Pago.co.nz Bad Security Practices Could Leave Users Out of Pocket

By tonyhughes Hughes, in , posted: 27-Nov-2006 21:46

As a follow on to my previous blog post, pago.co.nz is seriously flawed and putting users at risk of exploits possible through misuse of either the Telecom mobile network, or the Vodafone mobile network.

Both the exploits are already KNOWN problems, simply applied for different purposes.

This needs to be addressed immediately. I expected a call or email from ASB/pago late today, or a notification on their site that they were fixing this, or suspending the service, but this hasnt happened.

From Pago terms and conditions: (I will not attempt to read anything into these, they pretty much speak for themselves)
  • A Payment cannot be stopped, cancelled or altered once sent even if you make a mistake and enter the wrong details of the person you want to pay (i.e. incorrect email address or mobile phone number), the wrong amount is paid, or someone other than you accesses your Wallet and sends a Payment from it. If you lose money or make a mistake we will not refund you.
  • if someone else uses your mobile phone or pago Password and you lose money, we will not give it back to you;
  • if you make a Payment we will believe it is from you and we will not check whether this is true or not;
  • only you have a relationship with the company that supplies your mobile phone network or email account;
  • the New Zealand Bankers' Association Code of Banking Practice does not apply to your use of pago.
Its simply absurd that a banking institution would use one-factor authentication. Its like having an ATM card with no PIN that can be cloned remotely. The mobile carrier part in this, I believe is merely incidental, as two-factor authentication (requiring a PIN number to be included in a payment request) would totally eliminate these exploits.

Customers of pago.co.nz who are concerned about this can get Telecom to put a password on their mobile account - just phone *123 or visit a Telecom store and say "can I please have a password put on my account to prevent anybody from making changes". Which is indeed a good thing for any telephone account holder to do. I believe this is not done by default, as it can make things difficult when making legitimate changes to your account.

Vodafone customers are however, out of luck. No fix for you. (The Vodafone based exploit uses a completely different method to the Telecom one)

But even for Telecom customers, this doesnt eliminate the fact that single factor authentication is very easy to bypass. If you are a pago.co.nz member, I could still steal or borrow your phone to make payments. Again, a simple second tier of security (a simple 4 digit PIN) would make the fraud virtually impossible to commit in the first place.

Pago.co.nz is inherently insecure and should not be used until they implement a second factor of authentication.

The current service is like an ATM card with no pin that I can access remotely, without even having to physically get your ATM card.

Pago - fix this. Very soon... I gave you the courtesy of telling you first, but you need to act quickly and make your system more secure.

As for the exploits themselves, they are not that hard. Other people will figure them out sooner or later. Im picking sooner being the most likely of the two.


Tag(s):         


More information

Other related posts:
Kiwibank to offer personal finance via GE Money
TiVo in New Zealand - Do You Want One?
A new lease on life for a Squier California Strat








Comment by sbiddle, on 27-Nov-2006 22:33

Have you had any contact at all from them other than the call you mentioned earlier?

Might be time to spill the beans in a few days if they don't do anything about it. The Telecom exploit should be obvious to most people - I'm a little uncertain how you can exploit the system from a Vodafone mobile however.

To be honest after thinking about this and looking at the way the system works you can only wonder how the hell ASB found so many brain dead wannabe IT experts to build such an insecure system.


Comment by barnaclebarnes, on 28-Nov-2006 07:21

Most GSM phones should have the ability to add a PIN number to lock the phone so that if anyone did steal the phone they would need at least that number to even use the phone.


Author's note by tonyhughes, on 28-Nov-2006 07:51

The full details (not that its that hard) have been spilled to the media already..... just a matter of time now. Which is why pago should be all over this like a fly on poo.


Author's note by tonyhughes, on 28-Nov-2006 08:19

people dont like to walk around with their entire phone locked. besides, that makes zero difference for the two exploits i know of...


Comment by freitasm, on 28-Nov-2006 08:20

What do you mean by "media"? So the service didn't come back you you because you are only a consumer and blogged about it? So they don't believe in blogs?

Shees. Time for this people to read the Cluetrain M anifesto (www.cluetrain.com).


Comment by barnaclebarnes, on 28-Nov-2006 08:43

So can someone bypass the security if they don't have your phone? i.e. can the spoof your phone number and send money that way?


Comment by sbiddle, on 28-Nov-2006 08:54

Going back to your comment about PIN numbers on accounts, every Vodafone account automatically has a PIN against it. If you're on PrePay you need to enter an account PIN before you make the first call on the phone.


Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and shown in this blog post.

Your name:

Your e-mail:

Your webpage:



Subscribe To My RSS Feed