Westpac bank has confirmed that it “had detected mis-use” of the New Payments Platform’s PayID feature, following a report that the details of thousands of customers were looked up by a ‘fraudster’.

The bank “took additional preventative actions which did not include a system shutdown” when it discovered the mis-use, it said in a statement.

The Sydney Morning Herald and The Age yesterday reported details of an attack on PayID in which “almost 100,000 Australian bank customers” were exposed.

The report cited a confidential memo from the bank to the wider banking industry describing how seven “compromised Westpac Live accounts” had been used to make around 600,000 PayID ‘lookups’ of which 98,000 “successfully resolved to a short name and this was displayed to the fraudster”.

The memo noted that the attacks had been occurring regularly since April 7.

The NPP has been described as a ‘secure set of rails’ between participating financial institutions which allows money to be transferred in near real time between them, via the Reserve Bank of Australia.

A key feature of the platform – which launched in February last year – is PayID. Rather than requiring someone’s BSB and account number in order to transfer money to them, a PayID can be used instead. This can be a mobile number, email address, ABN number or something else, depending on the bank.

As of February this year more than 2.5 million PayIDs have been created.

Security concerns with PayID emerged soon after it launched when people realised it could be used as a reverse look-up tool. When a user entered a random phone number, if that person used their number as their PayID, their name would appear to the user.

The Westpac attack appears to have exploited the feature at scale.

“No customer bank account numbers were compromised as a result,” a spokesperson for the bank told CIO Australia in a statement.

“Westpac Group takes the protection of customer data and privacy extremely seriously,” they added.

Following the bank’s preventative actions, it says “there has been no further inappropriate activity detected”.