Geekzone: technology news, blogs, forums
ajobbins  #735064 19-Dec-2012 16:58

Perhaps they are proxying the sites and modifying the code in the process to allow them to do what they need to do.

I think they call that a man-in-the-middle attack...?

In any case, what they are doing is at best dodgy/irresponsible and at worst illegal.

sbiddle  #735065 19-Dec-2012 17:01

BlakJak:

You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.


In 10 years maybe - you forget that banks typically run on mainframes, not modern real-time banking platforms. The move to multiple payments per day requires massive resources and is still a batch-based system. Real-time payments between all banks won't occur for many, many years.

ajobbins  #735067 19-Dec-2012 17:02


sbiddle  #735069 19-Dec-2012 17:03

I'd love to see all the big banks put big "POLi is dodgy" warning messages on their internet banking login pages and see if POLi strips them!

echoflight  #735079 19-Dec-2012 17:04

ajobbins: Looking at the source code of the real westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">


Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and making changes like that which don't affect the layout but clearly show the source is different.


If you inspect those images and "open in a new tab/window", you will see that they are hosted on the POLi website, not Westpac. This is the same for their mimic of the ANZ site and Kiwibank (these are the only other ones I've tried; I'm sure they are all the same though).

Rubicon  #735081 19-Dec-2012 17:08

I've just tested this with ANZ, going as far as the login page.  It's definitely a man-in-the-middle set-up:
*) The bank iframe is sourced from https://nz00400.apax.paywithpoli.com/IBCS/pgLogin, instead of secure.anz.co.nz
*) The only connections my browser establishes go to 202.175.175.210, which belongs to Bluecentral Pty Ltd Hosting and Colocation Services in Melbourne, and is in no way associated with ANZ.
*) Most importantly, the only client side SSL handshakes use a certificate for *.apac.paywithpoli.com.  There is no handshake using a certificate for *.anz.co.nz, so the padlock in the iframe is misleading.  In other words, there is no end-to-end security between my browser and ANZ's servers.

Any NZ bank should be taking the same stance that ASB has - issue security warnings and cease-and-desist demands. In the interim, they should block any access from IP ranges used by POLi.
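The three checks above (where the frame is sourced from, which host every asset on the page resolves to, and whose name is on the certificate) can be done mechanically. The script below is an added example written for this thread, not code from POLi or any bank. It resolves every src/action reference on a page against the URL the page was really fetched from (what echoflight did by hand with "open in a new tab"), and matches a certificate's SAN names against a hostname the way a browser does (what Rubicon observed in the handshake). The POLi URL and the Westpac logo tag are the ones quoted in the thread; the surrounding sample page, the bank domain "westpac.co.nz" and the SAN list are constructed for the example.

```javascript
// Added example: audit which origin really serves a "bank" login page.
// Not POLi's or any bank's code; sample inputs are constructed.

// Which attribute carries the reference for each tag we care about.
const REF_TAGS = { iframe: "src", img: "src", script: "src", form: "action", link: "href" };

// Pull (tag, reference) pairs out of HTML. A regex is enough for an audit
// of a login page; use a real parser for arbitrary markup.
function collectRefs(html) {
  const refs = [];
  const tagRe = /<(iframe|img|script|form|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrRe = new RegExp(`\\b${REF_TAGS[tag]}\\s*=\\s*["']([^"']*)["']`, "i");
    const a = attrRe.exec(m[2]);
    if (a && a[1]) refs.push({ tag, ref: a[1] });
  }
  return refs;
}

// True when host is the bank's domain or a subdomain of it.
function isBankHost(host, bankDomain) {
  return host === bankDomain || host.endsWith("." + bankDomain);
}

// Resolve each reference against the URL the browser actually loaded the
// page from: a relative "images/westpac-logo.png" lands on whoever served
// the page, which is the whole point of the "open in new tab" check.
function auditPage(pageUrl, html, bankDomain) {
  return collectRefs(html).map(({ tag, ref }) => {
    const url = new URL(ref, pageUrl);
    return { tag, url: url.href, host: url.hostname, bankOrigin: isBankHost(url.hostname, bankDomain) };
  });
}

// RFC 6125-style name matching: a wildcard covers exactly one leftmost
// label, and "*.com"-style patterns are never accepted. Case-insensitive,
// trailing dot ignored.
function certMatchesHost(sanDnsNames, hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return sanDnsNames.some((name) => {
    const labels = name.toLowerCase().split(".");
    if (labels.length !== host.length) return false;
    if (labels[0] === "*") {
      return labels.length >= 3 && labels.slice(1).join(".") === host.slice(1).join(".");
    }
    return labels.join(".") === host.join(".");
  });
}

// Constructed sample: the proxied login page as served from the POLi URL
// quoted in the thread, carrying the logo tag quoted there plus a form and
// a script reference added for illustration.
const PAGE_URL = "https://nz00400.apax.paywithpoli.com/IBCS/pgLogin";
const SAMPLE_HTML = `
<form action="pgLogin" method="post">
<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">
<script src="/IBCS/js/login.js"></script>
</form>`;

// Bank domain is an assumption for this example.
function demo() {
  const findings = auditPage(PAGE_URL, SAMPLE_HTML, "westpac.co.nz");
  // The only certificate seen in the handshake, per the thread.
  const proxyCert = ["*.apac.paywithpoli.com"];
  return {
    findings,
    certCoversProxyHost: certMatchesHost(proxyCert, "nz00400.apac.paywithpoli.com"),
    certCoversBankHost: certMatchesHost(proxyCert, "secure.anz.co.nz"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Every reference on the sample page resolves to the POLi host and none to the bank, and the only certificate in play names the proxy, not the bank: exactly the two facts that make the padlock in the iframe misleading. Run against a page you saved from the merchant's checkout, the same script tells you which host your credentials are posted to.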

mattwnz  #735084 19-Dec-2012 17:28

I see ASB have now updated their website and it is now using an older version. 

Interesting to see that banks say using these third-party services is breaching the internet banking T&Cs. I guess this means that if you use this type of system and you lose money from the account for any reason, then you may not be covered for that loss. That is a real concern to everyone who uses online banking.

ajobbins  #735086 19-Dec-2012 17:30

POLi addresses some of ASB's points. So they are admitting a man-in-the-middle approach. I can't believe they think this is OK.

ASB: POLi captures customer information
POLi: At no point does POLi capture or store customer information

ASB: POLi is spoofing/mirroring the ASB website
POLi: POLi is providing a pass-through service whereby the bank sites are accessed via our secure servers.

ASB: ASB is unable to audit the security of POLi
POLi: Incorrect. POLi is and has always been open to any bank reviewing the security of its software.

http://www.polipayments.com/assets/docs/POLiAnnouncment19-12-12v1.0.pdf


manhinli  #735087 19-Dec-2012 17:30

Just to state this again: POLi Express isn't fully "spoofing" bank websites but providing a reverse proxy with some modifications, e.g. to links and images, so that they fall within the same domain, which is why you see some differences.

They don't appear to host content, but provide a method to access content through their own domain (so as to stay within cross-domain security rules). So they are correct when they say:
POLi is providing a pass-through service whereby the bank sites are accessed via our secure servers


It's also why POLi can be easily broken - if banks change their pages, their automation processes coded into the JS will break. You can see then that they have put in 'validation' in their scripts to ensure that they only operate on known versions of bank websites, otherwise an error message is thrown.
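The flip side of the proxy model is that the bank's own login page, scripts included, is what the proxy serves to the customer, so the page can at least notice where it is running. The script below is an added example written for this thread, not ANZ's, ASB's or POLi's code. It checks the hostname the page is actually served from, that it arrived over HTTPS, and whether it has been framed by another document (the POLi window), and swaps the login form for a warning when any of those is off. The login host "secure.anz.co.nz" is an assumption for the example; the browser hook at the end is what a bank would ship, and the decision logic is kept in a plain function so it can be exercised outside a browser. The caveat is the one sbiddle raises above about warning banners: a rewriting proxy serves this script too and can edit the expected hostname or drop the script, so treat it as an early-warning signal, not a control.

```javascript
// Added example: a login-page self-check against being served through a
// rewriting proxy. Not any bank's or POLi's code. EXPECTED_HOST is assumed.

const EXPECTED_HOST = "secure.anz.co.nz"; // assumed bank login host

// Decide whether the page is running where the bank serves it from.
// Pure function: takes the three signals, returns a verdict with reasons.
function originVerdict({ hostname, protocol, framed }) {
  const reasons = [];
  const host = (hostname || "").toLowerCase().replace(/\.$/, "");
  if (host !== EXPECTED_HOST) {
    reasons.push(`page served from "${host}" instead of "${EXPECTED_HOST}"`);
  }
  if (protocol !== "https:") {
    reasons.push(`page loaded over ${protocol} rather than https:`);
  }
  if (framed) {
    reasons.push("login page is embedded in another document");
  }
  return { ok: reasons.length === 0, reasons };
}

// Replace the login form with a warning so nothing can be typed into it.
// Returns the text shown, or null when there was no form to replace.
function renderWarning(doc, reasons) {
  const form = doc.querySelector("form");
  if (!form) return null;
  const notice = doc.createElement("p");
  notice.textContent = "This page is not being served by the bank: " + reasons.join("; ");
  form.replaceWith(notice);
  return notice.textContent;
}

// Run the check against a window-like object (the real window in a browser).
function runSelfCheck(win) {
  const verdict = originVerdict({
    hostname: win.location.hostname,
    protocol: win.location.protocol,
    // Comparing top to self is permitted even when top is cross-origin;
    // reading top.location would not be.
    framed: win.top !== win.self,
  });
  verdict.shown = verdict.ok ? null : renderWarning(win.document, verdict.reasons);
  return verdict;
}

// Browser hook: only runs when loaded in a page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  runSelfCheck(window);
}
```

Served straight from the bank the verdict is clean and the form stays; served through the proxy's hostname inside the merchant's frame it fails on two counts and the form is gone before the customer can type. Because the proxy can rewrite the script, pair it with a server-side measure that it cannot touch, such as the IP-range blocking suggested earlier in the thread.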


Kyanar  #735121 19-Dec-2012 19:05

TSB is "looking into it": https://twitter.com/tsbbank/status/281151556680814593

But since they actually have a real agreement with POLi, they probably will declare it OK.


sbiddle  #735135 19-Dec-2012 19:38

ANZ now have a warning on their internet banking login page. Ironically this now shows within the POLi window, and they have left this link working, despite disabling all other hyperlinks on the webpage.

Blocking access to the ANZ site in my firewall leaves POLi fully functioning, so nothing is being retried or submitted directly to ANZ, it's all going via POLi.


AKLWestie  #735149 19-Dec-2012 20:26

I often still have to wait overnight for payments between banks, even when I make the payment early morning.  I guess some banks are not participating?


I think all the banks need to participate. However, that five-times-a-day transfer refers to the number of transfers between banks; it is up to the recipient's bank to determine when to post/credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.

sidefx  #735153 19-Dec-2012 20:35

AKLWestie:
I think all the banks need to participate. However, that five-times-a-day transfer refers to the number of transfers between banks; it is up to the recipient's bank to determine when to post/credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.


So surely if I make a payment from my Kiwibank account to an ASB account, that would show up within the hour (or at least two hours?) in theory?


richms  #735154 19-Dec-2012 20:36

Yup, but also payments from other banks should as well.