Westpac has confirmed that its PayID lookup function was misused, but says no customer bank account numbers were compromised as a result.
As initially reported by Nine newspapers, Westpac witnessed 600,000 PayID lookups stemming from seven compromised Westpac Live accounts. Citing a memo sent to Australia’s finance community, the report says around 98,000 of the lookups were successfully resolved to a short name and displayed to the “fraudster”.
A Westpac spokesperson said once it became aware of the misuse, the bank took additional preventative actions, which did not include a system shutdown.
“Westpac Group takes the protection of customer data and privacy extremely seriously,” the spokesperson added.
A PayID allows a payment to be made without the banking details that were previously required, the BSB and account number. A PayID is a unique, user-specific identifier registered with the customer's bank and linked to a nominated bank account; it can be a phone number, an email address, or an Australian Business Number (ABN).
It can only be used to put money into an account, not to take money out.
When a payment is made to a PayID, the name registered to that PayID is shown to the payer as part of the confirmation process.
However, this means that the name behind a mobile number can be found simply by entering that number into the lookup, something already possible through the search bar on Facebook, as one example.
No other personal information is stored with the PayID.
According to the Fairfax report, the attackers worked through phone numbers in a semi-sequential manner, using accounts that had been set up purely to conduct the lookups.
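The pattern the report describes (a handful of accounts issuing hundreds of thousands of lookups, numbers tried in near-sequential order, and only around 98,000 of 600,000 lookups resolving to a name, roughly 16%) is the kind of thing a bank's fraud monitoring can spot from its own lookup logs. The detector below is an added example, not Westpac's or the NPP's code; the log format, field names and thresholds are assumptions made for illustration, and the log lines are constructed.

```python
"""Flag accounts whose PayID lookups look like phone-number enumeration.

Added example, not Westpac's or NPP's code. The log format
("timestamp account_id msisdn resolved") and all thresholds are assumptions.
Heuristics mirror the reported pattern: one account issuing many lookups,
numbers tried in near-sequential order, and a low fraction of lookups that
resolve to a registered name.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log (assumed format). acct-1001 walks a number range;
# acct-2002 behaves like a normal customer paying people it knows.
SAMPLE_LOG = """\
2019-05-20T09:00:01Z acct-1001 0412000101 no
2019-05-20T09:00:02Z acct-1001 0412000102 no
2019-05-20T09:00:02Z acct-1001 0412000103 yes
2019-05-20T09:00:03Z acct-1001 0412000104 no
2019-05-20T09:00:03Z acct-1001 0412000106 no
2019-05-20T09:00:04Z acct-1001 0412000107 no
2019-05-20T09:00:04Z acct-1001 0412000108 no
2019-05-20T09:00:05Z acct-1001 0412000109 yes
2019-05-20T09:00:05Z acct-1001 0412000110 no
2019-05-20T09:00:06Z acct-1001 0412000111 no
2019-05-20T09:00:06Z acct-1001 0412000112 no
2019-05-20T09:00:07Z acct-1001 0412000113 no
2019-05-20T09:15:00Z acct-2002 0433998877 yes
2019-05-20T12:30:00Z acct-2002 0455112233 yes
2019-05-20T18:05:00Z acct-2002 0433998877 yes
"""

Event = Tuple[str, str, str, bool]  # (timestamp, account, msisdn, resolved)


@dataclass
class AccountStats:
    account: str
    lookups: int
    resolved: int
    sequential_pairs: int  # consecutive lookups whose numbers are close and increasing

    @property
    def hit_rate(self) -> float:
        return self.resolved / self.lookups if self.lookups else 0.0

    @property
    def sequential_fraction(self) -> float:
        pairs = self.lookups - 1
        return self.sequential_pairs / pairs if pairs > 0 else 0.0


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, msisdn, resolved = line.split()
        events.append((ts, account, msisdn, resolved == "yes"))
    return events


def account_stats(events: List[Event], window: int = 10) -> Dict[str, AccountStats]:
    """Per-account lookup volume, hit count and near-sequential number runs.

    A pair of consecutive lookups counts as sequential when the second number
    is higher than the first by at most `window` (an assumed tolerance that
    still catches 'semi-sequential' walks that skip a few numbers).
    """
    per_account: Dict[str, List[Tuple[str, bool]]] = defaultdict(list)
    for _ts, account, msisdn, resolved in sorted(events):  # chronological order
        per_account[account].append((msisdn, resolved))
    stats: Dict[str, AccountStats] = {}
    for account, rows in per_account.items():
        seq = 0
        for (prev, _), (cur, _) in zip(rows, rows[1:]):
            delta = int(cur) - int(prev)
            if 0 < delta <= window:
                seq += 1
        stats[account] = AccountStats(account, len(rows), sum(r for _, r in rows), seq)
    return stats


def flag_enumerators(stats: Dict[str, AccountStats], min_lookups: int = 10,
                     min_seq_fraction: float = 0.5, max_hit_rate: float = 0.25) -> List[str]:
    """Accounts with high volume and either a sequential walk or a low hit rate.

    Thresholds are assumptions; in production they would be tuned against the
    volume a genuine customer produces in the same period.
    """
    return sorted(a for a, s in stats.items()
                  if s.lookups >= min_lookups
                  and (s.sequential_fraction >= min_seq_fraction or s.hit_rate <= max_hit_rate))


if __name__ == "__main__":
    st = account_stats(parse_log(SAMPLE_LOG))
    for s in st.values():
        print(f"{s.account}: lookups={s.lookups} hit_rate={s.hit_rate:.2f} "
              f"sequential={s.sequential_fraction:.2f}")
    print("flagged:", flag_enumerators(st))
```

On the constructed log, acct-1001 is flagged (12 lookups, 2 hits, every consecutive pair within the window) and acct-2002 is not. The same statistics also serve as inputs to a preventative control: a per-account lookup quota or a step-up challenge once the sequential fraction crosses the threshold stops an enumeration run long before it reaches hundreds of thousands of queries.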
PayID is used to transfer funds via Australia’s New Payments Platform (NPP).
The NPP went live in February last year; the platform allows for the transfer of money from one person to another in near real-time, using an email address or phone number rather than the traditional BSB or account number process.
The NPP infrastructure was built by the Reserve Bank of Australia (RBA), in consultation with the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), the Australia and New Zealand Banking Group (ANZ), and Westpac, which between them hold around 95% of the Australian finance market.
The platform was in the works for years; the RBA first announced its plans as far back as 2012, inviting input from industry on the most effective way of delivering real-time payments, among other objectives.