Fraudsters target Australia’s instant payments system
by Graham Buck
A prolonged abuse of the simplified payment address system used by Australia’s major payment providers has sparked concerns over the security of the country’s instant payments platform – although opinion is divided over how serious the flaw is.
Customers of banks connected to the New Payments Platform (NPP), Australia’s instant payments system, can sign up for a PayID to use when transferring funds.
A PayID is a unique, user-specific identifier registered with the customer’s bank and linked to a nominated bank account. A phone number, email address or an Australian Business Number (ABN) can be used in lieu of the traditional bank state branch (BSB) and account number process.
Westpac, one of Australia’s ‘big four’ banks, this week confirmed that its PayID lookup function has been abused but insisted no customer bank account numbers were compromised as a result.
The NPP was officially launched in February 2018 by a handful of financial service providers after six years of planning, and more have gradually come on board over the past 16 months. The platform enables peer-to-peer (P2P) money transfers to be made in near real-time, but a PayID cannot be used to withdraw funds.
As of February 2019, more than 75 financial institutions supported the system, and 52 million account holders can make payments via the NPP, according to NPP Australia, which maintains the platform.
The NPP infrastructure was built by the Reserve Bank of Australia (RBA), in consultation with Westpac and its peers the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), and the Australia and New Zealand Banking Group (ANZ). The four collectively account for 95% of the Australian finance industry.
According to local reports, Westpac witnessed 600,000 PayID lookups stemming from seven compromised Westpac Live accounts. A memo sent to Australia’s finance community indicated that around 98,000 of the lookups were successfully resolved to a short name and displayed to the “fraudster”.
A Westpac spokesperson said once it had detected the misuse, the bank took additional preventative actions, although these did not include a system shutdown. “Westpac Group takes the protection of customer data and privacy extremely seriously,” the spokesperson added.
An NPP Australia spokesperson said it “has firm regulations in place that require participating financial institutions to monitor, detect and shut down any attempts to harvest data from PayID. NPP Australia is working closely with Westpac on this matter.
“No financial details or credentials are available from the PayID database, and therefore none of these details have been compromised,” the spokesperson said. “The only details obtained have been the account name which was designed to be returned to a legitimate enquiry.
“While this incident was unacceptable, the information obtained would be readily available in other public places. All participating financial institutions are on notice and may apply additional security controls if deemed necessary.
“PayID was designed to provide more reassurance during the payments process; it enables a payer to see the name associated with a PayID to reduce the risk of a mistaken payment or scam.”
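The monitoring obligation NPP Australia describes above (detect and shut down attempts to harvest data from PayID) can be approximated with a simple volume check over lookup audit records. The following is an added illustration, not code from the article, Westpac or NPP Australia; the log format, the window and threshold values, and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of PayID lookup audit records (not real data):
# "<ISO timestamp> <customer session account> <lookup outcome>"
SAMPLE_LOG = """\
2019-06-01T10:00:00 acct-A resolved
2019-06-01T10:00:01 acct-A unresolved
2019-06-01T10:00:02 acct-A unresolved
2019-06-01T10:00:03 acct-A resolved
2019-06-01T10:00:04 acct-A unresolved
2019-06-01T10:00:05 acct-A unresolved
2019-06-01T10:30:00 acct-B resolved
2019-06-01T11:00:00 acct-B resolved
"""

def parse_log(text):
    """Turn raw audit lines into (timestamp, account, resolved?) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, outcome == "resolved"))
    return events

def flag_harvesting(events, window=timedelta(minutes=10), max_lookups=5):
    """Return {account: (peak lookups in any sliding window, resolved ratio)}
    for accounts whose lookup volume exceeds max_lookups inside the window.
    A legitimate payer resolves a handful of PayIDs; a harvester issues
    thousands and only a fraction resolve (the memo cites 98,000 of 600,000)."""
    by_account = defaultdict(list)
    for ts, account, resolved in events:
        by_account[account].append((ts, resolved))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        peak, start = 0, 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_lookups:
            resolved_count = sum(1 for _, r in rows if r)
            flagged[account] = (peak, resolved_count / len(rows))
    return flagged

if __name__ == "__main__":
    print(flag_harvesting(parse_log(SAMPLE_LOG)))
```

In production the window and threshold would be tuned against the institution's normal per-customer lookup rates, and a flagged session would feed the "shut down" step rather than only a report.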
Australia is scheduled to begin the implementation of open banking from 1 July 2019, when the ‘big four’ are expected to make credit/debit card, deposit and transaction account data available under the framework.