Geekzone: technology news, blogs, forums
davidcole
6034 posts

Uber Geek

Trusted

  #671829 13-Aug-2012 14:10

sleemanj:
davidcole:
OFX already handles all of this.  In NZ only ASB (I think) implement it, and then it's only for statement export.  But in reality, OFX (Open Financial Exchange) covers payments, exports, everything between apps and banks.

http://www.ofx.net/DownloadPage/Downloads.aspx


You have the wrong end of the stick.

I'm talking about an automated way for customers, people buying things, to be presented a pre-filled-out form, in their ordinary internet banking, to allow them to transfer money to you ("internet banking payment") with a given set of reference, to your specified account.

For example a link "Click Here To Pay With Yourbank Internet Banking" goes to the customer's bank, the customer logs in, and they are presented with their normal type of make-payment form, but already completed with the details they need to provide.

OFX is about downloading transactions from your account, to your application, or indeed in some cases feeding the other direction.  It's not about a customer initiating a payment.



No actually it is: http://www.ofx.net/AboutOFX/ServicesSupported.aspx

From Link:
Intrabank Funds Transfer
OFX supports transferring funds between two accounts at the same financial institution. Funds transfers in OFX can be immediate or scheduled. Scheduled transfers can repeat at specified intervals.
Interbank Funds Transfer
The “interbank funds transfer add request” provides a way for clients to set up a single transfer between accounts at different financial institutions. Like intrabank funds transfers, the request designates source and destination accounts and the amount of the transfer. Also, as in the intrabank funds transfer, the FI must be able to authenticate the source account. However, interbank funds transfers differ from intrabank funds transfers in the following respects:
  • The routing and transit number of the destination account differs from the source account.
  • At the discretion of an FI, the destination account can be subject to pre-notification.
  • Source and destination accounts must be enabled for the Automated Clearing House (ACH).
In all other respects, interbank funds transfers function like intrabank funds transfers. The user can schedule, modify, and cancel them. They can recur at regular intervals.





Like I said, just not done over here.  Used fairly extensively in the States.  If you were an MS Money user from way back you would see all the payment functions in the app that were all turned off because our banks didn't support it.





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 




Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #672825 15-Aug-2012 14:07

Just got an email back from Westpac - according to them, "Technically customers using POLi are breaching their Westpac Terms and Conditions as they are disclosing their online credentials to a third party." That's a direct quote.

They then go on to say that because they're reasonably comfortable with POLi's security, they'll let that slide and won't treat it as a breach, and won't void the zero liability guarantee.

I'm not wholly convinced that I want to rely on a service that requires my bank to let slide a violation of the terms on my account to use.

skiddy
1 post

Wannabe Geek


  #673695 17-Aug-2012 14:17

I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below.

Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html

Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.



davidcole
6034 posts

Uber Geek

Trusted

  #673698 17-Aug-2012 14:20

skiddy: I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below. Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


Hi, thanks for fronting up to explain the POLi side.

How do you respond to the post above, where Westpac say that this service may be breaching their terms and conditions?






Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #673763 17-Aug-2012 17:16

davidcole:

Hi, thanks for fronting up to explain the POLi side.

How do you respond to the post above, where Westpac say that this service may be breaching their terms and conditions?


Westpac didn't say "may".  They said, quite unequivocally, that it does violate their terms and conditions, specifically for the reason that they view it as giving your credentials to a third party.  They choose not to enforce the violation based on their opinion that POLi is trustworthy.  From my perspective, though, I would not trust the system because I do not wish to rely on a forbearance from my bank to prevent the loss of the zero-liability warranty.

Either way, if a merchant told me that it was POLi or credit card, and that credit cards incurred an extra fee, I'd be calling them up demanding they offer a sane option such as direct bank transfer without untrusted third parties having access to my bank account.

skiddy: I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below. Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


I did read through those documents, but unfortunately POLi doesn't actually post the security reports, just an abstract which tells me nothing about what the auditors actually said, only the good bits which POLi decided to highlight.  Actually posting the real security assessment would go a long way toward improving the credibility of the system.

I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.

Oh, and not disclaiming all liability for fraud or system errors might help too.  No way in hell will I use a system which offers me as a customer zero protection against dodgy merchants or errors.

manhinli
2483 posts

Uber Geek

Trusted

  #673828 17-Aug-2012 19:35

skiddy: Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


Wow. When I said...
It might as well be some Greasemonkey-like script running on top.
... I didn't really expect that literally.

But...

Kyanar: I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.


I've had a quick Google to find a demo page for POLi (I remembered they had one at launch, but it seems to have disappeared and been replaced with a walkthrough instead).

I found a demo at http://demo.centricom.com/pmobile/checkout.aspx and started POLi. I realise that they said you should use iBank (the demo bank) but there are other Australian banks there (you may get a list of New Zealand banks if surfing from NZ.)

If you hit Continue you get this (CBA example):


If you look carefully in Web Inspector, the frame is actually pointing to a .paywithpoli.com site and NOT .commbank.com.au as it reports at the top (and with a shoddy looking URL padlock to boot.)

Because the parent frame (at express.apac.paywithpoli.com) has the same root domain as the target frame, this allows any JS in the parent to manipulate the target.

I have not tested it with my or any random details because I am not going to risk it, but it does respond properly to the iframe - e.g. when you submit the form without details, it flashes "Please provide required fields"


Now this is appalling - even if POLi has access through third party means (which by the way should NEVER be allowed in the first place,) it blatantly reports a false URL for the end user (whether you believe it or not.)

Complete breach of trust in my opinion.



I cannot confirm whether this is an actual implementation of POLi as this is a demo site, though it is hosted on Centricom's site and has "Copyright 2012 Centricom Pty Ltd" on the bottom of the demo page, so it seems fresh enough to be believable.




Find me on Twitter!

I posted 1, 2 x 10^3 times!
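manhinli's observation that the parent page and the frame "share the same root domain" rests on the legacy document.domain relaxation, not on the same-origin policy itself, which needs an exact scheme, host and port match. The following is an added example, not code from the thread or from POLi, that models that check for constructed origins; it shows why a frame served from a real bank host could never be relaxed into paywithpoli.com, and that current browsers deprecate document.domain (a site can refuse it with the Origin-Agent-Cluster header).

```javascript
// Added example (not from the thread): models the browser's same-origin check
// for the case described above, where a parent page on express.apac.paywithpoli.com
// scripts a frame on another .paywithpoli.com host. All origins below are
// constructed; the hostnames follow the ones named in the thread.

// Parse "scheme://host[:port]" into its origin tuple (default ports filled in).
function parseOrigin(url) {
  const m = /^([a-z]+):\/\/([^/:]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error(`not an absolute URL: ${url}`);
  const scheme = m[1].toLowerCase();
  const port = m[3] ? Number(m[3]) : (scheme === 'https' ? 443 : 80);
  return { scheme, host: m[2].toLowerCase(), port };
}

// True if `child` equals `parent` or is a subdomain of it (label-wise, not a
// substring test, so "notpaywithpoli.com" does not match "paywithpoli.com").
function isSubdomainOf(child, parent) {
  return child === parent || child.endsWith('.' + parent);
}

// Decide whether script in `parentUrl` may touch the DOM of a frame at `frameUrl`.
// With no document.domain set on either side, access needs an exact origin match.
// Legacy document.domain lets both documents relax to a shared parent domain, but
// both must set it, each may only set a suffix of its own host, and the values
// must agree. Setting it on one side only breaks access even for the same host.
function canScriptFrame(parentUrl, frameUrl, relax = {}) {
  const p = parseOrigin(parentUrl);
  const f = parseOrigin(frameUrl);
  if (p.scheme !== f.scheme || p.port !== f.port) return false;
  if (!relax.parent && !relax.frame) return p.host === f.host;
  if (!relax.parent || !relax.frame) return false;
  if (!isSubdomainOf(p.host, relax.parent)) return false;
  if (!isSubdomainOf(f.host, relax.frame)) return false;
  return relax.parent === relax.frame;
}
```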

manhinli
2483 posts

Uber Geek

Trusted

  #673834 17-Aug-2012 19:50

It appears that NZ banks may result in the standard POLi application frame being used instead.

Try using http://demo.centricom.com/PMobile/Checkout.aspx?country=AU




sleemanj
1490 posts

Uber Geek


  #673835 17-Aug-2012 19:57

manhinli:
If you look carefully in Web Inspector, the frame is actually pointing to a .paywithpoli.com site and NOT .commbank.com.au as it reports at the top (and with a shoddy looking URL padlock to boot.)


Cue Michael Jackson with "Man in the Mirror Middle"!

Edit: Eh, Geekzone doesn't let strike through work (even though it's a button in the editor), you'll have to imagine a line through "Mirror" for hilarious times.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #673969 18-Aug-2012 14:02

manhinli:
Kyanar: I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.


Now this is appalling - even if POLi has access through third party means (which by the way should NEVER be allowed in the first place,) it blatantly reports a false URL for the end user (whether you believe it or not.)


It gets worse.  What I described is exactly how it works.  For example, go to https://anz.apac.paywithpoli.com/personal/ - you'd think that if POLi was actually using some sort of API and just faking up the login page to make it look reputable that this would result in some sort of message saying "No, you can't do that" right?  Wrong.  Apparently, those POLi URLs are really, seriously, actually reverse proxying the bank's websites and fiddling with the HTML on the fly.

This is an absolute abomination, and POLi needs to be shut down RIGHT NOW.  With this, POLi is teaching people that logging into your online banking on a site like http://www.mybank.fraudstersite.com/Logon is perfectly OK.  It is not.  POLi needs to turn the lights off, shut down the servers, and head back to elementary Computer Security 101 classes before they even consider launching this packaged phishing site.

RedJungle
Phil Gale
1108 posts

Uber Geek

Trusted
Red Jungle
Subscriber

  #674056 18-Aug-2012 18:46

It gets worse.  What I described is exactly how it works.  For example, go to https://anz.apac.paywithpoli.com/personal/ - you'd think that if POLi was actually using some sort of API and just faking up the login page to make it look reputable that this would result in some sort of message saying "No, you can't do that" right?  Wrong.  Apparently, those POLi URLs are really, seriously, actually reverse proxying the bank's websites and fiddling with the HTML on the fly.


To be fair to POLi, there really is no common API that you can use with any NZ banks. If there were, 'hacks' like this wouldn't be necessary. While I agree with you that the approach is nasty, I'm also a realist and can see there is absolutely a need to provide a simple solution for automating direct bank-to-bank online payments, and that is just so unlikely to happen if we leave it up to the banks themselves.

I recall a recent project where we asked one of the major banks to help us automate making payments on behalf of a client. We wanted to simply be able to supply them nightly with a list of bank account numbers and an amount to transfer. We ended up getting back a 6 figure quote. It's no wonder POLi exists.

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #674058 18-Aug-2012 18:58

RedJungle: To be fair to POLi, there really is no common API that you can use with any NZ banks. If there were, 'hacks' like this wouldn't be necessary. While I agree with you that the approach is nasty, I'm also a realist and can see there is absolutely a need to provide a simple solution for automating direct bank-to-bank online payments, and that is just so unlikely to happen if we leave it up to the banks themselves.

I recall a recent project where we asked one of the major banks to help us automate making payments on behalf of a client. We wanted to simply be able to supply them nightly with a list of bank account numbers and an amount to transfer. We ended up getting back a 6 figure quote. It's no wonder POLi exists.


While I agree that there is no solution, and that one does really need to exist, POLi is not the answer.  In fact, I dare say their solution is worse than having no solution at all.  If I were to encounter POLi in the wild, I would assume it is a phishing site and report it to my bank.  It's that bad, and to be honest I cannot in good conscience be fair to them for implementing what they have - they are basically saying it's OK to enter your banking credentials on random sites just because they have a picture of your bank's address and a padlock.  Which is why I am insistent that their solution needs to be shut down.

RmACK
196 posts

Master Geek


  #674185 19-Aug-2012 11:17

From https://airnz.custhelp.com/app/answers/detail/a_id/2415/related/1 "When you pay with internet banking (POLi) the transaction is completed within the security of your bank’s online banking service and at no time are your personal banking details disclosed to Air New Zealand or POLi."  Is the bit about your banking details not being disclosed to Air NZ the only bit of truth in that statement? Surprised

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #674228 19-Aug-2012 13:36

RmACK: From https://airnz.custhelp.com/app/answers/detail/a_id/2415/related/1 "When you pay with internet banking (POLi) the transaction is completed within the security of your bank’s online banking service and at no time are your personal banking details disclosed to Air New Zealand or POLi."  Is the bit about your banking details not being disclosed to Air NZ the only bit of truth in that statement? Surprised


Yes.  In the old system, you use a custom browser made by POLi which does have access to your banking details, although the likelihood of it disclosing them to POLi is low, because it's a closed source application it is within the realm of possibility (again, unlikely though).  In the new system, you don't go anywhere near your bank's online banking - the POLi system downloads copies of your online banking pages, hacks and chops them to suit its needs, and sends them to you pretending to represent your bank.  Basically, POLi phishes you.

manhinli
2483 posts

Uber Geek

Trusted

  #674231 19-Aug-2012 13:40

I've been playing with it for a little while and found:
  • that yes, the proxy does indeed modify the page, such as to replace root links to point within .apac.paywithpoli.com. But it did screw up on at least one occasion (on right). Someone needs to learn their Regex, but then again who knows what could go wrong if the banks change their pages?
  • access to the proxy is limited by the use of a cookie, such as "Westpac_AU_Token", which is set when you use POLi. The value also happens to be the token that appears in the URL.
    Now that's not problematic, except I've been able to continue surfing the proxy (for nearly two days now) merely by holding onto the cookie. I can also surf other bank proxy subdomains by copying the token into other cookies too!
    Now I accept that it would not usually happen, but if the token is intended for an hour (the time set for the cookie originally) then the token itself should expire! Hopefully they don't keep sessions open like that.
  • the script has left me a little iffy about the people behind POLi Express (this version of POLi) - GetSequence() increments an integer representing the number of 'steps' taken within POLi, which is stored in the value of an input type="hidden". Yet it uses eval(n) instead of a safer alternative like parseInt(n,10) - there are use cases for eval(), but this is not one of them. Better yet, why not have it as part of a variable/object instead of going back and forth through the DOM? I don't know.






richms
28172 posts

Uber Geek

Trusted
Lifetime subscriber

  #674233 19-Aug-2012 13:46

I really would be happy if the banks would outright put a stop to this and warn any of their customers that are using or thinking of using poli to accept payments.

To put a man in the middle and claim it as safe is totally absurd. Although if you can surf thru the poli proxy that would make it viable as an anonymizer service. I wonder what idiot there left that open? Goes to show that they clearly have no clue with security and for something that bad to be deployed it makes me have real concerns about their previous closed source version, since you would assume that things would get better - so the old version must be terrible.




Richard rich.ms
