Dan Tyrrell said the Adelaide-based firm had a portal that provided access to credit card transaction details and some packaging functionality.
He provided iTWire with a sample reset password in plaintext. The general way a password reset takes place is for the website to email a user with an URL; clicking on that takes the user to a page that allows the user to choose a new password of their choice, after first authenticating with their old password.
But in the case of AccessPay, an email comes back with the message: "Your AccessPay password has been reset. Please log in using the new password: (new_password_in_plaintext)."
"Given it is such a basic flaw it makes me concerned about the overall security of the system and therefore how exposed my personal data is from other attacks and exploits," Tyrrell said.
AccessPay has no media contact listed on its website. iTWire sent an email to company's business development manager seeking a reaction, but there has been no reply.
The debit cards that are issued to users are from Mastercard. A Mastercard spokesperson, responding to a query about the security involved, had this reply: "Mastercard is the payment scheme of choice, while EML is the prepaid card issuer for AccessPay.
"While Mastercard conducts due diligence for all of its customers, all customers and third parties will continue to bear the responsibility to comply with applicable laws and regulations."
In many cases, an employer chooses the company that handles salary packaging and the employees have no option but to use it.
Of its role, AccessPay says: "Put simply, salary packaging is allocating a portion of your pre-tax salary to the payment of certain expenses, like your mortgage, rent, groceries or insurance, to reduce the amount of income tax you pay and increase your disposable income."
Tyrrell said: "I had assumed any organisation running a portal to debit card details would be required to run security audits and pen testing as part of the agreement they have with the card supplier. I would also expect the card supplier to audit customers.
"A worst case scenario is that a rogue operator with access to an organisation's email system could move large amounts of money out of accounts and offshore very easily. Think of an organisation with a few thousand employees and the coming pay run for the Christmas break with holiday pay and potential bonuses."