Payment processor Cuscal says it is working with one of its clients to investigate a “spike” in PayID enquiries and resolutions.
The enquiries were lodged by a number of customer accounts at the financial institution, which Cuscal didn’t name. Cuscal provides a number of smaller ‘identified institutions’ with access to the New Payments Platform, including PayID.
PayID is an NPP-based service that allows payments to be made using alternative identifiers — such as an email address or mobile number — instead of a BSB and account number.
“Cuscal works closely with our clients and industry partners, such as the NPPA, to ensure measures are in place to monitor unusual PayID activity,” a statement released by Cuscal said.
“Upon identification of the issue our NPP Identified Institution client took immediate action to remediate, as well as putting additional alerting in place to mitigate against further incidents.”
“In addition, technology changes were made by the client immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by others in the future,” Cuscal added.
The affected institution has notified the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner, Cuscal said.
In June, Westpac revealed it had “detected misuse” of PayID lookups. Hundreds of thousands of PayID lookups were believed to have been made using compromised Westpac Internet banking accounts.
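The monitoring and alerting Cuscal refers to, and the high-volume lookups seen in the Westpac case, come down to spotting accounts that resolve far more PayIDs in a short window than a legitimate customer would. The following is an added illustration of that kind of check, written for this page and not code from Cuscal, NPP Australia or any institution; the log format, the five-lookup-per-five-minute threshold and the account identifiers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lookup log (not from the article or any real institution).
# Each line: timestamp, authenticated customer account, PayID queried, outcome.
# acct 1001 resolves six different PayIDs in six seconds (enumeration-like),
# acct 2002 makes two ordinary lookups, acct 3003 makes six lookups but
# spread 15 minutes apart, so never more than one falls inside the window.
SAMPLE_LOG = """\
2019-08-16T09:00:00Z acct=3003 payid=0400000101 result=resolved
2019-08-16T09:00:01Z acct=1001 payid=0400000001 result=resolved
2019-08-16T09:00:02Z acct=1001 payid=0400000002 result=resolved
2019-08-16T09:00:03Z acct=1001 payid=0400000003 result=not_found
2019-08-16T09:00:04Z acct=1001 payid=0400000004 result=resolved
2019-08-16T09:00:05Z acct=1001 payid=0400000005 result=resolved
2019-08-16T09:00:06Z acct=1001 payid=0400000006 result=resolved
2019-08-16T09:01:00Z acct=2002 payid=0400000201 result=resolved
2019-08-16T09:02:00Z acct=2002 payid=0400000202 result=resolved
2019-08-16T09:15:00Z acct=3003 payid=0400000102 result=resolved
2019-08-16T09:30:00Z acct=3003 payid=0400000103 result=resolved
2019-08-16T09:45:00Z acct=3003 payid=0400000104 result=resolved
2019-08-16T10:00:00Z acct=3003 payid=0400000105 result=resolved
2019-08-16T10:15:00Z acct=3003 payid=0400000106 result=resolved
"""

# Assumed alerting policy: more than this many *distinct* PayIDs queried by
# one account inside a sliding window is treated as unusual activity.
LOOKUP_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "acct": kv["acct"],
        "payid": kv["payid"],
        "result": kv["result"],
    }


def find_lookup_spikes(log_text, threshold=LOOKUP_THRESHOLD, window=WINDOW):
    """Return {account: {"count": n, "window_end": ts}} for every account
    that queried at least `threshold` distinct PayIDs within `window`.

    A per-account sliding window is kept; events older than the window are
    discarded before counting, so slow, spread-out lookups are not flagged.
    The recorded count is the largest seen for that account.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # account -> events inside the current window
    flagged = {}
    for e in events:
        q = recent[e["acct"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.pop(0)
        distinct = {x["payid"] for x in q}
        if len(distinct) >= threshold:
            prev = flagged.get(e["acct"])
            if prev is None or len(distinct) > prev["count"]:
                flagged[e["acct"]] = {"count": len(distinct), "window_end": e["ts"]}
    return flagged


if __name__ == "__main__":
    for acct, info in find_lookup_spikes(SAMPLE_LOG).items():
        print(f"ALERT acct={acct} distinct_payids={info['count']} "
              f"window_end={info['window_end'].isoformat()}")
```

Counting distinct PayIDs rather than raw requests keeps a customer who repeatedly retries one payee from tripping the alert, while the sliding window means the six lookups by account 3003, spaced 15 minutes apart, are never counted together. In a real deployment the threshold would be tuned against the institution's own baseline, and an alert would feed the kind of "enhanced due diligence over affected accounts" that NPP Australia describes rather than block the account outright.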
A statement from NPP Australia, which operates the NPP, said that it was advised late on 16 August that “a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.”
The data included PayID name and account numbers, the statement said. Although those details cannot be used to directly withdraw money, they could be used to support identity theft, phishing or targeted forms of social engineering.
“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately,” NPP Australia said.
“Financial institutions whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts,” the statement said.