PayID Hack Prompts Warning From Banks Down Under

A recent PayID data breach reported to Australia’s New Payments Platform (NPP) has prompted banks to issue warnings to customers, FinTech Extra reported on Wednesday (Aug. 21).

Aussie financial institutions started sending breach notifications after an undisclosed number of PayID records were exposed in the country’s real-time NPP on Friday (Aug. 16). The hack originated from one of the NPP banks that were secured by payments provider Cuscal Limited.

This is the second time since June that PayID has been hacked. In the earlier incident, Westpac was hit with a breach that affected PayID’s address lookup function.

With PayID, users create their own numbers and then register them with their banks. When it comes time to make and receive payments, users share their PayID instead of using their BSB code and account number.

“The affected data included PayID name[s] and account numbers,” NPP told FinTech Extra. “None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”

Exposed banks have begun warning customers of a “sophisticated PayID scam” in which personal information like mobile numbers, email addresses and account numbers may have been disclosed.

“Cybersecurity is an issue of paramount importance to NPP Australia,” NPP said in a statement. “As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing endpoint security to ensure that the controls are executed as intended.”

Australia’s real-time payments service went live in early 2018 and sought collaboration from FinTech firms and developers through the launch of a developer sandbox. NPP Australia, along with payments messaging firm SWIFT, launched the sandbox via application programming interfaces (APIs) that allowed startups and FinTech developers to integrate NPP’s real-time payments functionality into their own solutions.

Dubbed the NPP API Framework, the sandbox aimed to promote “open access” to the payments platform and offer “companies and innovators the chance to understand how they can use its world-leading capabilities,” according to NPP Australia CEO Adrian Lovney.