Building secure digital wallets is a challenge: convenience has to be balanced against security while the threats keep evolving. Before investing in security solutions, let's take a broad look at past security failures.
with Banking Apps
PayID had a data breach that exposed the bank details and personal data of the vast majority of clients, including those at the big four banks. The breach originated with one of Cuscal's clients and affected most organisations.
Cause: Enumeration attack
Damage: Affected 92,000 customers. The information exposed included users' full name, PayID nickname, mobile number, BSB and account number.
Security enhancements: Additional alerting to mitigate against further incidents
Lessons learnt: Services that reveal a user's PII when given a phone number should have rate limits and API monitoring. Payment providers and banks share responsibility for these systems and thus need to work together to ensure they are secure and that they can respond ASAP to data breaches.
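As an added illustration of the two controls named in that lesson (a per-client rate limit and monitoring that spots enumeration), the following Python is example code written for this page; it is not PayID's, Cuscal's or any bank's implementation. The log format, the client addresses, the phone numbers and the thresholds are all constructed assumptions. The detector keys on what distinguishes a scraper from a payer: a legitimate user resolves one or two payees, while an enumeration attack walks through many distinct numbers from one source, and that stands out even when most lookups miss.

```python
"""Rate limiting and enumeration detection for a phone-number lookup API.

Added example, not code from PayID, Cuscal or any bank. The log format,
client addresses, phone numbers and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding-window length (assumed policy)
MAX_REQUESTS_PER_WINDOW = 5  # per-client request budget (assumed policy)
MAX_DISTINCT_TARGETS = 3     # distinct numbers one client may resolve per window

# Constructed sample log: "<unix_ts> <client_ip> <looked_up_number> <result>".
# 198.51.100.7 behaves like a payer re-checking one payee; 203.0.113.5 walks
# through consecutive numbers the way an enumeration script would.
SAMPLE_LOG = """\
1700000000 198.51.100.7 +61400000010 hit
1700000005 198.51.100.7 +61400000010 hit
1700000010 203.0.113.5 +61400000001 miss
1700000011 203.0.113.5 +61400000002 miss
1700000012 203.0.113.5 +61400000003 hit
1700000013 203.0.113.5 +61400000004 miss
1700000014 203.0.113.5 +61400000005 hit
1700000015 203.0.113.5 +61400000006 miss
1700000016 203.0.113.5 +61400000007 miss
1700000017 203.0.113.5 +61400000008 hit
"""


class SlidingWindowLimiter:
    """Per-client sliding window: a request is refused once the client has
    already made max_requests requests in the last `window` seconds."""

    def __init__(self, max_requests=MAX_REQUESTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._events = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, ts):
        q = self._events[client]
        while q and ts - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(ts)
        return True


class EnumerationDetector:
    """Flags a client that resolves more than max_distinct *distinct* targets
    within one window. Throttled attempts are still counted: they are signal."""

    def __init__(self, max_distinct=MAX_DISTINCT_TARGETS, window=WINDOW_SECONDS):
        self.max_distinct = max_distinct
        self.window = window
        self._seen = defaultdict(deque)  # client -> (ts, target) pairs in window

    def observe(self, client, target, ts):
        q = self._seen[client]
        while q and ts - q[0][0] >= self.window:
            q.popleft()
        q.append((ts, target))
        distinct_targets = {t for _, t in q}
        return len(distinct_targets) > self.max_distinct


def parse_line(line):
    """Split one constructed log line into (ts, client, target, result)."""
    ts, client, target, result = line.split()
    return int(ts), client, target, result


def process_log(lines, limiter=None, detector=None):
    """Replay log lines through the limiter and the detector.

    Returns (allowed_count, throttled_count, flagged_clients). The detector
    sees every attempt, including the ones the limiter refuses, so a scraper
    that is being throttled is still surfaced to monitoring.
    """
    limiter = limiter or SlidingWindowLimiter()
    detector = detector or EnumerationDetector()
    allowed = throttled = 0
    flagged = set()
    for line in lines:
        ts, client, target, _ = parse_line(line)
        if detector.observe(client, target, ts):
            flagged.add(client)
        if limiter.allow(client, ts):
            allowed += 1
        else:
            throttled += 1
    return allowed, throttled, flagged


if __name__ == "__main__":
    allowed, throttled, flagged = process_log(SAMPLE_LOG.strip().splitlines())
    print(f"allowed={allowed} throttled={throttled} flagged={sorted(flagged)}")
```

On the constructed log the payer's two lookups pass and are never flagged, while the scraper is throttled after its fifth request and flagged for monitoring as soon as it resolves a fourth distinct number, before the rate limit has even engaged. The two controls are deliberately separate: the limiter caps damage per client, and the detector feeds the alerting that the "security enhancements" line above describes, so an attacker spreading requests across many addresses to stay under the limit still produces a cross-client signal worth correlating.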
OCBC was attacked by malicious actors who managed to get access to 790 bank accounts as soon as the victims clicked on a link provided by the attackers and typed in their
Attack type: Phishing
Damage: $13.7 million loss
Security enhancements: Sending instant fund transfer alerts to customers, reducing the default daily limit for PayNow transactions, removing clickable links in marketing emails, introducing a 24-hour cooling-off period for key account changes, setting up a dedicated customer service care team, and introducing a hotline for reporting suspected scams.
Lessons learnt: Importance of educating customers about scams.