RBI Cyber Security policy .bank.in and .fin.in

The Reserve Bank of India (RBI), in its latest cyber security policy released on 7th February 2025, has mandated that all banks use .bank.in and that non-banks (other financial institutions) use .fin.in. The goal of the measure is to curb phishing attacks against citizens of India.


Figure 1: Snippet of RBI’s Cybersecurity policy

Notably, the Institute for Development and Research in Banking Technology (IDRBT) will be the registrar for the parent domain names (.bank.in and .fin.in).

Technical details

In DNS terms, I am guessing that IDRBT would control the parent zones bank.in and fin.in and delegate, for example, icici.bank.in to ICICI Bank's authoritative nameservers.

Similarly, zerodha.fin.in would be delegated to Zerodha's authoritative nameservers.

IDRBT would thus control the namespace and delegate each child zone to the respective bank or financial institution.


Figure 2: Diagrammatic representation of possible delegation of bank.in and fin.in domain namespace

Limitations of the cyber security policy

In my opinion, this is an excellent move at the policy level from a cybersecurity perspective. There will be operational challenges from the perspective of the banks or financial institutions. I will reserve them for another blog post.

However, this measure will not eliminate all types of phishing/impersonation, typo-squatting or domain shadowing attacks.

Despite this, the RBI Cyber Security Policy aims to build trust in the namespace by restricting domain names for banks and non-banks to .bank.in and .fin.in, respectively. From a consumer’s perspective, this simplifies decision-making. As I mentioned earlier, this won’t eliminate all threats, but it is a good start and certainly better than the common advice banks give—checking for the padlock to ensure a website uses HTTPS!
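To make the delegation picture and the look-alike caveat concrete, here is an added Python example (not code from the original post, and not RBI's or IDRBT's). It models the chain root → in → bank.in/fin.in → bank zone as a small delegation table and walks it the way a resolver would, then classifies a hostname as regulated only when it ends in the whole labels bank.in or fin.in, so that typo-squatted or shadowed names such as icici-bank.in or icici.bank.in.example are not mistaken for the real namespace. All nameserver names, the delegation records and the sample hostnames are constructed; the real zones at NIXI and IDRBT may differ.

```python
"""Model of the .bank.in / .fin.in delegation chain and a namespace check.

Added example, not from the original post. Nameserver names, delegation
records and sample hostnames are constructed for illustration.
"""
from __future__ import annotations

# Constructed delegation table: zone -> {child label: [NS hostnames]}.
# Each zone only holds NS records for the children it delegates.
DELEGATIONS: dict[str, dict[str, list[str]]] = {
    ".": {"in": ["ns1.registry.in.example"]},              # root -> .in (NIXI)
    "in": {"bank": ["ns1.idrbt.example"],                   # .in -> IDRBT
           "fin": ["ns1.idrbt.example"]},
    "bank.in": {"icici": ["ns1.icicibank.example"]},        # IDRBT -> ICICI Bank
    "fin.in": {"zerodha": ["ns1.zerodha.example"]},         # IDRBT -> Zerodha
}

# RBI category per regulated suffix (from the policy described above).
REGULATED = {"bank.in": "bank", "fin.in": "non-bank financial institution"}


def delegation_chain(name: str) -> list[tuple[str, list[str]]]:
    """Walk from the root down to the deepest delegated zone for `name`.

    Returns [(zone, nameservers), ...] in resolution order; e.g. for
    "www.icici.bank.in" that is in, bank.in, icici.bank.in.  The walk
    stops where no further delegation exists, since the bank's own
    authoritative servers answer for everything below their zone.
    """
    labels = name.rstrip(".").lower().split(".")
    chain: list[tuple[str, list[str]]] = []
    zone = "."
    for label in reversed(labels):
        children = DELEGATIONS.get(zone, {})
        if label not in children:
            break
        zone = label if zone == "." else f"{label}.{zone}"
        chain.append((zone, children[label]))
    return chain


def regulated_category(hostname: str) -> str | None:
    """Return the RBI category a hostname falls under, or None.

    The match is on whole trailing labels, so "icici.bank.in" and
    "www.icici.bank.in" qualify, while look-alikes such as
    "icici-bank.in", "icicibank.in" or "icici.bank.in.example" do not.
    The parent "bank.in" itself is not a bank site and returns None.
    """
    labels = hostname.rstrip(".").lower().split(".")
    for suffix, category in REGULATED.items():
        s = suffix.split(".")
        if len(labels) > len(s) and labels[-len(s):] == s:
            return category
    return None


if __name__ == "__main__":
    for host in ["www.icici.bank.in", "zerodha.fin.in",
                 "icici-bank.in", "icici.bank.in.example"]:   # constructed
        zones = " -> ".join(z for z, _ in delegation_chain(host))
        print(f"{host:28} chain: {zones or '(none)':40} "
              f"category: {regulated_category(host)}")
```

The classification is what a browser extension, mail gateway or security awareness tool could use to tell a customer "this host is inside the RBI namespace"; the point of the look-alike cases is that suffix matching must be done on whole labels, not with a substring search for "bank.in".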

At the time of writing, the delegation from .in at NIXI to IDRBT was not yet operational.


Figure 3: Delegation of bank.in and fin.in not yet implemented at NIXI

Note that implementation of the RBI cyber security policy starts from April 2025 onwards.


RPZ Feed list: OSINT Threat Intelligence for DNS Security

This page lists OSINT DNS RPZ Feeds for recursive resolvers to enhance security by blocking malware, phishing, and C2 domains. Submit your RPZ feed if it’s not listed.

Response Policy Zones (RPZ), also known as DNS Firewall or Protective DNS (thanks, CISA), are a solid way to use the DNS protocol as a defense. For a primer on DNS RPZ, please see the blog post.

URLhaus Abuse.ch – Primarily malware domain names

CERT.pl – Phishing domain names targeting Polish citizens

YOYO – Advertisement domain names

StevenBlack hosts – Advertisement domain names & others (malware, gambling, porn)
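The feeds above come in two common shapes, hosts-file lines ("0.0.0.0 domain") and bare domain lists, and a resolver cannot load either directly. As an added example (not code from this page or from any of the listed feed projects), the Python below turns such a feed into RPZ zone text with the NXDOMAIN action ("CNAME .") and then simulates the resolver's policy lookup, including the wildcard rule. The feed contents, the zone name rpz.local.example and every domain in it are constructed.

```python
"""Build a DNS Response Policy Zone (RPZ) from a domain feed and apply it
the way a recursive resolver would.

Added example, not from the original page or any listed feed. The feed
text and the zone name are constructed. Encoding follows the RPZ draft
(draft-vixie-dnsop-dns-rpz): a QNAME trigger is the domain as an owner
name inside the policy zone, and the action "CNAME ." means NXDOMAIN.
"""
from __future__ import annotations
import re

ZONE = "rpz.local.example"                       # constructed zone name
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample feed mixing the formats real feeds use: hosts-style
# lines, bare domains, comments, a duplicate, a wildcard and a bad label.
SAMPLE_FEED = """\
# constructed feed for the example
0.0.0.0 malware-c2.example
127.0.0.1 phish-login.example   # hosts-style line
phish-login.example             # same name again in bare form
*.tracker-cdn.example           # wildcard: every subdomain
bad_underscore.example          # rejected: '_' is not a valid label char
"""


def valid_domain(name: str) -> bool:
    """RFC 1035 hostname syntax: labels of [a-z0-9-], max 63 each, 253 total."""
    return len(name) <= 253 and all(LABEL.match(lab) for lab in name.split("."))


def parse_feed(text: str) -> list[str]:
    """Return deduplicated, validated trigger names in feed order.

    A leading "*." is preserved to mark a wildcard trigger.
    """
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts-file form "<ip> <domain>" vs. bare "<domain>"
        name = parts[1] if len(parts) == 2 and IPV4.match(parts[0]) else parts[0]
        bare = name[2:] if name.startswith("*.") else name
        if not valid_domain(bare) or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def rpz_zone(triggers: list[str], serial: int = 2025020701) -> str:
    """Render zone text: SOA, NS, then one NXDOMAIN rule per trigger."""
    lines = [
        f"$ORIGIN {ZONE}.",
        f"@ 3600 IN SOA ns.{ZONE}. hostmaster.{ZONE}. {serial} 3600 900 604800 60",
        f"@ 3600 IN NS ns.{ZONE}.",
    ]
    lines += [f"{t} 60 IN CNAME ." for t in triggers]
    return "\n".join(lines) + "\n"


def policy_action(triggers: list[str], qname: str) -> str:
    """Simulate the resolver: exact QNAME trigger first, then a wildcard
    trigger on any ancestor; otherwise the query passes through."""
    q = qname.rstrip(".").lower()
    tset = set(triggers)
    if q in tset:
        return "NXDOMAIN"
    labels = q.split(".")
    for i in range(1, len(labels)):
        if "*." + ".".join(labels[i:]) in tset:
            return "NXDOMAIN"
    return "PASSTHRU"


if __name__ == "__main__":
    rules = parse_feed(SAMPLE_FEED)
    print(rpz_zone(rules))
    for q in ["phish-login.example", "cdn1.tracker-cdn.example",
              "www.malware-c2.example"]:          # constructed queries
        print(f"{q:28} -> {policy_action(rules, q)}")
```

One design point worth noticing in the simulated lookup: a bare trigger such as malware-c2.example does not match www.malware-c2.example, and the wildcard *.tracker-cdn.example does not match tracker-cdn.example itself. Feed converters therefore usually emit both forms for each domain; when evaluating a feed, check whether it already does so.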

Why I’m rejoining social media

Hello again! Starting today, I am back on these platforms (Facebook, Twitter, Instagram) after quitting them a long time ago. Here, I am outlining why I am rejoining social media.

I quit these platforms for a number of reasons, and I will not get into them here. If you are interested, I urge you to read the book “The Age of Surveillance Capitalism.”

Image: cover of “The Age of Surveillance Capitalism”

In the past couple of years, aside from building a cyber security company, I have tried my best to educate folks in my network by conducting seminars and workshops about some of the cyber scams and cyber security best practices. Rejoining social media will help me reach a wider audience.

One consistent piece of feedback I have received from many is that awareness of these cyber scams and cyber threats does not spread widely enough.

Considering that fellow Indian citizens lost ₹11,333 crore to cyber scams in the past year (2024) alone, as per data from the Home Ministry’s Indian Cyber Crime Coordination Centre (I4C) division, it’s a no-brainer that awareness and education are the need of the hour, and rejoining social media platforms makes sense.

The figure could be more than ₹11,333 crores, considering folks who haven’t reported the cybercrime.

Considering that, to many, Facebook, Twitter, Instagram etc. are the Internet, it would be foolish not to use these platforms.

I am flipping the switch today by rejoining social media and will be using these social media platforms to share the latest cyber scams and best practices in safeguarding your accounts and data.

If you are following me on any of these platforms, and feel this is noise or spam, please feel free to mute/block me 🙂

If you believe these cyber scams and best practices to counter these need to be amplified and shared with others, please spread the word.

For the nerds reading this: irrespective of how futile this attempt is, I am following OpSec practice by compartmentalizing each website in its own VM 🙂