Almost 100,000 Australians' private details exposed in attack on Westpac's PayID
04 Jun 2019
The private details of almost 100,000 Australian bank customers have been exposed in a cyber attack on the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or email address.
The attack on Westpac, which also affects customers from other banks, has prompted a warning from computer security experts who say that the pilfered data could be used for fraud.
Unknown to many Australians, PayID operates like a telephone book, allowing anyone to type in a mobile number or email address and have it confirm the name of the corresponding account holder. This allows for what security experts call an "enumeration attack", whereby numbers can be changed at random to find the names and mobile numbers of thousands of Australians.
Experts say that with access to these details, fraud could be committed on a mass scale.
The bank confirmed the incident late on Monday but did not say how many Australians had been affected.
"Westpac can confirm we had detected misuse of the [New Payments Platform's] PayID functionality and we took additional preventative actions which did not include a system shutdown," a spokesman said. "No customer bank account numbers were compromised as a result.
"There has been no further inappropriate activity detected."
In a confidential memo obtained by the Sydney Morning Herald and The Age, the bank disclosed information about the incident to Australia's banking and financial industry.
"On 22 May 2019, Westpac noted that a high volume ([around] 600,000) of NPPA PayID lookups was made from 7 compromised Westpac Live accounts," the memo said. "[Around 98,000] of the lookups successfully resolved to a short name and this was displayed to the fraudster.
"Further analysis revealed that the attacks had been occurring since 7 April 2019 (the total number of lookups is [around] 600,000). The attackers are possibly offshore (the ... intelligence of the logins indicates [they are] US-based fraudsters).
"The accounts used appear to have been compromised or set up ... to perform the attack (Westpac conversations with the legitimate owners of the existing accounts used indicates that they are not aware of the attacks or involved in any way)."
The memo went on to say that the attackers had been "trying phone numbers in a semi-sequential manner (i.e. ascending by a few numbers at a time in the high density ranges of Australian phone numbers on issue).
"It appears likely that the numbers are targeted guessing and do not necessarily come from an existing data compromise (however the high hit rate of alias registrations remains somewhat suspicious)."
The attacks were "continuing on a semi-daily basis", the memo said, "but the scale of resolved accounts is now greatly reduced".
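The memo's three observations (a very high lookup volume from a handful of accounts, a low resolve rate of roughly 98,000 names from about 600,000 lookups, and mobile numbers probed in a semi-sequential ascending pattern) are exactly the signals a participating bank's PayID monitoring would need to pick up. The following Python is an added detection example, not Westpac's or NPPA's code: the record layout, the account names, the thresholds and the lookup log are all constructed for illustration.

```python
"""Score PayID-lookup activity per account for enumeration traits.

Three signals, taken from the memo's description of the attack:
  1. volume            - far more lookups than a customer paying a contact needs
  2. low resolve ratio - most guessed numbers do not belong to a registered PayID
  3. sequential aliases - consecutive queries step upward by a few digits at a time
Thresholds are assumed illustrative values; a real deployment would tune them
against the institution's own baseline of legitimate lookup behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    account: str    # customer login that issued the lookup (constructed names)
    minute: int     # minutes since the start of the observation window
    alias: str      # mobile number queried, digits only
    resolved: bool  # True if the lookup returned an account holder's short name


def sequential_fraction(aliases, max_step=5):
    """Fraction of consecutive lookups whose numeric alias rose by 1..max_step."""
    nums = [int(a) for a in aliases if a.isdigit()]
    if len(nums) < 2:
        return 0.0
    steps = [b - a for a, b in zip(nums, nums[1:])]
    hits = sum(1 for s in steps if 1 <= s <= max_step)
    return hits / len(steps)


def score_accounts(lookups, volume_threshold=50, max_resolve_ratio=0.35,
                   min_sequential=0.6, min_for_sequence=10):
    """Group lookups by account and attach the signals each one trips."""
    by_account = {}
    for rec in lookups:
        by_account.setdefault(rec.account, []).append(rec)

    report = {}
    for acct, recs in by_account.items():
        recs.sort(key=lambda r: r.minute)  # order matters for the step analysis
        total = len(recs)
        ratio = sum(r.resolved for r in recs) / total
        seq = sequential_fraction([r.alias for r in recs])

        flags = []
        if total >= volume_threshold:
            flags.append("volume")
            if ratio <= max_resolve_ratio:
                flags.append("low_resolve_ratio")
        if total >= min_for_sequence and seq >= min_sequential:
            flags.append("sequential_aliases")

        report[acct] = {
            "lookups": total,
            "resolve_ratio": round(ratio, 3),
            "sequential_fraction": round(seq, 3),
            "flags": flags,
        }
    return report


def flagged_accounts(report):
    """Accounts that tripped at least one signal, sorted for stable output."""
    return sorted(acct for acct, info in report.items() if info["flags"])


def build_sample():
    """Constructed lookup log: two ordinary customers and one probing account."""
    records = []
    # Ordinary customers: a few lookups against unrelated numbers, all resolving.
    normal = {
        "cust_a": ["0412345678", "0498765432", "0433001122"],
        "cust_b": ["0455667788", "0411223344"],
    }
    for acct, aliases in normal.items():
        for i, alias in enumerate(aliases):
            records.append(Lookup(acct, i * 30, alias, resolved=True))
    # Probing account: 120 lookups stepping up by 1-3 each time, ~15% resolving.
    number = 412000000
    for i in range(120):
        number += 1 + (i % 3)
        records.append(Lookup("probe_1", i, f"0{number}", resolved=(i % 7 == 0)))
    return records


if __name__ == "__main__":
    for acct, info in score_accounts(build_sample()).items():
        print(acct, info)
```

The step check deliberately ignores exact gaps of zero and large jumps, so a customer looking up two unrelated contacts never contributes a "hit", while the semi-sequential pattern the memo describes scores close to 1.0 even when the attacker skips a few numbers at a time.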
Reports of the attack first emerged after user "Two Bob" wrote an ominous message on the online forum Whirlpool, often frequented by insiders of the Australian technology, broadband and banking industry, explaining what they had heard.
"I've heard gossip on the wires that Westpac experienced an event last week that doesn't seem to have made the news," Two Bob wrote at 11.38am on Monday.
"Their NPP service was attacked, [with] an unknown party repeatedly pinging [it] tens of thousands of times, hitting the PayID name lookup service to confirm PayID mobile numbers, each successful request returning the account holder's name associated with the phone number.
"Westpac shut their NPP logon for several hours to stop the attack. Identity theft, much?"
By about 5pm — after The Sydney Morning Herald and The Age contacted Two Bob — the post was edited to remove the details, leaving behind just "I've heard gossip on the wires that ...."
It's unclear who now has pilfered PayID information and what they intend to do with it.
NPP Australia, which runs the New Payments Platform, said it could not comment.
"NPPA can't comment on individual banks and any issues at their level," a spokeswoman said.
However, she said that participating financial institutions were "required to have measures in place to monitor PayID use for unusual activity and ensure PayID is not used by customers or customer applications to mine data for fraudulent purposes".
"It's also important to remember that PayID has been designed to provide more reassurance during the payments process," the spokeswoman said. "It enables a payer to see the name associated with the PayID to reduce the risk of a mistaken payment or scam."
The Privacy Commissioner would not confirm whether Westpac had informed it of the matter.
"Where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter," a spokeswoman said. "In line with our regulatory action policy, we do not generally comment about specific incidents."
Banks have been under pressure from the Reserve Bank to roll out PayID to customers more quickly, after it was launched last year. But it was not initially offered by all of the big four.
The service, which uses the New Payments Platform infrastructure, allows money to be transferred in near real-time between customers of either the same or different banks.
Troy Hunt, an Australian security consultant who runs the popular haveibeenpwned.com website that alerts its users when their data has been breached online, said there was often a fine line between a feature and a security or privacy risk. Such was the case in this instance, he said.
"In this case, the convenience of PayID is clear," he said. "What's less clear is whether users of the service are willing to accept the privacy trade-off. I suspect that most people are unaware of the potential disclosure of their personal information in this fashion."
The incident came amid a warning from the financial regulator about the growing cyber threats to financial businesses and the risk that they could further damage the already battered reputations of financial institutions.
"With financial sector trust damaged, it only takes one media expose or social media outcry to cause a company serious financial damage, often in the space of days or hours, rather than weeks or months," Australian Prudential Regulation Authority deputy chair John Lonsdale warned in a speech on Monday.
In February 2018, the NPP was forced to address concerns that the service could be used to look up any Australian's details. It confirmed this was possible but said using PayID was a user's choice.
"We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues," it said then. "While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID."
Source : The Sydney Morning Herald