, identity theft, extortion and more. Beyond that, access to such detailed holdings information could also enable a determined attacker to manipulate share prices.
