Geekzone: technology news, blogs, forums
sidefx
3775 posts

Uber Geek
+1 received by user: 1295

Trusted

  #735157 19-Dec-2012 20:44

(Sorry to stray a bit off topic, but I think this is sort of relevant since more frequent clearance should mean less need for something like poli at all)

So what you're saying is any payments to my kiwibank (or an ASB account) should show up pretty quick (within at most 4 hours if I'm reading that stuff article right) regardless of what bank they originate from? If so, nice! I hadn't realised this.





"I was born not knowing and have had only a little time to change that here and there." - Richard Feynman




AKLWestie
650 posts

Ultimate Geek
+1 received by user: 115

Trusted
Lifetime subscriber

  #735159 19-Dec-2012 20:47

sidefx:
AKLWestie:
I think all the banks need to participate.  However, that 5 times a day transfer means the number of transfers between banks, it is up to the recipient's bank to determine when to post / credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.


So surely if I make a payment from my kiwibank account to an ASB account, that would show up within the hour (or at least 2 hours?) in theory?


Yes, I tried it personally.  I think if you transfer between ASB and Kiwibank between 7am and 11pm (roughly), it should show up within 1 to 2 hours.

I remember using my ASB account to pay someone having a Kiwibank account for a trademe transaction.  He got the money within a few hours and sent me the parcel right away.

Kyanar
4089 posts

Uber Geek
+1 received by user: 1684

ID Verified
Trusted

  #735163 19-Dec-2012 20:55

sidefx: (Sorry to stray a bit off topic, but I think this is sort of relevant since more frequent clearance should mean less need for something like poli at all)

So what you're saying is any payments to my kiwibank (or an ASB account) should show up pretty quick (within at most 4 hours if I'm reading that stuff article right) regardless of what bank they originate from? If so, nice! I hadn't realised this.



No.  Westpac, TSB and ANZ still only process outbound transactions once a day at 10pm.



richms
29104 posts

Uber Geek
+1 received by user: 10222

Trusted
Lifetime subscriber

  #735194 19-Dec-2012 21:47

Well from BNZ pay arrives into my ASB and did into the former bank direct account by 5 pm most days. Sometimes it was delayed till 8pmish.




Richard rich.ms

coffeebaron
6304 posts

Uber Geek
+1 received by user: 3567

Trusted
Lifetime subscriber

  #735216 19-Dec-2012 22:32

Regardless of how secure or not Poli is, there is no way I will use it. It also flies in the face of banks warning their customers, only ever log in to your Internet banking by typing in the bank website address directly, don't click on links to get to it.
So even if it is all secure and bank approved, the way it is done is just bad.

A smarter way would be some real time code generation and bank integration, i.e.:
-Buy something
-Pay by Poli
-Here is your code nkcds7cyscbs7s
-Go to your bank website
-Log in
-Click on the Pay by Poli link
-Enter the code
-Payment details all entered etc
-Bank fires a "paid" or "declined" message back to Poli




Rural IT and Broadband support.

 

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71 
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com
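
The code-based flow proposed in the post above, sketched as an added example; it is not from the thread, POLi or any bank. `Gateway`, `bank_pay`, the HMAC-signed callback, the shared key and the 10-minute expiry are assumptions of this sketch; the point it shows is that the customer's banking login only ever reaches the bank.

```python
import hmac
import secrets
import time

CALLBACK_KEY = b"constructed-demo-key"  # constructed; shared by bank and gateway
CODE_TTL = 600  # seconds a payment code stays valid (assumed value)


def sign_result(code, amount, result):
    """MAC the bank attaches to its "paid" / "declined" message."""
    msg = f"{code}|{amount}|{result}".encode()
    return hmac.new(CALLBACK_KEY, msg, "sha256").hexdigest()


class Gateway:
    """Hypothetical gateway: issues codes, never sees banking credentials."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.orders = {}  # code -> amount, expiry, status

    def issue_code(self, amount):
        code = secrets.token_urlsafe(10)
        self.orders[code] = {"amount": amount, "status": "pending",
                             "expires": self.clock() + CODE_TTL}
        return code

    def lookup(self, code):  # bank-to-gateway call; pending, unexpired orders only
        order = self.orders.get(code)
        live = order and order["status"] == "pending" and self.clock() <= order["expires"]
        return order if live else None

    def receive_result(self, code, result, tag):
        """Accept the bank's message once, and only if its MAC verifies."""
        order = self.lookup(code)
        if order is None or not hmac.compare_digest(
                sign_result(code, order["amount"], result), tag):
            return False
        order["status"] = result
        return True


def bank_pay(gateway, code, balance):
    """Runs inside the customer's own logged-in bank session."""
    order = gateway.lookup(code)
    if order is None:
        return None  # unknown, expired or already used code
    result = "paid" if balance >= order["amount"] else "declined"
    gateway.receive_result(code, result, sign_result(code, order["amount"], result))
    return result
```
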


Nil Einne
469 posts

Ultimate Geek
+1 received by user: 35


  #735239 20-Dec-2012 04:40

Skolink:
coffeebaron: Looks like ASB aren't keen on this
https://www.asb.co.nz/story24389.aspx


Just saw that too! I wonder why I got such a generic response from ASB when I asked about handing over my details to PoLi, way back in August.


Probably the person who replied to you didn't really understand well enough why this was a bad thing and didn't raise it higher. (Or perhaps they did, but only in a 'look into this' manner rather than a 'this customer needs help' manner so it took this long for it to be given proper consideration.) This isn't that surprising, actually I would suggest it's somewhat to be expected.

Interestingly enough, from http://www.itnews.com.au/News/326827,banks-concerned-over-poli-security.aspx ANZ, BNZ and Kiwibank have also issued warnings.

While I can't find a press release http://www.westpac.co.nz/who-we-are/newsroom/media-releases-2012/ , Westpac is now warning people on Twitter https://twitter.com/WestpacNZ not to enter credentials on any non official site, despite some in August being told using Poli violated the T&C but they'll let it slide....

When I first read this on ASB and looked into it, I was surprised it took so long; this entire thread confirms plenty of people noticed this a long time ago. You have to wonder how it took so long for it to rise to the necessary level at the banks or for them to do something. Maybe they all decided to turn a blind eye to avoid annoying customers but once ASB brought it to the fore, they realised they couldn't be seen to be publicly endorsing something like that given the mixed message and risk it may pose if people start to think entering their details into other websites is something the banks allow.

Edit: Interestingly enough, reading further bank is another one who told a customer it was okay even if they were violating ANZ's T&C, because they evidently had a relationship with Poli. As per earlier and https://comms.anz.co.nz/betterinternetbanking/article/detail.html?id=15009 , it seems this has changed their minds although like Westpac they don't single out Poli. Interestingly enough, they also warn against using account aggregation services despite, as per previous discussions, evidently having one themselves http://www.anz.com/anz-moneymanager/ . Well technically it's okay to use the ANZ service since even if it's run by someone else ANZ doesn't consider it a third party so basically what they're suggesting is it's okay to violate other banks' T&C, just don't violate ours ;-)

 
 
 

ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #735329 20-Dec-2012 10:16

Be interesting to see if POLi makes another press release today after slamming ASB yesterday, before all the other banks joined the chorus




Twitter: ajobbins


echoflight
8 posts

Wannabe Geek


  #735395 20-Dec-2012 11:49

An email from Air New Zealand. My question included a link to ASB's security warning. I simply asked what their position is.

Thank you for your email regarding our POLi payment facility.

Air New Zealand has been offering POLi as a form of payment for more than four years with no security issues. Maintaining the privacy and protecting the security of our customers’ banking details is paramount and we would not tolerate a situation where these were put at risk. We remain fully confident in the integrity of each form of payment we accept. Your bank details are not stored or kept by the providers of POLi.


Kind Regards

Kyanar
4089 posts

Uber Geek
+1 received by user: 1684

ID Verified
Trusted

  #735408 20-Dec-2012 11:58

echoflight: An email from Air New Zealand. My question included a link to ASB's security warning. I simply asked what their position is.

Thank you for your email regarding our POLi payment facility.

Air New Zealand has been offering POLi as a form of payment for more than four years with no security issues. Maintaining the privacy and protecting the security of our customers’ banking details is paramount and we would not tolerate a situation where these were put at risk. We remain fully confident in the integrity of each form of payment we accept. Your bank details are not stored or kept by the providers of POLi.


Kind Regards


Their statement is actually a lie too.  POLi specifically said that they may keep your bank account number when you use their service (see the terms and conditions).

ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #735448 20-Dec-2012 12:35

Kyanar: Their statement is actually a lie too.  POLi specifically said that they may keep your bank account number when you use their service (see the terms and conditions).


It's probably not so much a lie, but more a show of ignorance. I'm sure POLi gave them a nice sales pitch about how secure the system is, and the retailers (Not being IT, Security or payments experts) probably don't know any better.

The simple matter is that no matter what POLi say, they MUST in fact store your banking username or password details at some point, if even only momentarily as they pass through their reverse proxy to the bank's website. Even if the software was 'audited' by the banks, there is nothing to stop POLi (or someone else with malicious intentions) changing something on the system to then start storing or sending the login details that have been passed through the proxy.

The banks should be pushing to stop POLi doing this immediately. If nothing else, it sends a bad message to consumers that it is OK to use your banking login details on a website other than your bank's official site.

They are also faking the SSL information. If you click on their little padlock next to their bank URL box, you get a nice HTML pop up window that resembles the browser's own dialogue box with the SSL info, but it's just an HTML page they have created. This again is poor practice as it sends a message that it is OK to believe SSL info in a pop up window, and not officially from the browser.

The whole approach POLi uses is bad. It sends the wrong messages about online payment security and the banks should get it killed. There is clearly a market here for this, but POLi needs to work with the banks to come up with a more secure approach, perhaps using a secure payment gateway.

POLi is nothing more than a 'best intentions' man in the middle attack.

A few other news articles are popping up now too:
http://www.scmagazine.com.au/News/326952,banks-concerned-over-poli-security.aspx
http://www.zdnet.com/au/nz-bank-claims-payment-processor-is-siphoning-user-details-7000008995/
http://www.stuff.co.nz/business/money/8101389/Banks-bristle-over-web-go-between





Twitter: ajobbins


echoflight
8 posts

Wannabe Geek


  #735470 20-Dec-2012 13:15

I responded to the Air New Zealand email simply by supplying them some additional links, and suggesting that they keep an eye on what is happening.

No doubt that it is as you say, ignorance.

mattwnz
20520 posts

Uber Geek
+1 received by user: 4797


  #735478 20-Dec-2012 13:25

I am just wondering about liability, should someone use a third party system, and then someone suffers a loss from their bank account (possibly even unrelated to the third party system). The banks make it pretty clear from their press releases and terms, that it wouldn't be covered under their terms if you use any third party system. Certainly I wouldn't be happy using a retailer's third party payment system, only to learn that it has invalidated my online banking agreement with my bank.
Would it be the retailer using the system who could be liable? Probably best to use on an account with a very small balance, and just have the account solely for this purpose, just to be 100% safe. Or use a bank that endorses the third party system.

sleemanj
1514 posts

Uber Geek
+1 received by user: 315


  #735655 20-Dec-2012 17:22

Somebody should submit this to slashdot, don't have the energy to write it up myself, but it's a story that would probably get quite some interest there.

Or the DailyWTF, whichever ;-)




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


freitasm
BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41071

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #735657 20-Dec-2012 17:24

BNZ now has an alert:








ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #735659 20-Dec-2012 17:30

mattwnz: I am just wondering about liability, should someone use a third party system, and then someone suffers a loss from their bank account (possibly even unrelated to the third party system). The banks make it pretty clear from their press releases and terms, that it wouldn't be covered under their terms if you use any third party system. Certainly I wouldn't be happy using a retailer's third party payment system, only to learn that it has invalidated my online banking agreement with my bank.
Would it be the retailer using the system who could be liable? Probably best to use on an account with a very small balance, and just have the account solely for this purpose, just to be 100% safe. Or use a bank that endorses the third party system.


POLi's terms and conditions state they aren't liable for any losses as a result of using the system, so you would be pretty much on your own. Unless your bank or POLi decided to cover it in good faith, you would probably have to fight one of them in court for it.




Twitter: ajobbins

