The PayID real-time banking system owned by Australian financial institutions through the New Payments Platform (NPP) has been the victim of hacker misuse twice this year, highlighting just how vulnerable the nation’s real-time payments infrastructure is.
As with any security incident, it doesn’t take much for confidence in the system to be compromised. Many of us depend on this payments technology to get money into our bank accounts more quickly and we are entitled to believe that our banking records and money are secure.
PayID allows payments to be made in real-time between banking accounts. Payments provider Cuscal confirmed in August that cyber criminals had accessed the PayID details of around 92,000 customers in the payment system of its client, Credit Union Australia (CUA). Hackers were able to harvest PayID details linked to NPP users, including mobile phone numbers and account data, such as account holders’ names and numbers.
Although the August incident involved customers of the big four banks (NAB, CBA, ANZ and Westpac), Westpac was also the victim of a similar incident in June this year when hackers retrieved details of 98,000 PayIDs by undertaking 600,000 account lookups over six weeks.
All NPP participants, from the NPPA itself to payments provider Cuscal and its financial institution clients, are responsible for protecting customers against fraud and keeping their personal details and money secure. Although the stolen data cannot be directly used for fraud, it opens opportunities for further criminal activity, including the sale of personal data and targeted phishing.
Even simple measures such as a limit on the number of PayID lookups an individual can make or machine learning techniques that identify unusual patterns should have been in place to protect users’ data from the date that PayID was launched, and definitely after the June breach this year.
PayID provides a way for consumers to enter a more convenient identifier such as a mobile phone number or email address to make online payments. Once entered, the user is presented with the account name of the recipient to allow confirmation of the destination account.
On its own, this is a reasonable mechanism and there is less scope for human error than using bank account and BSB numbers. But it was misused when hackers identified that entering sequential phone numbers would allow for a ‘reverse phonebook’, that is, with enough attempts it is possible to list valid PayID phone numbers and their associated account holders.
The problem in both instances was that the systems implemented by the relevant financial institutions did not detect the repeated lookups being attempted. Even a simple mechanism to limit the total number of lookups per session would have significantly limited the extent of the attack. As the PayID system was designed for consumers, it should have been built to restrict (or at least alert on) large numbers of lookups.
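To make the two controls discussed above concrete, here is an added example (not code from NPP Australia, Cuscal or any participating bank) of a simulated alias-lookup service with a per-session lookup cap and a simple enumeration detector. The directory entries, session identifiers and thresholds are constructed for illustration; the sequential-alias check is a deliberately basic stand-in for the kind of unusual-pattern detection the article mentions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample alias directory (phone-number alias -> account holder name).
# These numbers and names are made up for this example.
DIRECTORY = {
    "0400000001": "A. Example",
    "0400000003": "B. Example",
    "0400000007": "C. Example",
}


@dataclass
class SessionState:
    """Per-session counters the lookup service needs for its controls."""
    lookups: int = 0                                                  # total lookups this session
    recent: deque = field(default_factory=lambda: deque(maxlen=20))   # last aliases requested
    flagged: bool = False                                             # enumeration pattern seen


class LookupService:
    """Alias-to-name lookup with a per-session cap and enumeration detection.

    Two controls:
      * per_session_limit: hard cap on lookups per session (rate limiting);
      * sequential_threshold: if this many consecutive requests are numeric
        aliases that increase by exactly one each time, the session is flagged,
        all further lookups are refused, and an alert is recorded for review.
    """

    def __init__(self, directory, per_session_limit=10, sequential_threshold=5):
        self.directory = directory
        self.per_session_limit = per_session_limit
        self.sequential_threshold = sequential_threshold
        self.sessions = defaultdict(SessionState)
        self.alerts = []  # (session_id, reason) pairs for downstream alerting

    def _looks_sequential(self, recent):
        """True if the last `sequential_threshold` aliases are consecutive integers."""
        n = self.sequential_threshold
        if len(recent) < n:
            return False
        window = list(recent)[-n:]
        if not all(a.isdigit() for a in window):
            return False
        values = [int(a) for a in window]
        return all(b - a == 1 for a, b in zip(values, values[1:]))

    def lookup(self, session_id, alias):
        """Return {"status": ..., "name": ...}; name is only populated on "ok"."""
        state = self.sessions[session_id]
        # Count every attempt, including ones that will be refused, so a caller
        # cannot stay under the cap by making requests that fail.
        state.lookups += 1
        state.recent.append(alias)

        if state.flagged:
            return {"status": "blocked", "name": None}
        if state.lookups > self.per_session_limit:
            return {"status": "rate_limited", "name": None}
        if self._looks_sequential(state.recent):
            state.flagged = True
            self.alerts.append((session_id, "sequential alias lookups"))
            return {"status": "blocked", "name": None}

        name = self.directory.get(alias)
        return {"status": "ok" if name else "not_found", "name": name}


if __name__ == "__main__":
    svc = LookupService(DIRECTORY)
    # A normal consumer confirms one recipient before paying.
    print(svc.lookup("consumer", "0400000003"))
    # A session walking consecutive numbers is cut off once the pattern appears.
    for i in range(1, 7):
        print(svc.lookup("walker", f"04000000{i:02d}"))
    print(svc.alerts)
```

The counter is incremented before any check so that refused requests still consume the session's allowance, and once a session is flagged it stays blocked rather than being re-evaluated on each call. In a real deployment the alert list would feed a monitoring pipeline and the cap would also be applied per source address and per account, not only per session.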
NPP Australia has said it has taken steps to increase its cyber security since June, stating that it had “recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended”.
Its policy to increase requirements for financial institutions using their platform is an approach that places the responsibility with the banks. While this may be a legitimate approach for the NPP, consumers will not differentiate where liability may lie. NPP also reserves the right to withdraw access to PayID or apply penalties for breaches of security. This would, however, offer little consolation to users affected by these recent incidents who would simply want to know where responsibility for avoiding the breaches lay.
Cuscal has said that following the August breach, “technology changes were made by the client [CUA] immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by hackers”.
The prompt response of the various organisations involved is laudable but still leaves open the question of how such seemingly obvious oversights could have occurred. While it is impossible to eliminate all risks to IT systems, organisations should strive to minimise their exposure to attack and ensure that new systems are thoroughly tested before being implemented.
Designing in security from the beginning is an important aspect of all new systems and services. Security can rarely be implemented effectively in retrospect, and these examples of the PayID system being so easily compromised show the dangers of rushing to roll out functionality without adequate risk analysis being undertaken.
Associate Professor Paul Haskell-Dowland is the Associate Dean for Computing and Security in the School of Science at Edith Cowan University and is an associate member of the Centre for Security, Communications & Network Research at Plymouth University (UK). Paul has delivered keynotes, invited presentations, workshops, professional development/training and seminars across the world for audiences including Sri Lanka CERT, ITU and IEEE. He has more than 20 years of experience in cyber security research and education in both the UK and Australia.