Published on 26/09/2019 | Written by Jonathan Cotton
Pay by e-mail (or mobile) provider advises caveat emptor…
If the multiple data breaches of Australia’s PayID in the last year prove anything, it might be that bank customer phishing is the new bank robbing, as the old fashioned holdup finally gets its digital transformation.
Launched in February 2018, PayID is simple in both principle and practice, bringing 24/7 instant transfers without the need for BSB or account numbers. Link a mobile phone number or email address to your bank account, cough up those details to someone who wants to pay you, and boom, you can receive payments from that party via the mobile app, no cumbersome bank number required.
Since launch, 2.5 million PayID identifiers have been issued, but a year and a half on, it’s been a rocky ride from a security perspective at least.
The trouble started early. Before the end of February an apparent flaw in the system was revealed (via Twitter): by entering random phone numbers into the app, curious app surfers are presented with the full name of the PayID account holder.
Sure, no money is getting taken out of anyone’s accounts, and it’s hardly a deal-breaker for customers, but it’s a little troubling nonetheless. More troubling perhaps was the cavalier attitude from PayID, which seemed to suggest that PayID users concerned with the privacy hole should take it or leave it.
“When a person chooses to create a PayID they do so with their full consent, informed by the terms and conditions of their financial institution which outlines how the PayID service operates and should be used,” wrote NPP Australia, the 13-bank alliance behind PayID.
“We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues.
“While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.”
Maybe not the most empathetic bit of corporate writing, but that would have been the end of it, had it not been for the rapid scaling of the issue: in June, a new breach was revealed which saw 98,000 PayID details exposed (collected via several auto-dialing dummy accounts) over the course of six weeks.
“Although this is clearly a very simple attack involving nothing more sophisticated than simple trial and error, it appears the PayID system did not detect the large number of lookups – an average of 14,000 per account – or the speed with which they were undertaken,” says Paul Haskell-Dowland, associate dean of computing and security at Edith Cowan University.
“This high volume of lookups should have raised significant security concerns. While legitimate users could be forgiven for needing a couple of tries to punch in the right number, no one should need thousands of attempts.
“It should have been a simple security step to add lookup limits and to identify this as highly abnormal behaviour. Yet neither the bank concerned nor NPP Australia had implemented mechanisms to detect or prevent this form of misuse.”
In light of the attack, those hoping for an immediate, all-systems security revision would be disappointed. By August another 92,000 PayID details were exposed by different means, this time apparently revealing short usernames (eg ‘Susan S.’), BSB numbers and account numbers.
NPP then said it had instructed affected financial institutions to “take the necessary action”, including customer notification and “enhanced due diligence” over affected accounts.
“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended.”
But is it all a storm in a teacup? After all, it’s just a user name and phone number, and money can only be put into these accounts, not taken out, so what’s the real harm?
Simply put, the real risk emerges when information such as that stolen in these PayID breaches is leveraged in phishing attempts that occur further down the track.
And that’s happened already with PayID users receiving emails and text messages requesting the account holder verify their identity. The scammers even used phone number ‘ID spoofing’ software to mimic the official NAB number to make the bogus messages appear to originate from legitimate sources.
“We are urging all customers to be wary of any SMS phishing attempts – for example, a personalised message which looks like a legitimate message from Westpac or another bank, in an attempt to acquire banking credentials and password,” said Westpac in a warning issued to customers.
“Report suspicious emails or scam details to email@example.com, and forward hoax SMS to 0497 132 032 and then delete the message.”
But while the banks are issuing warnings to customers, Haskell-Dowland says the ultimate responsibility lies elsewhere.
“Although bank customers can do little more than think twice before responding to messages, the real power is with the banks,” he says.
“Simply being alert to unusual patterns of behaviour would have prevented these security breaches.
“This is not new territory for financial institutions, who routinely look for unusual patterns in credit card transactions. Perhaps it is time to apply these same concepts in other scenarios and better protect Australia’s banking customers.”
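The two controls Haskell-Dowland describes, lookup limits and watching for abnormal lookup patterns (his comments on the June breach above, and the credit-card analogy here), are cheap to implement against a lookup audit log. The following is an added example and not code from the article, NPP Australia or any participating bank; the log format, the account names, the 10-minute window and the thresholds are assumptions chosen for illustration, and the log lines are constructed. The preventive control refuses to resolve an identifier once an account exceeds its per-window quota; the detective control flags accounts whose lookups come in bursts or mostly fail to resolve, which is how trial-and-error sweeps of random numbers look in a log.

```python
"""Detecting identifier enumeration in PayID-style lookup logs.

Added example: not code from the article, NPP Australia or any bank.
The log format, account names, window and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one lookup per line. 'resolved=1' means the
# lookup returned an account holder's name, 'resolved=0' that it did not.
SAMPLE_LOG = (
    "2019-06-01T10:00:01 acct=cust-0412 target=+61400000001 resolved=1\n"
    "2019-06-01T10:00:40 acct=cust-0412 target=+61400000001 resolved=1\n"
    "2019-06-01T10:02:10 acct=cust-0412 target=+61400000002 resolved=1\n"
) + "".join(
    # 25 lookups of consecutive numbers from one account in under two
    # minutes, most of them unresolved: the shape of a trial-and-error sweep.
    "2019-06-01T11:{:02d}:{:02d} acct=dummy-007 target=+614009{:05d} resolved={}\n"
    .format((i * 4) // 60, (i * 4) % 60, i, 1 if i % 6 == 0 else 0)
    for i in range(25)
)

DEFAULT_WINDOW = timedelta(minutes=10)   # assumed detection window
MAX_LOOKUPS_PER_WINDOW = 10              # assumed per-account limit
MAX_UNRESOLVED_RATIO = 0.5               # assumed tolerance for misses


def parse_lookup_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_text),
        "acct": kv["acct"],
        "target": kv["target"],
        "resolved": kv["resolved"] == "1",
    }


def parse_log(text):
    """Parse a whole log, oldest event first."""
    events = [parse_lookup_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


class LookupRateLimiter:
    """Preventive control: at most max_lookups per account per sliding window."""

    def __init__(self, max_lookups, window):
        self.max_lookups = max_lookups
        self.window = window
        self._history = defaultdict(deque)

    def allow(self, acct, ts):
        recent = self._history[acct]
        while recent and ts - recent[0] > self.window:
            recent.popleft()        # forget lookups that fell out of the window
        if len(recent) >= self.max_lookups:
            return False            # quota hit: do not resolve the identifier
        recent.append(ts)
        return True


def simulate_limiter(events, max_lookups=MAX_LOOKUPS_PER_WINDOW, window=DEFAULT_WINDOW):
    """Replay a log through the limiter; returns {acct: (allowed, denied)}."""
    limiter = LookupRateLimiter(max_lookups, window)
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        counts[e["acct"]][0 if limiter.allow(e["acct"], e["ts"]) else 1] += 1
    return {acct: tuple(c) for acct, c in counts.items()}


def flag_abnormal_accounts(events, window=DEFAULT_WINDOW,
                           max_lookups=MAX_LOOKUPS_PER_WINDOW,
                           max_unresolved_ratio=MAX_UNRESOLVED_RATIO):
    """Detective control: {acct: [reasons]} for accounts whose lookups look
    like enumeration (a burst above the limit, or mostly unresolved)."""
    per_acct = defaultdict(list)
    for e in events:
        per_acct[e["acct"]].append(e)
    flagged = {}
    for acct, evs in per_acct.items():
        peak, start = 0, 0
        for end in range(len(evs)):     # largest burst inside any one window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        unresolved = sum(not e["resolved"] for e in evs) / len(evs)
        reasons = []
        if peak > max_lookups:
            reasons.append(f"{peak} lookups within {window}")
        if unresolved > max_unresolved_ratio:
            reasons.append(f"{unresolved:.0%} of lookups unresolved")
        if reasons:
            flagged[acct] = reasons
    return flagged


def analyse_sample():
    """Run both controls over the constructed log."""
    events = parse_log(SAMPLE_LOG)
    return flag_abnormal_accounts(events), simulate_limiter(events)


if __name__ == "__main__":
    flagged, counts = analyse_sample()
    for acct, reasons in flagged.items():
        print(f"ALERT {acct}: " + "; ".join(reasons))
    for acct, (allowed, denied) in counts.items():
        print(f"{acct}: {allowed} lookups served, {denied} refused by rate limit")
```

On the constructed log the legitimate customer’s three lookups pass untouched, while the dummy account is served only its first ten lookups and is flagged on both signals. The unresolved-ratio check matters because a limit alone can be paced around by spreading lookups across many accounts, as the June collection reportedly was; a high miss rate is a property of guessing, not of volume, and survives that spreading.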
As for the mechanisms that are in place, the NPP says its central infrastructure is certified to the highest data security standards, participating institutions have mandatory data security controls at platform ‘entry points’, and they’re continually tightening security across the ecosystem.
“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem,” said the group in a statement, “we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing endpoint security to ensure that the controls are executed as intended.
“Cybersecurity is an issue of paramount importance to NPP Australia.”
It’s hardly a satisfying conclusion for customers, and those using the PayID product might do well to think carefully about what information they’re comfortable sharing via the product – and to consider the ramifications of the NPP’s seeming ‘caveat emptor’ position on data security.