Australia's new insta-pay scheme has insta-lookup of any user's phone number

The brand-new app implementing Australia’s New Payment Platform (NPP) system has a user enumeration flaw, but the organisation responsible for it considers it to be a feature. The NPP is an instant-money-transfer scheme implemented by Australia’s banks to give customers an app that can transfer money between account-holders, …

  1. Andrew Commons

    What happens when email is used as the Id?

    Just curious.

    Would not be surprised if the person's name was again displayed.

    I'm staying well away from it.

    1. bd1235

      Re: What happens when email is used as the Id?

      or simply not using PayID.

      That's my option too. It may change when the dust settles but I'll let someone else do the settling.

  2. Phil Kingston

    Whilst registering a real name is the default, I'm fairly sure my PayID sign-up offered a choice of names to be associated with. I regret not going with something creative like Heron Fluffytits.

  3. Dog Eatdog

    Stupid

    Why not just require the payer to enter the payee's name as well as number?

    Then just a yes/no response - either it's correct or it's not.

    Sounds like Paris designed this.

    1. frank ly

      Re: Stupid

      Yes but is the intended recipient's registered name James, Jim or Jimmy? (Maybe the donor could ask them, via a phone call.)

    2. kernelpickle

      Re: Stupid

      Yes, but there's still potential for enumeration in that system--albeit a lengthier, and far more annoying method.

      If someone wanted to find out the phone number of a particular individual, all they would have to do is run through all the possible combinations of phone numbers, to see which ones hit. Now, if phone numbers were a purely random 10 digit number, it would be quite daunting to brute force your way through 10 billion possible numbers. Since phone numbers are generated in a predictable fashion, it's not hard to guess someone's area code--so, for any given area code, there is a range of 10 thousand to 10 million possible phone numbers, which would be far easier for a computer to brute force.

      To avoid the issue of payments being made incorrectly to the wrong person, AND avoid enumeration attacks, the service would need to require that both name and phone number were provided by the sender. Then, after pressing the "Send" button, the service would need to respond to all attempts in the exact same fashion. After a several-minute delay, the sender would then receive an email with either a confirmation that it was sent successfully--or a message that said that the name did not match the, and they would need to try it again.

      That extra step would induce a massive delay, making any attempts to brute force the system so painfully slow that it becomes unfeasible--but it also requires that someone first commit to sending cash before it ever performs the check that would generate the confirmation message.

      I'm sure that there are other folks that are much smarter who could come up with fancier ways to solve that problem, but if they're looking for a quick and dirty solution to the problem, my proposal wouldn't be hard to implement.

      1. coconuthead

        Re: Stupid

        These are almost all mobile numbers, and mobile numbers do not have "area codes" in Australia. They all start with 04 (02 is NSW, 03 Victoria etc.). Long, long ago, the next two digits were the mobile provider, but when numbers became portable between telcos that nexus gradually fell away.

        So you need to enumerate at least 8 digits.

  4. FozzyBear

    It's not all bad. The way this is being implemented, many of the stop-fraud checks that are done will be bypassed. Which means that your bank account could be emptied before the bank could ring you to advise of the potential fraud.

    So if you're an online crim this is great news. Me, I'm putting a whole lot of daylight between my money and this new payment platform.

    1. Andrew Commons

      If you're an online crim....

      Britain, where online banking fraud jumped 132 per cent after it introduced a faster payments system in 2008.

      See:

      http://www.smh.com.au/business/rising-fraud-risk-tipped-from-move-to-realtime-payments-20170127-gtzulk.html

      And:

      http://www.afr.com/business/banking-and-finance/cyber-fraud-risks-rise-ahead-of-instant-payments-20170612-gwpeva

  5. Anonymous Coward

    Convenience is the Enemy of Security

    Credit card, Eftpos, Tap and Go & RF proximity, QR code, Bpay Direct Debit and Cash aren't quick and convenient enough, yet all could be made to operate quickly up to a nominated limit, as the RBA desires.

    Smaller banks want PayID so as to increase their coverage and service capabilities, not for transaction speed.

    Banks could allow customers to nominate specific accounts to do direct payments to via Bpay and phone access, but this is banned until you get into their less safe internet-banking website.

    And now you have PayID doing just that.

    People cannot remember their account numbers - while businesses were years ago recommended to use in-accounts and out-accounts or at least separate numbers for those types of transactions.

    My bank gave me a customer number, on top of my account number, other accounts have cards for them that I don't want, I just want them linked internally. I only want one transaction account for personal business.

    And then I wonder how long until you can direct debit your friends for that concert ticket you're buying as a group by using PayID, instead of waiting for them to pay you via PayID.

    And when you change your phone number or email address you better make sure you don't delete it until you have notified everybody that owes you money or someone else would get it by mistake.

    If it were up to me I'd give everybody a transaction number, much like IPv6; it could apply so that everyone has approximately one transaction account with in/out numbers, which is less than the total number of devices predicted to be on the internet by 2030.

    A better use of numbers, and it provides a number that would last for a lifetime.

  6. eldakka

    From my reading up of PayID, for a business I think it is a good idea, where the business PayID could be their email address (dildos.r.us@sex.xxx), and when you enter the email address there is nothing privacy concerning about then seeing the business's details (since they have to be publicly available on various government registries to be a business):

    Dildos'R'US

    1800 dildo

    345 vibration st,

    Wanktown

    ....

    Or using a business telephone number that is often advertised in annoying campaigns, e.g. 131 888:

    Domino's Pizza

    (blah blah)

    For these types of uses there is no privacy implication, however this is a different story when it comes to private individuals using PayID to receive funds.

    Personally, as a business I think it is useful, but I would never set up a personal PayID because of the privacy issues. It's not like I have people clamoring to send me money who need an easier way than a bank transfer (BSB, account number, etc) or just giving me cash the next time they see me...

  7. Anonymous Coward

    "for security reasons declined to say how many attempts would trigger a lockout"

    Anyone with a Pay-ID can establish the limit by hammering away and counting the attempts until it locks up - if it ever does.

    Luckily a crim would never think of doing that.

    Security Investigator: "What day of the week is it?"

    NPP "We decline to answer that question for security reasons"

    1. deevee

      Reverse phone number lookup, NO PROBLEM!

      We decline to tell you something you can easily find out yourself, but give us a random phone number and we will tell you who owns it.

      Nothing ironic about that!

      Move along now, nothing to see here, we know best.

  8. OffBeatMammal

    So, is this only displaying details of people who have signed up for PayID and used their phone number as the key, or does this do a reverse look-up on any AU phone number?

    Makes me pretty sure I'll be using a unique email address for this, and not sharing my phone number as an identifier.

  9. The Central Scrutinizer

    My bank sent me an email only today wanting me to sign up for it. I laughed and deleted the email.

    1. Winkypop

      I prefer to delete the email and THEN laugh.

      But each to their own.

  10. Michael Kean

    Doesn't seem any different to using Paypal really - except that I can use a phone number instead of an email address if I so desire.

  11. Hello-World

    To verify you have the correct recipient details:

    Send them 1p (or whatever your preferred currency)

    Ask them if they have received 1p from you.

  12. -tim

    No Privacy Payments?

    So a hacker has to send 100 million requests to enumerate all phones in the country?

    If their API can talk over the phone network, that would nearly use a month's data on most of the lower end prepaid plans. Without a rate limit and a good network (say a Not Built Network 1G plan), that should take a few minutes.

    Why is there so much ignorance about side channel attacks? So they have a rate limit. My bank card also has a rate limit but if someone hacks a grocery store, all they have to do is try all cards with pin 1234 the 1st day, 8520 the next day and in 30 days they will have 30% of all card PINs without hitting the rate limit on any card.
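    -tim's point above, as an added example that is not part of this thread or of any bank's systems: a per-account lockout never fires when one guess is sprayed across many accounts, so detection has to count fan-out per caller and total failures across the whole service. The log format, addresses and thresholds below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of PayID-confirmation API logs (not real traffic):
# one caller spraying a single failed guess across many different PayIDs.
SAMPLE_LOG = """\
2018-02-14T10:00:00 src=10.0.0.5 target=0412000001 result=fail
2018-02-14T10:00:03 src=10.0.0.5 target=0412000002 result=fail
2018-02-14T10:00:07 src=10.0.0.5 target=0412000003 result=fail
2018-02-14T10:00:12 src=10.0.0.9 target=0412000001 result=ok
2018-02-14T10:00:15 src=10.0.0.5 target=0412000004 result=fail
2018-02-14T10:00:21 src=10.0.0.5 target=0412000005 result=fail
garbage line that should be skipped
2018-02-14T10:00:30 src=10.0.0.5 target=0412000006 result=fail
"""

LINE = re.compile(r"^(\S+) src=(\S+) target=(\S+) result=(ok|fail)$")

def parse(log):
    """Return (timestamp, src, target, result) tuples; malformed lines are skipped."""
    out = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts, src, target, result = m.groups()
            out.append((datetime.fromisoformat(ts), src, target, result))
    return out

def max_failures_per_target(events):
    """What a per-account lockout sees: the busiest single target's failure count."""
    counts = defaultdict(int)
    for _, _, target, result in events:
        if result == "fail":
            counts[target] += 1
    return max(counts.values(), default=0)

def detect(events, window=timedelta(minutes=10), fanout=5, global_fail=20):
    """Sliding-window rules: flag a source whose failures touch >= fanout distinct
    targets, and flag the service when failures from all sources reach global_fail."""
    per_src = defaultdict(list)      # src -> [(ts, target)] failures inside the window
    all_fail, flagged, global_hit = [], set(), False
    for ts, src, target, result in sorted(events):
        if result != "fail":
            continue
        start = ts - window
        per_src[src] = [h for h in per_src[src] if h[0] > start] + [(ts, target)]
        if len({t for _, t in per_src[src]}) >= fanout:
            flagged.add(src)
        all_fail = [t for t in all_fail if t > start] + [ts]
        global_hit = global_hit or len(all_fail) >= global_fail
    return {"fanout_sources": flagged, "global_spray": global_hit}
```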

  13. Anonymous Coward

    Correct me if I’m wrong

    I’m pretty sure Paym - the UK equivalent, does exactly the same by revealing the recipient's name prior to payment.

  14. Anonymous Coward

    Just paying would be nice

    I don't remember people's phone numbers or email addresses!

    I usually use my mobile phone or a teledex for remembering numbers; there are thousands,

    and if it comes to my own bank account, I really only want to refer to it occasionally.

    Anyone could keep their own bank account number on card in their wallet or purse for when they need it.

    And it is useless for many. How will they make people who owe them money use it!?

    3 days of waiting as it goes through the system is nothing; much debt owed is over 6 months old.

    Just bloody pay up what you owe!

  15. bep

    Hang on

    I would also like to see the story updated on whether they do a look-up on ALL mobile numbers or just the foo...people who sign up for this abomination.

  16. Francis Boyle

    Hold on

    Are people seriously suggesting that criminal types don't already have access to reverse phone number lookup? I remember there was a supposed above-board service in Australia a decade or two back. I think Telstra had that shut down. But since the technology exists...

  17. Colin Tree

    stupid fish

    This is just for stupid fish who can't remember the milk.

    I never remember phone numbers, they're in my phone. The numbers have been verified because I talk or text with the other parties. People are names not numbers.

    I would pre-verify a new number, putting them in my contacts and then talking with them before transferring funds.

    The banks have it round the wrong way. Their app has to verify with my contact list.

  18. Mr Templedene

    star out all but the first and last 2 letters of the name

    e.g. John Doe would be Jo*****oe

    Enough for a human to identify that it's almost certainly going to the right person, as the chances of a wrong number giving the same details is minimal enough to be insignificant, and Robert's your father's brother.
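    kernelpickle's proposal (number plus name, identical response to every failure) and Mr Templedene's masked display, combined into one added example that is not code from this thread or from the NPP/PayID software. The directory contents, function names and the whole-string mask rule (first two and last two characters kept, spaces starred too) are constructed assumptions.

```python
import hmac
import re
import unicodedata
from typing import Optional

# Constructed sample directory of registered PayIDs (phone -> registered name);
# illustrative values only.
DIRECTORY = {
    "0412000001": "James Smith",
    "0412000002": "Mary O'Brien",
    "0412000003": "Li Wei",
}

def _normalise(name: str) -> str:
    """Fold case, accents, punctuation and spacing so 'james  SMITH' or
    'Mary OBrien' still compare equal to the registered spelling."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())

def mask_name(name: str) -> str:
    """Keep the first and last two characters and star the rest, spaces included,
    so the mask does not reveal word lengths: 'John Doe' -> 'Jo****oe'."""
    if len(name) <= 4:
        return "*" * len(name)
    return name[:2] + "*" * (len(name) - 4) + name[-2:]

def lookup_leaky(phone: str) -> Optional[str]:
    """The behaviour the article describes: a bare number returns the full name."""
    return DIRECTORY.get(phone)

def confirm_hardened(phone: str, claimed_name: str) -> dict:
    """Payer supplies number AND name. An unknown number and a wrong name get the
    identical response, so the endpoint is not a reverse lookup; on a match only
    a masked name is shown for the human to eyeball."""
    registered = DIRECTORY.get(phone, "")
    # compare_digest rather than == so the two failure cases do not differ in timing.
    same = hmac.compare_digest(_normalise(registered), _normalise(claimed_name))
    if not registered or not same:
        return {"ok": False, "display": None}
    return {"ok": True, "display": mask_name(registered)}

def oracle_yield(probe, phones) -> int:
    """Test harness: how many of the given numbers the API reveals anything about.
    A non-leaking endpoint scores 0 for a caller who knows no names."""
    return sum(1 for p in phones if probe(p))
```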

  19. PayID Email

    Some Answers

    Look-up on ALL mobile numbers? No. Only mobiles of those who have registered a PayID with their bank can be looked up.

    On that note, with my credit union in online banking I was given an option of making the PayID name first name and surname initial, e.g. John S. Nobody would know I was John Smith. I used that one. I heard others have the surname in all options.

    Not for everyone, but I signed up for a @payid.email account. It is like a purpose-built throwaway privacy providing email.

    Early days here in Oz. See how NPP goes.

Biting the hand that feeds IT © 1998–2019