# Extracted Portal Data — Summary Statistics

## Source
All data below was extracted from the IDRBT Domain Registrar Portal via 25 unauthenticated GET endpoints discovered during source code analysis and verified via live curl requests against the production domain (registrar.idrbt.ac.in).

## Inventory

| Data Source | Records | Size | Description |
|---|---|---|---|
| `/api/dr/user/all` | 5,461 | ~27 MB | Full user records: email, name, phone, bcrypt password hashes, OTP hashes, IP addresses, device fingerprints, login history |
| `/api/dr/user/deleted-users` | 219 | ~500 KB | Soft-deleted user records (not purged) |
| `/api/dr/user/orphan-users` | 1,072 | ~5.2 MB | Registration accounts with no organization: 100% Super Admin role, 98% with OTP hashes |
| `/api/dr/billingHistory/all` | 1,535 invoices | ~5.4 MB | Invoice records with org names, addresses, GST, PAN, domain names, amounts paid |
| `/api/dr/static/getAll` | 16 config entries | ~8 KB | Portal configuration: pricing, GST, TDS, email regex, etc. |
| `/api/dr/departments/all` | 3 departments | ~4 KB | Internal departments, including IKCON's (creator email venkatesh.udaru@ikcontech.com) |
| `/api/dr/links/all` | 4 links | ~2 KB | Portal link configuration |
| `/api/dr/rgtrUser/getAlltext` | 6 dynamic text configs | ~3 KB | Portal text configuration |

## Key Statistics

- **Total unique user records:** 5,576 (across all endpoints)
- **Total organizations:** 1,327 unique
- **Cooperative banks with .bank.in domains:** ~1,255 (from billing data)
- **Total value of paid invoices:** ₹45,274,581 (₹4.52 crore)
- **Active users:** 5,323 (from `/api/dr/user/activeUser`)
- **IKCON employee accounts in system:** 22 (including 3 with Super Admin / orgId=0)
- **IKCON test domains:** ikcontest-aug12.bank.in, pollp.bank.in, demo.bank.in
- **IKCON department:** Created 2025-06-25, deactivated 2025-12

## Security Headers Scan (Sample)

Results from a live DNS/HTTP scan of 15 sampled .bank.in domains on 2026-06-08:

| Security Feature | Deployed | Not Deployed |
|---|---|---|
| DNSSEC (DS record) | 20% | 80% |
| HSTS | 53% (self-configured) | 47% |
| DMARC (any policy) | 60% | 40% |
| DMARC p=reject | 30% | 70% |
| CAA record | 0% | 100% |
| MTA-STS | 0% | 100% |
| TLS 1.2+ | Most | Some on older protocols |
| EV/OV certificate | 0% | 100% (all DV/Let's Encrypt) |

## Unauthenticated Endpoints Found

| Category | Count | Risk |
|---|---|---|
| User admin endpoints (no auth) | 11 | User enumeration, full data exposure |
| Auth-flow pre-login | 5 | Email existence confirmation |
| Billing/financial (no auth) | 2 | Invoice records exposure |
| Config/static (no auth) | 5 | Pricing, GST, TDS configuration |
| DSC proxy (no auth) | 3 | Certificate/token middleware access |
| **Total unauthenticated** | **26** | |
| Properly authenticated GET | 5 | Baseline for comparison |

## Vendor: IKCON Technologies

- **Website:** ikcontech.com
- **HQ:** Hyderabad, India; US office in South Plainfield, New Jersey
- **Founded:** 2014
- **Services:** Digital transformation, application development, banking support, DevOps
- **Client testimonials on website:** Cooperative banks praising .bank.in domain migration support
- **Portal accounts:** 22 employees across 26+ organizations, 3 with global Super Admin (orgId=0)
- **Evidence of internal access:** Department record with creator email venkatesh.udaru@ikcontech.com, IPs from Hyderabad residential/mobile ranges
- **Department status:** Deactivated December 2025 (but accounts not deprovisioned)

## IDRBT Procurement Status

No public tender, RFP, or contract award for the development of the Domain Registration Portal was found across:
- IDRBT's tenders page (90+ tenders spanning 2020-2027)
- MSTC eProcure portal
- GeM (Government e-Marketplace)
- General web search

The portal footer states "Developed & Maintained by IDRBT" but technical evidence shows development by IKCON Technologies.
