Geekzone: technology news, blogs, forums


sbiddle

30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

#10518 27-Nov-2006 10:00

Now that this is live what do people think? I think it's got the potential to be huge, ASB deserve some kudos for getting in first - both Vodafone and Telecom could have done the same but never quite made it.


freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#53824 27-Nov-2006 13:35

It's a great idea. Just two things:

- http://www.geekzone.co.nz/forums.asp?ForumId=48&TopicId=10517
- http://www.geekzone.co.nz/tonyhughes/1780

[Moderator edit (bradstewart): Fixed hyperlink.. /me wanders off before Mauricio can take revenge for such pwnage]








sbiddle

30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #53833 27-Nov-2006 14:15

It was a little scary that Tony found a possible exploit so quickly in a system that should have hopefully been built around a secure business model. I haven't had a play with it yet but will sign up later on today.

freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#53834 27-Nov-2006 14:22

Go back there and read my comment. The whole system is unsafe by definition. To send a payment you only need your mobile phone, when I'd expect at least a two form factor authentication system: the mobile MSISDN and a PIN.

I can't believe this thing is out in the open...









juha
1317 posts

Uber Geek

Trusted

  #53846 27-Nov-2006 17:26

MSISDN?




juha
1317 posts

Uber Geek

Trusted

  #53847 27-Nov-2006 17:28
freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#53848 27-Nov-2006 18:03






alasta
6703 posts

Uber Geek

Trusted
Subscriber

#53857 27-Nov-2006 18:47

freitasm: Go back there and read my comment. The whole system is unsafe by definition. To send a payment you only need your mobile phone, when I'd expect at least a two form factor authentication system: the mobile MSISDN and a PIN.


But is having someone snatch your phone really any different to having someone snatch your conventional wallet? Like a conventional wallet, Pago appears to limit your potential losses to the amount of 'virtual cash' that you happen to be carrying. The only difference that I can see is that if someone accesses your Pago account fraudulently then you at least have some chance of tracking them down, whereas if someone steals your cash then it's gone for good.

 
 
 

freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#53858 27-Nov-2006 18:57

But with your credit card I'd still need to know your PIN or to forge a signature. With pago, I only need your mobile phone to transfer money out of your account.

The card and PIN are two security factors (something you know and something you have). The phone is just one (something you have). Like a key.









alasta
6703 posts

Uber Geek

Trusted
Subscriber

  #53865 27-Nov-2006 19:45

freitasm: But with your credit card I'd still need to know your PIN or to forge a signature. With pago, I only need your mobile phone to transfer money out of your account.


Are you sure that Pago allows you direct access to funds in a bank account or on a credit card? My interpretation of what's on their web site is that you have to use a conventional direct credit payment to transfer funds from your bank account to your Pago account. Therefore if someone else gains access to your Pago account, then your potential loss is limited to the balance of the Pago account.

In other words, it's analogous to you withdrawing cash from an ATM. If your cash gets stolen then you've lost it, but being in possession of the cash doesn't give the thief access to your bank account to get more cash.

freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #53866 27-Nov-2006 19:47

The funds are transferred by the owner, there's no automatic transfer. Payments are limited to $200/day.

This doesn't change the fact that a single authentication factor is used in the service, and that makes it unsecure for monetary transactions.







tonyhughes
Hawkes Bay
8476 posts

Uber Geek

Retired Mod
Trusted
Lifetime subscriber

  #53869 27-Nov-2006 19:50

to some people, $200 is more than they would ever have in their bank....

the amount is irrelevant. it's insecure, it's exploitable/hackable, it's single factor authentication, and their system is laughable from a security point of view.

I am no security specialist, and I found a working exploit for it within 15 mins of knowing the service existed.

How much did they pay to set this up, and where is my cut?







alasta
6703 posts

Uber Geek

Trusted
Subscriber

#53875 27-Nov-2006 20:14

I'm still not sure that I understand how this is any less safe than carrying cash. You wouldn't want to put more than $50-$100 into your Pago account for the same reason that you wouldn't want to carry more than that amount with you in cash, but I think that this service is targeted towards small dollar value transactions.

Still, whilst I see nothing wrong with the concept, I'm alarmed at how easily Tony was able to exploit their system and I won't be using the service in the immediate future for that reason alone.

freitasm
BDFL - Memuneh
79253 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#53880 27-Nov-2006 20:46

That's a good point. But the $200 is a daily limit. You could have a few dollars more in your account, if you are a Trade Me merchant for example. And someone could send a transaction every day for a few days until you remember to block the pago service...







tonyhughes
Hawkes Bay
8476 posts

Uber Geek

Retired Mod
Trusted
Lifetime subscriber

  #53888 27-Nov-2006 21:31

if you carry cash, i must physically steal the cash to get it.

with pago, you can sit locked in a bank vault, and i can sit on the beach and still steal your pago cash without interacting with you, or even being in the same island in this silly little banana republic.

Cash is way safer than pago







paradoxsm
3000 posts

Uber Geek

Trusted

  #53895 27-Nov-2006 22:20

Hideous system... What a FLOP. Having to "transfer" my money to a "wallet" from my internet banking is just SO complicated!

They should just offer this to ASB customers as a directlink service which creates a "parcel code" to the recipient's mobile where they have say 14 days to "cash" the payment... this current platform is just GROSS!

A prime example of some overhyped, one-size-fits-all, typical of ASB.
