Westpac breach highlights cyber-security threat

By Trevor Hoey. Published at Jun 4, 2019, in Features

In yet another breach of an environment that consumers are entitled to expect is watertight, the private details of almost 100,000 Australian bank customers have been exposed in a cyber-attack on the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or email address.

The Sydney Morning Herald explained the events that have occurred, the seemingly tardy approach by Westpac Banking Corporation (ASX:WBC) and the potential fallout in the following article released on Monday evening.

The attack on Westpac, which also affects customers from other banks, has prompted a warning from computer security experts who say that the pilfered data could be used for fraud.

Unknown to many Australians, PayID operates like a telephone book, allowing anyone to type in a mobile number or email address and have it confirm the name of the corresponding account holder.

This allows for what security experts call an "enumeration attack", whereby an attacker submits mobile numbers chosen at random, in bulk, and collects the account-holder names that resolve, building up a list of names and mobile numbers for thousands of Australians.

Experts say that with access to these details, fraud could be committed on a mass scale.
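The article later notes that participating institutions are required to monitor PayID use for unusual activity. As an added example (not Westpac's or NPPA's code), the following scans constructed lookup-log lines for the enumeration pattern described above: a single login performing many lookups against distinct identifiers with a low resolution rate, which is the shape of the figures in the Westpac memo. The log format, account names, numbers and thresholds are all assumptions.

```python
"""Flag enumeration-style PayID lookup mining from lookup logs.

Added illustration (not Westpac or NPPA code): the log format, account ids,
thresholds and the sample lines below are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <login account> <identifier looked up> <hit|miss>"
# acct-1001 hammers distinct numbers and rarely resolves; acct-2002 looks normal.
SAMPLE_LOG = "\n".join(
    [f"2019-05-22T09:00:{i:02d}Z acct-1001 +6140000{i:04d} {'hit' if i % 6 == 0 else 'miss'}"
     for i in range(12)]
    + ["2019-05-22T09:01:00Z acct-2002 +61411111111 hit",
       "2019-05-22T09:02:00Z acct-2002 +61411111111 hit",
       "2019-05-22T09:03:00Z acct-2002 bob@example.com hit"]
)


def parse(log):
    """Yield (timestamp, account, target, resolved) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, target, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, target, result == "hit"


def find_mining_accounts(log, window=timedelta(minutes=5), max_lookups=10, max_hit_rate=0.5):
    """Return accounts whose lookups in any sliding window exceed max_lookups,
    are mostly against distinct identifiers, and resolve at a low rate.
    A genuine payer looks up a handful of identifiers that mostly resolve."""
    recent = defaultdict(deque)  # account -> (ts, target, hit) within the window
    flagged = {}
    for ts, account, target, hit in sorted(parse(log)):
        q = recent[account]
        q.append((ts, target, hit))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) <= max_lookups:
            continue
        distinct = len({t for _, t, _ in q})
        hit_rate = sum(h for _, _, h in q) / len(q)
        if distinct >= 0.8 * len(q) and hit_rate <= max_hit_rate:
            flagged[account] = {"lookups": len(q), "distinct": distinct,
                                "hit_rate": round(hit_rate, 2)}
    return flagged


if __name__ == "__main__":
    for account, stats in find_mining_accounts(SAMPLE_LOG).items():
        print(f"possible lookup mining from {account}: {stats}")
```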

The bank confirmed the incident late on Monday but did not say how many Australians had been affected.

"Westpac can confirm we had detected misuse of the [New Payments Platform's] PayID functionality and we took additional preventative actions which did not include a system shutdown," a spokesman said. "No customer bank account numbers were compromised as a result.

"There has been no further inappropriate activity detected."

In a confidential memo obtained by the Sydney Morning Herald and The Age, the bank disclosed information about the incident to Australia's banking and financial industry.

"On 22 May 2019, Westpac noted that a high volume ([around] 600,000) of NPPA PayID lookups was made from 7 compromised Westpac Live accounts," the memo said. "[Around 98,000] of the lookups successfully resolved to a short name and this was displayed to the fraudster.

"Further analysis revealed that the attacks had been occurring since 7 April 2019 (the total number of lookups is [around] 600,000). The attackers are possibly offshore (the ... intelligence of the logins indicates [they are] US-based fraudsters).

"The accounts used appear to have been compromised or set up ... to perform the attack (Westpac conversations with the legitimate owners of the existing accounts used indicate that they are not aware of the attacks or involved in any way)."

Had a statement such as this been released by Westpac on May 22 in order to alert its customers as a duty of care, a large percentage of users could have taken various measures to protect themselves.

At this stage, if Westpac were being judged retrospectively on the basis that the breach had led to mass-scale fraud, it would be fair to say that the ramifications for the bank would be far worse.

That said, it is too early to determine what the eventual fallout will be: depending on the circumstances it can take some time for fraudulent transactions to be detected, and even longer for such transactions to be traced back to an event such as an NPPA PayID lookup.

Consequently, Westpac still isn’t off the hook, and many bank customers will be reassessing the need to use what in effect is a highly discretionary technology - one that could actually be here one day, gone the next without causing undue inconvenience to consumers.

On this note, the Sydney Morning Herald highlighted that Troy Hunt, an Australian security consultant who runs the popular haveibeenpwned.com website that alerts its users when their data has been exposed in a breach, said there was often a fine line between a feature and a security or privacy risk.

"In this case, the convenience of PayID is clear," he said. "What's less clear is whether users of the service are willing to accept the privacy trade-off. I suspect that most people are unaware of the potential disclosure of their personal information in this fashion."

The Sydney Morning Herald noted that NPP Australia, which runs the New Payments Platform, said it could not comment on the incident, but its spokesperson left no doubt that a financial institution such as Westpac is expected to act quickly once a breach is detected.

On this note, the spokesperson said that participating financial institutions were “required to have measures in place to monitor PayID use for unusual activity and ensure PayID is not used by customers or customer applications to mine data for fraudulent purposes”.

"It's also important to remember that PayID has been designed to provide more reassurance during the payments process," the spokeswoman said. "It enables a payer to see the name associated with the PayID to reduce the risk of mistaken payments or scams."

The Sydney Morning Herald said that the Privacy Commissioner would not confirm whether Westpac had informed it of the matter.

“Where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter,” a spokeswoman said. "In line with our regulatory action policy, we do not generally comment about specific incidents."

Banks have been under pressure from the Reserve Bank to roll out PayID to customers more quickly, after it was launched last year. But it was not initially offered by all of the big four.

The service, which uses the New Payments Platform infrastructure, allows money to be transferred in near real-time between customers of either the same or different banks.

The incident came amid a warning from the financial regulator about the growing cyber threats to financial businesses and the risk that they further damage the already battered reputations of financial institutions.

"With financial sector trust damaged, it only takes one media exposé or social media outcry to cause a company serious financial damage, often in the space of days or hours, rather than weeks or months," Australian Prudential Regulation Authority deputy chair John Lonsdale warned in a speech on Monday.

In February 2018, the NPP was forced to address concerns that the service could be used to look up any Australian's details. It confirmed this was possible but said using PayID was a user's choice.

“We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues," it said then. "While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.”

A series of unfortunate events

Amidst the broader mayhem that has characterised the financial services sector, this is another significant setback.

However, for the NPP to refer to the potential impact on individual consumers as ‘unfortunate’ suggests that the group that boasts “Speed, Always on, Data enriched and PayID” has its head in the clouds and its heart in a server.

Not too many PayID users will be wearing the smiley faces featured above after waking up to today’s news.

Straight off the NPPA website is the following statement:

The NPP has been intentionally designed to be ‘open access’. Depending on the end-goal, there are five pathways an organisation could follow to access the NPP and its benefits.

Perhaps, NPP is a little too ‘open’, and there is a sixth pathway that NPP hadn’t been counting on.

However, what these events do underline is the need for increasing levels of security, and arguably a different mindset by innovators whereby security is the key priority in product development and rollout.

WhiteHawk - right time, right place

While there aren’t any winners when it comes to cyber-fraud (except perhaps for those that have short-term gain followed by a long stay in prison), it is an environment that presents opportunities for companies that can fight the crime in innovative ways.

One of the keys is to do what the cyber fraudsters do best — stay one step ahead of emerging technologies.

This usually takes a significant amount of industry experience, and companies also have to win the trust of large enterprises whose very future hinges on the quality of their security.

WhiteHawk Ltd (ASX:WHK) has these attributes as the first global online cyber security exchange and AI (artificial intelligence) driven cyber risk mitigation company, enabling small-to-medium businesses (SMB) to take smart action against cybercrime.

The company helps US enterprises to connect to content, solutions, and service providers through evolving its rich data and user experiences.

Last week, WhiteHawk announced a new integrated one-stop cybercrime and fraud prevention software offering for SMBs that will give WhiteHawk access to tens of thousands of small to mid-sized business (SMB) customers.

Specifically, WhiteHawk has integrated the platform of EZShield, a pioneer and innovator in identity theft and mobile cybersecurity solutions with 18 years of history, over 27 million US consumers, and strategic partnerships with financial institutions.

EZShield offers small business protection by securing business information, proactively monitoring business and personal information, and preparing for and responding to fraud, identity crimes, and cyber threats.

However, while this recent news relates to the SMB market, WhiteHawk has also received recognition from big corporates and government bodies.

Working on multi-billion dollar contracts

WhiteHawk was recently awarded a sub-contractor role servicing a prime contractor on a newly awarded US$2 billion contract for a US federal government department.

The company was also selected as a cyber sub-contractor by the prime contractor on a newly awarded US$27 million prime contract for another US federal department with work to commence this month.

WhiteHawk also announced in mid-May that it had formed a new partnership with international cyber risk reduction firm Global Cyber Alliance (GCA), providing the foundation for expansion beyond the US.

GCA’s mission is to eliminate cyber risk and improve the connected world by securing Internet of Things (IoT) devices and technologies. It reduces cyber risk by developing and deploying practical, real-world solutions that measurably improve the world's collective cybersecurity.

WhiteHawk will work with GCA to provide affordable and easy-to-implement cyber risk mitigation solutions to small and mid-size businesses (SMBs). The partnership opens the door for WhiteHawk to proceed with its international expansion plans as it seeks to explore opportunities to enable SMBs on a global scale.

S3 Consortium Pty Ltd (CAR No.433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information only. Any advice is general advice only. Neither your personal objectives, financial situation nor needs have been taken into consideration. Accordingly you should consider how appropriate the advice (if any) is to those objectives, financial situation and needs, before acting on the advice.

Conflict of Interest Notice

S3 Consortium Pty Ltd does and seeks to do business with companies featured in its articles. As a result, investors should be aware that the Firm may have a conflict of interest that could affect the objectivity of this article. Investors should consider this article as only a single factor in making any investment decision. The publishers of this article also wish to disclose that they may hold this stock in their portfolios and that any decision to purchase this stock should be made only after the purchaser has made their own inquiries as to the validity of any information in this article.

Publishers Notice

The information contained in this article is current at the finalised date. The information contained in this article is based on sources reasonably considered to be reliable by S3 Consortium Pty Ltd, and available in the public domain. No “insider information” is ever sourced, disclosed or used by S3 Consortium.
