CANBERRA, Australia—Australia's real-time payments platform, which just launched, has sparked privacy concerns.
At issue is a feature designed to reduce fraud and erroneous payments. But some believe it exposes users to greater risk of social engineering attacks, Bank Info Security stated.
The feature, called PayID, is part of the New Payments Platform that settles domestic bank-to-bank payments in seconds. Banking customers can create a PayID and give it to someone for payment. As of now, PayIDs can be email addresses, phone numbers, Australian business numbers or Australian company numbers, Bank Info Security explained.
"Once you have full name, mobile number and Facebook profile, social engineering unfortunately becomes much easier," Bank Info Security noted.
When a payer enters a PayID into a banking application, it shows the name of the person to whom the PayID is assigned. The system is intended to eliminate problems stemming from entry errors. The old-style way to make a payment is to enter a routing code – known as a BSB – plus an account number. If those numbers were wrong, however, the payment might not arrive, Bank Info Security explained.
Using PayID, however, a user can take a mobile phone number they already know and enter it into their banking application, which displays the name the PayID is registered to and so confirms that it belongs to whom they think it does, giving them confidence their payment will go to the right person, Bank Info Security said.
“But a Melbourne-based software developer, Anthony Roberts, found that he could enter random phone numbers that had been assigned as PayIDs and discover the names of people connected with those IDs. He tweeted his findings about the problem, which is classified as a user enumeration issue. Depending on context, however, these problems can sometimes be viewed as vulnerabilities,” Bank Info Security stated.
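The lookup behaviour described above, and why it is a user enumeration issue, is easy to see in a small model. The following is an added example written for this page, not code from the New Payments Platform, any bank or the developer mentioned; the PayID directory is constructed sample data, and the per-caller lookup budget in `LookupGuard` is an assumed mitigation, not something the article says the platform applies. The first function shows the unrestricted name lookup, the second shows how sequential numbers turn it into a name harvest, and the guard shows the kind of check that makes the harvest expensive.

```python
"""Added example: PayID-style name lookup and the enumeration it enables.

Hypothetical model only. PAYID_DIRECTORY, the names and the numbers are
constructed; nothing here is the NPP's or any bank's actual code.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed directory: PayID (mobile number) -> registered display name.
PAYID_DIRECTORY = {
    "0400000001": "Alice Example",
    "0400000002": "Bob Sample",
    "0400000003": "Carol Test",
}


def resolve_payid(payid: str) -> Optional[str]:
    """Unrestricted lookup as the article describes: any PayID returns its name."""
    return PAYID_DIRECTORY.get(payid)


def enumerate_range(start: int, count: int) -> dict:
    """What the developer did: try sequential mobile numbers, keep the hits.

    Numbers are built as '04' plus an eight-digit suffix (assumed format).
    """
    found = {}
    for n in range(start, start + count):
        payid = f"04{n:08d}"
        name = resolve_payid(payid)
        if name is not None:
            found[payid] = name
    return found


class LookupGuard:
    """Per-caller budget of distinct PayID lookups inside a sliding window.

    Assumed mitigation for illustration: a payer checking one or two
    recipients is unaffected, while a caller walking through numbers is cut
    off after `max_lookups` distinct IDs. Repeated lookups of an ID already
    in the window are free, so retrying a known payee is not penalised.
    """

    def __init__(self, max_lookups: int = 5, window_seconds: float = 60.0,
                 clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._history = defaultdict(deque)  # caller -> deque of (ts, payid)

    def resolve(self, caller: str, payid: str) -> dict:
        now = self.clock()
        hist = self._history[caller]
        # Drop lookups that have aged out of the window.
        while hist and now - hist[0][0] > self.window:
            hist.popleft()
        distinct = {p for _, p in hist}
        if payid not in distinct and len(distinct) >= self.max_lookups:
            return {"status": "rate_limited", "name": None}
        hist.append((now, payid))
        name = PAYID_DIRECTORY.get(payid)
        if name is None:
            return {"status": "miss", "name": None}
        return {"status": "hit", "name": name}


if __name__ == "__main__":
    # Unrestricted: ten sequential numbers yield every registered name.
    print("harvest:", enumerate_range(0, 10))
    # Guarded: the same walk stops after the budget is spent.
    guard = LookupGuard(max_lookups=3)
    for n in range(0, 10):
        print(f"04{n:08d}", guard.resolve("walker", f"04{n:08d}"))
```

The guard keys on the caller, so it only helps if the bank can tie lookups to an authenticated customer or device; an attacker with many accounts or many phones splits the walk across them, which is why a budget is a cost-raising control rather than a fix for the disclosure itself.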
