What happens when email is used as the Id?
Just curious.
Would not be surprised if the person's name was again displayed.
I'm staying well away from it.
The brand-new app implementing Australia’s New Payment Platform (NPP) system has a user enumeration flaw, but the organisation responsible for it considers it to be a feature. The NPP is an instant-money-transfer scheme implemented by Australia’s banks to give customers an app that can transfer money between account-holders, …
Yes, but there's still potential for enumeration in that system--albeit a lengthier, and far more annoying method.
If someone wanted to find out the phone number of a particular individual, all they would have to do is run through all the possible combinations of phone numbers, to see which ones hit. Now, if phone numbers were a purely random 10 digit number, it would be quite daunting to brute force your way through 10 billion possible numbers. Since phone numbers are generated in a predictable fashion, it's not hard to guess someone's area code--so, for any given area code, there is a range of 10 thousand to 10 million possible phone numbers, which would be far easier for a computer to brute force.
To avoid the issue of payments being made incorrectly to the wrong person, AND avoid enumeration attacks, the service would need to require that both name and phone number were provided by the sender. Then, after pressing the "Send" button, the service would need to respond to all attempts in the exact same fashion. After a several minute delay, the sender would then receive an email with either a confirmation that it was sent successfully--or a message that said that the name did not match the, and they would need to try it again.
That extra step would induce a massive delay, making any attempts to brute force the system so painfully slow it becomes unfeasible--but it also requires that someone first commit to sending cash before it ever performs the check that would generate the confirmation message.
I'm sure that there are other folks who are much smarter and could come up with fancier ways to solve that problem, but if they're looking for a quick and dirty solution to the problem, my proposal wouldn't be hard to implement.
These are almost all mobile numbers, and mobile numbers do not have "area codes" in Australia. They all start with 04 (02 is NSW, 03 Victoria etc.). Long, long ago, the next two digits were the mobile provider, but when numbers became portable between telcos that nexus gradually fell away.
So you need to enumerate at least 8 digits.
It's not all bad. The way this is being implemented, many of the stop-fraud checks that are done will be bypassed, which means that your bank account could be emptied before the bank could ring you to advise of the potential fraud.
So if you're an online crim this is great news. Me, I'm putting a whole lot of daylight between my money and this new payment platform.
Britain, where online banking fraud jumped 132 per cent after it introduced a faster payments system in 2008.
See:
http://www.smh.com.au/business/rising-fraud-risk-tipped-from-move-to-realtime-payments-20170127-gtzulk.html
And:
http://www.afr.com/business/banking-and-finance/cyber-fraud-risks-rise-ahead-of-instant-payments-20170612-gwpeva
Credit card, Eftpos, Tap and Go & RF proximity, QR code, Bpay, Direct Debit and Cash aren't quick and convenient enough, yet all could be made to operate quickly up to a nominated limit, as the RBA desires.
Smaller banks want PayID so as to increase their coverage and service capabilities, not for transaction speed.
Banks could allow customers to nominate specific accounts to do direct payments to via Bpay and phone access, but this is banned until you get into their less safe internet-banking website, and now you have PayID doing just that.
People cannot remember their account numbers - while businesses were years ago recommended to use in-accounts and out-accounts or at least separate numbers for those type of transactions.
My bank gave me a customer number, on top of my account number, other accounts have cards for them that I don't want, I just want them linked internally. I only want one transaction account for personal business.
And then I wonder how long until you can direct debit your friends for that concert ticket you're buying as a group by using PayID, instead of waiting for them to pay you via PayID.
And when you change your phone number or email address you better make sure you don't delete it until you have notified everybody that owes you money or someone else would get it by mistake.
If it were up to me I'd give everybody a transaction number much like IPv6; it could apply so that everyone has approx. one transaction account with in/out numbers, which is less than the total number of devices predicted to be on the internet by 2030.
A better use of numbers, and it provides a number that would last for a lifetime.
From my reading up of PayID, for a business I think it is a good idea, where the business PayID could be their email address (dildos.r.us@sex.xxx), and when you enter the email address there is nothing privacy-concerning about then seeing the business's details (since they have to be publicly available on various government registries to be a business):
Dildos'R'US
1800 dildo
345 vibration st,
Wanktown
....
Or using a business telephone number that is often advertised in annoying campaigns, e.g. 131 888:
Domino's Pizza
(blah blah)
For these types of uses there is no privacy implication; however, this is a different story when it comes to private individuals using PayID to receive funds.
Personally, as a business I think it is useful, but I would never set up a personal PayID because of the privacy issues. It's not like I have people clamoring to send me money who need an easier way than a bank transfer (BSB, account number, etc) or just giving me cash the next time they see me...
Anyone with a Pay-ID can establish the limit by hammering away and counting the attempts until it locks up - if it ever does.
Luckily a crim would never think of doing that.
Security Investigator: "What day of the week is it?"
NPP "We decline to answer that question for security reasons"
So a hacker has to send 100 million requests to enumerate all phones in the country?
If their API can talk over the phone network, that would nearly use a month's data on most of the lower-end prepaid plans. Without a rate limit and a good network (say a Not Built Network 1G plan), that should take a few minutes.
Why is there so much ignorance about side channel attacks? So they have a rate limit. My bank card also has a rate limit but if someone hacks a grocery store, all they have to do is try all cards with pin 1234 the 1st day, 8520 the next day and in 30 days they will have 30% of all card PINs without hitting the rate limit on any card.
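The cross-card PIN pattern in the comment above never trips a per-card limit; the signal only appears when failures are grouped by the merchant that submitted them. An added example (not from this thread) of that defender-side grouping, run over constructed log entries:

```python
from collections import defaultdict

# Constructed sample log entries: (merchant_id, card_token, day, pin_ok).
# MERCH-A submits exactly one wrong PIN per card per day across 40 cards
# (the spread-out guessing described above); MERCH-B is an ordinary shop
# where 1 in 10 customers mistypes their PIN. All values are made up.
SAMPLE_LOG = []
for day in (1, 2):
    for n in range(40):
        SAMPLE_LOG.append(("MERCH-A", f"card-{n:04d}", day, False))
    for n in range(40):
        SAMPLE_LOG.append(("MERCH-B", f"card-{n:04d}", day, n % 10 != 0))

PER_CARD_LIMIT = 3  # assumed per-card daily failure limit; never reached here


def per_card_lockouts(log, limit=PER_CARD_LIMIT):
    """The classic check: cards with `limit` or more failures in one day."""
    fails = defaultdict(int)
    for _merchant, card, day, ok in log:
        if not ok:
            fails[(card, day)] += 1
    return sorted({card for (card, _day), n in fails.items() if n >= limit})


def spray_suspects(log, min_cards=25, min_fail_rate=0.5):
    """Group failures by submitting merchant and day instead of by card.

    A merchant whose failed PIN attempts on one day touch at least
    `min_cards` distinct cards, with an overall failure rate of at least
    `min_fail_rate`, has the fingerprint of one guess per card and is
    returned as (merchant, day, distinct_failing_cards)."""
    failed_cards = defaultdict(set)
    failures = defaultdict(int)
    attempts = defaultdict(int)
    for merchant, card, day, ok in log:
        attempts[(merchant, day)] += 1
        if not ok:
            failures[(merchant, day)] += 1
            failed_cards[(merchant, day)].add(card)
    flagged = []
    for key, cards in failed_cards.items():
        rate = failures[key] / attempts[key]
        if len(cards) >= min_cards and rate >= min_fail_rate:
            flagged.append((key[0], key[1], len(cards)))
    return sorted(flagged)
```

The per-card view reports nothing, while the per-merchant view flags MERCH-A on both days; the thresholds are illustrative and would be tuned against real traffic.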
I don't remember people's phone numbers or email addresses!
I usually use my mobile phone or a teledex for remembering numbers, there are thousands
and if it comes to my own bank account, I really only want to refer to it occasionally.
Anyone could keep their own bank account number on card in their wallet or purse for when they need it.
And it is useless for many. How will they make people who owe them money use it!?
3 days of waiting as it goes through the system is nothing, much debt owed is over 6 months old,
Just bloody pay up what you owe !
This is just for stupid fish who can't remember the milk.
I never remember phone numbers, they're in my phone. The numbers have been verified because I talk or text with the other parties. People are names not numbers.
I would pre-verify a new number by putting them in my contacts, then talking with them before transferring funds.
The banks have it round the wrong way. Their app has to verify with my contact list.
star out all but the first and last 2 letters of the name
e.g. John Doe would be Jo*****oe
Enough for a human to identify that it's almost certainly going to the right person, as the chances of a wrong number giving the same details are minimal enough to be insignificant, and Robert's your father's brother.
Look-up on ALL mobile numbers? No. Only mobiles of those who have registered a PayID with their bank can be looked up.
On that note, with my credit union in online banking I was given an option of making the PayID name first name and surname initial e.g. John S. Nobody would know I was John Smith. I used that one. I heard others have surname in all options.
Not for everyone, but I signed up for a @payid.email account. It is like a purpose-built throwaway privacy providing email.
Early days here in Oz. See how NPP goes.