Hack attack on Westpac PayID exposes data of 100,000
June 4, 2019
Financial institutions and health care facilities are by far and away the most attractive and attacked sites for hackers. Accessing personal information to permit access to and transfer of funds from financial institutions is an obvious attraction. Health facilities as a matter of course collect names, addresses, dates of birth, insurance information, government identifiers and oftentimes credit card information. That accumulation of data in one place, which depressingly is what health facilities usually do, permits a hacker to sell that information on the dark web or embark on identity theft himself (most hackers, based on evidence to date, being male).
Westpac has suffered a data breach as reported in Almost 100,000 Australians’ private details exposed in attack on Westpac’s PayID. The aim, partially achieved, was to access personal information for later use in committing acts of fraud.
There are three interesting aspects to the story. The first is that details of the attack became public only because someone close to or in Westpac, NPP or both posted details as an item of interest on Whirlpool. The second is that the attack highlights the vulnerability of apps and other services designed for quick and easy use of banking facilities. There is often a trade-off, at least in the developer's mindset, between ease of use and protection from hacking. Apps are often weak links in data security. The third issue is that the Information Commissioner is staying well in the shadows even though, as a regulator, she should be having something to say about the breach and trying either to turn it into an educational experience or a target of enforcement. After all, how is it that a hack on such an obviously tempting target occurred? At that level there should be a thorough examination. These things just don't happen if there is proper training and adequate resources put into data security, with the site being stress-tested regularly. There is a real problem which is not being aired and is probably not going to be properly investigated if the Information Commissioner adopts her usual timid placate-rather-than-regulate approach.
The article provides:
The private details of almost 100,000 Australian bank customers have been exposed in a cyber attack on the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or email address.
The attack on Westpac, which also affects customers from other banks, has prompted a warning from computer security experts who say that the pilfered data could be used for fraud.
Unknown to many Australians, PayID operates like a telephone book, allowing anyone to type in a mobile number or email address and have it confirm the name of the corresponding account holder. This allows for what security experts call an “enumeration attack”, whereby numbers can be changed at random to find the names and mobile numbers of thousands of Australians.
Experts say that with access to these details, fraud could be committed on a mass scale.
“NPPA can’t comment on individual banks and any issues at their level,” a spokeswoman said.
However, she said that participating financial institutions were “required to have measures in place to monitor PayID use for unusual activity and ensure PayID is not used by customers or customer applications to mine data for fraudulent purposes”.
“It’s also important to remember that PayID has been designed to provide more reassurance during the payments process,” the spokeswoman said. “It enables a payer to see the name associated with the PayID to reduce the risk of a mistaken payment or scam.”
The Privacy Commissioner would not confirm whether Westpac had informed it of the matter.
“Where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter,” a spokeswoman said. “In line with our regulatory action policy, we do not generally comment about specific incidents.”
Banks have been under pressure from the Reserve Bank to roll out PayID to customers more quickly, after it was launched last year. But it was not initially offered by all of the big four.
The service, which uses the New Payments Platform infrastructure, allows money to be transferred in near real-time between customers of either the same or different banks.
Troy Hunt, an Australian security consultant who runs the popular haveibeenpwned.com website that alerts its users when their data has been breached online, said there was often a fine line between a feature and a security or privacy risk. Such was the case in this instance, he said.
“In this case, the convenience of PayID is clear,” he said. “What’s less clear is whether users of the service are willing to accept the privacy trade-off. I suspect that most people are unaware of the potential disclosure of their personal information in this fashion.”
The incident came amid a warning from the financial regulator of the growing cyber threats to financial businesses and the risks they pose in potentially further destroying already battered financial institutions’ reputations.
“With financial sector trust damaged, it only takes one media expose or social media outcry to cause a company serious financial damage, often in the space of days or hours, rather than weeks or months,” Australian Prudential Regulation Authority deputy chair John Lonsdale warned in a speech on Monday.
In February 2018, the NPP was forced to address concerns the service could be used to look up any Australian’s details. It confirmed this was possible but said using PayID was a user’s choice.
“We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues,” it said then. “While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.”
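As an added illustration, not part of the quoted article or this post, of the "measures in place to monitor PayID use for unusual activity" the NPPA spokeswoman describes: a simple detector run over a constructed lookup log, flagging any client whose lookups in a sliding window are numerous, mostly unmatched and almost all distinct, which is the fingerprint of the random-number enumeration the article describes. Every log line, client name and threshold below is a constructed assumption, not Westpac or NPP data.

```python
from collections import defaultdict

# Constructed sample lookup events (no real customers):
# (epoch_seconds, client_id, queried_mobile, name_was_returned)
SAMPLE_LOG = [
    (1000, "app-legit", "0412000001", True),   # a payer confirming a known payee
    (1300, "app-legit", "0412000002", True),
    (1900, "app-legit", "0412000001", True),
] + [
    # a client firing a lookup every few seconds at unrelated numbers, almost all unmatched
    (2000 + 4 * i, "app-miner", f"04{(7919 * i) % 100_000_000:08d}", i % 25 == 0)
    for i in range(120)
]

WINDOW_SECONDS = 600      # sliding window length
MAX_LOOKUPS = 30          # more lookups than this per window is suspicious on its own
MIN_MATCH_RATE = 0.5      # fewer confirmed names than this fraction suggests guessing
MIN_DISTINCT_RATIO = 0.8  # near-unique identifiers suggest sweeping, not repeat payees


def flag_enumeration(events, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS,
                     min_match_rate=MIN_MATCH_RATE, min_distinct_ratio=MIN_DISTINCT_RATIO):
    """Return {client_id: reason} for clients whose lookups in any window look like enumeration."""
    per_client = defaultdict(list)
    for ts, client, queried, matched in sorted(events):
        per_client[client].append((ts, queried, matched))

    flagged = {}
    for client, rows in per_client.items():
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most `window` seconds
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) <= max_lookups:
                continue
            match_rate = sum(1 for _, _, m in win if m) / len(win)
            distinct_ratio = len({q for _, q, _ in win}) / len(win)
            # high volume alone is not enough: a payroll run re-checks known payees and matches every time
            if match_rate < min_match_rate and distinct_ratio >= min_distinct_ratio:
                flagged[client] = (f"{len(win)} lookups in {window}s, match rate {match_rate:.2f}, "
                                   f"distinct ratio {distinct_ratio:.2f}")
                break
    return flagged


if __name__ == "__main__":
    for client, reason in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {reason}")
```

A production version would key the same statistics on the customer or API credential behind each lookup and feed the flag into the bank's fraud case management rather than only printing it.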