One of Australia’s four largest banks, Westpac, has been hit by a cyber attack in which details of almost 100,000 of its customers were compromised through a successful abuse of its PayID money transfer platform.
“Unknown to many Australians, PayID operates like a telephone book, allowing anyone to type in a mobile number or email address and have it confirm the name of the corresponding account holder. This allows for what security experts call an ‘enumeration attack’ whereby numbers can be changed at random to find the names and mobile numbers of thousands of Australians,” according to the Sydney Morning Herald.
Westpac confirmed reports of the data breach on Monday, but did not confirm how many of its customers were affected by the attack.
“Westpac can confirm we have detected mis-use of the [New Payments Platform’s] PayID functionality and we took additional preventative actions which did not include a system shutdown,” the bank said. “No customer bank account numbers were compromised as a result… there has been no further inappropriate activity detected.”
The SMH obtained a confidential memo in which the bank disclosed details of the incident to Australia’s banking and financial bodies; it reads as follows: “On 22 May 2019, Westpac noted that a high volume (around 600,000) of NPPA PayID lookups was made from 7 compromised Westpac Live accounts.”
“Around 98,000 of the lookups successfully resolved to a short name and this was displayed to the fraudster.”
“Further analysis revealed that the attacks had been occurring since 7 April 2019 (the total number of lookups is around 600,000). The attackers are possibly offshore (the… intelligence of the logins indicates [they are] US-based fraudsters.”
“The accounts used appear to have been compromised or set up… to perform the attack (Westpac conversations with the legitimate owners of the existing accounts used indicates that they are not aware of the attacks or involved in any way).”
The memo goes on to explain that the attackers had been “trying phone numbers in a semi-sequential manner (i.e. ascending by a few numbers at a time in the high density ranges of Australian phone numbers on issue).”
“It appears likely that the numbers are targeted guessing and do not necessarily come from an existing data compromise (however the high hit rate of alias registrations remains somewhat suspicious.)”
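The semi-sequential guessing the memo describes leaves a recognisable trace in lookup logs: a single account issuing many numeric lookups that climb by a few digits at a time, most of which fail to resolve. The following added example (not Westpac’s or the NPPA’s code) runs that detection heuristic over a constructed lookup log; the log layout, the account names and the thresholds are assumptions.

```python
"""Heuristic detector for PayID-style alias enumeration (added example)."""
from collections import defaultdict

# Constructed sample log: (lookup_account, alias_looked_up, resolved_to_name).
# acct-A walks a mobile range a few numbers at a time; acct-B is ordinary use.
SAMPLE_LOG = [
    ("acct-A", "0412000101", True),
    ("acct-A", "0412000104", False),
    ("acct-A", "0412000107", False),
    ("acct-A", "0412000110", True),
    ("acct-A", "0412000112", False),
    ("acct-A", "0412000115", False),
    ("acct-B", "0433555999", True),
    ("acct-B", "alice@example.com", True),
]


def sequential_fraction(aliases, max_step=10):
    """Fraction of consecutive numeric lookups that step upward by at most max_step."""
    nums = [int(a) for a in aliases if a.isdigit()]
    if len(nums) < 2:
        return 0.0
    steps = [b - a for a, b in zip(nums, nums[1:])]
    close = sum(1 for s in steps if 0 < s <= max_step)
    return close / len(steps)


def enumeration_suspects(log, min_lookups=5, max_hit_rate=0.5, min_seq_fraction=0.6):
    """Flag accounts whose lookups are numerous, mostly unresolved and near-sequential.

    Thresholds are assumed values for illustration; a real deployment would tune
    them against the platform's normal per-account lookup behaviour.
    """
    per_account = defaultdict(list)
    for account, alias, resolved in log:
        per_account[account].append((alias, resolved))
    suspects = {}
    for account, rows in per_account.items():
        count = len(rows)
        if count < min_lookups:
            continue
        hit_rate = sum(1 for _, resolved in rows if resolved) / count
        seq = sequential_fraction([alias for alias, _ in rows])
        if hit_rate <= max_hit_rate and seq >= min_seq_fraction:
            suspects[account] = {"lookups": count, "hit_rate": round(hit_rate, 2),
                                 "sequential": round(seq, 2)}
    return suspects


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))
```

A per-account rate limit on lookups, driven by the same counters, is the obvious preventative control the heuristic points to.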
Troy Hunt, the man behind the haveibeenpwned.com online security site, said that while the convenience of Westpac’s PayID feature is clear, “what’s less clear is whether users of the service are willing to accept the privacy trade-off. I suspect that most people are unaware of the potential disclosure of their personal information in this fashion.”
The attack comes shortly after Australia’s financial regulator warned of the growing threat to banks’ reputations as cyber attacks become more common, and more effective. John Lonsdale, deputy chair of the Australian Prudential Regulation Authority, said, “with financial sector trust damaged, it only takes one media exposé or social media outcry to cause a company serious financial damage, often in the space of days or hours, rather than weeks or months.”