PayID is a convenient and innovative option for transactions offered by banks, credit unions and other organisations – but it's also potentially exposing its users to cyber criminals. The platform enables anyone to easily match a mobile phone number with a name, two crucial details of a person's identity.
To make a payment, users enter a payee's mobile number. If the payee is registered with PayID their name will pop up so the payer can confirm that they're paying the right person. This is all done from the security of their online banking portal.
PayID relies on a centralised database or directory where users' identifiers, including phone numbers (as well as email or ABNs for businesses), are stored and mapped to their corresponding bank account details. This directory is then accessible to payment service providers and financial institutions that participate in the PayID network.
The problem is that this name pop-up could be used for malicious purposes by cyber criminals as one step towards stealing someone's identity or tricking them into a cyber scam.
I tried this myself.
First, I logged into my bank account and selected 'Payment to a New Payee'. The system allowed me to choose whether I wanted to pay using a BSB and account number, a mobile number or an email address. I chose 'mobile number' and typed in 10 digits at random, making sure the number followed the conventions of an Australian mobile phone number. I tried this 20 times, and corresponding names popped up for almost half of these numbers.
Given that many Australians have set up PayID using their mobile phone number, it would be very easy to use PayID as a 'reverse look-up' engine to match mobile numbers with names.
My colleague Masoud Afshari Mofrad, a cyber security researcher and member of Macquarie University's Centre for Risk Analytics, suggests that scammers could potentially create an automated process that uses the online banking portal to match a large number of random mobile numbers with real names of PayID users.
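One way a bank could notice the automated reverse look-up described above is to watch how many distinct identifiers a single online-banking session asks the directory about. The Python below is an added example, not code from PayID, the NPP or any bank: it assumes a hypothetical lookup log (session, mobile number entered, whether a registered name came back), a constructed sample with one ordinary payer and one scripted enumerator, and a hypothetical threshold of five distinct numbers per session.

```python
from collections import defaultdict
from dataclasses import dataclass
import random
import re

# Australian mobile numbers are ten digits beginning with 04; this is the
# convention the author followed when typing numbers at random.
AU_MOBILE = re.compile(r"^04\d{8}$")


@dataclass(frozen=True)
class LookupEvent:
    """One payee lookup as a hypothetical directory log would record it."""
    session: str   # online-banking session that asked
    mobile: str    # identifier the payer entered
    matched: bool  # whether a registered name was returned


def random_au_mobile(rng):
    """A candidate number an enumerator would try: 04 plus eight random digits."""
    return "04" + "".join(str(rng.randrange(10)) for _ in range(8))


def session_stats(events):
    """Per session: (distinct well-formed numbers tried, distinct numbers that matched)."""
    tried = defaultdict(set)
    hits = defaultdict(set)
    for ev in events:
        if not AU_MOBILE.match(ev.mobile):
            continue  # malformed input is rejected before it reaches the directory
        tried[ev.session].add(ev.mobile)
        if ev.matched:
            hits[ev.session].add(ev.mobile)
    return {s: (len(tried[s]), len(hits[s])) for s in tried}


def flag_enumeration(events, max_distinct=5):
    """Sessions that looked up more distinct identifiers than a payer adding a
    payee plausibly would. The threshold is hypothetical; a real control would
    also rate-limit per customer and per source address."""
    flagged = {}
    for session, (distinct, matched) in session_stats(events).items():
        if distinct > max_distinct:
            flagged[session] = {"distinct": distinct, "matched": matched}
    return flagged


INTENDED_PAYEE = "0412345678"  # constructed number for the ordinary payer's contact


def build_sample_events(seed=1):
    """Constructed sample log: one ordinary payer and one scripted enumerator
    that reproduces the author's 20 random tries with a roughly-half hit rate."""
    rng = random.Random(seed)
    scanned = []
    while len(scanned) < 20:
        n = random_au_mobile(rng)
        if n != INTENDED_PAYEE and n not in scanned:
            scanned.append(n)
    # Hypothetical directory contents: the intended payee plus 9 of the scanned numbers.
    registered = {INTENDED_PAYEE, *scanned[:9]}
    events = [
        LookupEvent("payer-a", INTENDED_PAYEE, INTENDED_PAYEE in registered),
        LookupEvent("payer-a", INTENDED_PAYEE, INTENDED_PAYEE in registered),  # retyped once
    ]
    events += [LookupEvent("scan-x", n, n in registered) for n in scanned]
    return events


if __name__ == "__main__":
    for session, info in flag_enumeration(build_sample_events()).items():
        print(f"{session}: {info['distinct']} numbers tried, {info['matched']} names returned")
```

A payer setting up a new payee checks one number, perhaps retyped; a script feeding candidate numbers in the Australian 04 format trips the threshold within a handful of requests whether or not most of them match, so the signal is the breadth of lookups, not the hit rate. The per-session view and the threshold are assumptions; the point is that the directory, not the customer, is the place where this pattern is visible.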
The more information scammers or cyber criminals can gather about individuals, the more likely they are to impersonate legitimate entities, target individuals with tailored scams or craft convincing phishing attempts, posing significant risks to victims' financial security and wellbeing.
Also, individuals are much more likely to enter a conversation with a potential scammer if the scammer knows their name. It establishes a greater level of trust. The Australian Competition and Consumer Commission's (ACCC) most recent Targeting Scams report reveals that Australians lost a record $3.1 billion to scams in 2022.
Most individuals consider their mobile phone numbers to be private information, shared only with trusted contacts. A reverse look-up undermines this expectation of privacy by allowing anyone with access to such services to discover personal details about individuals without their consent.
A system designed for convenience and user-friendliness often carries an exploitable design flaw, and the price is a potential invasion of privacy and the risk that personal information will be misused.
Are the banks taking action?
Since its launch in February 2018, PayID has become very popular. By the end of 2022, over 100 financial institutions and 12.7 million Australians had registered their details with PayID, according to the Australian Banking Association. It doesn't seem that banks are alerting their customers to the danger of cyber criminals matching phone numbers to names.
PayID has not been immune from scams. In February 2023, Scamwatch, the Australian government's anti-scam centre, reported that users had lost $260,000 to PayID-specific impersonation scams the previous year. Many banks warned their customers that these scams targeted people selling second-hand items, such as furniture, on websites.
National Australia Bank warned its customers that because PayID is a free service, a genuine transaction would never require you to send money first in order to receive a payment, or to take any additional action, such as upgrading your account or paying extra fees, before money can be received into your bank account.
Nor would customers receive communication directly from PayID via email, text or messenger, because PayID is managed by their bank.
I believe banks need to do more to address these reverse mobile privacy and security concerns. Regulatory authorities should impose stringent guidelines and requirements on PayID service providers to safeguard users' personal information and ensure compliance with data protection regulations.
When it comes to safeguarding PayID-related transactions, Masoud suggests that instead of showing the person's full name, the financial institution could replace some of the letters with asterisks. For example, my name might show as St**** Tru***. This would reassure the sender that they have the right recipient without revealing my full identity.
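The masking Masoud proposes can be written as a small display rule. The Python below is an added example, not code from PayID or any bank; it assumes a policy that keeps the first two letters of each given name and the first three of the family name, and never more than half of a short name part, which is one way to reproduce the 'St**** Tru***' display above. The last function shows the caveat a practitioner should keep in mind: a masked name is still a confirmation oracle for someone who already holds a candidate name for that mobile number.

```python
def mask_part(part, reveal):
    """Keep the first `reveal` characters of one name part and star the rest.
    Never reveal more than half of a part, so 'Li' shows as 'L*' and 'A' as '*'."""
    keep = min(reveal, len(part) // 2)
    return part[:keep] + "*" * (len(part) - keep)


def mask_name(full_name, reveal_given=2, reveal_family=3):
    """Display form of a registered name: masked given name(s), masked family name.
    The 2/3 split is an assumption chosen to reproduce the 'St**** Tru***' example."""
    parts = full_name.split()
    if not parts:
        return ""
    if len(parts) == 1:
        return mask_part(parts[0], reveal_given)
    masked = [mask_part(p, reveal_given) for p in parts[:-1]]
    masked.append(mask_part(parts[-1], reveal_family))
    return " ".join(masked)


def confirms_guess(displayed, guessed_name, **policy):
    """Caveat: masking narrows the leak but does not close it. Someone holding a
    candidate name for a mobile number (from a breach or a social profile) can
    check whether that name masks to what the bank displayed."""
    return mask_name(guessed_name, **policy) == displayed


if __name__ == "__main__":
    print(mask_name("Stefan Trueck"))                                   # St**** Tru***
    print(confirms_guess("St**** Tru***", "Stefan Trueck"))             # True
    print(confirms_guess("St**** Tru***", "Stefan Trueman"))            # False
```

Two design points follow from this. The asterisks still disclose the length of each name part; a fixed-width mask would hide that too, at some cost to the sender's confidence. And because the display remains an oracle for confirming a guessed name, masking has to be weighed against the misdirected-payment risk that the name check exists to reduce, rather than treated as a complete fix for the reverse look-up.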
This is an area that needs more research and attention to reduce the potential of identity theft.
Stefan Trueck is a Professor of Business Analytics, the Director of Macquarie University's Centre for Transforming Energy Markets and Co-Director of the Centre for Risk Analytics at Macquarie Business School.