There’s much excitement and hype in the banking industry today as PayID, the new way to make payments and transfer cash is launched. But there’s a privacy risk everyone should be aware of before signing up.
The system is called PayID – more formally it’s known as the New Payments Platform. All the major banks got together and worked out a new way to interface with each other to create a simple and immediate payment system for customers.
This means that once it’s up and running, you’ll be able to transfer money immediately from account to account, person to person, no matter which bank they are with – and you won’t be left waiting overnight or for days to see the money at the other side.
A huge win for consumers, and to make it even better it’s not just fast – it’s simple. Every account holder can register for PayID and link a unique number or code to their account. Meaning there’s no longer a need to hand out a BSB and Account Number – the PayID system is a gateway which directs the money to the correct BSB and Account Number based on the PayID that is entered.
Banks are marketing this as a way to link your email address, phone number of even ABN to your bank account for immediate payments. For a business, putting an ABN number as their “deposit code” is a simple way to get those payments made.
For average consumers, asking someone to pay you by simply giving them your phone number is just so simple.
However, there’s a privacy risk that everyone should be wary of.
Before your money is actually transferred, you are asked to verify who you are sending the payment to. At this point, the Account holder’s name, or PayID account holder’s name more accurately – is displayed on screen. This prevents any accidental payments to the wrong person. Great idea.
But – what if you went into your bank app, selected a PayID transfer, typed in a random mobile number, and then hit “Pay”, and on the next page you are shown the name of the person who own’s that mobile number? The PayID system essentially becomes a reverse phone lookup system.
This assumes everyone uses their mobile number to register for PayID – which is one of the two suggestions for average consumers (use your email address of mobile phone number).
The New Payment Platform call this a security measure – ensuring you are paying the person you think you’re paying:
Stephen Wilson, Privacy Consultant at Lockstep sees it differently, telling EFTM “the idea that people can retrieve your name from a phone number is like a reverse phone book” going on to say the public should “be careful about which personal identifiers you are going to use in this system.
It’s very similar to the advice I give on social media, don’t throw your phone number and date of birth around, they are unique identifiers that can help zero in on you”
Speaking about the New Payments Platform, Mr Wilson said “you would hope the NPP have done a privacy impact assessment, in particular with regard to metadata security around the information like the name associated with the unique PayID that is being displayed to users”
David Vaile, the Chair of the Australian Privacy Foundation is equally as concerned, telling EFTM “in the worst case it’s an invitation to use incomplete transactions as a way to discover identity elements that could be used for fraud and identity theft”.
“It’s also a first step toward social engineering, using a random phone number and linking a person’s name to it could lead to phone calls to that person which come with a misplaced level of trust simply because the person taking the call assumes they know the caller because the caller knows their name”
Unfortunately, Says Mr Vaile, this is a modern privacy problem “it’s a trade off between convenience and security” going on to say that in today’s world we often favour convenience at all costs.
It should be noted of course, that any user performing these transactions would be logged on to their own bank at the time, so they could possibly be traced – additionally there may be a limit to the number of transactions or attempted transactions each day – however in a world where people may use a system like this to track down an ex-lover or someone else in their life, a single search to validate a phone number could be all they need.
Now let’s be super clear here, many people’s mobile numbers can be linked directly to them by a simple Google Search. Be it because you were listed as the contact for the local sports team, or because you advertised to be contacted for some reason.
But for many, their number is private, and they don’t want people to be able to link their number to their name – especially using an online system like this.
It’s not the end of the world, and it’s not the worst privacy issue on the planet either – but for anyone who holds dearly their privacy – the advice is clear – don’t register your mobile number as your PayID with your bank. Instead consider your email address which is probably much more identifiable anyway, or a random number – if your bank allows it – though it seems the banks will be using a verification method to confirm the number or address you use is in fact your own so perhaps the new PayID system just isn’t for you.
We contacted the NPPA (New Payments Platform Australia) for comment about this issue – their full response is here:
“PayID and the New Payments Platform were designed with security and consumer protection front of mind, via collaboration by Australia’s financial services industry which remains committed to its strong track record at combatting financial fraud and crime. There were committees that consulted on the Platform during the design phases, including security subcommittees comprising various participant security departments and industry experts.
Australians have the choice to create a PayID, which will not affect whether or not their payments are sent via the New Payments Platform, and will be able to choose what identifier they use as their PayID, which can be a business name, an email address, or a phone number. Whatever they choose, their PayID can be used only as a pointer to their linked bank account.
Banks have their own terms and conditions for PayID, and these will vary from bank to bank, but under no circumstances can a PayID be used to take money out of an account or access that account. Furthermore, financial institutions have controls in place to detect and prevent improper use of PayID addressing. “
Sadly, the response does not touch on privacy of personal information – only security – so, as they say – you have the choice, and if this concerns you then you’ll have to stick with the old BSB and Account Number for your payments.
H/T Robert for the concern