Why Banks Can’t Just Bank on bank.in
- VENUGOPAL PARAMESWARA
- 5 days ago

The RBI mandated that all Indian banks migrate their official websites and digital banking portals to the exclusive “.bank.in” domain by October 31, 2025. The RBI’s “.bank.in” domain mandate is a strategic response to a rapidly evolving cyber threat environment targeting digital banking in India. By centralizing domain control, restricting registrations to regulated banks, and enforcing renewed cybersecurity rigor, India aims to build a trusted digital ecosystem and reduce the massive volume of phishing and spoofing fraud that impacts customer confidence and the integrity of the financial sector. RBI also mandated
Indian banks demonstrated strong compliance and adoption of the “.bank.in” mandate. According to RBI and industry reports, over 90% of scheduled banks completed migration by the deadline, with ongoing efforts for smaller regional and cooperative banks.
The Pitfalls of Set-It-and-Forget-It Security
One might think, “We signed that DNS record, installed those certificates, that should be enough.” Not quite. DNSSEC and TLS require continuous care:
DNSSEC signatures need timely renewal and key rollovers to remain valid.
TLS certificates must never expire unnoticed, and configurations must be secured against downgrades and vulnerabilities.
Misconfigurations or lapses here lead to failed validations, browser warnings, or invisible man-in-the-middle attacks that erode user trust.
Hence, migrating to the RBI-mandated “.bank.in” domain, while a critical step, is not sufficient on its own to ensure robust cybersecurity for Indian banks’ digital presence.
Cyber adversaries continually develop new attack methods that can bypass simple domain-level protections, including DNS hijacking via registrar compromise, non-DNS-based phishing, certificate mis-issuance, or man-in-the-middle attacks.
Banks need a multi-pronged, proactive monitoring approach:
Continuous DNSSEC Validation: There are tools that automatically verify the integrity of DNSSEC signatures end-to-end, sending real-time alerts on anomalies or expiring keys (e.g. DNSViz or ThousandEyes).
Certificate Health Checks: Automated scans track certificate validity, expiration, trust chain correctness, and revocation statuses. Alerts are triggered well before expiration deadlines to ensure seamless renewal.
Registrar and Infrastructure Audits: Vigilant access control with multi-factor authentication, combined with regular auditing of DNS and certificate management processes, prevents insider threats and configuration drift.
Integration with Security Dashboards: Feeding these checks into Security Information and Event Management (SIEM) platforms enables correlation with other threat signals for comprehensive situational awareness.
User Awareness Campaigns: Educating customers on checking secure URLs and certificate indicators complements technical measures for phishing prevention.
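The DNSSEC and certificate checks in this list come down to watching expiry windows and turning them into events a SIEM can ingest. The Python below is an added example, not code from this article or from any tool it names; the host example.bank.in, the alert thresholds, and the sample `dig +dnssec` answer and certificate fields are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone, timedelta

# Alert thresholds are assumptions; tune them to your re-signing and renewal cadence.
RRSIG_WARN = timedelta(days=3)
CERT_WARN = timedelta(days=21)

def _status(expires, now, warn):
    if expires <= now:
        return "expired"
    return "expiring" if expires - now <= warn else "ok"

def rrsig_findings(dig_answer, now):
    """Turn RRSIG lines (the text format printed by `dig +dnssec`) into events."""
    findings = []
    for line in dig_answer.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue  # not a signature record
        # owner ttl class RRSIG covered alg labels origttl expiration inception keytag signer sig
        exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        inc = datetime.strptime(f[9], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        # A signature whose inception lies in the future fails validation too.
        status = "not_yet_valid" if inc > now else _status(exp, now, RRSIG_WARN)
        findings.append({"check": "rrsig", "name": f[0], "covers": f[4],
                         "key_tag": int(f[10]), "expires": exp.isoformat(),
                         "status": status})
    return findings

def cert_finding(host, peercert, now):
    """peercert is the dict returned by ssl.SSLSocket.getpeercert()."""
    ts = ssl.cert_time_to_seconds(peercert["notAfter"])
    exp = datetime.fromtimestamp(ts, timezone.utc)
    return {"check": "tls_cert", "name": host, "expires": exp.isoformat(),
            "status": _status(exp, now, CERT_WARN)}

# Constructed sample input (hypothetical host, dummy signature data), not real records.
SAMPLE_DIG = """\
example.bank.in. 3600 IN A 192.0.2.10
example.bank.in. 3600 IN RRSIG A 13 3 3600 20251102000000 20251019000000 12345 example.bank.in. c2FtcGxl
example.bank.in. 3600 IN RRSIG DNSKEY 13 3 3600 20251120000000 20251019000000 54321 example.bank.in. c2FtcGxl
"""
SAMPLE_CERT = {"notAfter": "Nov 15 12:00:00 2025 GMT"}

if __name__ == "__main__":
    now = datetime(2025, 10, 31, tzinfo=timezone.utc)
    events = rrsig_findings(SAMPLE_DIG, now)
    events.append(cert_finding("example.bank.in", SAMPLE_CERT, now))
    for event in events:
        print(event)  # one dict per check, ready to serialize for a SIEM
```

In production the inputs would come from a validating resolver query and a live TLS handshake rather than embedded samples, and this check only reads the validity windows; it does not verify the signatures or the chain of trust.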
The RBI’s bank.in migration is a giant leap for Indian banks, but a domain secured in name is not a fortress in fact unless monitored constantly. If you don’t watch your DNSSEC signatures and TLS certificates closely, it is like locking your front door but leaving the windows open.




