Abuse of Westpac PayID is another hit on trust in Australia’s banks


The attackers may have exfiltrated the personal data by unconventional means, but this week’s successful compromise of Westpac’s PayID service highlights the continuing threat faced by organisations whose business relies on collecting large volumes of sensitive information.

PayID – a new service that allows customers to transfer money to other customers using only a mobile phone number as the identifier – was compromised through an enumeration attack, in which a large number of user lookups were lodged from several compromised Westpac accounts.

An estimated 98,000 customers’ mobile phone numbers, names and/or email addresses were compromised in the incident, which was made possible because of the New Payments Platform (NPP) introduced by banks last year.

Westpac has spruiked PayID as being secure, noting that the transfers “are subject to Westpac’s own real-time, fraud screening and detection”. Yet reports stated that 600,000 PayID lookups were made through the service over six weeks in April and May – suggesting that Westpac’s fraud monitoring missed the activity despite plenty of opportunities.
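The attack described above is a lookup-velocity anomaly: a handful of accounts issuing far more directory lookups than any legitimate customer would. As an added example (not the article's or Westpac's code, and using assumed thresholds and a constructed log), the following sliding-window check shows the kind of per-account velocity rule that would surface such activity:

```python
"""Velocity-based detection of PayID-style lookup enumeration (illustrative)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; a real bank tunes these from its own baselines.
MAX_LOOKUPS_PER_WINDOW = 20
WINDOW = timedelta(hours=1)


def flag_enumerating_accounts(events, limit=MAX_LOOKUPS_PER_WINDOW, window=WINDOW):
    """Return {account: time_first_flagged} for accounts whose lookups in any
    sliding window exceed `limit`.

    `events` is an iterable of (timestamp, source_account, target_identifier)
    sorted by timestamp, as a lookup log would provide.
    """
    recent = defaultdict(deque)  # account -> timestamps still inside the window
    flagged = {}
    for ts, account, _target in events:
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # evict lookups older than the window
            q.popleft()
        if len(q) > limit and account not in flagged:
            flagged[account] = ts
    return flagged


def constructed_sample():
    """Constructed log: one normal customer and one account scraping the directory."""
    start = datetime(2019, 5, 1, 9, 0)
    events = []
    # Normal use: three lookups spread across a day.
    for h in (0, 4, 9):
        events.append((start + timedelta(hours=h), "acct-normal", f"example-target-{h}"))
    # Enumeration: 60 sequential lookups in ten minutes from a single account.
    for i in range(60):
        events.append((start + timedelta(seconds=10 * i), "acct-compromised", f"example-target-{i:03d}"))
    return sorted(events)


if __name__ == "__main__":
    print(flag_enumerating_accounts(constructed_sample()))
```

The compromised account trips the rule on its 21st lookup, about three minutes in; the normal customer never does.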

The incident validates concerns raised when NPP was introduced, when it was flagged as a potential threat vector because its instantaneous transfers can facilitate fraud.