Westpac confirms abuse of New Payments Platform PayID lookups

Bank detected thousands of PayID lookups from compromised accounts, report reveals

A spokesperson for Westpac has confirmed that the bank “detected mis-use” of the New Payments Platform’s PayID feature and “took additional preventative actions which did not include a system shutdown.”

The Sydney Morning Herald yesterday revealed details of the incident, citing a confidential Westpac memo that said around 600,000 NPP PayID lookups were made from seven compromised Westpac Live accounts. Around 98,000 “successfully resolved to a short name and this was displayed to the fraudster,” the memo said, according to SMH.

“No customer bank account numbers were compromised as a result,” a spokesperson for the bank told Computerworld in a statement. “Westpac Group takes the protection of customer data and privacy extremely seriously.”

The NPP was launched in February 2018. The platform enables real-time transfers between banks as well as a number of other features including data-enriched transactions. As of February this year, more than 75 financial institutions supported the system, with 52 million account holders able to make payments via the NPP, according to NPP Australia, which maintains the platform.

PayID is the platform’s addressing service. It allows payments to be directed using an alternative identifier, such as an email address, ABN or phone number, rather than using a BSB and account number.

“NPP Australia has firm regulations in place that require participating financial institutions to monitor, detect and shut down any attempts to harvest data from PayID,” an NPP Australia spokesperson said. “NPP Australia is working closely with Westpac on this matter.”
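As an added illustration of the kind of monitoring the NPP rules above call for (this is example code written for this article, not Westpac's, NPP Australia's or any bank's actual detection logic), the script below groups PayID lookup events by the requesting online-banking account and flags accounts whose pattern looks like harvesting rather than payment. The log format, the function names and the two thresholds are assumptions for the example; the sample records are constructed and are not data from the incident.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of PayID lookup events: (requesting_account, payid_queried, resolved).
# These records are invented for this example and are not data from the incident.
NORMAL_LOOKUPS = [
    ("acct-1001", "alice@example.com", True),
    ("acct-1001", "0400000001", True),
    ("acct-1002", "bob@example.com", True),
    ("acct-1002", "0400000002", False),  # a single mistyped PayID is normal
]
# One account walking a block of sequential phone numbers; most do not resolve.
ENUMERATING_LOOKUPS = [
    ("acct-9999", f"04000{i:05d}", i % 6 == 0) for i in range(1200)
]
SAMPLE_LOOKUPS = NORMAL_LOOKUPS + ENUMERATING_LOOKUPS


@dataclass
class LookupStats:
    total: int = 0
    resolved: int = 0
    targets: set = field(default_factory=set)  # distinct PayIDs queried

    @property
    def hit_rate(self) -> float:
        """Fraction of lookups that resolved to an account name."""
        return self.resolved / self.total if self.total else 0.0


def aggregate(lookups):
    """Group lookup events by the requesting account."""
    stats = defaultdict(LookupStats)
    for account, payid, resolved in lookups:
        s = stats[account]
        s.total += 1
        s.resolved += int(resolved)
        s.targets.add(payid)
    return dict(stats)


def flag_harvesting(lookups, max_lookups=50, max_hit_rate=0.5):
    """Return accounts whose lookup pattern resembles enumeration.

    Two signals, with hypothetical thresholds (not NPP Australia's rules):
      * volume: far more lookups than a customer making payments would issue;
      * hit rate: a legitimate payer queries PayIDs they were given, so most
        resolve, whereas guessed or sequential identifiers mostly fail.
    Both must hold, so a busy but legitimate account is not flagged on volume alone.
    """
    flagged = []
    for account, s in aggregate(lookups).items():
        if s.total > max_lookups and s.hit_rate < max_hit_rate:
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    for account, s in aggregate(SAMPLE_LOOKUPS).items():
        print(f"{account}: {s.total} lookups, {s.resolved} resolved, "
              f"{len(s.targets)} distinct targets, hit rate {s.hit_rate:.2f}")
    print("flagged:", flag_harvesting(SAMPLE_LOOKUPS))
```

In this sample only the enumerating account is flagged. For comparison, the memo figures reported by the SMH (around 98,000 of 600,000 lookups resolving) correspond to a hit rate of roughly 16 percent, well below what a customer paying people whose PayIDs they already hold would produce, which is why a low resolution ratio combined with high volume is a useful signal alongside plain rate limiting.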

“No financial details or credentials are available from the PayID database, and therefore none of these details have been compromised,” the spokesperson said. “The only details obtained have been the account name which was designed to be returned to a legitimate enquiry.”

A PayID can’t be used to withdraw funds and “on its own cannot be used to create a false identity,” the spokesperson said.

“While this incident was unacceptable, the information obtained would be readily available in other public places,” the spokesperson said. “All participating financial institutions are on notice and may apply additional security controls if deemed necessary.”

“PayID was designed to provide more reassurance during the payments process; it enables a payer to see the name associated with a PayID to reduce the risk of a mistaken payment or scam,” the spokesperson said.