In yet another breach of what consumers are entitled to expect to be a watertight security environment, the private details of almost 100,000 Australian bank customers have been exposed in a cyber-attack on the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or an email address.
The Sydney Morning Herald set out what happened, the seemingly tardy response by Westpac Banking Corporation (ASX:WBC) and the potential fallout in the following article, released on Monday evening.
The attack on Westpac, which also affects customers from other banks, has prompted a warning from computer security experts who say that the pilfered data could be used for fraud.
Unknown to many Australians, PayID operates like a telephone book, allowing anyone to type in a mobile number or email address and have it confirm the name of the corresponding account holder.
This allows for what security experts call an “enumeration attack”, whereby numbers can be changed at random to find the names and mobile numbers of thousands of Australians.
Experts say that with access to these details, fraud could be committed on a mass scale.
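A defender-side view of the enumeration pattern described above, as an added example that is not from the original article, Westpac or the New Payments Platform: a sliding-window check over a constructed lookup log that flags any client resolving an unusually large number of distinct identifiers. The log layout, client names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 5                # assumed ceiling on distinct identifiers per client


def find_enumerators(events, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak distinct identifiers seen in one window} for
    every client that exceeded max_distinct.

    events: iterable of (iso_timestamp, client_id, identifier), time-ordered.
    """
    recent = defaultdict(deque)  # client -> (time, identifier) pairs in window
    flagged = {}
    for ts, client, ident in events:
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append((now, ident))
        while now - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        # Repeat lookups of the same payee are normal, so count distinct ones.
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def sample_events():
    """Constructed lookup log: two ordinary customers and one enumerator."""
    base = datetime(2000, 1, 1, 9, 0, 0)
    rows = []
    for k in range(6):   # cust-A alternates between two known payees
        rows.append((base + timedelta(minutes=10 * k), "cust-A", f"payee-{k % 2}"))
    for k in range(8):   # cust-B walks through identifiers every 20 seconds
        rows.append((base + timedelta(seconds=20 * k), "cust-B", f"msisdn-{k:04d}"))
    for k in range(6):   # cust-C adds six new payees, but an hour apart
        rows.append((base + timedelta(hours=k), "cust-C", f"friend-{k}"))
    rows.sort()
    return [(t.isoformat(), c, i) for t, c, i in rows]


if __name__ == "__main__":
    for client, peak in find_enumerators(sample_events()).items():
        print(f"{client}: {peak} distinct lookups inside {WINDOW}")
```

Counting distinct identifiers rather than raw requests keeps a customer who repeatedly pays the same few people below the threshold.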
The bank confirmed the incident late on Monday but did not say how many Australians had been affected.
“Westpac can confirm we had detected misuse of the [New Payments Platform’s] PayID functionality and we took additional preventative actions which did not include a system shutdown,” a spokesman said. “No customer bank account numbers were compromised as a result.
“There has been no further inappropriate activity detected.”