They may have exfiltrated personal data by different means, but this week’s successful compromise of Westpac’s PayID service highlights the continuing threat faced by organisations whose business relies on collecting large volumes of sensitive information.
PayID – a new service that allows customers to transfer money to other customers using only mobile phones as an identifier – was compromised after an enumeration attack saw a large number of user lookups lodged from several compromised Westpac accounts.
An estimated 98,000 customers’ mobile phone numbers, names and/or email addresses were compromised in the incident, which was made possible because of the New Payments Platform (NPP) introduced by banks last year.
Westpac has spruiked PayID as being secure, noting that the transfers “are subject to Westpac’s own real-time, fraud screening and detection”. Yet reports stated that 600,000 PayID lookups were made through the service over six weeks in April and May – suggesting that Westpac’s fraud monitoring missed the activity despite plenty of opportunities.
The incident validates early concerns about NPP, which was flagged early on as a potential threat vector because of its ability to facilitate fraud by moving money instantaneously.
“The faster movement of funds is something that we see as a huge asset to businesses and individuals,” Andrew Davies, Fiserv vice president of global market strategy for financial crime risk management, recentlytold CSO Australia. “But you need to manage risk at the same cadence because of the fact that you are handling relationships remotely.”
Real-time monitoring and analysis enable what Davies calls “appropriate inference”, increasingly aided by artificial intelligence techniques “that can be leveraged in real time to truly uncover anomalies,” he said. “Having access to a repository of data very rapidly allows analysis in real time, and to really intercept transactions before they’re released to the financial institution.”
Such compromises create myriad problems for banks whose reputation has already taken a hit in the wake of the Royal Commission. Recent Unisys Corporation research found that Australian consumers rank data security as the most important issue to them about their bank – and that Australian banks trust their banks with personal data less than any other country in the Asia-Pacific region.
Fully 60 percent of Australian respondents said the safety and security of their data is the thing that matters most to them – higher even than the 49 percent who nominated the bank’s processes and services, transparency, understandability.
“People want to do things quickly,” Davies said, “and we need to make sure we manage that effectively – and make sure it’s secured. Banks don’t want to inhibit the customer experience.”
Financial institutions are the second most-breached industry in Australia, after healthcare, according to Office of the Australian Information Commissioner (OAIC) statistics based on reports received under the Notifiable Data Breaches (NDB) scheme – which received 27 reports of financial-services breaches last quarter alone.
“It’s not just some guy developing a piece of malicious software from the dark web to perform an organised cyber attack,” he added. “It’s organised crime who have the capabilities to penetrate the defences of financial institutions. We take a broad view of the attacks that organisations can be subject to.”