Australian banks and credit unions will have their transactional systems secretly penetration tested to arrest deficiencies and stop fraud and abuse of institutional infrastructure plugged into to the New Payments Platform after two PayID look-up attacks.
The NPP on Monday confirmed it was quickly taking its own steps to look for security holes among participants, a move bolstered by looming designation of particular security settings, like PayID address query limits, under its scheme rules.
The designations, which will go before the NPP board within a fortnight, can attract fines of $500,000 for non-compliant institutions.
Centralised monitoring by the NPP of institutions is also being significantly escalated. That shift will allow the NPP to more quickly spot abuse efforts and intervene before they snowball.
The moves to independently check NPP participant bank security settings follows two data breaches linked to automated address look-up attacks that hit Westpac and then Cuscal because of insufficient or defective monitoring of queries that institutions should have had have activated.
While the attacks did not result in direct financial loss or fraud to customers, they allowed the harvesting of customers’ personal data prompting embarrassing breach notifications.
The PayID look-up facility, which essentially runs a database query against an address book that links together names, mobile and bank account numbers, is a key function of the NPP that banks are allowed to access so that funds and data can be transferred to a payments recipient.
The function is supposed to be protected at an institutional level by monitoring transactions in real time and cutting off automated harvesters that hit banks with thousands of requests in a short time.
Part of the problem has been that bank security systems, and the mindsets of their custodians, have for the most part have been geared towards spotting and halting unauthorised withdrawal attempts rather than deposits being pushed towards a bank account.
Essentially, even though banks said they had basic security settings nailed down, key protections were either not turned on or properly plugged in.
While the potential for look-up abuse had been recognised at the time the NPP was being built, banks signing-up to the platform, which replaces the archaic BSB [bank-state-branch] identifier system, are supposed to have Pay ID monitoring and limiting mechanisms in place when they go live.
The strong response by the NPP to unilaterally boost its own monitoring and protections comes against the backdrop of frustrations at the NPP’s regulatory backer, the Reserve Bank of Australia, with resistance by some large institutions coupled with escalating online credit card fraud.
While banks now collectively lose around $480 million a year to online fraud, dubbed card not present fraud, they shift the bulk online payments fraud back onto merchants who are forced to carry losses for systemic deficiencies.
At the same time Australian retail banks reap around $2 billion from interchange fees (exclusive of interest and annual card fees) from payments that ride on the rails of US credit card giants like Mastercard and Visa.
Unless material, the online fraud losses of individual institutions are not split out. The breakdown between online credit and debit transaction fraud is also kept under wraps, meaning that cash plundered from savings accounts linked to scheme cards is also shielded from view.
The RBA for the last decade has been pushing to speed-up, lower the cost and enhance the functionality of payments in the Australian economy by regulating interchange fees and backing new payments infrastructure like the NPP that uses the RBA’s fast settlements service.
The introduction of real time payments also negated the legacy practice of banks sitting on funds deposited for two days before batched clearing (T+2), a practice known as ‘sitting on the float’ that meant merchants often waited five days before getting card funds over a long weekend.
For some banks, the rollout of the NPP and real time payments has created significant pressure.
Aside from the need to renew infrastructure to enhance services and security, some institutions will need to retire what has to date been highly lucrative legacy infrastructure.
The move by the new payments infrastructure provider to independently stress test for participant deficiencies indicates that pressure will not abate.
