
Syrax Operations · Research Dossiers

Research 02 — PayID Identity Exposure and Privacy-First Design

An analysis of how PayID identity resolution exposes real names during lookup, and how this behaviour can be abused for identity enumeration, social engineering, and downstream fraud.

Date: 15 Dec 2025

Status: Completed

Focus: Digital Identity Exposure

Disclaimer

This document is based on independent research, observation, and conceptual analysis only. No unauthorised access, probing, scanning, testing, or interaction with banking systems was performed. All scenarios discussed are derived from publicly observable behaviour, documented system functionality, and hypothetical threat modelling for educational and defensive purposes.

Focus

This research analyses how PayID resolves and displays recipient identity information before a transaction is completed. The aim is to understand how convenience-driven design decisions can unintentionally expose personally identifiable information (PII) and enable scalable abuse.

Problem Context

PayID allows users to initiate payments using phone numbers or email addresses. When a valid PayID is entered, the system resolves and displays the recipient’s registered name before consent or transaction approval. While intended to prevent misdirected payments, this behaviour creates a passive identity disclosure surface.

Key Observations

  • Valid PayIDs return real or display names without recipient interaction.
  • Lookups can be repeated across large datasets of leaked or guessed phone numbers and emails.
  • Returned names can be easily cross-referenced with OSINT sources (social media, data brokers, caller ID apps).
  • The name–number pairing significantly lowers the barrier for targeted scams and impersonation.

Identity Enumeration & Abuse Path

Unauthorised actors can efficiently chain PayID lookups with open-source intelligence to build high-confidence identity profiles. These profiles can then be used to:

  • Personalise scam messages and calls.
  • Impersonate banks or government services.
  • Assist SIM-swap or account recovery attacks.

The risk does not come from technical exploitation, but from predictable and repeatable system behaviour.

Proposed Privacy-First Mitigations

  1. Alias-Based Identity Display — Allow users to set a default alias or nickname instead of revealing their legal name during initial PayID lookups.
  2. Consent-Based Name Reveal — Only disclose full identity details after a trusted relationship or confirmed transaction, limiting exposure to unknown parties.
  3. Lookup Rate Limiting & Monitoring — Detect and throttle excessive or sequential PayID lookups that resemble enumeration behaviour.
  4. User Visibility & Auditability — Provide optional notifications or audit logs showing when and how often a PayID has been queried.
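The following Python sketch is an added example, not Syrax Operations' code and not any real PayID implementation. It shows how the four mitigations above fit together in one lookup path: a payer sees the payee's chosen alias (1), the legal name only where a trusted relationship already exists (2), lookups are throttled both on volume and when the requested numeric PayIDs form a consecutive run (3), and every lookup is written to a per-PayID audit trail the payee could inspect (4). The directory entries, PayIDs, account identifiers and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (hypothetical PayIDs, not real accounts).
# Each record carries the legal name, an optional user-chosen alias (mitigation 1)
# and the set of requester accounts the payee already trusts (mitigation 2).
DIRECTORY = {
    "0412000001": {"legal_name": "Alice Example", "alias": "Alice E.", "trusted": {"acct-77"}},
    "0412000002": {"legal_name": "Bob Example",   "alias": None,       "trusted": set()},
    "0412000003": {"legal_name": "Carol Example", "alias": "C.",       "trusted": set()},
    "dan@example.com": {"legal_name": "Dan Example", "alias": None,    "trusted": {"acct-12"}},
}

WINDOW_SECONDS = 60   # sliding window for per-requester rate limiting (assumed value)
MAX_LOOKUPS = 5       # lookups permitted per requester per window (assumed value)
SEQ_RUN_FLAG = 3      # this many consecutive numeric PayIDs in a row is enumeration-shaped


@dataclass
class Outcome:
    status: str              # "ok", "withheld", "not_found" or "throttled"
    display: Optional[str]   # what the payer UI may show before confirmation
    reason: str              # why that decision was made (useful for monitoring)


class PrivacyFirstResolver:
    def __init__(self, directory=DIRECTORY):
        self.directory = directory
        self.history = defaultdict(deque)  # requester -> deque[(timestamp, payid)]
        self.audit = defaultdict(list)     # payid -> audit entries (mitigation 4)

    def _prune(self, requester, now):
        """Drop history entries that fell out of the sliding window."""
        q = self.history[requester]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def _looks_sequential(self, requester):
        """True if the requester's recent numeric PayIDs form a consecutive run."""
        nums = [int(p) for _, p in self.history[requester] if p.isdigit()]
        run = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= SEQ_RUN_FLAG:
                return True
        return False

    def _record(self, payid, requester, now, disclosed):
        self.audit[payid].append({"ts": now, "requester": requester, "disclosed": disclosed})

    def resolve(self, payid: str, requester: str, now: float) -> Outcome:
        q = self._prune(requester, now)
        if len(q) >= MAX_LOOKUPS:
            # Mitigation 3: throttle before touching the directory, so a throttled
            # requester learns nothing, not even whether the PayID exists.
            self._record(payid, requester, now, "throttled")
            return Outcome("throttled", None, "rate_limit")

        q.append((now, payid))
        if self._looks_sequential(requester):
            # Mitigation 3: consecutive numbers look like enumeration; stop disclosing.
            self._record(payid, requester, now, "throttled")
            return Outcome("throttled", None, "sequential")

        record = self.directory.get(payid)
        if record is None:
            self._record(payid, requester, now, "not_found")
            return Outcome("not_found", None, "unknown")
        # Mitigation 2: the legal name only for an established relationship.
        if requester in record["trusted"]:
            self._record(payid, requester, now, "legal_name")
            return Outcome("ok", record["legal_name"], "trusted")
        # Mitigation 1: otherwise the payee's chosen alias ...
        if record["alias"]:
            self._record(payid, requester, now, "alias")
            return Outcome("ok", record["alias"], "alias")
        # ... or nothing at all until the payee confirms the relationship.
        self._record(payid, requester, now, "withheld")
        return Outcome("withheld", None, "no_alias")

    def lookups_of(self, payid):
        """Mitigation 4: what a payee could see in their own audit view."""
        return list(self.audit[payid])
```

Two design points matter for the threat described in this dossier. The rate-limit check runs before the directory is consulted, so a throttled requester gets the same answer for valid and invalid PayIDs and cannot use throttling responses as a validity oracle. The sequential-run heuristic is deliberately simple; a production deployment would pair it with per-source miss ratios and cross-requester correlation, since an enumeration campaign can be spread across many accounts.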

Security Impact

These changes preserve PayID’s usability while reducing its effectiveness as an identity enumeration tool. By limiting unsolicited identity exposure, the system becomes more resistant to social engineering, phishing, and downstream fraud without disrupting legitimate payments.

Closing Note

This research highlights how small design decisions at the identity layer can have outsized security consequences at scale. By re-examining how and when identity data is revealed, PayID can better balance convenience with privacy, reducing its attractiveness as a passive data source for fraud and scam operations.
