The brand-new PayID service built on Australia's New Payments Platform (NPP) has a user enumeration flaw, but the organisation responsible for it considers it to be a feature.
The NPP is an instant-money-transfer scheme built by Australia's banks so that customers can move money between account-holders in real time, even when they bank with different institutions. Instead of logging into Internet banking and providing the payee's account details (name, BSB number and account number), a payer can address a payment using one of the NPP's own identifiers.
One of those identifiers is a telephone number, and that’s where software developer @anthonycr0 noticed a problem.
The PayID lookup built by Australian banks checks that the payer has entered the right phone number for the payee by displaying, before any payment is made, the name registered against whatever number was entered - whoever that might be.
If a user enters a phone number that does not belong to the intended payee, they still see the registered name of whoever does own it (and can usually infer that person's gender from it). The lookup therefore behaves as an oracle that maps any PayID-registered phone number to a real name. With many online services now accepting phone numbers as a user ID, Reg columnist Mark Pesce has noted that PayID therefore has all sorts of interesting possibilities.
NPP Australia Limited, which operates the NPP, told The Register the feature is necessary and is not viewed as a bug. It issued a statement that said, in part:
“The payee confirmation step is aimed at reducing the number of mistaken payments, as well as some cases of fraud, which is why it has been, or is currently being, adopted in other countries around the world with real-time payments systems. For instance, the UK system Paym was launched in April 2014, although it only supports the use of mobile phone numbers rather than other alternatives like email and ABN/ACN.”
“We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues. While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.”
It’s reasonable that users are offered a way to verify that they’re sending funds to the right person - but as HaveIBeenPwned.com operator Troy Hunt told Vulture South, this could be done without exposing details of people who aren’t party to a transaction.
"I appreciate their sentiment. It sounds to me like they’re trying to show personal information about the recipient, which would then give the payer confidence that the money’s going to the right person. To that extent, that’s a feature.
"People are increasingly conscious of their privacy ... when something looks like a source of scraping someone's personal data, that sets off alarm bells," he added.
He noted that other means of identity verification are almost certainly feasible, even if marginally less convenient - a recipient using a shared secret with the payer, for example.
At this stage, NPP Australia has not said it will change how the system operates. Its position is that users who are not comfortable registering their phone number can register an e-mail address instead, or simply not create a PayID; the statement does not address whether an e-mail PayID is subject to the same name-revealing confirmation lookup.
The Register contacted the Office of the Australian Information Commissioner for comment. ®
Update: The NPP organisation has told The Register there is a limit to how many lookup attempts are permitted in any given session, but for security reasons declined to say how many attempts would trigger a lockout. To the extent that the limit is scoped to a single banking session, it throttles one account's lookups rather than the lookup service as a whole: an attacker who can open further sessions, or who holds accounts at several participating banks, is slowed rather than stopped.
In an e-mail to The Register, it also said:
Participating financial institutions are required to have measures in place to ensure PayID is not used by customers or applications to mine data for fraudulent purposes. This includes fraud detection technology that monitors and responds to the number of times a person conducts a PayID look-up without completing the payment. Once a person, or application, reaches a threshold they are locked out of their banking session. Banks continually monitor for this activity and adjust their thresholds depending on an assessment of current threat levels.
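To make the mechanism concrete, here is the confirmation lookup and the per-session lockout described in the statement above, modelled as an added Python example. This is not NPP Australia's or any bank's code: the registry of phone numbers and names, the threshold of three unpaid lookups, the behaviour for unregistered numbers, and the assumption that the lockout is scoped to one banking session are all constructed for illustration. Besides a single-session harvester that hits the lockout, it also shows a harvester that rotates sessions, which is the case the per-session limit on its own does not cover.

```python
"""Simulated PayID-style payee-confirmation lookup with a per-session lockout.

Added example; not the code of NPP Australia or any participating bank.
Registry contents, threshold and session semantics are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed sample registry: PayID (phone number) -> registered account name.
REGISTRY = {
    "+61400000001": "Alice Example",
    "+61400000002": "Bob Example",
    "+61400000003": "Carol Example",
    "+61400000004": "Dave Example",
}

# Constructed candidate list an enumerating client might try; two are unregistered.
CANDIDATES = [f"+6140000000{i}" for i in range(1, 7)]


class LockedOut(Exception):
    """Raised once a session exceeds the permitted number of unpaid lookups."""


@dataclass
class Session:
    session_id: str
    pending_lookups: int = 0  # lookups not yet followed by a completed payment
    locked: bool = False


class PayIdService:
    """Lookup oracle plus the lockout rule quoted in the article.

    The threshold is assumed (the real value is undisclosed); the counter is
    scoped to a banking session, as the statement describes, and reset by a
    completed payment.
    """

    def __init__(self, registry, lockout_threshold=3):
        self.registry = dict(registry)
        self.threshold = lockout_threshold
        self.sessions = {}

    def _session(self, session_id):
        return self.sessions.setdefault(session_id, Session(session_id))

    def is_locked(self, session_id):
        return self._session(session_id).locked

    def lookup(self, session_id, payid):
        """Return the registered name for `payid` (None if unregistered; assumed)."""
        session = self._session(session_id)
        if session.locked:
            raise LockedOut(session_id)
        session.pending_lookups += 1
        if session.pending_lookups > self.threshold:
            session.locked = True  # threshold reached: session is locked out
            raise LockedOut(session_id)
        return self.registry.get(payid)

    def pay(self, session_id, payid, amount):
        """Complete a payment; this resets the unpaid-lookup counter."""
        session = self._session(session_id)
        if session.locked:
            raise LockedOut(session_id)
        if payid not in self.registry:
            raise ValueError(f"unknown PayID {payid}")
        session.pending_lookups = 0
        return True


def harvest_single_session(service, session_id, candidates):
    """Enumerate from one session; stops when the lockout fires."""
    found = {}
    for number in candidates:
        try:
            name = service.lookup(session_id, number)
        except LockedOut:
            break
        if name is not None:
            found[number] = name
    return found


def harvest_rotating_sessions(service, candidates):
    """Enumerate using a fresh session per lookup, so the per-session counter never trips."""
    found = {}
    for i, number in enumerate(candidates):
        name = service.lookup(f"attacker-session-{i}", number)
        if name is not None:
            found[number] = name
    return found


def legitimate_payments(service, session_id, payids, amount=10.0):
    """Look up each payee then pay; returns the number of payments completed."""
    completed = 0
    for payid in payids:
        if service.lookup(session_id, payid) is None:
            continue
        service.pay(session_id, payid, amount)
        completed += 1
    return completed


if __name__ == "__main__":
    print("single session:", harvest_single_session(PayIdService(REGISTRY), "attacker", CANDIDATES))
    print("rotating sessions:", harvest_rotating_sessions(PayIdService(REGISTRY), CANDIDATES))
    print("legit payments:", legitimate_payments(PayIdService(REGISTRY), "alice", list(REGISTRY) * 2))
```

With the assumed threshold, the single-session harvester recovers three names before its fourth lookup locks the session, while a legitimate payer who completes each payment never trips the counter. The session-rotating harvester recovers every registered name, which is why the quoted statement also relies on banks monitoring the activity and adjusting thresholds rather than on the per-session lockout alone.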