Data breach in Westpac bank; nearly 100k users affected

Personal data belonging to almost 100k clients of Australian banks was exposed due to a cyberattack against PayID, a real-time online payment platform from the Australian bank Westpac. According to web application security specialists, this attack allowed hackers to instantly transfer money between multiple banks using a mobile phone number and an email address.

The attack, which affects the customers of Westpac and other Australian banks, has triggered alerts among the cybersecurity community, which believes that the compromised information could end up being used for various forms of identity fraud.

Although many Australian citizens are unaware of it, PayID functions as a phone book, allowing anyone to enter a phone number or email address to confirm the name of an account holder. Web application security experts mention that this enables a so-called “enumeration attack”, in which numbers are changed at random to find the names and mobile phone numbers of thousands of people.

“Any threat actor with access to these personal details could deploy a powerful attack campaign”, the experts added.

Representatives of the bank confirmed the
security incident, although they did not mention the exact number of affected
users.

Web application security experts learned that, at the end of May, the bank detected a large volume of PayID searches conducted from seven compromised Westpac Live accounts. A little more than 98 thousand of these searches were successful; this figure is equivalent to the total number of affected users.
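
One way a monitoring job could surface the lookup pattern described above, as an added example that is not from the original article or from Westpac: it tracks how many distinct identifiers each source account looks up inside a sliding time window. The log format, account names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line: "<ISO timestamp> <account> <identifier> <HIT|MISS>"
def parse(line):
    ts, account, identifier, result = line.split()
    return datetime.fromisoformat(ts), account, identifier, result == "HIT"

def flag_enumeration(lines, window=timedelta(minutes=10), max_distinct=20):
    """Return {account: (peak distinct identifiers in any window, total hits)}
    for accounts whose peak exceeds max_distinct."""
    recent = defaultdict(deque)   # account -> (ts, identifier) events still in window
    hits = defaultdict(int)       # account -> lookups that resolved to a name
    peak = defaultdict(int)       # account -> largest distinct count seen
    for ts, account, identifier, hit in sorted(map(parse, lines)):
        q = recent[account]
        q.append((ts, identifier))
        while ts - q[0][0] > window:      # expire events older than the window
            q.popleft()
        hits[account] += hit
        peak[account] = max(peak[account], len({i for _, i in q}))
    return {a: (p, hits[a]) for a, p in peak.items() if p > max_distinct}

def sample_log():
    """Constructed data: one ordinary customer and one enumerating account."""
    base = datetime(2000, 1, 1, 9, 0, 0)
    lines = []
    # acct-normal: five lookups of three known payees, two hours apart
    payees = ["0400000001", "0400000002", "0400000001", "a@example.com", "0400000002"]
    for k, ident in enumerate(payees):
        lines.append(f"{(base + timedelta(hours=2 * k)).isoformat()} acct-normal {ident} HIT")
    # acct-suspect: 120 different numbers, one every 2 seconds, every 6th resolves
    for k in range(120):
        result = "HIT" if k % 6 == 0 else "MISS"
        ts = (base + timedelta(seconds=2 * k)).isoformat()
        lines.append(f"{ts} acct-suspect 04{k * 7919 % 10**8:08d} {result}")
    return lines

if __name__ == "__main__":
    for account, (distinct, resolved) in flag_enumeration(sample_log()).items():
        print(f"{account}: {distinct} distinct identifiers in window, {resolved} resolved")
```

Counting distinct identifiers rather than raw requests keeps a customer who repeatedly pays the same few people below the threshold, and the hit total gives responders the number of names actually disclosed per account.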

According to specialists of the International Institute of Cyber Security (IICS), the attacks reportedly started on April 7, with about 600,000 searches in a period of just over a month. In addition, the Australian authorities consider that the hackers' mode of operation has similarities with the activities of some cybercriminal groups detected in the United States.

Finally, the bank stressed that the accounts used to deploy the attack were compromised and specially configured for this campaign, so Westpac rules out that any of the legitimate owners of the compromised accounts are behind the attack.
