NZ Post Prezzy Card flaw exposed - and 324 days later NZ Post follow it up

By tonyhughes Hughes, in , posted: 29-Nov-2007 21:26

## Update: I invited NZ Post to ask any specific questions they might have had, and recieved a valid response. I outlined pretty much what I have already said publicly to Computerworld, and also alluded to the fact that their problems are really not repairable from a technical perspective (the global payment processing model is flawed), and that marketing and product development/design and legal is where the changes should be made.

Thats as far as I went though, NZ Post really need to contract someone to fix their issues, simply asking customers for ideas is not enough.

Heres some extracts from my last communication with them...

I have some great ideas to fix it, but they are really marketing, legal and design ideas, not strictly technical measures. Nothing that a large corporation shouldn't be able to come up with themselves, with their best and brightest having a white-board session, with a table full of salad bagels and OJ.


But lets just say, if I was designing the Prezzy Card system from scratch, it would be significantly different, but still capture the essence of what the product is all about, and create some security and accountability from the outset, (although with the inherent global flaws in payment processing, you will never be able to totally remove the increased risk of fraud, in comparison with regular credit cards). But seeing as cost of fraud/theft should be a factor in your business planning anyway, that shouldn't present too large a problem.

--- original post starts here ---

Thats quite some time ago that I posted this article. 7776 hours in fact. Or 10 months and 20 days. (thats 27,993,600 seconds, 466,560 minutes, or 46 weeks rounded down).

But I am happy to just leave it at 324 days.

After my article about the flaw in this prepaid Visa card system, I was interviewed by Juha Saarinen for a Computerworld article about the exploit.

NZ Post was clearly aware of it, having responded to Computerworld:

Tunnicliffe explains that the case quoted to her by Computerworldindicates that the retailer was not authorising the transactions in real time, or immediately. The retailer is enabling transactions to be completed without consistently confirming that there are sufficient funds available on the Prezzy card being used, she says.

Thats NZ Posts General Manager for Payment Services, Terese Tunnicliffe, speaking to Computerworld in January.

Recently the issue has come to light again, showing that these problems are still occurring, and that Prezzy Card really is free money for anyone who wants it.

Tonight, I was contacted by a NZ Post staff member asking for further details about the exploit.

A bit strange after 324 days if you ask me (And yes, I believe the contact is genuine, and I will confirm that tomorrow.)

I never contacted them, but on my reasonably well read blog, I had posted this:

After my bad experience trying to notify ASB Banks Pago GM about a flaw in their mobile payment service which left them wide open to a simple social engineering hack, and a seperate client-hardware based attack, only to be basically ignored, with the GM doing nothing about my initally private warning, I found myself wondering what to do about my latest discovery.

Well - here goes... I decided to just post a notification of the flaw (but not details on how to take advantage of it) on the internet.

If NZ Post want to contact me, they are more than welcome to. Please note that I will require your company contact details, so that I can proactively call you back on a company line (otherwise any fool could ring me...). Drop me an email to tony at tall dot co dot nz.

I havent actually engaged them in conversation yet. I wonder what they actually want to know, that the Computerworld article doesn't tell them?

Happy spending...

Other related posts:
Kiwibank to offer personal finance via GE Money
TiVo in New Zealand - Do You Want One?
A new lease on life for a Squier California Strat

Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and shown in this blog post.

Your name:

Your e-mail:

Your webpage:

Subscribe To My RSS Feed