Experts Respond To NPP Security Concerns

Image: PayID

Now that the New Payments Platform (NPP) is live and banks are slowly coming to the party in offering access to their own PayID system for transferring funds, the spotlight has turned to security. Is the NPP platform safe for consumers? Can your PayID be compromised or hacked in some way? Or is it really a reverse lookup system for mobile phone numbers?

We asked the NPP and a couple of privacy experts what they thought about some of the privacy and security concerns.

A spokesperson for NPP told us "PayID’s payee confirmation step (when you see the name of the person linked to the PayID you are about to pay) was designed to address mistaken payments, as well as scam and fraud risks".

When you enter someone's PayID into your payment app you'll see their name before you transfer the funds.

NPP's research found 76% of Australians worry about paying money into the wrong account due to an error when inputting details.

So, on the face of things, this looks like a reasonable thing to do. But if you enter a random phone number into the PayID field in your app, you can learn the name of the account holder. That makes it a handy reverse lookup tool.

NPP's response was "If a person is not comfortable creating a PayID using their phone number, there are other PayID types, such as an email address, they could use. Or they can decide not to use the PayID service at all and instead continue to use their BSB and account number and still receive the benefits of faster payment offered by Osko without the added benefits of PayID".

Osko is the payments service that leverages the NPP. And PayID, which is provided by the NPP, is the identifier you use to access the service.

It's also worth noting you can only send money to someone's account using PayID/Osko. You can't use the PayID to withdraw funds from someone's account.

"Participating financial institutions are required to have measures in place to ensure the PayID service is not used by customers or customer applications to mine data for fraudulent purposes," they added.

Richard Booth, from RSA’s fraud and risk intelligence team in Asia Pacific/Japan, said it's possible for an attacker to use this reverse lookup capability to start collecting information for a more targeted attack. From random phone numbers, they could distil names and potentially use the combination to launch other attacks through social engineering or other vectors.
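The NPP spokesperson says participating institutions must have measures in place so the PayID lookup is not used to mine data. The following is an added example of one such measure, not NPP or bank code: a per-client sliding-window check over constructed lookup log lines that flags a client resolving many distinct phone-number PayIDs, or numbers that look like a sequential sweep. The log format, window and thresholds are assumptions.

```python
"""Flag PayID reverse-lookup enumeration in lookup logs (added example).
Assumed log format: "<ISO time> <client_id> <payid> <result>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one client sweeps consecutive numbers,
# another looks up the same PayID twice (normal behaviour).
SAMPLE_LOG = """\
2018-02-20T10:00:00 app-user-17 +61400000001 FOUND
2018-02-20T10:00:02 app-user-17 +61400000002 FOUND
2018-02-20T10:00:04 app-user-17 +61400000003 NOT_FOUND
2018-02-20T10:00:05 app-user-17 +61400000004 FOUND
2018-02-20T10:00:07 app-user-17 +61400000005 FOUND
2018-02-20T10:00:09 app-user-17 +61400000006 FOUND
2018-02-20T10:01:00 app-user-42 +61411223344 FOUND
2018-02-20T10:30:00 app-user-42 +61411223344 FOUND
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_DISTINCT = 5                 # assumed distinct-PayID budget per window


def parse_line(line):
    ts, client, payid, result = line.split()
    return datetime.fromisoformat(ts), client, payid, result


def _sequential(payids):
    """True when the numeric PayIDs form one consecutive run."""
    nums = sorted(int(p.lstrip("+")) for p in payids if p.lstrip("+").isdigit())
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def detect_enumeration(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client_id: reason} for clients exceeding the lookup budget
    or whose queried numbers form a consecutive run inside the window."""
    history = defaultdict(deque)   # client -> deque of (time, payid)
    flagged = {}
    for line in log_text.splitlines():
        ts, client, payid, _ = parse_line(line)   # NOT_FOUND still counts
        q = history[client]
        q.append((ts, payid))
        while q and ts - q[0][0] > window:        # drop entries outside window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_distinct:
            flagged[client] = f"{len(distinct)} distinct PayIDs in {window}"
        elif len(distinct) >= 3 and _sequential(distinct):
            flagged[client] = "sequential phone-number sweep"
    return flagged
```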

And the new system, he said, is "for the bad guys, an exciting new way to steal funds quick and with less preventative measures than previously. Criminals already have a good idea of where to start after the UK launch [of their Faster Payments platform] in 2008. In the years following that, the banks reacted by putting in very heavy identity controls. It's not that different from what criminals can do today."

Centrify’s Senior Director for APAC Sales Niall King says the faster clearance times give criminals an advantage when they are stealing from accounts.

"Because bank transfers will no longer have a three-day buffer period to clear, banks will need to detect fraudulent activity in real time. You can guarantee the bad guys will work overtime to exploit any vulnerabilities, especially through scam emails or calls designed to steal consumer information", he said.

This was something the UK faced a decade ago when they launched their Faster Payments platform.

One of the questions people ask is around whether someone can use another person's mobile number or email address to create a PayID. NPP's spokesperson said "Registering a PayID requires a number of identification and verification steps to prove you are the rightful owner of the information you wish to use for the PayID, as well as the account you will be linking that PayID to. So, unless a person has these details, it will be hard for them to create a PayID linked to their account using your personal details".

So, it's up to the bank providing you with the service to ensure you're using a legitimate PayID. If you think something dodgy has been done, such as someone has used your mobile number to create a PayID to direct payments into their own accounts, or you see some potentially fraudulent transactions in your account, then your first port of call should be your bank.

One of the potential verification tools used by banks is SMS but, as RSA's Richard Booth explained, this might not be a great idea.

"In the US, NIST has come out and said quite publicly that their faith in SMS, as a security mechanism, is largely diminished. Organisations should not be looking at SMS as their sole factor for verification processes".

Booth advocates the use of push notifications to a trusted device.


    Experts whose livelihoods are tied to selling security products think there may be an issue here? Shock...

    "If they don't want to use their mobile number they can use OTHER PayID types, like their email address" .... and
    Please continue Mr NPP, what are the other types... nope, that's it, email, phone or not at all.

    I appreciate that you need to do some checks and balances/verification in the setup stage, using either an email or phone number.
    But this doesn't have to be your public facing PayID... granted it ensures it's unique.
    Allowing users to create their own ID and then cross checking if it has been used is hard work for a poor system like this.

      Business account holders can use an ABN. But I agree that the limitations, that I believe are set by the banks, are a little silly.

    Beware of man in the middle malware:
    1. At the first transfer, it records the name of the person corresponding to the number chosen for the transfer.
    2. At a subsequent transfer to the same number, it replaces the number with a fraudulent one.
    3. It replaces the fraudulent name with the true name for confirmation.
    What you see is NOT what you get.
