Slide 1

Security Incidents with Banking Apps

Slide 2

PayID

PayID had a data breach that exposed bank details and personal data of a vast majority of clients, including those at the big four banks. The breach originated with one of the Cuscal clients and affected most organisations.

Cause: Enumeration attack
Damage: Affected 92,000 customers. The information exposed included users' full name, PayID nickname, mobile number, BSB and account number.
Security enhancements: Additional alerting to mitigate against further incidents
Lessons learnt: Services that let a caller learn a user's PII by entering a phone number should have rate limits and API monitoring. Payment providers and banks share responsibility for security and thus need to work together to ensure that their systems are secure and that they can respond ASAP to data breaches.
https://www.smh.com.au/business/banking-and-finance/payid-in-new-breach-affecting-customers-at-big-four-banks-20190821-p52jby.html
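The "API monitoring" lesson above, as an added example that is not part of the slides: a small detector run over constructed access logs for a "resolve phone number to account holder" endpoint, flagging any client that resolves many distinct numbers inside a short window, the signature of an enumeration run. The log format, the 5-minute window and the 5-number threshold are assumptions for illustration.

```python
# Added example (not from the slides): spotting an enumeration pattern in
# constructed API access logs for a phone-number lookup endpoint. A genuine
# payer resolves a handful of numbers; an enumeration run resolves many
# distinct numbers from one source in a short time.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client id, phone number queried, result
SAMPLE_LOG = """\
2019-08-20T10:00:00 client-A +61400000001 found
2019-08-20T10:00:01 client-A +61400000002 not_found
2019-08-20T10:00:02 client-A +61400000003 found
2019-08-20T10:00:03 client-A +61400000004 found
2019-08-20T10:00:04 client-A +61400000005 not_found
2019-08-20T10:00:05 client-A +61400000006 found
2019-08-20T10:30:00 client-B +61400000010 found
2019-08-20T10:31:00 client-B +61400000010 found
2019-08-20T10:32:00 client-B +61400000011 found
"""

def parse_log(text):
    """Yield (timestamp, client, phone, result) tuples from the constructed log."""
    for line in text.splitlines():
        ts, client, phone, result = line.split()
        yield datetime.fromisoformat(ts), client, phone, result

def find_enumerators(text, window=timedelta(minutes=5), max_distinct=5):
    """Return {client: peak distinct numbers} for every client that queried
    more than max_distinct distinct phone numbers within any sliding window.
    Window and threshold are assumed tuning values, not figures from the slides."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, phone)
    flagged = {}
    for ts, client, phone, _ in parse_log(text):
        q = recent[client]
        q.append((ts, phone))
        # Drop entries that have aged out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))   # {'client-A': 6}
```

Counting distinct targets rather than raw requests keeps a payer who retries the same number out of the alert; the same counter can drive a per-client rate limit at the gateway.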

Slide 3

OCBC

OCBC was attacked by malicious actors who gained access to 790 bank accounts after the victims clicked on a link provided by the attackers and entered their credentials.

Attack type: Phishing
Damage: $13.7 million loss
Security enhancements: Sending instant fund transfer alerts to customers, reducing the default daily limit for PayNow transactions, removing clickable links from marketing emails, introducing a 24-hour cooling-off period for key account changes, a dedicated customer service care team, and a hotline for reporting suspected scams.
Lessons learnt: Importance of educating customers about scams.
https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
https://www.straitstimes.com/business/banking/ocbc-customers-hit-by-phishing-scam-790-lost-137m-in-total-bank-has-made-full-goodwill-payouts