Westpac thwarts PayID hack attack

George Lekakis
Westpac has reassured customers that it successfully thwarted attempts by hackers last week to access private information of account holders through the PayID online payments service.

A bank spokesperson confirmed last night that unknown hackers had tried to access the details of customers' accounts by attacking the PayID name lookup service on the Westpac website.

News of the attack was broken on Monday morning by a contributor to the Whirlpool financial services forum and later reported by Fairfax mastheads.

"Westpac can confirm we had detected misuse of the New Payments Platform's PayID functionality and we took additional preventative actions which did not include a system shutdown," the spokesperson said.

"No customer bank account numbers were compromised as a result.

"Westpac Group takes the protection of customer data and privacy extremely seriously and we continually monitor our systems.

"There has been no further inappropriate activity detected."

While Westpac insists that "no customer bank account numbers" were compromised during last week's attacks, the contributor (known as "Two Bob") who broke the story on the Whirlpool forum claims that the unknown party obtained the personal details of thousands of customers. The two statements are not necessarily in conflict: the lookup service returns the account holder's name, not an account number, so names paired with mobile numbers could have been harvested without any account number being exposed.

"Their (Westpac's) NPP service was attacked, an unknown party repeatedly pinging tens of thousands of times, hitting the PayID name lookup service to confirm PayID mobile numbers, each successful request returning the account holder's name associated with the phone number," the contributor wrote on the forum.

The attack on Westpac's PayID lookup service is the first publicly acknowledged attempt to exploit potential weaknesses in the NPP's real-time payments operation. What the contributor describes is an enumeration attack: the lookup exists so that a payer can confirm a payee's name before sending money, but a service that answers for any mobile number, with no effective limit on how many lookups one party may make, becomes an oracle that can be swept across number ranges to harvest a name for every number registered as a PayID.
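As an added illustration, not part of the article and not Westpac's or the NPP's code, the block below models the pattern the forum post describes: a name lookup that answers any mobile number, an attacker walking a number range through it, the per-client velocity cap that closes the oracle, and a detector run over constructed lookup-log lines. The registry, the numbers, the session identifiers, the log format and the thresholds are all invented assumptions; the real service, its limits and its logs are not described on this page.

```python
"""Added example, not Westpac's or the NPP's code: a toy PayID-style name lookup,
the enumeration sweep the forum post describes, a velocity cap, and a detector.
Every name, number, log line and threshold is a constructed assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registry: mobile number -> account holder name (assumption).
REGISTRY = {"0400000001": "A. Customer", "0400000002": "B. Customer", "0400000005": "C. Customer"}

def naive_lookup(mobile):
    """Unthrottled lookup: confirms whether the number is a PayID and returns the name."""
    name = REGISTRY.get(mobile)
    return {"registered": name is not None, "name": name}

def enumerate_range(lookup, prefix, start, stop):
    """Attacker's side: sweep a number range and keep every name the lookup returns."""
    found = {}
    for n in range(start, stop):
        mobile = f"{prefix}{n:06d}"
        result = lookup(mobile)
        if result["registered"]:
            found[mobile] = result["name"]
    return found

class ThrottledLookup:
    """Hardened lookup with a per-client velocity cap (limits are assumptions).
    Past the cap every answer is identical, so the endpoint stops being an oracle."""
    def __init__(self, max_lookups=10, window=timedelta(minutes=10)):
        self.max_lookups, self.window = max_lookups, window
        self.history = defaultdict(list)  # client -> lookup timestamps

    def lookup(self, client, mobile, now):
        recent = [t for t in self.history[client] if now - t < self.window]
        self.history[client] = recent
        if len(recent) >= self.max_lookups:
            return {"registered": None, "name": None, "throttled": True}
        recent.append(now)
        name = REGISTRY.get(mobile)
        return {"registered": name is not None, "name": name, "throttled": False}

def demo_throttle(attempts=12):
    """One client hammers the throttled lookup; returns how many queries were answered."""
    service, t0, answered = ThrottledLookup(), datetime(2019, 6, 3, 9, 0, 0), 0
    for i in range(attempts):
        r = service.lookup("sess-enum", f"0400{i:06d}", t0 + timedelta(seconds=i))
        answered += 0 if r["throttled"] else 1
    return answered

# Constructed log format (assumption): "<iso ts> client=<id> lookup=<mobile> hit=<0|1>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) lookup=(?P<mobile>\d+) hit=(?P<hit>[01])$")

def constructed_log():
    """Constructed sample: a genuine payer making two lookups, plus one session
    sweeping 50 consecutive numbers in under a minute."""
    t0 = datetime(2019, 6, 3, 9, 0, 0)
    lines = [f"{t0.isoformat()} client=sess-payer lookup=0400000001 hit=1",
             f"{(t0 + timedelta(minutes=3)).isoformat()} client=sess-payer lookup=0400000002 hit=1"]
    for i in range(50):
        mobile = f"0400{i:06d}"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} client=sess-enum "
                     f"lookup={mobile} hit={int(mobile in REGISTRY)}")
    return lines

def detect_enumeration(lines, max_lookups=20, window=timedelta(minutes=10)):
    """Flag clients exceeding max_lookups inside one window; report names leaked and
    how sequential the queried numbers were. A payer confirming a payee makes a
    handful of lookups; a sweep makes thousands, mostly of consecutive numbers."""
    by_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        by_client[m["client"]].append((datetime.fromisoformat(m["ts"]), int(m["mobile"]), m["hit"] == "1"))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        peak, start = 0, 0  # sliding window over sorted timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak <= max_lookups:
            continue
        nums = [n for _, n, _ in events]
        sequential = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
        flagged[client] = {"lookups": len(events), "peak_in_window": peak,
                           "names_leaked": sum(1 for _, _, hit in events if hit),
                           "sequential_ratio": round(sequential / max(len(nums) - 1, 1), 2)}
    return flagged
```

The velocity cap is the simplest control and is only a starting point: a determined party can spread a sweep across many sessions or devices, so in practice a lookup would also be tied to an authenticated session with genuine payment intent, and the detector would aggregate across sessions and look at the sequential-number signal as well as raw volume. The cap in the example answers identically once exceeded rather than returning an error that itself distinguishes registered from unregistered numbers.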

Security experts had foreshadowed that such threats were likely, particularly in the early stages of the NPP rollout.

Critics of the NPP argue that real-time settlement of personal payments increases fraud risk because transactions are instant and irreversible: once a payment has been sent to the wrong or a fraudulent payee, there is no settlement delay in which to stop it.

The launch of Britain's Faster Payments Service in 2008 led to a spike in fraudulent transactions at one banking institution that had not implemented real-time fraud detection when its customers were connected to the new payments process.

Australian deposit takers have been telling customers that the NPP offers a more secure payments environment than the comparable overseas platforms launched a decade ago did.

Banks and credit unions claim to have deployed processes leveraging artificial intelligence and biometrics that verify the integrity of transactions in real time.

In a discussion paper issued to credit unions and mutual banks before the launch of the NPP last year, CUSCAL's head of payments Nathan Churchward advised client institutions that fraud detection driven by machine learning would underpin the security of PayID-related services.

"By combining machine learning with human intelligence, many organisations are developing data-driven fraud systems that are capable of predicting and preventing losses before they occur, and giving valued customers the ability to transact without interruption," he said.

"While even the most sophisticated machine learning platforms still require human intervention, the real value they offer is their ability to process large amounts of information in seconds."

The solid growth of the NPP in its first 12 months suggests that Churchward's argument is winning public support for a system that most users don't really understand.