Monitoring fail allowed Westpac PayID look-up abuse

Retail bank Westpac is facing tough questions over why its security and transaction monitoring systems failed to detect and shut down an automated data harvesting spree of customers’ PayID details used to enable transactions across the real-time New Payments Platform (NPP).

Australia’s oldest bank on Tuesday confirmed it was dealing with abuse of the PayID look-up function which allows its customers to send funds to individuals and businesses in real time by using a secondary customer-nominated and -selected identity instrument then linked to an account.

Westpac’s acknowledgement of the PayID abuse incident follows revelations in the Sydney Morning Herald and on Whirlpool that a whopping 600,000 PayID look-ups were made between April 7th 2019 and May 22nd 2019, a period of just over six weeks.

The SMH’s report is based on a leaked Westpac memo that said around 98,000 PayID look-ups “successfully resolved to a short name and this was displayed to the fraudster”.

Ignorance not so blissful

But what’s stunned the payments industry isn’t that fraudsters targeted PayID, but the scale and duration of the hole they exploited.

The volumes of automated look-ups from just seven compromised accounts isn’t just high, it's staggeringly high – around 1900 per day, assuming the attack lasted 45 days.

Bank sources iTnews spoke to questioned why Westpac’s systems apparently took more than a month to identify such a high number of PayID queries not resulting in a payment or why routine guard rails like the application of session limits – an automated security feature that kicks in to guard against bots – were apparently not in place or failed to kick in.

Counter fraud systems used in the payments industry typically look for anomalous behaviour to indicate automated harvesting or bot-based fraud. Known behaviours include disproportionately high activity to try and validate account credentials.

In the case of PayID, a standard measure is understood to be a check against the number of look-ups versus the number of payments executed – because, usually, people who do a look-up then make a payment.

While there are tolerances to guard against false positives, it is fairly safe to assume that most people have better things to do than cycle through 1900 look-ups a day (though this is not completely impossible).

Look-up to hook-up

The look-up function works like a phone book accessed from a customers’ online bank account or app.

But like phone directories, information can be extracted, look-up by look-up, to potentially create a reverse directory function.

The PayID system is also optional, with users allowed to nominate the name (or phone number) that gets dug up.

The PayID look-up functionality, and its potential for abuse, has polarised views between the financial services industry and privacy and technology security advocates over trade-offs between the enhanced convenience of the feature versus its potential value to miscreants – primarily for mobile phone number porting and telco account hijacking.

Attempts by fraudsters to exploit elements of the NPP were anticipated by participants and regulators well in advance of the platform going live. The platform also specifically bans participants from caching PayIDs as a precaution.

It is understood that one of the pre-conditions for participation in the NPP is that counter fraud and transaction monitoring systems be in place and working, with sanctions ranging from fines and warnings to suspension and exclusion.

On notice

Chief executive of the NPP Adrian Lovney was quick to stress the obligations of participating banks.

“NPP Australia has firm requirements in place that require participating financial institutions to monitor, detect and shut down any attempts to harvest data from PayID,” Lovney said in a statement.  

“NPP Australia is working closely with Westpac on this matter. 

“No financial details or credentials are available from the PayID database, and therefore none of these details have been compromised. The only details obtained have been the account name which was designed to be returned to a legitimate enquiry.”

Westpac, in the meantime, is mopping up after the monitoring failure fiasco.

“Westpac can confirm we had detected misuse of the NPP’s PayID functionality, which triggered preventative actions,” a spokesman said in a statement, admitting controls have now been tightened.

"Westpac Group takes the protection of customer data and privacy extremely seriously and we continually monitor our systems. In addition, there is now heightened monitoring of NPP transactions.

“Westpac apologises for this isolated incident and will continue to ensure customer information is secure,” the spokesman said.

Banks still slipping

The issue for regulators is that the number of isolated incidents and slip-ups seems to be growing, especially around transaction monitoring and compliance obligations.

The Commonwealth Bank of Australia last year incurred the wrath of AUSTRAC over its failure to identify laundering transactions, particularly with flagging deposits designated as suspicious made via its intelligent ATM network, a $700 million slip.

In the CBA’s case, the issue was also not that the flags could not be raised; rather it was that the systems that were in place just did not activate as intended, nor was this detected, creating a systemic problem in the process.

Westpac’s apparent failure of fraud control mechanisms on PayID is certain to pique the interest of emboldened financial regulators looking to kybosh bad behaviour after the Banking Royal Commission, particularly the Reserve Bank of Australia which has pushed hard for the NPP.

Westpac’s struggles to get NPP functionality up and running have been on public display, with CEO Brian Hartzer strongly pressed during a Parliamentary committee over what was causing the delays.

With the Coalition government now re-elected, Westpac’s next appearance will not be any less painful.