Hacked: Banking System "Designed to Provide More Reassurance"

Giulio Saggin
Tuesday 28 November 2023

Around 100,000 Australian bank customers have had their private details breached after a hack on Westpac's PayID, a system "designed to provide more reassurance during the payments process".

As reported in the Sydney Morning Herald, the attack not only compromises Westpac customers, but those of other banks as well, as PayID allows money transfers between customers (almost instantaneously), even if they are with another bank. The system works by allowing one customer to type in an email address or mobile (cell) phone number of another account holder in order to confirm their name.

The downside is that the lookup accepts arbitrary details, phone numbers especially, so cycling through numbers eventually exposes the names (and matching phone numbers) of potential victims.

The Sydney Morning Herald obtained a confidential memo in which Westpac stated they had (on May 22) "noted that a high volume (around 600,000) of PayID lookups were made from seven compromised Westpac Live accounts. [Around 98,000] of the lookups successfully resolved to a short name and this was displayed to the fraudster ... the attacks had been occurring since 7 April 2019 (and) intelligence of the logins indicates [they are] US-based fraudsters."
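The memo's figures (hundreds of thousands of lookups from a handful of accounts, most of which resolved to nothing) are exactly the signal a bank can alert on. The following is an added example of that detection logic, not code from Westpac, NPP Australia or this article; the log format, account names and thresholds are constructed assumptions.

```python
"""Flag accounts whose PayID-style lookup behaviour looks like enumeration.

Constructed example: log format, account ids and thresholds are assumptions,
not any bank's real logging or alerting configuration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, authenticated account, lookup outcome.
# Account A1 fires 100 lookups in one minute, 88 of which resolve to no name
# (the pattern of guessed numbers); account B7 is an ordinary user.
SAMPLE_LOG = (
    ["2019-05-22T10:00:%02dZ acct=A1 result=resolved" % (i % 60) for i in range(12)]
    + ["2019-05-22T10:00:%02dZ acct=A1 result=unresolved" % (i % 60) for i in range(88)]
    + ["2019-05-22T10:00:05Z acct=B7 result=resolved",
       "2019-05-22T10:30:00Z acct=B7 result=unresolved"]
)


def parse(line):
    """Split one constructed log line into (timestamp, account, result)."""
    ts, acct, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            acct.split("=", 1)[1], result.split("=", 1)[1])


def flag_enumeration(lines, window=timedelta(minutes=10), max_lookups=50,
                     max_unresolved_ratio=0.5, min_events=20):
    """Return {account: (total_lookups, unresolved_ratio)} for accounts that
    exceed max_lookups in any sliding window, or (given at least min_events)
    whose share of lookups resolving to no name is above max_unresolved_ratio."""
    per_acct = defaultdict(list)
    for ts, acct, result in sorted(map(parse, lines)):
        per_acct[acct].append((ts, result))
    flagged = {}
    for acct, events in per_acct.items():
        unresolved = sum(r == "unresolved" for _, r in events) / len(events)
        peak, start = 0, 0
        for end in range(len(events)):  # events are already time-ordered
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_lookups or (len(events) >= min_events
                                  and unresolved > max_unresolved_ratio):
            flagged[acct] = (len(events), round(unresolved, 2))
    return flagged
```

The per-account sliding-window count is what a rate limit would enforce in real time; the unresolved ratio catches slower enumeration that stays under the rate limit.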

While intelligence points to the US, it's unclear who exactly the attackers are and what they plan to do with the information.

A spokeswoman for NPP Australia, which runs the New Payments Platform (whose infrastructure PayID uses), said "it's important to remember that PayID has been designed to provide more reassurance during the payments process. It enables a payer to see the name associated with the PayID to reduce the risk of a mistaken payment or scam."

However, Australian security consultant and founder of haveibeenpwned.com, Troy Hunt, said that "there (is) often a fine line between a feature and a security or privacy risk. In this case, the convenience of PayID is clear. What's less clear is whether users of the service are willing to accept the privacy trade-off. I suspect that most people are unaware of the potential disclosure of their personal information in this fashion."

At the start of 2018, concerns were raised with the NPP that the details of PayID users could be obtained in a manner akin to what has occurred. The NPP agreed this could happen but stated that "using PayID was a user's choice."

© 2024 SecAlerts Pty Ltd.