POLi........issues and who uses it?

I just did a quick web search on POLi prompted by this thread, and it's interesting that two NZ banks are currently warning their customers against using POLi, saying that POLi is imitating their web banking login pages.

It's true. POLi's new "Mac compatible" pages mean they now proxy the connection between you and your bank. The sign-in page you get is a POLi hosted page, not a bank hosted one.
-- for a decent rundown check out the screenshots here, as much as I don't like ZDNet: "NZ bank claims payment processor is capturing user details" | ZDNet

Your username and password are sent to POLi. POLi then send it on to the banks on your behalf, but there's nothing stopping someone (or something) in POLi's world from keeping your password and then using it later.
Now, their business would fall over in a second if they did it deliberately or maliciously, but frankly what they're doing now has crossed a line.

I have never, and will never trust POLi, and I'd rather pay the few dollars in a card fee to make a payment securely. (Not to mention get all the complimentary insurances that come with using my card)

(just my 2 cents...)
 
POLi then send it on to the banks on your behalf, but there's nothing stopping someone (or something) in POLi's world from keeping your password and then using it later.
Actually I think you'd find that if you ask a lawyer on this there are things (i.e. laws) stopping them from capturing this information. Is your opinion just that or is it based on an analysis of NZ laws?
 

Actually I think you'd find that if you ask a lawyer on this there are things (i.e. laws) stopping them from capturing this information. Is your opinion just that or is it based on an analysis of NZ laws?

Yes, stealing this information is against the law. Pages that capture online banking usernames and passwords and pretend that they're the bank are known as phishing or ghost websites. POLi's page is functionally equivalent - it presents you with a bankname.paywithpoli.com page (e.g. from the article, commbank.apac.paywithpoli.com/netbank/Logon/Logon.aspx for CBA). It looks exactly like your bank's logon page, but it's actually somewhere else. The assumption that POLi don't keep your details is still an unknown. I don't think they do, but there's nothing (technically, based on their solution architecture) stopping them from doing it.

- Note, up until these articles started flying around, i.e. about 3 days ago, POLi displayed a "Bank URL" box and a Padlock that made it look more like you were on the bank's page, but they've now removed that.

You'll also notice that if you try to visit any links on the bank page that aren't "log in", that your mouse will change to a little "no" symbol and you can't do that, and if you hover over and look down the bottom you'll see the link is to a page hosted by POLi. So, if you've forgotten your password, you can't follow that link.
For them to say that they don't capture your credentials is complete hogwash, because they're sent to POLi's "secure server". (But you have to take their word on that, who knows what security practices they actually observe). After POLi gets them, they replay them to the bank server in the back end.

There are a few things that are "stopping them" from keeping your credentials:
- Decency, and reputability (i.e. they're probably not an evil company that's out to steal your information)
- It is indeed illegal
But the nature of their service is that they capture them (in all likelihood to just send to the bank). But what they do is evil.

Banks disable phishing/ghost websites daily, and all will tell you to only ever log in if you've typed the bank URL in yourself, and not followed a link. Whether the link is in a spam email, or from a payment page on Jetstar, technically speaking, you're still being socially engineered into doing something you think is actually something else.

POLi's old system of requiring an ActiveX control which observed you doing a transaction while you logged into the actual internet banking was an order of magnitude less evil, in my opinion anyway.

Sorry for the somewhat off topic post.
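As an added illustration (not from this thread, and not POLi's or any bank's code), here is a defender-side check for the behaviour described in the post above: given the URL of a login page and its HTML, it reports whether the page itself, the credential form's action, and the page's links resolve to the expected bank domain or to a third-party host. The hostnames and HTML are constructed, modelled on the bankname.paywithpoli.com URL quoted above; the domain split is a deliberately crude heuristic, not a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for ccSLDs such as .com.au / .co.nz."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "net", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _FormLinkExtractor(HTMLParser):
    """Collects <form action> targets and <a href> links from a page."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")   # empty action posts to page URL
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def audit_login_page(page_url: str, html: str, bank_domain: str) -> dict:
    """Flag a login page whose host, form target or links leave the bank's domain."""
    p = _FormLinkExtractor()
    p.feed(html)

    def off_bank(u: str) -> bool:
        h = urlsplit(urljoin(page_url, u)).hostname or ""
        return registrable_domain(h) != bank_domain

    actions = [urljoin(page_url, a) for a in p.form_actions if off_bank(a)]
    links = [urljoin(page_url, l) for l in p.links if off_bank(l)]
    return {
        "page_is_third_party": off_bank(page_url),
        "credential_form_posts_to_third_party": bool(actions),
        "third_party_form_actions": actions,
        "third_party_links": links,
    }


# Constructed sample: a re-hosted logon page on a payment-proxy host (hypothetical names).
PROXIED_URL = "https://bank.apac.proxy.example/netbank/Logon/Logon.aspx"
GENUINE_URL = "https://www.bank.example/netbank/Logon/Logon.aspx"
SAMPLE_HTML = """<form action="/netbank/Logon/Logon.aspx" method="post">
<input name="username"><input name="password" type="password"></form>
<a href="/netbank/ForgotPassword.aspx">Forgot your password?</a>
<a href="https://www.bank.example/contact">Contact us</a>"""

if __name__ == "__main__":
    print(audit_login_page(PROXIED_URL, SAMPLE_HTML, "bank.example"))
```

The same HTML served from the bank's own host passes every check, which is exactly the "only log in where you typed the URL yourself" rule in code form.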
 
The fact that POLi exists at all, is a pretty good indication that there is a demand for what they are doing. While accessing your transaction account during an online purchase sounds like a good idea, and is, the fact remains that the banks don't provide a solution.

They can give access via debit MasterCard or debit Visa, but as we know, the merchant then slugs you a fee for doing so (with some exceptions).

The real answer, I think, is to get the banking industry to provide a better solution. One answer may be to extend the eftpos network to allow online transactions. There may be others.
 

Yes - stealing this information is against the law - but POLi are not stealing this. To start the post with that line suggests they are even if that is not your intention. Saying 'but what they do is evil' seems a little over the top to be honest.

As I said in another post - people make payments over the internet constantly via credit card, paypal and various other payment methods. Any of these methods carry a risk - someone can always get your info if they have the relevant level of know how and desire. Someone else posted here who has had experience in the CC payments industry - I'm not saying this to discredit your opinion, but I think there is far too much scare-mongering (especially in Australia) when it comes to anything new. And most of this scare mongering, whether it be from the banks, Today Tonight or A Current Affair, usually carries another agenda (i.e. banks don't want to lose
 
Someone else posted here who has had experience in the CC payments industry

So? I'm an IT security engineer (CISSP). Is my opinion less worthy just because I haven't worked on a PCI project?

Beware of "False Expert" syndrome.
 
So? I'm an IT security engineer (CISSP). Is my opinion less worthy just because I haven't worked on a PCI project?

Beware of "False Expert" syndrome.

No not at all - I'm not getting into a 'do you know what I do' argument here. Quite simply - you don't like the idea of POLi, and that's fine. It doesn't mean they are doing anything wrong though just because you don't like the idea of their system. As stated in a previous reply to you - if they were contravening laws or the data protection act, they would have been shut down already.

Innocent until proven guilty right?
 
The real answer, I think, is to get the banking industry to provide a better solution. One answer may be to extend the eftpos network to allow online transactions. There may be others.


Bank or banking industry and solution in the one sentence is about as clear a definition of an oxymoron as you can get.
 
POLi have a statement on their website refuting these claims:

Providing log in details to a third party presents very serious security risks and contradicts both the New Zealand Code of Banking Practice and our terms and conditions.

The bank can choose to do what they want, including not covering fraud or investigating chargebacks relating to POLi usage. POLi's response is inadequate - because they have to "capture" the information being input (to pass through their "secure" servers).

Note the "Verisign" report which gives them a glowing review is from 2008. The 2012 report from Security-Assessment is actually a pretty light-on summary. I do wonder what tests were performed, and depending on what the client requested may or may not be a complete review.

And yes, POLi WERE spoofing bank websites, however, they appear to have "modified" their practices since.
 
I've read that - there is no proof. The story has the word 'claims' in the title.

ZDNet state:

ZDNet's own examination of the process shows that at the very least, the log-in screens for the Commonwealth Bank of Australia (CBA), ANZ, National Australia Bank (NAB), and Westpac have been re-hosted (with the exception of necessary scripts and images) on POLi's servers. POLi's own system shows that a "bank URL" that it might normally see doesn't reflect the actual content shown.

Rehosting a website is spoofing the website.
 