# .bank.in — Technical Guarantees: What's Missing & What It Causes

**Last updated:** 2026-06-08
**Portal:** https://registrar.idrbt.ac.in/
**Vendor:** IKCON Technologies (ikcontech.com)
**Status:** ~1,500 bank domains migrated, 1122 paid orgs

## Preface

The .bank.in security model rests entirely on a domain-name suffix. The fTLD .bank model (global) is held up as the benchmark, but even that has adoption and enforcement gaps. This analysis skips ideology and goes straight to what can be verified from the portal source code, DNS data, and live scans.

## 1. DNS Integrity Layer

### 1.1 DNSSEC — Not Mandatory, Not Verified

| Requirement | Status |
|---|---|
| fTLD .bank | REQUIRED — all domains must be DNSSEC-signed |
| IDRBT .bank.in | OPTIONAL |

The portal has a `dns-sec.service.ts` that lets individual domains configure DNSSEC records and submit them to NIXI. **There is no code path that enforces this before delegation.**

**Live scan (10 .bank.in domains):** 8/10 (80%) have NO DS record. No RRSIG. DNS responses for these domains are trivially forgeable by any MITM or compromised resolver.

**Causes:**
- Portal supports DNSSEC as a feature but doesn't require it
- No post-delegation verification callback to confirm DS records are live
- No periodic re-scan to detect DNSSEC removal

**Consequences:**
- Anyone who can intercept DNS traffic (ISP, compromised router, WiFi hotspot) can forge DNS responses for 80% of .bank.in domains
- A fraudulent site at `hdfc.bank.in` connecting from a compromised DNS cache is indistinguishable from the real one
- DNSSEC-aware resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1) will show `SERVFAIL` for these domains, not a security indicator — users just see "site not loading"

### 1.2 CAA (Certification Authority Authorization) — Not Required

| | Status |
|---|---|
| fTLD .bank | RECOMMENDED as best practice |
| IDRBT .bank.in | NOT REQUIRED, NOT MONITORED |

CAA records let a domain owner specify which Certificate Authorities are authorized to issue certificates for their domain. Without CAA, **any CA can issue a valid HTTPS certificate for any .bank.in domain.**

**Portal source:** Zero references to CAA in the Angular code. No CAA configuration screen. No CAA validation in the domain registration workflow.

**DNS check:** 0/15 sampled .bank.in domains had a CAA record.

**Consequences:**
- A phisher can get a valid Let's Encrypt certificate for `icici.bank.in` (if they control its DNS, or through a CA compromise)
- The padlock in the browser will say "Secure" — the same icon as the real bank
- No mechanism to detect unauthorized certificate issuance
- No Certificate Transparency monitoring pipeline from IDRBT

### 1.3 DANE TLSA — Not Supported

DANE binds TLS certificates to DNSSEC, creating a cryptographic chain from the registry to the website. This is the only way to make certificate trust independent of CA behavior.

**Status:** The portal has no DANE configuration. The `dns-sec.service.ts` only handles DS/DNSSEC key records, not TLSA.

**Consequence:** Certificate trust for .bank.in relies entirely on the CA system — the same system that has had multiple catastrophic failures (DigiNotar, Comodo, StartCom, etc.).

## 2. Transport Security Layer

### 2.1 HSTS — Not Enforced, No Minimum

| | Status |
|---|---|
| fTLD .bank | HSTS REQUIRED on all registered domains |
| IDRBT .bank.in | NOT ENFORCED |

**Live scan (15 .bank.in domains):** 7/15 (47%) lack HSTS headers entirely.

For the 53% that do have HSTS, the policies are self-chosen by each bank — no baseline from the registry:
- `max-age` values range from 6 months to 1 year
- Some use `includeSubDomains`, some don't
- Zero are preloaded in browser HSTS preload lists

**Consequences:**
- SSL stripping attacks work on nearly half of all .bank.in sites
- First-time visitors (precisely the audience .bank.in is supposed to protect) are vulnerable to downgrade
- A captive portal on a hotel WiFi can transparently intercept `https://gsc.bank.in` → `http://gsc.bank.in`

### 2.2 Certificate Strength — No Baseline

**Live scan (15 domains):**
- 11/13 reachable sites use **Let's Encrypt DV certificates** (Domain Validation only)
- No EV (Extended Validation) certificates found
- No OV (Organization Validation) requirement

A Let's Encrypt DV certificate validates only that the requester can serve content on the domain — not that the requester is a bank. The same validation level as any hobbyist's blog.

**Consequence:** If an attacker somehow obtains DNS control (see 1.1), they can get a valid TLS certificate for any .bank.in domain within minutes, entirely automatically.

### 2.3 TLS Version — No Minimum

Most sampled domains run TLS 1.3 or 1.2, but nothing stops a bank from running TLS 1.0 or even SSL 3.0. The registry doesn't scan for or remediate weak protocols.

**Consequence:** No mechanism to detect or prevent weak crypto configurations on .bank.in sites.

## 3. Email Security Layer

### 3.1 DMARC — No Enforcement, 40% Absent

**Live scan (30 .bank.in domains):**
| DMARC Policy | % | Meaning |
|---|---|---|
| Absent | 40% | Anyone can spoof these domains — no check at all |
| p=none | 10% | Monitoring only — spoofing is logged but delivered |
| p=quarantine | 20% | Suspicious mail goes to spam (advisory only) |
| p=reject | 30% | Full protection — unauthorized mail rejected |

**40% of .bank.in domains have zero email spoofing protection.**

Even among the 30% with `p=reject`, this is self-enforced by individual banks, not verified by the registry. IDRBT has no mechanism to:
- Verify DMARC is deployed before domain registration
- Monitor DMARC policy changes
- Alert banks when their DMARC policy weakens or expires

**Consequences:**
- Anyone with an SMTP relay can send an email that appears to be from these banks. The email will pass SPF and DKIM checks because there ARE no checks.
- Phishing emails from `admin@kannururban.bank.in` (confirmed absent DMARC) are indistinguishable from legitimate bank emails to the average email client
- The .bank.in suffix becomes a phishing amplifier — victims are told "look for .bank.in" but the email channel has zero integrity

### 3.2 MTA-STS — Not Deployed

MTA-STS tells sending mail servers that they MUST use TLS when delivering to a domain and MUST verify the certificate. Without it, email between banks and their customers can be downgraded to plaintext by any MITM.

**Status:** No MTA-STS records found on any sampled .bank.in domain.

### 3.3 BIMI — Not Deployed

BIMI lets authenticated brands display their logo next to emails in Gmail, Apple Mail, etc. This is the user-facing trust signal that email is legitimate.

**Status:** No BIMI records found. Even banks with DMARC `p=reject` have no brand indicator in email clients.

**Consequence:** The user sees a generic email icon, making every personalized phishing email equally credible.

## 4. Application Security Layer (Bank Websites)

### 4.1 Security Headers — No Baseline

No registry requirement to implement:
- CSP (Content Security Policy) — prevents XSS and data injection
- X-Frame-Options — prevents clickjacking
- X-Content-Type-Options — prevents MIME sniffing
- Referrer-Policy — controls leakage of URL parameters
- Permissions-Policy — restricts API access (camera, mic, geolocation)

**Live scan:** Multiple sampled domains serve banking applications without any of these headers.

### 4.2 Web Application Integrity

The banks themselves are running a mix of:
- WordPress sites (Palus Sahkari Bank)
- Custom PHP/Laravel (several cooperative banks)
- Static HTML sites
- Some with `?>` PHP close tags visible in HTTP responses (version disclosure)

None of this is scanned or validated by the registry.

## 5. Registry Operational Security

### 5.1 Entity Verification — Weak

The primary verification mechanism for bank identity is **DSC (Digital Signature Certificate)** issued by IDRBT's own CA (idrbtca.org.in). The eMudhra DSC middleware authenticates the signing officer.

But the portal data shows:
- **1,072 orphan user records** with Super Admin role and zero organization attachment (these were registration test accounts)
- **1,416 unique organizations** — no evidence of periodic re-verification
- **1122 paid orgs** — some may be test/invalid orgs that were never cleaned up
- **IKCON test domains** (`ikcontest-aug12.bank.in`, `pollp.bank.in`) exist in the billing records, suggesting test data in the production database

The validation rules for domain names themselves are minimal: no hyphens at start/end, no uppercase, no special chars, no leading numbers, 2+ chars minimum, checked against a reserved list. **No security posture validation.**

### 5.2 Authentication — Weak

The portal uses JWT tokens stored in `localStorage`. Benefits: None of the 26 unauthenticated GET endpoints were protected. The JWT itself is a single factor in the browser — there is no evidence of MFA enforcement for any user role, including Super Admin.

**Consequence:** 3 IKCON employees had Super Admin (orgId=0) with only email+password protection. If any of their accounts were compromised, an attacker would have full registry-level access.

### 5.3 Rate Limiting — Partial

reCAPTCHA v2 is present on the login page. But none of the 26 unauthenticated GET endpoints have rate limiting. The data extraction we performed (5,461 user records in one request) had no throttling.

**Consequence:** The full user database (email, phone, IP, device fingerprint) can be enumerated by any internet client with no authentication and no rate limit.

### 5.4 Vendor Access — Unbounded

IKCON had:
- 22 accounts in the user database (active employees)
- 3 Super Admin accounts (orgId=0, including a Gmail address `ikcontesting@gmail.com`)
- 1 technical account (`venkatesh.udaru@ikcontech.com`) as department creator
- Access from multiple IPs (Hyderabad residential/mobile ranges)
- Active developer accounts (`karthikreddy.jinna@ikcontech.com`) with orgId=0 Super Admin in the orphan records

**No evidence of:**
- Vendor security assessment
- Access review schedule
- Privileged access monitoring
- Session recording or audit logs review
- Termination/deprovisioning process (IKCON department was deactivated Dec 2025, but IKCON accounts remain in the user DB)

### 5.5 Vulnerability Disclosure — None

No security.txt, no bug bounty, no contact for security researchers. The 9 DSC-related unauthenticated endpoints and the entire unauthenticated data leak had no mechanism for researchers to report findings.

## 6. Data Protection Layer

### 6.1 PII Exposure — Confirmed

**Data accessible without authentication:**
- 5,461 user records: email, full name, mobile number, bcrypt password hashes, OTP hashes, IP addresses, device fingerprints, profile pictures (base64), session IP histories
- 1,072 orphan records with same fields
- 219 deleted records (not purged, soft-deleted)
- 1,535 invoices: organization names, addresses, GST numbers, PAN numbers, domain names, amounts paid
- 1,416 organizations: full address, phone, email, GST, PAN
- Internal department data including `venkatesh.udaru@ikcontech.com` email
- Price/GST/TDS configuration
- Portal configuration (API URLs, payment URL, UAT flag)

### 6.2 DPDP Act 2023 Compliance

The portal processes personal data of Indian bank officers and registrants. There is no evidence of:
- Consent mechanism in the registration flow
- Data processing agreement with IKCON
- Data retention or purging policy (219 deleted records still in the database)
- Personal data breach notification procedure

### 6.3 Production/Test Separation

The production environment configuration (`environment.prod.ts`) has:
- `envName: "UAT"` — the production build still identifies as UAT
- `disabledUat: "fff"` — UAT-specific config in production
- Test payment URLs (test.sbiepay.sbi in the payment flow)
- Test domains in billing records (`ikcontest-aug12.bank.in`, `pollp.bank.in`, `demo.bank.in`)

## Summary: The Gap

| Security Layer | fTLD .bank | IDRBT .bank.in |
|---|---|---|
| DNSSEC mandatory | ✅ Yes | ❌ No (20% deployed) |
| HSTS mandatory | ✅ Yes | ❌ No (53% deployed, self-managed) |
| DMARC required | ✅ Yes | ❌ No (30% p=reject, 40% absent) |
| CAA monitored | ✅ Yes | ❌ No |
| Certificate validation | ✅ OV/EV required | ❌ DV/LetsEncrypt OK |
| TLS minimum | ✅ TLS 1.2+ | ❌ No minimum |
| MFA for admin | ✅ Yes | ❌ No evidence |
| Annual compliance audit | ✅ Yes | ❌ No evidence |
| Phishing monitoring | ✅ Active | ❌ None |
| Bug bounty / VDP | ✅ Yes | ❌ None |
| Public procurement | ✅ Open | ❌ No tender found |

## The Structural Problem

.bank.in creates a **reader-side security model** — trust the suffix, trust the site — with **none of the publisher-side guarantees** that would make that trust valid. The visual indicator (`.bank.in` in the URL) promises more than the system delivers. And because the harm is distributed across 1,500+ mostly small cooperative banks, each with its own security posture, the weakest link is the registry's exposure.

The system doesn't prevent attack — it relocates it. A phisher who previously targeted `icici.com` now merely needs to compromise a single .bank.in domain's DNS or email channel to bypass the same trust signal RBI asks customers to rely on.

## 7. Additional Differences — fTLD .bank vs IDRBT .bank.in

### 7.1 Registry-level HSTS Preloading

| | fTLD .bank | IDRBT .bank.in |
|---|---|---|
| Registry-level HSTS preloaded | ✅ Yes — .bank is included in browser HSTS preload lists at the TLD level | ❌ No — each bank must configure HSTS independently (and 47% don't) |
| SSL stripping protection | ✅ Browser will NOT downgrade any .bank domain to HTTP | ❌ First visitor to any non-HSTS .bank.in domain is vulnerable |
| Subdomain coverage | ✅ includeSubDomains required | ❌ Not enforced — banks choose their own policy |
| Preload submission | ✅ Registry submitted .bank to Chrome/Firefox/Edge preload lists | ❌ No registry-level preload — individual banks would need to submit their own domains |

### 7.2 Port-level TLS Enforcement

fTLD actively scans 18+ ports on every .bank domain for weak TLS configurations:

| Port | Service | fTLD .bank | IDRBT .bank.in |
|---|---|---|---|
| 21 (FTP) | FTP/S | ✅ TLS 1.2+ required | ❌ Not scanned |
| 22 (SSH) | Secure Shell | ✅ TLS 1.2+ required for SSH-TLS | ❌ Not scanned |
| 25 (SMTP) | Email | ✅ TLS 1.2+ required for MTA | ❌ Not scanned |
| 80 (HTTP) | Web | ✅ Must redirect to HTTPS | ❌ Not scanned |
| 443 (HTTPS) | Web | ✅ TLS 1.2+ only | ❌ No minimum |
| 110/143 (POP/IMAP) | Email | ✅ TLS 1.2+ required | ❌ Not scanned |
| 389 (LDAP) | Directory | ✅ TLS 1.2+ required | ❌ Not scanned |

IDRBT does not scan any ports for TLS compliance. The portal's Apache proxy runs in front of the Angular app but there is no evidence of automated scanning for any .bank.in registrant domain.

### 7.3 Weekly Compliance Monitoring

fTLD performs automated compliance scans on every registered .bank domain weekly. Results are reviewed, and non-compliant domains receive notification. Persistent non-compliance leads to suspension.

IDRBT .bank.in: No evidence of any automated compliance scanning. The portal data contains no compliance status field for domains. There is no enforcement mechanism.

### 7.4 Registrar Requirements & Vendor Oversight

| | fTLD .bank | IDRBT .bank.in |
|---|---|---|
| Accreditation | ✅ Only ICANN-accredited registrars | ❌ Single, non-transparent vendor (IKCON) |
| Cybersecurity audit | ✅ Biennial registrar cybersecurity audit | ❌ No vendor security assessment found |
| Operations Pledge | ✅ Formal, enforceable pledge | ❌ No equivalent |
| Suspension authority | ✅ fTLD can suspend non-compliant registrars | ❌ No accountability mechanism |
| Consumer choice | ✅ 36 competing registrars | ❌ Monopoly — only IDRBT/IKCON |
| Domain portability | ✅ ICANN transfer policy applies | ❌ Single-registrar lock-in |

### 7.5 fTLD's PSD DMARC — Registry-level Email Protection

Even if individual .bank domains do not publish their own DMARC records, **fTLD publishes a DMARC record for the entire .bank TLD zone at `_dmarc.bank`**. This is called PSD (Public Suffix Domain) DMARC. It protects against spoofed emails from any subdomain of .bank that lacks its own DMARC policy.

**Live check:**
```bash
$ dig _dmarc.bank TXT +short
"v=DMARC1; p=reject; sp=reject; pct=100; ri=86400; rua=mailto:dmarc-rua@dmarc.ftld.com; ruf=mailto:dmarc-ruf@dmarc.ftld.com"
```

**No such fallback for .bank.in:**
```bash
$ dig _dmarc.bank.in TXT +short
(empty — no registry-level DMARC)
```

This means that a .bank.in domain with no DMARC record has **zero email spoofing protection** — no safety net, no fallback policy.

### 7.6 In-zone Nameserver Requirement

fTLD requires that NS records for .bank domains point to nameservers that are also within the .bank zone. This ensures that the nameservers themselves are subject to the same security requirements and compliance monitoring as the bank domain.

**Verification:**
- For `icici.bank`, approved nameserver might be `ns1.bankoficic.bank` (within the .bank zone)
- This means the nameserver's DNSSEC, TLS, and DMARC are all enforced by the same registry

**IDRBT .bank.in:** No such requirement. NS records can point to any nameserver (outsourced DNS providers, shared hosting, etc.) with no security baseline.

**Consequence:** A .bank.in domain's DNS can be hosted on a third-party provider that has none of the security guarantees the .bank.in brand implies. The nameserver itself may be vulnerable to DNS cache poisoning, zone transfer attacks, or account compromise.

### 7.7 fTLD's 90-day DMARC Grace Period — A Compliance Mechanism

fTLD's DMARC requirement includes a formal grace period:
- New domains get 90 days from first active email use to deploy DMARC
- If DMARC is not deployed within the period, the domain receives a compliance notice
- Continued non-compliance can lead to suspension

IDRBT has no equivalent:
- No DMARC deployment check at registration
- No grace period for compliance
- No enforcement mechanism at all

### 7.8 fTLD's .bank Registrar Requirements

**36 ICANN-accredited registrars** partner with fTLD to sell .bank domains. Each must:
1. Be ICANN-accredited
2. Sign fTLD's Registrar Agreement
3. Comply with fTLD's Operations Pledge
4. Undergo biennial cybersecurity audits
5. Implement technical requirements for provisioning .bank domains
6. Verify organizational identity before enabling .bank domain purchases

**IDRBT .bank.in side:** The "registrar" is IDRBT itself (via IKCON's implementation). No competition. No market choice. No audit of the sole vendor.

### 7.9 Phishing Monitoring & Abuse Response

fTLD maintains an active phishing monitoring program:
- Automated scanning for lookalike domain registrations
- Rapid takedown process for confirmed phishing sites
- Partnership with EasyDMARC for email threat monitoring
- Compliance contact: compliance@ftld.com
- Abuse contact: abuse@register.bank

**IDRBT .bank.in:** No equivalent found. No abuse contact on the portal. No security.txt. The portal footer says "Copyright © IDRBT 2026" with no security contact.

### 7.10 Certificate Transparency Monitoring

fTLD monitors CT logs for unauthorized certificates issued for .bank domains. If a non-approved CA issues a certificate for a .bank domain, the registry detects it and alerts the domain owner.

**IDRBT .bank.in:** No evidence of CT log monitoring. A Let's Encrypt certificate issued for any .bank.in domain would not trigger any alert.

## 8. The Infrastructure Gap

fTLD has been operating since 2014 and has developed a mature security operations center, compliance scanning infrastructure, and abuse handling team over more than a decade.

IDRBT had roughly **6-8 months** from the RBI policy announcement to the April 2025 launch date to build the entire domain registration portal, integrate with eMudhra DSC middleware, set up the SBI ePay payment gateway, configure the Apache proxy, and go live. The compressed timeline explains many of the gaps — but doesn't excuse the ongoing absence of basic security operations a year later.

## Sources

- fTLD Security Requirements: https://ftld.com/security
- fTLD Policies & Requirements: https://ftld.com/policies-requirements
- fTLD .bank Implementation Guide: https://register.bank/implementation-guide/
- fTLD Security Technical Details: https://register.bank/security-technical-details/
- EasyDMARC + fTLD Partnership: https://easydmarc.com/blog/how-ftld-partners-with-easydmarc-to-strengthen-email-security-for-bank-and-insurance-domains/
- IDRBT Portal Source: Angular app decompilation at `/home/workspace/IDRBT/angular-app/sources/`
- Portal Data Live Verification: `/home/workspace/IDRBT/data/`
- ToI: "IDRBT set to pilot bank.in domain move for banks from Feb 24, rollout in Apr" (Feb 2025)
- ToI: "Most banks shifted to bank.in domain: IDRBT to RBI guv" (Jun 2026)
- DNSSEC/DMARC/CAA/HSTS scans: Live DNS checks 2026-06-08
- Register.bank insights: https://register.bank/insights/rbi-requires-domain-change

### 9. Registry-level HSTS Preloading

| | fTLD .bank | IDRBT .bank.in |
|---|---|---|
| Registry-level HSTS preloaded | ✅ Yes — .bank is in browser HSTS preload lists at the TLD level | ❌ No — each bank configures HSTS independently (47% don't) |
| SSL stripping protection | ✅ Browser will NEVER downgrade any .bank domain to HTTP | ❌ First visitor to any non-HSTS .bank.in domain is vulnerable |
| Subdomain coverage | ✅ includeSubDomains required | ❌ Not enforced — banks choose their own policy |
| Preload submission | ✅ Registry submitted to Chrome/Firefox/Edge preload lists | ❌ No registry-level preload exists |

### 10. Port-level TLS Enforcement

fTLD actively scans 18+ ports on every .bank domain for weak TLS configurations:

| Port | Service | fTLD .bank | IDRBT .bank.in |
|---|---|---|---|
| 21 (FTP) | File transfer | ✅ TLS 1.2+ required | ❌ Not scanned |
| 22 (SSH) | Secure shell | ✅ TLS 1.2+ required | ❌ Not scanned |
| 25 (SMTP) | Email | ✅ TLS 1.2+ required for MTA | ❌ Not scanned |
| 80 (HTTP) | Web | ✅ Must redirect to HTTPS | ❌ Not scanned |
| 443 (HTTPS) | Web | ✅ TLS 1.2+ only | ❌ No minimum |
| 110/143 (POP/IMAP) | Email | ✅ TLS 1.2+ required | ❌ Not scanned |
| 389 (LDAP) | Directory | ✅ TLS 1.2+ required | ❌ Not scanned |

### 11. Weekly Compliance Monitoring

fTLD performs automated compliance scans on every registered .bank domain weekly. Non-compliant domains receive notifications with a 90-day remediation window.

IDRBT .bank.in: **No evidence of any automated compliance scanning.** The portal data contains no compliance status field for domains. No enforcement mechanism exists.

### 12. Vendor Liability & Third-Party Security

fTLD explicitly states in its Operations Pledge that outsourcing to a third-party does not transfer security responsibility. Registrars must meet cybersecurity requirements and undergo biennial audits.

IDRBT's procurement of the domain registry portal from IKCON shows:
- No public RFP or tender for the development
- No evidence of vendor security assessment
- 22 IKCON employees with registry access, 3 with Super Admin (orgId=0)
- IKCON department deactivated Dec 2025, but IKCON accounts remain in the user database
- No vendor deprovisioning audit trail

## What IDRBT Actually Asked Banks to Comply With

The entire compliance framework for .bank.in is based on a single, non-enforceable, non-technical document: the RBI's "Guidelines for Banks to migrate to .bank.in domain". This document does not specify:
- Technical requirements for DNSSEC, HSTS, DMARC, or TLS
- Security posture validation for bank websites
- Vendor security assessment or access control requirements
- Data protection or DPDP compliance obligations
- Phishing monitoring or abuse response mechanisms

The only "compliance" mechanism is the domain registration itself, which does not verify any of the above.