Enumeration Attack

Nine have reported an enumeration attack against Westpac's PayID (https://amp.nine.com.au/article/84c91581-90b6-464e-9137-a2d973492614). This attack is interesting because it uses a perfectly legitimate lookup technique to perform mass phone-number-to-name lookups. It reminds me of the old telephone directories, where you could only look up someone's number by name (and not vice versa). At some point, enterprising people decided to scan the entire phone directory and use OCR to build a database, thereby allowing number-to-name lookups. I am reminded of Dr George Weir's paper on cybercriminals using "old wine in new bottles": https://www.sciencedirect.com/science/article/pii/S1363412711000598
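The defender's counterpart to this is spotting the mass-lookup pattern in the lookup service's own logs. The following is an added example, not code from the article or from Westpac: it assumes a hypothetical log format and constructed sample lines, and flags any client that queries more distinct numbers than a threshold within a sliding time window.

```python
# Added example (not from the original post): flag clients that query a
# name-lookup endpoint for many distinct numbers in a short window, the
# signature of the mass lookups described above. The log format and the
# sample lines are constructed; "window" and "max_distinct" are tunable.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso-timestamp> <client-id> <phone-number> <result>"
SAMPLE_LOG = """\
2019-06-01T10:00:00 client-A 0412000001 found
2019-06-01T10:00:05 client-A 0412000002 found
2019-06-01T10:00:09 client-A 0412000003 notfound
2019-06-01T10:00:12 client-A 0412000004 found
2019-06-01T10:00:15 client-A 0412000005 found
2019-06-01T10:03:00 client-B 0413555111 found
2019-06-01T10:30:00 client-B 0413555111 found
2019-06-01T11:00:00 client-C 0498777000 notfound
"""

def parse_line(line):
    ts, client, number, result = line.split()
    return datetime.fromisoformat(ts), client, number, result

def flag_enumerators(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return {client: distinct numbers in its busiest window} for every
    client that looked up more than max_distinct distinct numbers within
    any span of length `window`. Repeats of one number do not count, so
    a user re-checking a single payee is not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, number, _ = parse_line(line)
            events[client].append((ts, number))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        worst, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({num for _, num in evs[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_distinct:
            flagged[client] = worst
    return flagged

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'client-A': 5}
```

In production the same check would run against the lookup service's real access logs, with the window and threshold tuned against normal user behaviour so that a legitimate customer adding a few payees is not flagged.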