PayID hack leaves thousands of bank accounts at risk of attack

If a bank sends you a text message or email asking you to “verify your identity”, do not press on that link. That’s the stern warning coming from cyber security experts, after thousands of Australian customers were targeted in a hacking attack involving real-time payment system PayID.

Big 4 banks

What is PayID?

PayID is part of a new payments system called the New Payments Platform (NPP), which enables users (like banks, governments and businesses) and their customers to make real-time payments between accounts at participating financial institutions. PayID is used by about 80 financial institutions to simplify identification verification, allowing access to the NPP system. PayID enables their customers to quote non-bank information, such as a phone number or email address, rather than having to remember their account and BSB numbers. About 65 million accounts are connected to PayID across Australia, many of them through a payments provider company, such as Cuscal. 

What bank accounts were targeted in the PayID hack?

Only a small portion of accounts with PayID were affected – about 92,000 – held at banks including National Australia Bank, Commonwealth Bank (including Bankwest), Westpac, and ANZ. Cuscal client CUA was reported to be the source of the security breach. A statement on the CUA website states: “Some members’ PayIDs, and their PayID ‘short name’ (e.g. “Susan S or “S Smith”), were accessed, as was other information attached to the PayID including full name, mobile number, BSB, and account number of the associated account.

An NPP statement said Cuscal alerted them on 16 August about a “client-side technical issue underlying the exposure”, which “were identified and resolved immediately”. The “technical issue” was reported to have allowed hackers access to the wider PayID system – details of customers at other banks. 

“The affected data included PayID name and account numbers,” the statement said. “None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”

How did hackers gain access to funds in the PayID breach? 

While hackers weren’t able to use the PayID account names and numbers they obtained to withdraw cash from any accounts, they could – and did – use this information to send emails and text messages to account holders. Many of these messages included a link to a website, and a request that the account holder verify their identity. This is called “phishing”, or when scammers attempt to trick people into giving out personal information which allows them to access bank accounts. 

A phishing attempt can look like the example below, sent to a National Australia Bank (NAB) customer as a text message. The first message shown, alerting the customer that a credit card had been posted, has been confirmed as legitimate. However, it appears the scammers managed to use phone-number “ID spoofing” software to mimic the official NAB number, to make the second – bogus – message appear legitimate.

NAB would never ask customers to confirm, update or disclose personal or banking information via email or text message,” a NAB spokesperson said.

Image of a scam text message received from a National Australia Bank customer.
A scam text message received from a National Australia Bank customer. Image: Canstar

What can you do if you think your data has been exposed by the PayID hack? 

All four of Australia’s biggest banks have released statements saying that they have contacted users who have been exposed in the PayID security breach. 

Commonwealth Bank

CommBank has issued a warning to customers. “We are aware that a number of customer PayIDs across multiple financial institutions, including Commonwealth Bank and Bankwest, have been accessed through another financial institution. The information disclosed includes details such as customer name, BSB and account number and may be used as part of scams and phishing attempts. You may have received a fraudulent SMS. The PayID scam via SMS or email may have your name or account details in it, like this example. If you have clicked a link from a suspicious SMS or email, contact us on 13 2221 urgently.”

An image of a scam text message received from a Commonwealth Bank customer.
A scam text message received from a Commonwealth Bank customer. Image: CommBank

 

National Australia Bank

A NAB spokesperson said: “NAB has contacted impacted customers following the data breach event at another Australian financial institution, which exposed PayID details registered to customers from a number of banks, including some NAB customers. We take the protection and security of our customers information seriously and have placed an extra layer of fraud detection and security controls on the accounts of affected NAB customers.”

The bank’s website states that anyone who thinks they have received a suspicious message should forward it to phish@nab.com.au (for emails) or  0476 220 003 (for text messages), and then delete the message. 

Westpac

Westpac was the target of another hacking attack via the PayID system in June. Back then, about 100,000 customers of Westpac and other Australian banks had some of their personal details exposed. The bank was reported to have sent out emails to its customers after this most recent breach, asking them to be vigilant and to report any suspicious activity.

“We are urging all customers to be wary of any SMS phishing attempts — for example, a personalised message which looks like a legitimate message from Westpac or another bank, in an attempt to acquire banking credentials and password,” the email said.

“Report suspicious emails or scam details to hoax@westpac.com.au, and forward hoax SMS to 0497 132 032 and then delete the message.

On its website Westpac’s states:“If you clicked on a link provided in hoax email or SMS, it’s possible your security could’ve been compromised.In that case, contact us immediately on 132 032.”

ANZ

ANZ also confirmed that the PayID breach affected “a small number” of its customers, whom they have contacted. “These accounts are being closely monitored,” a statement on the ANZ website said. The bank asked customers who suspected they had been targeted by a scam to visit its online security centre. It also suggested that customers send hoax emails to hoax@cybersecurity.anz.com, and report fraudulent or unusual activity via phone to 133 350. 

Follow Canstar on Facebook and Twitter for regular banking updates.

 

Share this article