
  • Written by Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Linking your mobile number to your bank account could have unintended consequences. SewCream/Shutterstock.com

When we think of a bank robbery, we might imagine a safe with the door blown open. But nowadays it might be more accurate to picture criminals accessing our bank account online from another country. Bank robbers don’t need balaclavas and shotguns anymore.

Australian banks have long provided convenient ways for customers to transfer funds. But the process of remembering and entering BSB and account numbers is prone to human error. Enter PayID.

PayID allows customers to attach their mobile phone number or email address to their bank account. They can then simply provide these details to other people, providing a convenient way to receive payments.

It can only be used for incoming payments, rather than outgoing ones. So you might think that makes it less of a tempting target for hackers. But that’s not necessarily the case.

Launched in February 2018 by New Payments Platform Australia, an alliance of 13 banks, PayID is reportedly available to more than 52 million account holders across almost all major financial institutions. By February 2019, some 2.5 million PayID identifiers had been created, and 90 million transactions totalling more than A$75 billion had been processed.

When entering a PayID mobile phone number to make a payment, the full name of the account holder is displayed, so the person making the payment can ensure they are sending it to the right PayID account.

Shortly after the service launched, Twitter users began pointing out that this means you can enter random phone numbers and, if that number has been linked to a PayID account, the account holder’s name will show up – rather like a phone book in reverse.

Twitter posting of PayID details. @anthonycr0

The following day, on February 17, 2018, NPP Australia acknowledged this issue in a media release, but effectively dismissed users’ concerns:

While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.

This is not exactly reassuring for bank customers whose details were publicly posted. And developments this year suggest that the underlying problems persist.

Better luck next time?

In June 2019, around 98,000 PayID details were obtained after hackers used several online bank accounts to carry out more than 600,000 PayID lookups over the course of six weeks, reportedly by simply entering phone numbers in sequential order.

It is not clear who was to blame, although there are allegations of a leaked memo pointing the finger at US-based fraudsters.

The exact motive is unclear, but any personal data has value in the underground economy. In this case, the data could potentially be used as part of a more complex phishing scam designed to steal further information from account holders.

Although this is clearly a very simple attack, involving nothing more sophisticated than trial and error, it appears the PayID system did not detect the large number of lookups – an average of 14,000 per account – or the speed with which they were undertaken.

To give a real-world example, it would be like going into your bank 14,000 times and handing over a different piece of identification each time.

This high volume of lookups should have raised significant security concerns. While legitimate users could be forgiven for needing a couple of tries to punch in the right number, no one should need thousands of attempts.

It should have been a simple security step to add lookup limits and to identify this as highly abnormal behaviour. Yet neither the bank concerned nor NPP Australia had implemented mechanisms to detect or prevent this form of misuse.
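The kind of check the article is calling for, written as an added example that is not part of the original article and not NPP Australia's or any bank's own code: a detector run over constructed PayID-style lookup audit log lines. It counts lookups per originating account in a sliding window and flags any account that exceeds a limit, and separately flags a long run of consecutive phone numbers, which is what the reported sequential lookups would have looked like in a log. The log format, the account identifiers, the thresholds and the sample data are all assumptions made for the example.

```python
"""Detect abnormal PayID-style lookup behaviour in an audit log.

Added example; assumptions: one log line per lookup in the form
"<ISO timestamp> <originating account id> <number looked up>", a limit
of 20 lookups per account per hour, and a run of 10 consecutive numbers
treated as enumeration. All sample data below is constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

MAX_LOOKUPS_PER_WINDOW = 20      # assumed limit: a few retries, never thousands
WINDOW = timedelta(hours=1)      # assumed sliding window for the limit
SEQUENTIAL_RUN_ALERT = 10        # assumed: this many consecutive numbers is enumeration


def parse_line(line):
    """Split one constructed audit line into (timestamp, account, number)."""
    ts, acct, number = line.split()
    return datetime.fromisoformat(ts), acct, int(number)


def lookups_per_account(lines):
    """Total lookups per originating account, the figure the article averages."""
    return dict(Counter(acct for _, acct, _ in map(parse_line, lines)))


def analyse(lines, max_per_window=MAX_LOOKUPS_PER_WINDOW, window=WINDOW,
            run_alert=SEQUENTIAL_RUN_ALERT):
    """Return {account: sorted alert kinds} for accounts showing abnormal lookups.

    "rate": more than max_per_window lookups inside any sliding window.
    "sequential": a run of run_alert lookups whose numbers increase by one.
    """
    recent = defaultdict(deque)          # account -> timestamps inside the window
    previous = {}                        # account -> last number looked up
    run = defaultdict(lambda: 1)         # account -> length of current +1 run
    alerts = defaultdict(set)

    for ts, acct, number in sorted(map(parse_line, lines)):
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps older than the window
            q.popleft()
        if len(q) > max_per_window:
            alerts[acct].add("rate")

        # A consecutive number continues a run; anything else resets it.
        run[acct] = run[acct] + 1 if previous.get(acct) == number - 1 else 1
        previous[acct] = number
        if run[acct] >= run_alert:
            alerts[acct].add("sequential")

    return {acct: sorted(kinds) for acct, kinds in alerts.items()}


def build_sample_log():
    """Constructed log: one legitimate account and one enumerating account."""
    base = datetime(2019, 6, 1, 9, 0, 0)
    lines = [
        # A real user mistypes once, corrects it, then pays someone else later.
        f"{base.isoformat()} acct-legit 0412345677",
        f"{(base + timedelta(seconds=30)).isoformat()} acct-legit 0412345678",
        f"{(base + timedelta(minutes=5)).isoformat()} acct-legit 0498765432",
    ]
    # An account firing a lookup every two seconds at consecutive numbers.
    for i in range(60):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} acct-burst {412000000 + i:010d}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(lookups_per_account(log))   # {'acct-legit': 3, 'acct-burst': 60}
    print(analyse(log))               # {'acct-burst': ['rate', 'sequential']}
```

The legitimate account stays silent because a couple of retries never approach the limit, while the enumerating account trips both alerts well before its sixtieth lookup; a production version would feed the same signals into the bank's existing transaction-monitoring pipeline rather than printing them.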

After a security breach this size, the banks might reasonably be expected to take urgent steps to prevent it happening again. But it did happen again, two months later.

In August 2019, a further 92,000 PayIDs were exposed. In this case, it was reported that the breach happened within the systems of a financial institution connected to the NPP Australia systems. Worryingly, this breach reportedly revealed users’ full name, BSB and account number.

Banks were quick to reassure customers that this does not allow transactions to be undertaken. However, it did deliver yet more valuable information into the hands of cyber criminals – further enabling phishing opportunities.

While affected customers have been contacted, the only option to remove this risk is to stop using PayID. This is easily done but removes the convenience factor for most bank customers.

What’s the real risk?

Because the system enables payments into accounts, rather than authorising withdrawals from them, the risk may seem minor. Indeed, many in the banking sector have dismissed it as so. But there is a deeper risk.

Phishing is a form of cyber crime in which victims are tricked into revealing confidential information through convincing-looking emails or SMS messages. Unfortunately, there are already examples of this in relation to PayID.

Real examples of PayID-related SMS phishing messages. canstar.com

The approach depicted above is not particularly sophisticated. But imagine a more tailored email message quoting examples of identifiable information (PayID, full name) or, as with the most recent breach, BSB and account number.

Coupled with the correct branding and reassuring words of your bank, it would be easy to convince an unsuspecting user of the need to “login to change your PayID for security reasons”. Just a few minutes of creativity on a computer can produce convincing results.

The image shown below was created to show how easy this process is. It uses genuine branding, but the “login” button could easily be set to direct users to a website designed to steal login credentials.

Mock-up of a potential PayID-related phishing email.

With the ME Household Financial Comfort Report indicating that almost 50% of households have at least A$10,000 in savings, there is a clear incentive for cyber criminals to target our bank accounts. As with any phishing attack, it only takes a few people to succumb to make the enterprise worthwhile.

Although bank customers can do little more than think twice before responding to messages, the real power is with the banks. Simply being alert to unusual patterns of behaviour would have prevented these security breaches.

This is not new territory for financial institutions, which routinely look for unusual patterns in credit card transactions. Perhaps it is time to apply these same concepts in other scenarios and better protect Australia’s banking customers.

Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Read more http://theconversation.com/payid-data-breaches-show-australias-banks-need-to-be-more-vigilant-to-hacking-123529
