I was then expected to log in to my internet banking, at which point I was presented with the pre-populated ANZ bank-transfer web page, with some fields (reference code, amount, etc.) disabled.
What was being done was this: the POLi server requested the bank's web pages from the ANZ server, massaged the HTML, and passed the HTML on to me.
I then filled out the form, which was submitted back to the POLi server, which then passed that information on to ANZ.
This was repeated for every page. You are entering your internet banking credentials into an interface owned by a merchant.
The iframe comes from POLi, but there's no easy way for an end user to verify that, and the parent page would still have the opportunity to mess with the frame.
You also have to trust POLi not to have any vulnerabilities where other parties can gain information by including its interface in an iframe of their own and using clickjacking.
This is difficult to fully prevent when your interface must allow iframing. POLi are effectively doing a man-in-the-middle attack on your online banking, and predictably some banks are upset about that.
If you suffer fraud (whether or not related to use of the POLi service), your bank might be able to argue that you bear some liability for not keeping up your end of the bargain: keeping your banking credentials secret from everyone but the bank.
POLi aren't the only party taking this approach—see for example Germany's Sofortüberweisung. I personally consider it an insane idea, but it's hardly the first insane idea to catch on from the financial world.
If you read their privacy statement it more or less says you give them full access to your bank account and the rights to your full banking transaction history if you use the service.
Personally I find this unacceptable. What I have done in the past is simply copy the reference number provided and send the transaction manually to Air New Zealand, with the POLi reference number in the particulars, and not enter my details into the POLi interface at all.
It potentially reduces the likelihood of mistaken transactions, as the details of the transaction are pre-populated.
Some banks have raised concerns over Poli as it involves entering your internet banking details on a third-party site.
Some banks have said this could mean forfeiting your protection against unauthorised payments in the ePayments code on the basis that you have contributed to the loss.
Usernames and passwords aren't captured or stored by Poli, according to Poli; your account number, however, may be. On its website, the Commonwealth Bank says it "urges customers making online payments to do so via the Bank's own NetBank site, which guarantees the customer's security", while a NAB spokesperson told us that Poli services have similar levels of consumer protection to the 'pay anyone' function on internet banking.
Bpay is predominantly used as a bill payment service. It's generally available via your internet banking, but it's also offered as a payment method on some airlines' websites.
The biller may not charge a fee for using the Bpay service, but your financial institution might. And if you attempt to pay with a credit card, you may be charged for a cash advance and you won't have any chargeback rights.
You're using Eftpos whenever you use your card at the checkout and select cheque or savings account. To date, consumers have been less likely to pay a surcharge for the use of Eftpos than for credit cards, according to the RBA's The Changing Way We Pay: Trends in Consumer Payments report.
The downside with Eftpos has been that it isn't available for online purchases and it hasn't traditionally offered chargeback rights.
This is set to change, however, with the launch of Eftpos Online, which is expected to start appearing as a payment option on merchant sites next year.
An Eftpos spokesperson told CHOICE that it will continue to be a lower cost scheme than the credit cards, with the added benefit of offering chargebacks.
In addition to their credit card schemes, Visa and MasterCard also operate in the debit card space. The benefit of Visa and MasterCard Debit (provided you select 'credit' when paying, rather than 'cheque' or 'savings') is that you'll have chargeback rights.
However, surcharges may still apply. The median surcharge for Visa and MasterCard Debit sits at 1.
Poli promises not to remember your login details between transactions. So can we trust Poli not to keep our login details?
There's a proviso, however. Web applications like this can be vulnerable to attacks called man-in-the-browser (MITB), according to Welch.
But banks are equally vulnerable to these kinds of attacks, said Welch, and it could be argued that Poli is more secure "because the MITB has no way of telling Poli to do a transaction such as a payment to a third party".
The Warehouse Group is one of the largest Kiwi merchants using the service. Michelle Anderson, chief digital officer, said that they offer Poli because it allows their customers to shop on their sites without a credit or debit card, and that The Warehouse never sees an individual's banking information.
"We have found Poli to be an extremely secure method of payment." Well, obviously, when you are entering your banking login details in the POLi pop-up, you are disclosing them!
Even though they claim that they "do not capture or store usernames or passwords" (POLi Security overview [archive]), your login and password are transmitted to the POLi servers, held in memory there, and then transmitted on to your bank's website.
POLi is in fact only a sophisticated "proxy" that browses your bank's website from its own servers on your behalf. This so-called "payment solution" is misleading, and disclosing your banking credentials to it is a major security risk.
And I bet they get a good number of credentials and transactions, as they seem to be doing everything to say that they are really safe and secure, and they are in fact just a proxy server, like Opera Mini.
Which is true, but not really reassuring. Another of the many problems with POLi is that it uses an iframe embedded in the merchant's website.
This means that even though you are typing your banking credentials into a page served by POLi, the frame sits inside the merchant's page, and the merchant's page controls that frame element. The browser's same-origin policy stops the parent page from directly reading what you type into a cross-origin frame, but the parent can replace the frame's source with a lookalike login form, overlay or resize it, and you have no address bar inside the frame to notice. It could also try to exploit a security flaw in the POLi proxy service to perform other actions or transactions on your online banking through POLi's servers.
Any third-party script the merchant loads runs with the same control over the frame. The Comodo logo and padlock displayed inside the embedded frame are even more misleading: they are just images, suggesting that the frame is served over HTTPS, which you have no way of confirming from inside a frame.
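The forum comment above notes that clickjacking is hard to rule out when an interface must allow iframing, and this post objects to the frame living inside the merchant's page. The one control the framed party does have is the `frame-ancestors` allowlist. The following Python is an added check written for this page (not code from POLi, any bank, or the post's author): it implements the matching a browser applies to a response's anti-framing headers (`'self'`, `'none'`, `*`, scheme sources, host sources with `*.` wildcards, and CSP `frame-ancestors` taking precedence over `X-Frame-Options`) and reports whether a given origin could embed the page. The header sets, origins and hostnames are constructed.

```python
"""
Decide whether a response's anti-framing headers let `ancestor` embed it.
Added illustration for this page; sample headers and origins are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _split_origin(origin):
    """(scheme, host, effective port) for an origin string such as https://a.example:8443."""
    u = urlsplit(origin)
    return u.scheme, (u.hostname or ""), (u.port or DEFAULT_PORTS.get(u.scheme))


def _source_matches(source, ancestor, self_origin):
    """Does one CSP source expression permit `ancestor` to embed the protected page?"""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return _split_origin(ancestor) == _split_origin(self_origin)
    a_scheme, a_host, a_port = _split_origin(ancestor)
    if source.endswith(":") and "//" not in source:          # scheme-source, e.g. "https:"
        return a_scheme == source[:-1]
    if "://" in source:                                       # host-source with explicit scheme
        scheme, _, rest = source.partition("://")
    else:
        scheme, rest = "", source
    host, _, port = rest.partition(":")
    self_scheme = _split_origin(self_origin)[0]
    if scheme:
        if scheme != a_scheme:
            return False
    elif a_scheme != self_scheme and not (self_scheme == "http" and a_scheme == "https"):
        return False                                           # scheme-less sources only allow an http->https upgrade
    if port == "*":
        pass
    elif port:
        if int(port) != a_port:
            return False
    elif a_port != DEFAULT_PORTS.get(a_scheme):
        return False                                           # no port in the source means the scheme's default port
    if host.startswith("*."):
        return a_host.endswith(host[1:])                       # "*.airline.example" matches subdomains only
    return a_host == host


def frame_ancestors(headers):
    """Source list of the Content-Security-Policy frame-ancestors directive, or None if absent."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]                               # an empty list permits nothing
    return None


def may_be_framed_by(headers, ancestor, self_origin):
    """True if a browser honouring CSP / X-Frame-Options would let `ancestor` embed the response."""
    sources = frame_ancestors(headers)
    if sources is not None:                                    # CSP frame-ancestors wins when both headers are present
        return any(_source_matches(s, ancestor, self_origin) for s in sources)
    for name, value in headers:
        if name.lower() == "x-frame-options":
            v = value.strip().upper()
            if v == "DENY":
                return False
            if v == "SAMEORIGIN":
                return _split_origin(ancestor) == _split_origin(self_origin)
            # other values (including the obsolete ALLOW-FROM) are ignored by current browsers
    return True                                                # no anti-framing header: any site may embed it


# Constructed sample header sets for a payment frame at PAYMENT_FRAME; none captured from a real service.
PAYMENT_FRAME = "https://pay.example"
OPEN_FRAME = []                                                # nothing at all: wide open to clickjacking
WILDCARD_FRAME = [("Content-Security-Policy", "frame-ancestors *")]
SELF_ONLY = [("X-Frame-Options", "SAMEORIGIN")]
MERCHANT_ALLOWLIST = [
    ("Content-Security-Policy", "frame-ancestors 'self' https://shop.example.com https://*.airline.example"),
    ("X-Frame-Options", "DENY"),                               # fallback for old browsers; CSP overrides it above
]

if __name__ == "__main__":
    for label, hdrs in [("open", OPEN_FRAME), ("wildcard", WILDCARD_FRAME),
                        ("self-only", SELF_ONLY), ("merchant allowlist", MERCHANT_ALLOWLIST)]:
        for site in ["https://shop.example.com", "https://www.airline.example", "https://evil.example"]:
            print("%-18s %-28s %s" % (label, site, may_be_framed_by(hdrs, site, PAYMENT_FRAME)))
```

An interface that must be embeddable cannot use `DENY`, but it can still be restricted to a per-merchant allowlist; a response with no anti-framing header at all, or `frame-ancestors *`, lets any site, including one set up purely to clickjack, place the login frame on its own page.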
Their privacy statement says: "We may also collect your financial information including bank account balances, bank account payment limits, a record of your previous banking transactions and information about your internet banking sessions."
Worse, their terms and conditions [archive] are simply wrong, and the same claim is repeated in Air New Zealand's FAQ [archive]:
"During the course of your payment, Air New Zealand and POLi never have access to your internet banking identifier or password."
This is plainly false: if you inspect the requests made from the POLi frame (the network tab of the browser's developer tools is enough), your login and password are in fact sent to the POLi server.
Not only is their service a terribly bad idea to begin with, but their own terms and conditions don't reflect what the service actually does.
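To make concrete what "a sophisticated proxy" means here, and what the forum comment earlier describes (the bank's pages requested by the proxy, the HTML massaged, the form posts relayed), the following Python is a minimal model of such a proxy. It is an added illustration written for this page, not POLi's or any bank's code; the origins, page markup, field names and the sample credentials are constructed, and the upstream request to the bank is stubbed. What it shows is the part the terms and conditions deny: every form the user submits, the login form included, is parsed by the proxy before it can be forwarded, so the credentials are in the proxy's hands whether or not it chooses to write them down.

```python
"""
Minimal model of a proxying "bank payment" service: rewrite the bank's pages
so the browser submits to the proxy, lock the merchant-supplied fields, relay
each submission to the bank.  Added illustration; all names are constructed.
"""
import re
from urllib.parse import parse_qs, quote, unquote, urljoin

BANK_ORIGIN = "https://bank.example"        # constructed stand-in for the bank
PROXY_ORIGIN = "https://proxy.example"      # constructed stand-in for the payment proxy
LOCKED_FIELDS = {"amount": "199.00", "reference": "POLI-REF-0001"}   # set by the merchant (constructed)

# Constructed samples of what a bank might serve; not real bank pages.
BANK_PAGES = {
    "/ib/login": '<form method="post" action="/ib/login">'
                 '<input name="customer_no"><input type="password" name="password">'
                 '<button>Log in</button></form>',
    "/ib/transfer": '<form method="post" action="/ib/transfer">'
                    '<input name="to_account"><input name="amount"><input name="reference">'
                    '<button>Pay</button></form>',
}


def rewrite_bank_page(html, bank_path):
    """Point every form at the proxy's relay endpoint and lock merchant-supplied fields."""
    def proxy_action(m):
        target = urljoin(BANK_ORIGIN + bank_path, m.group(1))   # absolute URL on the bank
        return 'action="%s/relay?to=%s"' % (PROXY_ORIGIN, quote(target, safe=""))
    html = re.sub(r'action="([^"]*)"', proxy_action, html)

    def lock_field(m):
        name = m.group(1)
        if name in LOCKED_FIELDS:            # user sees the value but cannot edit it
            return '<input name="%s" value="%s" readonly>' % (name, LOCKED_FIELDS[name])
        return m.group(0)
    return re.sub(r'<input\b[^>]*\bname="([^"]+)"[^>]*>', lock_field, html)


def serve_page(bank_path):
    """What the proxy hands to the browser in place of the bank's own page."""
    return rewrite_bank_page(BANK_PAGES[bank_path], bank_path)


class Relay:
    """The proxy's relay endpoint.  `seen` stands for anything the operator could log."""

    def __init__(self):
        self.seen = []

    def post(self, relay_url, body):
        target = unquote(relay_url.split("?to=", 1)[1])
        fields = {k: v[0] for k, v in parse_qs(body).items()}   # credentials are parsed here, in clear
        self.seen.append((target, fields))
        return self.forward_to_bank(target, fields)

    def forward_to_bank(self, target, fields):
        """Stub for the upstream HTTPS request to the bank; returns the next bank page to proxy."""
        return "/ib/transfer" if target.endswith("/ib/login") else "/ib/done"


def run_session(customer_no, password):
    """Walk one payment through the proxy and return everything the proxy saw."""
    relay = Relay()
    login_page = serve_page("/ib/login")
    action = re.search(r'action="([^"]*)"', login_page).group(1)
    next_path = relay.post(action, "customer_no=%s&password=%s" % (quote(customer_no), quote(password)))
    transfer_page = serve_page(next_path)
    action = re.search(r'action="([^"]*)"', transfer_page).group(1)
    relay.post(action, "to_account=12-3456-7890123-00&amount=199.00&reference=POLI-REF-0001")
    return relay.seen


if __name__ == "__main__":
    for target, fields in run_session("12345678", "hunter2"):   # constructed sample credentials
        print(target, fields)
```

Note that nothing in the relay needs the credentials to be written to disk for the problem to exist: "we do not store usernames or passwords" is a statement about the operator's discipline and logging configuration, not a property the design can guarantee to the user, and a compromise of the proxy exposes every session flowing through it.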
So: don't use POLi. And I'm not the only one saying it [archive].