Australia's real-time payments platform, which launched last week, has sparked privacy concerns. At issue, ironically, is a feature designed to reduce fraud and erroneous payments. But some believe it exposes users to greater risk of social engineering attacks (see Australia Launches Real-Time 'New Payments Platform').
The feature, called PayID, is part of the New Payments Platform, which settles domestic bank-to-bank payments in seconds. Banking customers can create a PayID and give it to someone for payment. As of now, PayIDs can be email addresses, phone numbers, Australian Business Numbers or Australian Company Numbers.
When a payer enters a PayID into a banking application, it shows the name of the person to whom the PayID is assigned. The feature is intended to eliminate problems stemming from entry errors. The old-style way to make a payment is to enter a routing code - known as a BSB - plus an account number; if either number is mistyped, the payment might not arrive.
Using PayID, however, a user can take a mobile phone number they already know - say for their son or daughter - and enter it into their banking application, which will confirm that the PayID belongs to who they think it belongs to, thus giving them confidence their payment will go to the right person.
But a Melbourne-based software developer, Anthony Roberts, found that he could enter random phone numbers that had been assigned as PayIDs and discover the names of people connected with those IDs. He tweeted his findings. The problem is a user enumeration issue: the system confirms that an identifier exists and, in this case, also reveals the name attached to it. Depending on context, such issues are sometimes treated as vulnerabilities in their own right.
"But then you are trading off some privacy," Hunt says. "And no matter how much they [NPP] sugarcoat it, it is a privacy tradeoff because you can pull someone else's data, and we've just seen a bunch of tweets on that."
3, 2, 1, Tweetstorm
The tweets from Roberts that showed the names of people who had PayIDs registered with the phone numbers he randomly entered have caused a stir, prompting questions about whether the designers of the New Payments Platform Australia carefully considered security.
A New Payments Platform Australia spokeswoman tells me that security and fraud were "absolutely" in front of mind when designing the system. But a statement from the organization characterized what played out on Twitter as "unfortunate."
"We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues," the statement says. "While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID."
But is it clear to users that their PayID could be used by anyone - even people who have no intention of sending them a payment - to enumerate their name?
Terms and Conditions
The NPPA's spokeswoman pointed me to PayID's terms and conditions. A section under the privacy heading says that using the system means a person's name will be disclosed to payers for payment validation.
But given how few people read terms and conditions for any service, it's unlikely that consumers would put together the scenario that Roberts demonstrated.
Roberts took it further. After obtaining a name from a random phone number, he found both people's Facebook accounts. That opens up many other possibilities.
"Once you have full name, mobile number and Facebook profile, social engineering unfortunately becomes much easier," Roberts tells me.
The NPPA says that financial institutions are required to take steps to ensure PayID is not abused for data mining, which presumably means rate limits are in place. Roberts tells me he didn't notice signs of rate limiting, but different banks may have different tolerances.
ID Theft: Patience is a Virtue
Even if data mining at scale isn't possible, it would be useful for limited probes. For example, say an attacker wants to figure out the real person behind a pseudonymous email address. Enter the email into PayID, and if it returns a name, there's strong confidence - thanks to the bank's own know-your-customer verifications - it's accurate.
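The two preceding passages describe the abuse pattern (many name lookups, few or no payments) and the mitigation the NPPA points to (rate limiting). The following is an added illustration, not code from the NPPA, any bank, or Roberts: a small Python script that runs a sliding-window rate limiter and an enumeration detector over a constructed lookup log. The log format, customer ids, thresholds and the "followed by a payment" flag are all assumptions made for the example.

```python
"""Detecting PayID-style lookup abuse over a constructed sample log.

Hypothetical log format (one lookup per line, space separated):
    <ISO-8601 UTC timestamp> <requesting customer id> <payid type> <FOUND|NOTFOUND> <PAID|NOPAY>
PAID means the requester actually sent a payment to that PayID shortly after looking it up.
Nothing here is real NPP/PayID data or a real bank's log schema.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    requester: str
    payid_type: str
    found: bool
    paid: bool


def parse_line(line: str) -> Lookup:
    """Parse one line of the hypothetical log format above."""
    ts, requester, payid_type, outcome, paid = line.split()
    return Lookup(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        requester=requester,
        payid_type=payid_type,
        found=(outcome == "FOUND"),
        paid=(paid == "PAID"),
    )


def build_sample_log() -> list[str]:
    """Constructed sample data: three ordinary customers, plus one (cust-777)
    that probes a dozen phone numbers within a minute and never pays anyone."""
    lines = [
        "2018-02-20T10:00:01Z cust-001 PHONE FOUND PAID",
        "2018-02-20T10:00:05Z cust-002 EMAIL FOUND PAID",
        "2018-02-20T10:00:09Z cust-003 PHONE NOTFOUND NOPAY",  # a typo, retried below
        "2018-02-20T10:00:40Z cust-003 PHONE FOUND PAID",
    ]
    start = datetime(2018, 2, 20, 10, 1, 0)
    for i in range(12):
        ts = start + timedelta(seconds=3 * i)
        outcome = "FOUND" if i % 3 == 0 else "NOTFOUND"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} cust-777 PHONE {outcome} NOPAY")
    return lines


class LookupRateLimiter:
    """Sliding-window limiter: at most max_lookups per requester per window."""

    def __init__(self, max_lookups: int = 5, window: timedelta = timedelta(minutes=1)):
        self.max_lookups = max_lookups
        self.window = window
        self._recent: dict[str, deque] = defaultdict(deque)

    def allow(self, requester: str, ts: datetime) -> bool:
        recent = self._recent[requester]
        # Drop timestamps that have aged out of the window.
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            return False  # would be the point to refuse the lookup and alert
        recent.append(ts)
        return True


def detect_enumeration(lookups, max_lookups=5, window=timedelta(minutes=1),
                       min_for_ratio=5, max_unpaid_ratio=0.8):
    """Return {requester: set of reasons} for requesters whose lookup pattern
    looks like name harvesting rather than preparation of a payment.
    Two signals: bursts over the rate limit, and a high share of lookups
    that were never followed by a payment."""
    reasons = defaultdict(set)
    limiter = LookupRateLimiter(max_lookups, window)
    totals = defaultdict(lambda: [0, 0])  # requester -> [lookups, lookups with no payment]
    for lk in sorted(lookups, key=lambda x: x.ts):
        if not limiter.allow(lk.requester, lk.ts):
            reasons[lk.requester].add("rate_limit_exceeded")
        totals[lk.requester][0] += 1
        if not lk.paid:
            totals[lk.requester][1] += 1
    for requester, (n, unpaid) in totals.items():
        if n >= min_for_ratio and unpaid / n >= max_unpaid_ratio:
            reasons[requester].add("lookups_without_payment")
    return dict(reasons)


if __name__ == "__main__":
    alerts = detect_enumeration(parse_line(l) for l in build_sample_log())
    for requester, why in alerts.items():
        print(requester, sorted(why))  # only cust-777 is flagged on the sample data
```

The per-requester window is the cheap control a bank can apply at the lookup API; the unpaid-lookup ratio is the slower signal that catches a patient actor who stays under the burst limit, which is the scenario the identity-theft discussion below describes. Both thresholds are illustrative and would need tuning against a bank's real lookup-to-payment behaviour.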
Identity thieves are good at pulling these kinds of threads. Bits of personal data in isolation may not prove a privacy risk, but it can be if the information is collated into more useful portfolios, says Steve Wilson, vice president and principal analyst at Constellation Research.
Identity thieves "are very patient," Wilson says. "They can take months or years even to do this."
Hunt says the uproar over PayID may just die down, and people will move on from yet another situation where privacy is eroded a tiny bit.
"I think that ultimately what happens is companies tend to sort of decide on behalf of everyone where the privacy default is going to be, and we all sort of inherit that," he says.
The good news is PayID is entirely voluntary. It's up to users to evaluate if the usability of PayID trumps what is arguably - in an age of massive data breaches - a marginal risk. But Roberts' findings show the potential impact of a seemingly innocuous feature.