Real-time payments are on the way

Instant online transfers promise to remove the often frustrating delays that come with online payment transfers. With the ability to use an email address or phone number to transfer money (instead of BSB and account number) about to increase, it all adds up to online payments becoming quicker and easier than ever.

CHOICE looks at the new technology, security considerations and potential outcomes with our latest article on real-time payments:

*EDIT At last check, the service was intended for launch in early 2018. Check the Osko website for the latest updates.

5 Likes

New Payments Platform (NPP) didn't happen in 2017. But media statements are now saying it will happen after January 2018.
(not to be confused with National Privacy Principles (NPP))

RBA has information on NPP for 2018 The New Payments Platform | RBA

BPay company has a product called Osko https://www.osko.com.au/

3 Likes

I downloaded the app about a month ago to use with my local credit union, but am still waiting for it to start.

2 Likes

Thanks for highlighting my error @vombatis, I've edited my comment to reflect the reality. The initial launch was also delayed, so it seems to be a case of 'wait and see' at the moment.

1 Like

The latest word from PayID/Osko is introduction shortly after Australia Day

3 Likes

Part of the changes involved in NPP is the ability to register a label for your account (for example use your email address or phone number as identity for your account) so that the payee does not need to know/remember your BSB and account number. This PayID is an RBA initiative.
Yet we haven't heard anything concrete from the financial organisations about how we register these labels. If that isn't done there won't be anything to make work next month.
My bank's website says:
"When the service is launched in early 2018, we'll be in touch with all the info you need to register your PayID via the bank app or Internet Banking."

2 Likes

That is our story of life. 'when'. I will be more impressed when I read something our illustrious governments have done that can be published with present or past tense rather than future tense. Waiting for Godot is not a very gratifying life.

4 Likes

A rather significant privacy issue has arisen with the PayID aspect of NPP:

Basically, those who sign up are adding their phone number or e-mail address to a reverse look-up database anyone can use. This isn't unprecedented - social media platforms let you search for other members in the same way, but people are wise to that and have their privacy settings set accordingly. We have different expectations about how banks handle our personal info.

I find NPAA's response a bit disingenuous. They describe it as an optional feature that individual customers are making their own, informed decision about. In their view, "a person chooses to create a PayID they do so with their full consent, informed by the terms and conditions of their financial institution". In the real world, few read T&Cs and the banks are only promoting the benefits.

Is it any more of a worry than the phone book? Not sure that's the right question. It's a different database linking different pieces of information - e-mail or phone number to a name, rather than name to a physical address and phone number.

6 Likes

PayID is here, there, and everywhere apparently.

https://au.finance.yahoo.com/news/westpac-breach-100000-aussies-fall-victim-012827145.html

2 Likes

This article highlights a number of issues.

  1. You probably ought not use this functionality unless you are a business. I would assume that most businesses intentionally publicise their phone number (they want to be contacted!) and the number could typically be mapped to the name using a search engine anyway.
    Perhaps that is the test for whether to opt in. Search the web for your mobile number. If your name comes up then this new system isn't much worse.
    How long before scammers use this in order to send better text messages? Right now they may send to a whole lot of random mobile numbers but they might not be able to include the correct name to address the recipient with in each text message. This database helps the scammers with that.

  2. While it may be opt in, users may not be giving informed consent if they don't know about all the relevant considerations. The worst case would be where someone has intentionally opted out of the white pages for safety reasons but ends up in this database anyway. The typical scenario would be a woman escaping an abusive partner.

  3. There are too many valid phone numbers compared with the length of a phone number. The fact that someone can even guess valid phone numbers is not ideal. If you had a one in a zillion chance of even guessing a valid phone number, that would slow the scammers and spammers down.

Presumably this whole thing would be more satisfactory if you register an email address rather than a mobile phone number - since you can invent as many new email addresses as you want at essentially no cost.

Not having used this system (yet) I wonder whether, as an individual (not a business), it is possible and permitted to register a "false" name against the mobile number and/or email address. When giving out the mobile number or email address to legitimate payers you could tell them what the expected name will be.

Pretty much anything to do with money or banking is more of a worry than a phone book.

3 Likes

More on PayID's vulnerabilities. A simple hack with a simple remedy.

4 Likes

An article regarding Pay ID data risks.

1 Like

Apparently we have an answer to my question then … no more than 4 months. :frowning:

1 Like

I am always annoyed when a company sends me an email with a link. They should know better by now - I certainly do, and if it appears to be actionable I log into my account entirely separately to the email.

Some companies say "you know it's from us because we use your name". Oh great - that's an incredibly secure way to do business, as shown by PayID.

2 Likes

If you have requested a password reset, sometimes it is an active link in an email that you get to action the change. Hopefully they provide a link you can copy and paste as well, but I have had some that do not, and even with some of the copied links you have to hope the link is a safe one. I also prefer the links that have a time limit to use them, so that once the time has expired no one else can use that link to take action on your account.

Two factor authentication is also useful in these cases eg you request the change but no link is sent until you type in the code supplied by email or SMS.

5 Likes
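The time-limited, single-use reset link described in the post above, as an added example that is not part of the original thread or of any bank's code. The token carries the user id, an expiry and a random nonce, all bound by an HMAC under a server-side key; the server rejects anything forged, expired or already redeemed. The key, the 15-minute window and the in-memory set of redeemed nonces are assumptions standing in for a real deployment's key store and database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a server-side secret that never reaches the client or the database.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60      # assumed window; the link is useless after this
_redeemed_nonces: set = set()    # stand-in for a database table of consumed tokens


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Return a reset token bound to user_id that expires after TOKEN_TTL_SECONDS."""
    now = int(time.time() if now is None else now)
    expiry = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(16)          # random per token, so each link is single-use
    payload = f"{user_id}:{expiry}:{nonce}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is genuine, unexpired and unused; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        # rsplit from the right so a user id containing ':' still parses
        user_id, expiry_s, nonce, mac = token.rsplit(":", 3)
    except ValueError:
        return None                        # malformed
    payload = f"{user_id}:{expiry_s}:{nonce}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Verify the MAC first (constant-time) so nothing below runs on attacker-controlled fields.
    if not hmac.compare_digest(mac, expected):
        return None                        # forged or tampered
    if now >= int(expiry_s):
        return None                        # expired: the link has gone stale
    if nonce in _redeemed_nonces:
        return None                        # already used: replay of an old link
    _redeemed_nonces.add(nonce)            # burn the token on first successful use
    return user_id


if __name__ == "__main__":
    tok = issue_reset_token("alice")
    print("first use:", redeem_reset_token(tok))     # alice
    print("second use:", redeem_reset_token(tok))    # None (single-use)
```

Only the MAC, the expiry and the nonce set need to be right for the three failure modes to be closed; the reset link itself would carry this token as a query parameter and the server would call `redeem_reset_token` before showing the new-password form.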

This is one of very few instances in which I will click a link - because a fraudster would need to know that I had requested the reset. Of course, as I use a password manager it does not occur very often.

2 Likes

With my bank even if logged in I need to request a change using 2 factor authentication, while not a link it still is an extra step worth having. Nor do some sites allow me to change internally until I have authorised the change by validating by an email link as an added security measure. Certainly Password Managers make the problem of forgotten passwords much less likely.

With my banks if I am making a payment to a new payee (even with PayID) then I am also required to authorise that new payee/payment by responding with a one time code. Again a safety feature to reduce the risk of a fraudulent transaction being actioned by a third party.

4 Likes

Even then I'm sure many people would check where the link is going against what is plausible. That won't catch all scams but it is a good idea.

Just putting it out there … mass data breach of a large mainstream company; the company in question sends out a notice to all customers informing them of the breach and suggesting that customers change their password (perhaps even though the plaintext password has not been compromised); then it might be possible for a scammer to inject random emails with fake links and get an acceptable hit rate to make it worth his or her while.

If in fact the scammer was responsible for the data breach then the hit rate can be close to 100%. (The scammer might still want to do this because it converts a salted and hashed, best practice, password into a plaintext password.)

3 Likes
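The "check where the link is going" habit from the post above, written down as an added example (not from the original thread or any bank). It parses the link and accepts it only if it uses https and its host is the expected bank domain or a subdomain of it, so the usual tricks of putting the bank's name in front of an attacker's domain, hiding the real host behind `user@`, swapping in a lookalike hyphenated domain or a homoglyph are all rejected. The `bank.example` host and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse


def link_goes_to(url: str, expected_host: str) -> bool:
    """True only if url is https and its host is expected_host or a subdomain of it."""
    parts = urlparse(url)
    # .hostname drops any user:pass@ prefix and :port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed sample links of the kinds discussed in the thread (not real sites).
SAMPLE_LINKS = {
    "https://www.bank.example/reset?token=abc":        True,   # genuine subdomain
    "https://bank.example:8443/reset":                 True,   # explicit port is fine
    "https://bank.example.attacker.net/reset":         False,  # bank name as a prefix
    "https://bank.example@attacker.net/reset":         False,  # real host hidden after '@'
    "https://bank-example.net/reset":                  False,  # lookalike domain
    "https://b\u0430nk.example/reset":                 False,  # Cyrillic 'a' homoglyph
    "http://bank.example/reset":                       False,  # plain http
}


def classify_links(links=SAMPLE_LINKS, expected_host="bank.example") -> dict:
    """Map each link to whether it is acceptable; used to show the decision for each case."""
    return {url: link_goes_to(url, expected_host) for url in links}


if __name__ == "__main__":
    for url, ok in classify_links().items():
        print(("OK      " if ok else "REJECT  ") + url)
```

The check deliberately compares the parsed host rather than searching the raw string for the bank's name, which is exactly what the prefix and `@` tricks are designed to fool; it still does not tell you whether the email itself was solicited, which is the other half of the advice in this thread.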

I am the same as the reset password email usually comes in within seconds of requesting to reset the password with the account holding website. If an email came in without a request, it would automatically be suspicious. The risk of this email being hijacked and amended in between the request and its receipt is almost zero.

The only risk is using a clickable link to reset a website password, as this may divert one to a website which looks authentic but is fishing for information. Such is only likely to occur if a scammer, for example, sends an email saying that your account has been suspended/expired and one needs to update their password using the provided link. This in itself should raise alarm bells, and one should only ever request a password reset either through typing in the relevant URL or using that stored and known in one's password manager.

3 Likes

Absolutely - but if it is a mass data breach then I will want to verify it independently and go to the affected website without clicking on a link.

I'm not paranoid, the universe is against me!

3 Likes