[BreachExchange] DATA BREACH IN WESTPAC BANK; NEARLY 100K USERS AFFECTED

Destry Winant destry at riskbasedsecurity.com
Thu Jun 6 09:34:11 EDT 2019


https://www.securitynewspaper.com/2019/06/04/data-breach-in-westpac-bank-nearly-100k-users-affected/

Personal data belonging to almost 100k clients of Australian banks has
been exposed due to a cyberattack against PayID, a real-time online payment
platform from the Australian bank Westpac. According to web
application security specialists, this attack allowed hackers to
instantly transfer money between multiple banks using a mobile phone
number and an email address.

The attack, which affects the customers of Westpac and other
Australian banks, has triggered alerts among the cybersecurity
community, which believes that the compromised information could end
up being used for various identity frauds.

Although many Australian citizens are unaware of it, PayID functions as
a phone book, allowing anyone to enter a phone number or email address
to confirm the name of an account holder. Web application security
experts mention that this enables a so-called “enumeration attack”, in
which numbers are changed at random to find the names and mobile phone
numbers of thousands of people.

“Any threat actor with access to these personal details could deploy a
powerful attack campaign”, the experts added.

Representatives of the bank confirmed the security incident, although
they did not mention the exact number of affected users.

Web application security experts learned that, at the end of May, the
bank detected a large volume of searches in PayID conducted from seven
compromised Westpac Live accounts. A little more than 98 thousand of
these searches were successful; this figure is equivalent to the total
number of affected users.

According to specialists of the International Institute of Cyber
Security (IICS), the attacks started on April 7, with about 600,000
searches in a period of just over a month. In addition, the Australian
authorities consider that the hackers' mode of operation has
similarities with the activities of some cybercriminal groups detected
in the United States.

Finally, the bank stressed that the accounts used to deploy the attack
were compromised and specially configured for this campaign, so
Westpac rules out that any of the legitimate owners of the compromised
accounts are behind the attack.
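
One way to surface the kind of search volume described above from lookup audit logs (an added example, not code from the article or from Westpac; the log format, account names, identifiers and thresholds are all assumptions). It flags accounts that look up many distinct identifiers within a sliding window but pay almost none of them:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against real traffic.
WINDOW = timedelta(hours=1)   # sliding window per account
MAX_DISTINCT = 20             # distinct identifiers one account may look up per window
MIN_PAY_RATIO = 0.2           # share of looked-up identifiers that were also paid

def parse(line):
    """Parse 'ISO-timestamp account action identifier' (constructed log format)."""
    ts, account, action, ident = line.split()
    return datetime.fromisoformat(ts), account, action, ident

def find_enumerators(lines):
    """Return {account: peak distinct lookups in one window} for accounts that
    look up many identifiers but pay almost none of them."""
    events = sorted(parse(l) for l in lines)
    paid = defaultdict(set)
    for _, account, action, ident in events:
        if action == "payment":
            paid[account].add(ident)
    windows, flagged = defaultdict(deque), {}
    for ts, account, action, ident in events:
        if action != "lookup":
            continue
        q = windows[account]
        q.append((ts, ident))
        while ts - q[0][0] > WINDOW:      # drop lookups older than the window
            q.popleft()
        distinct = {i for _, i in q}
        if len(distinct) <= MAX_DISTINCT:
            continue
        ratio = len(distinct & paid[account]) / len(distinct)
        if ratio < MIN_PAY_RATIO:
            flagged[account] = max(flagged.get(account, 0), len(distinct))
    return flagged

def sample_log():
    """Constructed audit log: acct-A enumerates, acct-B pays everyone it looks up."""
    t0, out = datetime(2019, 5, 1, 9, 0), []
    for n in range(30):
        ts = (t0 + timedelta(minutes=n)).isoformat()
        out.append(f"{ts} acct-A lookup mobile-{n:04d}")
        out.append(f"{ts} acct-B lookup payee-{n:04d}")
        out.append(f"{ts} acct-B payment payee-{n:04d}")
    out.append(f"{t0.isoformat()} acct-C lookup mobile-9999")
    return out

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The payment ratio keeps a high-volume but legitimate payer (acct-B in the constructed data) from being flagged on lookup count alone.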

