FINANCIAL INFRASTRUCTURE

Banking system, UPI ecosystem, payment infrastructure, and financial sector cyber threats

₹233L Cr: Annual Banking Volume (150K+ branches, 1.4B accounts)
20.39B: Monthly UPI Transactions (Feb 2026 data)
₹14,094 Cr: Documented Financial Losses (Cosmos + PNB + BoB + SIDBI)
67%: UCBs Below Minimum IT Security (1,500+ cooperative banks)

Live UPI Transaction Volume

Registered Users: 650M
Active Merchants: 30M+
Annual Value: ₹85L Cr
System Uptime: 99.99%

[Chart: Bank Security Posture Comparison]
[Chart: Financial Losses by Incident (₹ Crore); series: Increase, Decrease, Total]

Core Banking Solutions - Single Points of Failure

Finacle (Infosys), severity: critical
  Banks: SBI, PNB, BoB, Canara, OBC, UBI
  Coverage: 60% of banking assets
  Vuln: Auth bypass CVE-2018-13889, SQL injection

Flexcube (Oracle/TCS), severity: critical
  Banks: ICICI, Yes Bank, Axis
  Coverage: 25% of banking assets
  Vuln: Oracle WebLogic exploitation chain (CVE-2020-14750)

BaNCS (TCS), severity: high
  Banks: Union Bank, Bank of India
  Coverage: 15% of banking assets
  Vuln: Oracle DB inheritance, patch chain delays
The Black-Box Problem

All three dominant CBS platforms are proprietary, closed-source systems. Indian banks cannot independently audit the code running their core banking operations. Security auditing requires vendor cooperation, limiting independent verification. Foreign-controlled dependencies (Oracle Flexcube) create additional national security concerns.

UPI Transaction Flow

Stage           Risk      Threats
User Device     Medium    Malware, Screen Recording
PSP App         High      API Vulnerabilities, IDOR
NPCI Switch     Critical  Single Point of Failure, 800 Staff
Bank CBS        High      CBS-SWIFT Gap, Patch Delays
Destination     Low       Account Takeover
Single Point of Failure
NPCI operates Mumbai primary + Hyderabad DR (warm standby). DR failover takes 4-8 hours historically.

NPCI Product Portfolio

Product   Volume   Users / Notes   Share of traffic
UPI       20.39B   650M            45% of traffic
IMPS      350M     1.2B            8% of traffic
RuPay     2B+      640M Cards      35% of traffic
AePS      180M     Rural BC        4% of traffic
NACH      500M     Batch           8% of traffic
800-1,000 NPCI employees operate the entire payment infrastructure. PayPal employs 30,000+ for a fraction of UPI's volume.

Regulatory Compliance by Institution Type

Compliance Score Assessment

[Chart: Vulnerability Heatmap by Bank Type, score on a 0-100 scale]
PSU Banks: 75
Private Banks: 50
SFBs: 60
UCBs: 85
Risk vectors plotted: Finacle (Infosys CBS), Flexcube (Oracle CBS), BaNCS (TCS CBS), ATM (Switch Network), Third Party (Vendor Access)

Major Financial Cyber Incidents

Cosmos Bank Heist (Aug 2018), severity: critical
  Loss: ₹94.35 Crore
  Actor: Lazarus Group (North Korea)
  ATM switch malware cloned 12,000 cards. Simultaneous withdrawals across 408 ATMs in India, USA, Canada, Hong Kong and UAE in 4 hours.

PNB-Nirav Modi Fraud (2011-2018), severity: critical
  Loss: ₹14,000 Crore
  Actor: Internal + External
  Fake Letters of Understanding created in SWIFT but not recorded in Finacle. The gap between CBS and SWIFT enabled a 7-year fraud.

Yes Bank Moratorium (Mar 2020), severity: high
  Impact: Data Leaked
  Actor: Management Failure
  Customer data of ~1 lakh accounts leaked within days, followed by targeted phishing calls quoting specific account information.

Bank of Baroda NRI Portal (2019), severity: high
  Impact: NRI Data Exposed
  Actor: Chinese State Actors (suspected)
  Third-party Apache Struts vulnerability (CVE-2017-5638). 6 months of unauthorized access to NRI customer data, including passport numbers.

SIDBI Data Breach (2020), severity: critical
  Impact: 30 Lakh Records
  Actor: Third-party Vendor
  Loan records of 3 million MSME borrowers exposed, including Aadhaar, PAN and GST numbers. Sold on darknet under the aliases "Null" and "Jay."

HDFC Bank API Exposure (2023), severity: medium
  Impact: Customer Data
  Actor: Security Researcher
  Exposed API endpoints returned partial credit card numbers, names, emails and phone numbers. Patched within 72 hours.

UPI Fraud Escalation

Year   Cases       Amount (₹ Cr)   Growth (cases)
2021   432,000     ₹650 Cr         -
2022   873,000     ₹1,200 Cr       +102%
2023   1,500,000   ₹1,750 Cr       +72%
2024   1,342,000   ₹2,000 Cr       -11%

Primary Method: UPI Collect Scams (42%)
Fraud Type: Fake UPI Apps (23%)
Organized Component: Confirmed by Law Enforcement

Strategic Findings

Third-Party Risk

Every significant bank incident involved third-party access - ATM networks, payment gateways, data processors, insurance vendors. Vendor ecosystem extends beyond banks' security visibility.

CBS-SWIFT Integration Gap

PNB fraud demonstrated SWIFT and core banking systems were not integrated for fraud detection. Post-PNB remediation was documentation-focused, not architecturally verified.
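The reconciliation that was missing, as an added example (not part of this report or of any bank's or vendor's code): outbound SWIFT commitments are checked against the CBS contingent-liability book, so a message with no matching record is flagged the day it is sent rather than years later. Field names, the LOU-style reference scheme and the sample rows are constructed assumptions, not a real SWIFT or Finacle schema.

```python
"""Added illustration: reconcile outbound SWIFT commitments against CBS records.
Field names, the reference scheme and all sample rows are constructed assumptions."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SwiftMsg:
    ref: str        # bank transaction reference carried in the outbound message
    amount: Decimal
    currency: str

@dataclass(frozen=True)
class CbsLiability:
    ref: str        # CBS contingent-liability record keyed by the same reference
    amount: Decimal
    currency: str

def reconcile(swift_msgs, cbs_records):
    """Return (ref, reason) exceptions. Every outbound message that commits the
    bank must have a CBS record with the same reference, amount and currency;
    a message with no record is the SWIFT/CBS gap the PNB case exploited."""
    cbs_by_ref = {r.ref: r for r in cbs_records}
    exceptions = []
    for m in swift_msgs:
        rec = cbs_by_ref.get(m.ref)
        if rec is None:
            exceptions.append((m.ref, "swift_without_cbs_record"))
        elif (rec.amount, rec.currency) != (m.amount, m.currency):
            exceptions.append((m.ref, "amount_mismatch"))
    swift_refs = {m.ref for m in swift_msgs}
    # A booked liability with no message is not a fraud signal by itself,
    # but it is still a reconciliation break worth surfacing.
    exceptions.extend((r.ref, "cbs_record_without_swift")
                      for r in cbs_records if r.ref not in swift_refs)
    return exceptions

# Constructed sample: three messages sent, only two liabilities booked in CBS.
SAMPLE_SWIFT = [
    SwiftMsg("LOU-0001", Decimal("1500000.00"), "USD"),
    SwiftMsg("LOU-0002", Decimal("2750000.00"), "USD"),   # never booked in CBS
    SwiftMsg("LOU-0003", Decimal("900000.00"), "USD"),
]
SAMPLE_CBS = [
    CbsLiability("LOU-0001", Decimal("1500000.00"), "USD"),
    CbsLiability("LOU-0003", Decimal("90000.00"), "USD"),  # booked at a tenth
]
```

Calling reconcile(SAMPLE_SWIFT, SAMPLE_CBS) returns two exceptions: LOU-0002 as a message with no CBS record and LOU-0003 as an amount mismatch. In a live control the check would run against the day's message log before the bank's end-of-day close.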

ATM Network Air-Gapping

Cosmos Bank demonstrated that inadequately segmented ATM infrastructure converts a single compromise into global cash-out capability. Lazarus Group coordinated simultaneous withdrawal across countries.

NPCI Concentration Risk

Single entity operates India's entire retail payments infrastructure. 250% increase in UPI fraud reflects structural insecurity, not merely increased criminal activity.

Insurance & Securities

Star Health Breach (Aug 2024): 31 Million Customers Exposed, severity: critical
  Records Exposed: 31 Million
  Data Volume: 7 TB
  Ransom Demand: $68,000
  IRDAI Penalty: ₹3.39 Crore

Stock Exchange Incidents: NSE & BSE Threat Landscape, severity: high
  NSE Daily Attacks: 170 Million
  Op Sindoor Peak: 400 Million/Day
  BSE Data Breach: Nov 2024
  CDSL Investors Exposed: 4.39 Crore (2021)

NPCI Concentration Risk — Single Point of Failure

[Chart: Geographic & Product Concentration (% Traffic)]
Mumbai: 90
Hyderabad: 10
Chennai: 0
Kolkata: 0
Delhi: 0

Geographic Risk: Mumbai Primary + Hyderabad DR Only; 4-8 hour DR failover gap
Product Concentration: UPI + IMPS + RuPay + AePS + NACH, all on the same switch infrastructure
Staffing Risk: 800-1,000 Employees vs PayPal 30,000+ for a fraction of the volume

UPI Fraud Escalation — 250% Growth (2021-2024)

[Chart: UPI Fraud Cases & Severity (2021-2024)]
+250%: Case Growth
₹2,000 Cr: FY24 Losses
42%: UPI Collect Scams
11+: States Affected

CBS Platform Risk — Black-Box Dependency

Finacle (Infosys)
  Threat Level: CRITICAL (immediate action required)
  Banks: SBI, PNB, BoB, Canara, OBC, UBI
  Coverage: 60% of assets
  Control: Indian (Infosys)
  Issues: Auth bypass CVE-2018-13889, SQL injection, patch chain delays

Flexcube (Oracle/TCS)
  Threat Level: CRITICAL (immediate action required)
  Banks: ICICI, Yes Bank, Axis, IndusInd
  Coverage: 25% of assets
  Control: US (Oracle)
  Issues: Oracle WebLogic exploitation chain (CVE-2020-14750), US foreign control

BaNCS (TCS)
  Threat Level: HIGH (significant threat detected)
  Banks: Union Bank, Bank of India, IDBI, PNB
  Coverage: 15% of assets
  Control: Indian (TCS)
  Issues: Oracle DB inheritance, patch chain delays, vendor lock-in
Foreign Vendor Control — National Security Concern

Oracle Flexcube (used by ICICI, Yes Bank, Axis) places US-based Oracle in control of core banking infrastructure. All three platforms are closed-source — Indian banks cannot independently audit code running their most critical systems.

Fund Flow & Money Laundering Networks

[Diagram: Cosmos Bank Lazarus Cash-Out; nodes: Malware, Cosmos ATM Switch, Cloned Cards (12K), India ATMs, Global ATMs, INR 94.35 Cr; edge: Withdraw]
[Diagram: UPI Fraud Syndicate Network; nodes: CSC Operators, Mule Accounts (1,200+), UPI Fraud, Cash Out; edge: Create]

Cosmos Bank (Aug 2018): 408 ATMs across 5 countries; 4-hour coordinated attack
UPI Fraud Syndicates: 1,200+ mule accounts; networks across 11+ states
PMFBY Fraud: Rs 160+ crore; UP, Rajasthan, Haryana

NSE Attack Volume — Op Sindoor Escalation

[Chart: NSE Daily Attack Volume (Million/day)]
170M: Normal Daily
400M: Op Sindoor Peak
235%: Increase
40 Cr: 10-15 min peak

Financial Crime Infrastructure — Cross-System Risk

[Diagram: ED-FIU-GST-PAN Data Flow; nodes: ED ECMS, FIU-IND (goAML), GST Portal, PAN Database (800M), SFB Systems, Aadhaar Auth, CBS Banks, STR/CTR Reports; edges: Queries, CTRs/STRs, Links, KYC, Auth, CTR/STR, Transactions, GST Data]

ED ECMS
  Threat Level: CRITICAL (immediate action required)
  Windows Server 2008 EOL (no patches since 2020)
  Chinese APT intrusion attempts (2023)
  Third-party vendor access: 4 months undetected

FIU-IND (goAML)
  Threat Level: HIGH (significant threat detected)
  Single point of failure: goAML platform
  SMS OTP vulnerability (SIM swap)
  No security testing since 2022 UNODC upgrade

PAN Database
  Threat Level: CRITICAL (immediate action required)
  800 million PAN cards, no rate limiting
  2019 API vuln: 600M exposed for ~8 months
  Cross-linkage explosion from a single breach

Insurance Sector Breach Severity — FY2024-25 Record Year

[Chart: Breach Severity Matrix, score on a 0-100 scale]
Star Health: 88
HDFC Life: 72
Tata AIG: 75
Allianz Life: 58
ICICI Lombard: 42

31M: Star Health
16M: HDFC Life
340GB: Tata AIG
7TB: Star Health Vol
$6.9M: HDFC Ransom

Major Financial Breaches Timeline (2011-2025)

[Timeline: Financial Sector Incident Timeline, Q1 2011 to 2025]
Cosmos Bank Heist
PMC Bank Fraud
PNB-Nirav Modi
BoB NRI Breach
Yes Bank Crisis
SIDBI Data Breach
CDSL 43.9M Exposure
CDSL Malware
HDFC Bank API
AU SFB 3.5M
Star Health 31M
BSE Data Theft
HDFC Life 16M
Tata AIG 340GB
NSE Op Sindoor
PMFBY Fraud

Small Finance Banks — Security Maturity vs Risk Exposure

[Chart: SFB Security Controls Matrix, score on a 0-100 scale]
AU SFB: 40
Equitas SFB: 36
Ujjivan SFB: 38
Jana SFB: 30
ESAF SFB: 32
Capital SFB: 44
150M Customers at Risk
Small Finance Banks serve predominantly rural and underserved populations with minimal IT security infrastructure. IT security budget is 0.5-1% of operating expenses vs 1.5-2% at major banks.
Structural Underfunding
No threat intelligence sharing infrastructure. Jana SFB paid ransom — threat actor unknown. Limited incident response capability and no dedicated CERT-In escalation pathways.

Payment System Risk vs Transaction Volume

[Chart: Risk Score vs Monthly Volume (Billion Transactions)]

UPI Fraud Type Breakdown

[Chart: Fraud Distribution by Type]
Fraud Type Details
UPI Collect Scams: 42%
Fake UPI Apps: 23%
SIM Swap Assisted: 18%
Screen Recording: 12%
Social Engineering: 5%

PMFBY Digital Claims Attack Surface

[Diagram: Claims Processing Data Flow; nodes: Land Records DB, CSC Operators, PFMS Portal, Aadhaar Auth, Aadhaar-Linked Accounts, Claim Payout; edges: Verify, Submit, Auth, Link, Disburse, Fraud]

State-Level Fraud Risk

Rajasthan
  Threat Level: CRITICAL (immediate action required)
  Amount: ₹122 Cr; Claims: 4,453; Villages: 12
Uttar Pradesh
  Threat Level: CRITICAL (immediate action required)
  Amount: ₹40 Cr; Claims: 2,100; Villages: 8
Haryana
  Threat Level: HIGH (significant threat detected)
  Amount: ₹0 Cr; Claims: 4,453; Villages: 5
Maharashtra
  Threat Level: MEDIUM (elevated awareness warranted)
  Amount: ₹15 Cr; Claims: 890; Villages: 4
Karnataka
  Threat Level: MEDIUM (elevated awareness warranted)
  Amount: ₹8 Cr; Claims: 450; Villages: 3
Jhansi Case Study

Village with 96 farmers had 467 claimants. CSC operators created fictitious farmer identities with fake land records, then routed payments through mule bank accounts. Total fraud: Rs 40+ crore in single district.

SOC Compliance Status — PSU Banks

SBI: 65% (Partial)
PNB: 42% (Below Minimum)
BoB: 55% (Partial)
Canara: 48% (Below Minimum)
Union: 52% (Partial)
RBI Internal Audit Finding

Only 30% of PSU banks are fully compliant with RBI's IT Security framework. Gap between documentation compliance and actual detection capability is significant. UCBs (1,500+) have 67% below-minimum IT security with no detection capability.

Financial Sector Attack Surface Overview

[Chart: Attack Surface vs Resilience by Sector]
PSU Banking Attack Surface: 88%
UPI Attack Surface: 95%
Financial Crime Infrastructure: 85%

Bank Vulnerability Assessment Matrix

[Chart: Security Control Gaps by Institution Type, score on a 0-100 scale]
PSU Banks: 76
Private Banks: 64
SFBs: 68
UCBs: 78
Control dimensions plotted: CBS_Patch (CBS Patch State), ThirdParty (Vendor Access), SOC_Maturity (SOC Capability), ATM_Seg (ATM Segmentation), UPI_Risk (UPI Exposure)

FIU-IND Report Volumes — 2.3 Billion CTRs Annually

[Chart: Annual Report Submissions]

RESTRICTED - For Official Circulation Only
Financial Infrastructure Intelligence Report