[BreachExchange] PayID in new breach affecting customers at big four banks

Destry Winant destry at riskbasedsecurity.com
Tue Aug 27 10:15:08 EDT 2019


More than 90,000 Australian bank customers have had their bank details
and other personal data exposed after PayID was breached via Credit
Union Australia, in the second major attack on the payment management
system in recent months.

A spokeswoman for payments provider Cuscal, which is partnered with
more than 120 banks and financial services institutions in Australia
and overseas, said the breach originated with one of their clients and
impacted "most organisations" that use PayID.

Cuscal released a statement on the weekend that "less than 92,000 or 3
per cent of the total 3.5 million customers who have registered for
PayID" were impacted. The spokeswoman confirmed on Monday the number
of affected accounts was "close to the upper limit" of 92,000.

A spokeswoman for Credit Union Australia confirmed on Monday the
breach originated with its PayID accounts on August 16.

"On Friday 16 August, CUA's payment provider Cuscal alerted us to
misuse of the PayID service. CUA took immediate action to stop this
activity and put in place controls to protect against a recurrence,"
the spokeswoman said in a statement.

"Some information attached to individuals' PayIDs was accessed. No
financial transactions took place and nor can the information accessed
be used, on its own, to enable financial transactions.

"Information security is obviously of paramount importance. We are
deeply disappointed this occurred and apologise to those affected,"
the statement said.

PayID, a function of the New Payments Platform (NPP), allows banking
customers to use their phone number or email address to identify their
account for real-time payments, instead of having to remember their
BSB and account number.

Cuscal informed affected clients of the breach last week and put in
place additional alerting "to mitigate against further incidents", its
statement said.

Both the Australian Prudential Regulation Authority (APRA) and the
Office of the Australian Information Commissioner (OAIC) were informed
by the client, Cuscal said.

The big four banks have each confirmed their customers were among
those affected by the breach.

A spokesman for ANZ said it was informed by New Payments Platform
Australia on August 17 of a data exposure involving another member of
the NPP.

"PayID information may have been accessed without authority through
another financial institution which uses Cuscal to offer PayID
transactions on the New Payments Platform," the spokesman said.

"The exposure led to the harvesting of PayID details linked to a
number of mobile phone numbers. Of those, a small number of mobile
numbers were linked to PayIDs registered to ANZ customers," he said.

The spokesman said ANZ understood the information disclosed included
the affected users' full name, PayID nickname, mobile number, BSB and
account number. However, he said ANZ's monitoring had not detected any
fraud as a result of the disclosure.

A Westpac spokeswoman also confirmed "a relatively small number" of
its customers were affected following "an incident at another
financial institution which has resulted in the disclosure of PayID
account data of a number of individuals". Customers of Westpac-owned
Bank of Melbourne, BankSA and St.George were not affected, she said.

Commonwealth Bank and NAB also confirmed they had customers who were affected.

Partner at McGrathNicol Advisory, Shane Bell, said data breaches were
inevitable in a digital world. But he added that such breaches raised
an important question about the relationship between the "ecosystem"
– payment providers, banks and consumers – and who is responsible for
these incidents.

"We should be accepting of the fact you cannot prevent all
cyber-security incidents or data breaches," he said.

"I think organisations have had an opportunity to invest in
themselves, but the question [for them] is: 'How do I roll that
through the supply chain so that my ultimate responsibility to the
customer doesn't fail because I haven't looked far enough down my
supply chain?'"

The latest incident follows a similar breach of PayID users which was
detected by Westpac in May from a handful of compromised Westpac Live
accounts, which saw 98,000 users' details exposed.

That incident prompted concerns to be aired about the fact that PayID
releases the name of the account holder associated with a given phone
number or email address. The function allows for what security experts
call an "enumeration attack", whereby random numbers are entered to
find the names and mobile numbers of thousands of users – details
which can potentially be used to commit large-scale fraud.
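The article mentions that Cuscal added "additional alerting" after the incident, and describes the enumeration pattern that makes a PayID lookup service abusable: a caller walks through phone numbers and collects the account-holder names returned for each one. The following is an added example, not code from the article, Cuscal, CUA or the NPP, showing what such alerting can look like on the defender's side. It runs over a constructed lookup log (the log format, the institution ids `inst-A`/`inst-B`, the phone numbers and the thresholds are all assumptions) and flags a lookup source that, within a short window, queries many distinct aliases that are mostly unregistered or numerically contiguous, which is how guessing looks and legitimate payment entry does not.

```python
# Added example (not the article's or any provider's code): flag PayID-style alias
# enumeration from lookup logs. Log format, source ids and thresholds are assumed.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class LookupEvent:
    when: datetime
    source: str      # institution or API client that issued the lookup
    phone: str       # E.164 number queried (the PayID alias)
    resolved: bool   # True if the lookup returned a registered account name


def parse_line(line: str) -> LookupEvent:
    """Parse one constructed log line: '<ISO time> <source> <phone> hit|miss'."""
    when, source, phone, result = line.split()
    if result not in ("hit", "miss"):
        raise ValueError(f"unexpected result field: {result!r}")
    return LookupEvent(datetime.fromisoformat(when), source, phone, result == "hit")


def build_sample_log() -> list[str]:
    """Constructed sample data, not real NPP traffic."""
    base = datetime(2019, 8, 16, 9, 0, 0)
    lines: list[str] = []
    # inst-A walks a contiguous block of numbers within one minute; most are unregistered.
    for i in range(25):
        result = "hit" if i % 5 == 0 else "miss"
        when = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{when} inst-A +614000001{i:02d} {result}")
    # inst-B resolves a few unrelated numbers over ten minutes, as payment entry would.
    for i, phone in enumerate(["+61411223344", "+61455667788", "+61498765432", "+61412345678"]):
        when = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{when} inst-B {phone} hit")
    return lines


def sequential_fraction(phones: Iterable[str]) -> float:
    """Fraction of adjacent (sorted, distinct) numbers that differ by exactly 1."""
    nums = sorted({int(p.lstrip("+")) for p in phones})
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def detect_enumeration(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=1),
    max_distinct: int = 20,
    miss_ratio: float = 0.5,
    seq_ratio: float = 0.5,
) -> dict[str, dict]:
    """Per-source sliding window. Alert when a source queries at least `max_distinct`
    distinct aliases inside `window` and the queries look like guessing: mostly
    unregistered numbers, or numbers that form a contiguous run."""
    events_by_source: dict[str, list[LookupEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        events_by_source[ev.source].append(ev)

    alerts: dict[str, dict] = {}
    for source, events in events_by_source.items():
        events.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(events)):
            while events[end].when - events[start].when > window:
                start += 1
            win = events[start:end + 1]
            phones = {e.phone for e in win}
            if len(phones) < max_distinct:
                continue
            misses = sum(1 for e in win if not e.resolved) / len(win)
            seq = sequential_fraction(phones)
            if misses >= miss_ratio or seq >= seq_ratio:
                alerts[source] = {
                    "distinct": len(phones),
                    "miss_ratio": round(misses, 2),
                    "sequential": round(seq, 2),
                    "window_start": events[start].when,
                }
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for src, info in detect_enumeration(build_sample_log()).items():
        print(f"ALERT {src}: {info}")
```

The miss ratio is the stronger of the two signals in practice: a legitimate payer almost always types a number that does resolve, whereas guessed numbers mostly do not, so a lookup endpoint that records hit/miss per caller can raise this alert long before a contiguous run becomes obvious. The thresholds here are illustrative and would be tuned against a given institution's normal lookup volume.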
