Westpac bank has confirmed that it “had detected mis-use” of the New Payments Platform’s PayID feature, following a report that the details of thousands of customers were looked up by a ‘fraudster’.

The bank “took additional preventative actions which did not include a system shutdown” when it discovered the mis-use, it said in a statement.

The Sydney Morning Herald and The Age yesterday reported details of an attack on PayID in which “almost 100,000 Australian bank customers” were exposed.

The report cited a confidential memo from the bank to the wider banking industry describing how seven “compromised Westpac Live accounts” had been used to make around 600,000 PayID ‘lookups’ of which 98,000 “successfully resolved to a short name and this was displayed to the fraudster”.

The memo noted that the attacks had been occurring regularly since April 7.

The NPP has been described as a ‘secure set of rails’ between participating financial institutions which allows money to be transferred in near real time between them, via the Reserve Bank of Australia.

A key feature of the platform – which launched in February last year – is PayID. Rather than requiring someone’s BSB and account number in order to transfer money to them, a PayID can be used instead. This can be a mobile number, email address, ABN number or something else, depending on the bank.As of February this year more than 2.5 million PayIDs have been created.

Security concerns with PayID emerged soon after it launched when people realised it could be used as a reverse look-up tool. When a user entered a random phone number, if that person used their number as their Pay ID, their name would appear to the user.

The Westpac attack appears to have exploited the feature at scale.

“No customer bank account numbers were compromised as a result,” a spokesperson for the bank toldCIO Australiain a statement.

“Westpac Group takes the protection of customer data and privacy extremely seriously,” they added.

Following the bank’s preventative actions, it says “there has been no further inappropriate activity detected”.



