Geekzone: technology news, blogs, forums
ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734893 19-Dec-2012 12:23

I don't think Air NZ has moved to the 'new' version of POLi yet which is spoofing the websites. The old version actually opens the real website using software to control what you can do while on there, and is able to validate the payment went through. Also dodgy




Twitter: ajobbins




richms
29104 posts

Uber Geek
+1 received by user: 10222

Trusted
Lifetime subscriber

  #734896 19-Dec-2012 12:34

Always wondered how well the old POLi would work if access to the site was redirected to one of your own that always said payments were successful.




Richard rich.ms

manhinli
2483 posts

Uber Geek
+1 received by user: 4

Trusted

  #734907 19-Dec-2012 13:01

Well done ASB for at least publicly commenting on POLi.

It's probably taken this long because POLi only just recently started doing the reverse proxying of New Zealand bank websites and previous methods weren't so 'dangerous' so to speak (the act of providing credentials through 3rd party tools is another matter.)

Still this doesn't excuse banks because they all provide advice about potentially fraudulent services. Without actually acting on it, they allow violations of their own Terms of Service and in many cases leaving customers without the ability for recourse should something happen. Many of these banks have good monitoring (I've had to change my CommBank debit card because they picked up 'unusual attempts' at my account) but prevention is always better than the cure.

I'm still surprised nothing has really happened over the Tasman, or from ASB's parent, the Commonwealth Bank.


Don't forget POLi's Terms and Conditions say that use of their services is never guaranteed and absolves them of any liability. I suppose everyone has these sorts of legalese hidden somewhere but you have to wonder how that works when you're dealing with sensitive data. It also doesn't appear to be updated to cover the newer reverse proxy form of POLi.

Judging by the list of media releases on its site (bottom), it appears merchants opt into the new system. Whether they knowingly do so is for them to know, but you could say that they, by extension, support or approve of the POLi Express payment option, which is basically now a form of legitimised phishing. I remembered that Air New Zealand tweeted that they are moving to a newer POLi soon, which most probably is the newer reverse proxy version: 

You could say there is some conspiracy going on (slugging relatively large CC surcharges to make people use a cheaper option) but many merchants wouldn't be large clients like Air New Zealand, and would really jump at the opportunity to use it.




Find me on Twitter!

I posted 1, 2 x 10^3 times!



mattwnz
20520 posts

Uber Geek
+1 received by user: 4797


  #734908 19-Dec-2012 13:03

freitasm: Basically what this does is give the common user on the street the idea that it is fine giving your bank login details to any third party - and this is never ok.


When I used the one on the AirNZ site, it does send you to log into your actual banks online banking website, so you supposedly aren't giving your details to any third party.

sleemanj
1514 posts

Uber Geek
+1 received by user: 315


  #734910 19-Dec-2012 13:16

mattwnz: 
When I used the one on the AirNZ site, it does send you to log into your actual bank's online banking website, so you supposedly aren't giving your details to any third party.


Unless AirNZ is doing something different, that's exactly what they WANT you to think, but it's not the case, as ASB is pointing out (and we all pointed out here a long time back).  

POLi is proxying your connection to the bank, everything you do (including log in) in that POLi driven payment session is being passed through the POLi system, where they watch it and do certain actions for you.  It's a man-in-the-middle system.

Edit to add: See Manhinli's posts on page 3 of this thread for more.




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734911 19-Dec-2012 13:17

Also they have two 'independent security reports'

"Our software has been reviewed by Secure Assessments and Verisign"

http://www.polipayments.com/consumer

These reports were done back in 2008, so clearly do not cover the 'new' POLi version. But of course they don't say that.




Twitter: ajobbins


ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734912 19-Dec-2012 13:19

As POLi is also free to users, it clearly is not free for the merchant to use.

I suspect people who pay a set fee for using a credit card (like with Air NZ) are effectively subsidising the users of this sham system.




Twitter: ajobbins


echoflight
8 posts

Wannabe Geek


  #734926 19-Dec-2012 13:53

I am not here to say whether POLi is a trustworthy service or not, I am simply going to share what I have found after going through their payment process as it exists on The Warehouse's online store.

Visual description:
http://cp.dreamhosters.com/poli_full_description.png

When you arrive at the POLi checkout page you are asked to select your bank, you do so, and continue. You are then taken to a page which looks like your bank's login page with the POLi header. This page includes a secondary "Address Bar" with a link to your secure banking website, however this is not the page you are currently viewing. The page you are viewing is "express.apac.paywithpoli.com/...", which you can see in your browser's Address Bar.

You are meant to believe that the page you are seeing is an iFrame (an include from another website, e.g. your bank's login page), however this is not the case. If you inspect any of the images on that page you can easily see that they are hosted directly on the POLi website, and therefore this cannot be an iFrame of your bank's login page.

Everything you do is running through the POLi system, not your bank. This is why ASB has issued this warning.




Does this mean that they are here to steal all our money and ruin our lives? No. But they are certainly going about providing this honest service in a very dishonest way.
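The check echoflight describes (real address bar versus the decorative one, and where the images actually load from) can be applied mechanically. The script below is an added example for this thread, not POLi's code or anything captured from a real payment page: the HTML and the hostnames (`express.example-proxy.test`, `online.example-bank.test`) are constructed placeholders. It resolves every image, script, iframe and form target to an absolute URL and compares each origin with the bank origin the page claims to be, flagging in particular any form that would send the typed credentials somewhere other than the bank.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: served from a payment proxy's own host but styled
# like a bank login, with a decorative "address bar" that names the bank.
# All hostnames are illustrative placeholders, not real sites.
SAMPLE_PAGE_URL = "https://express.example-proxy.test/pay/12345"
SAMPLE_HTML = """
<html><body>
  <div class="fake-address-bar">https://online.example-bank.test/login</div>
  <img src="/static/bank-logo.png">
  <img src="https://express.example-proxy.test/static/padlock.png">
  <form action="/session/login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
  <script src="https://cdn.example-proxy.test/js/linkblock.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Record where images, scripts, iframes and form targets really resolve to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script", "iframe") and attrs.get("src"):
            self.resources.append((tag, urljoin(self.base_url, attrs["src"])))
        elif tag == "form" and attrs.get("action"):
            self.resources.append((tag, urljoin(self.base_url, attrs["action"])))


def origin(url):
    """scheme://host[:port], lower-cased: what the browser treats as the origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_login_page(page_url, html, claimed_bank_url):
    """Compare the real page origin and every embedded resource against the
    bank origin the page claims to be, and report what does not match."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_origin = origin(page_url)
    bank_origin = origin(claimed_bank_url)

    findings = []
    credential_sinks = []  # form targets outside the bank's origin
    if page_origin != bank_origin:
        findings.append(f"page is served from {page_origin}, not {bank_origin}")
    for tag, url in collector.resources:
        if origin(url) != bank_origin:
            findings.append(f"<{tag}> resolves to {origin(url)}, not the bank")
            if tag == "form":
                credential_sinks.append(url)
    # Embedding the bank's own login in an iframe would be the one legitimate
    # way for a third-party page to let the user type credentials into the bank.
    bank_iframe = any(tag == "iframe" and origin(url) == bank_origin
                      for tag, url in collector.resources)
    return {
        "page_origin": page_origin,
        "claimed_bank_origin": bank_origin,
        "bank_iframe_present": bank_iframe,
        "credential_sinks": credential_sinks,
        "findings": findings,
        "third_party_login": page_origin != bank_origin and not bank_iframe,
    }


if __name__ == "__main__":
    report = audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML,
                              "https://online.example-bank.test/login")
    for line in report["findings"]:
        print("!", line)
    print("credentials would be posted to:", report["credential_sinks"])
    print("third-party login page:", report["third_party_login"])
```

On the constructed sample every resource, including the login form's target, resolves to the proxy's hosts, so the page is reported as a third-party login; a page served from the bank's own origin whose resources also resolve there produces no findings.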

ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734929 19-Dec-2012 13:58

Wow, that is actually worse than I imagined.




Twitter: ajobbins


mattwnz
20520 posts

Uber Geek
+1 received by user: 4797


  #734930 19-Dec-2012 13:59

sleemanj: 
Unless AirNZ is doing something different, that's exactly what they WANT you to think, but it's not the case, as ASB is pointing out (and we all pointed out here a long time back).  

POLi is proxying your connection to the bank, everything you do (including log in) in that POLi driven payment session is being passed through the POLi system, where they watch it and do certain actions for you.  It's a man-in-the-middle system.

Edit to add: See Manhinli's posts on page 3 of this thread for more.


That seems to differ from Air NZ's own website's help page, where it says you are logging into your bank's login page.


Is internet banking (POLi) secure?

Answer:
The POLi web browser (which is used to navigate to your internet banking facility), utilises some of the most advanced internet security features available. During the course of your payment, Air New Zealand and POLi never have access to your internet banking identifier or password - these are entered by you directly into your internet banking login page. The rest of the process takes place using the standard security of your internet banking facility.

https://airnz.custhelp.com/app/answers/detail/a_id/2419/session/L3NpZC9tb0V2ZzVlbA%3D%3D

ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734932 19-Dec-2012 14:03

mattwnz:
That seems to differ from Air NZ's own website's help page, where it says you are actually logging into your bank's login page.


Yep, that's how the old version worked. Air NZ hasn't moved over to the new system yet. But may have been none the wiser anyway.




Twitter: ajobbins


ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #734938 19-Dec-2012 14:11

Just had a look myself. They seem to have gone to a LOT of effort to masquerade as the banks site, including using the JavaScript 'blocking' of 'unimportant' links.




Twitter: ajobbins


RedJungle
Phil Gale
1108 posts

Uber Geek
+1 received by user: 46

Trusted
Red Jungle
Subscriber

  #734939 19-Dec-2012 14:13

POLi released a statement to customers:
----------------------------------------------

POLi Payments NZ - Advisory Notification
Issue Date: 19/12/2012
Summary: Merco response to ASB security advisory warning to their customers re the POLi Payment Service.
When? Immediate

Details
This notification is to bring to your attention recent actions by ASB Bank that relate to the POLi Payment Service. ASB Bank has issued a security advisory warning to their customers not to use the POLi payment service. You can see this advisory on https://www.asb.co.nz/story24389.aspx

Merco and the POLi software provider Centricom strongly refute the claims and statements made by ASB Bank and will be seeking legal advice among other measures.

Please rest assured that your customers' personal information is secure with POLi. To clarify some concerns raised by ASB directly:

• At no point do we capture the customer usernames or passwords
• ASB has never taken the opportunity to audit the POLi software

The POLi payment Service has been operating in Australasia since 2007 and currently processes millions of transactions per year. To our knowledge no customer has had any of their private information compromised, or suffered a loss of any kind as a result of using the POLi payment service.

As a gesture of good faith to ASB Bank we have reverted to POLi2 for ASB transactions as we seek to engage with ASB Bank management to resolve the issue. Thank you for your continued support of the POLi service and we will advise you of developments as they occur.

Mike Stobbs, CEO Merco Ltd

manhinli
2483 posts

Uber Geek
+1 received by user: 4

Trusted

  #734941 19-Dec-2012 14:14

ajobbins: Just had a look myself. They seem to have gone to a LOT of effort to masquerade as the banks site, including using the JavaScript 'blocking' of 'unimportant' links.

You can check out what I've found on Page 3 as well.


Can anyone still confirm whether my cookie trick still works for the reverse proxy? I would really love to know if the old token I've shown there still works...




Find me on Twitter!

I posted 1, 2 x 10^3 times!

wellygary
8813 posts

Uber Geek
+1 received by user: 5297


  #734942 19-Dec-2012 14:15

echoflight: If you inspect any of the images on that page you can easily see that they are hosted directly on the POLi website, and therefore this cannot be an iFrame of your bank's login page.


The banks are gonna rain down on POLi like a bag of hammers for spoofing their sites by replicating their actual logos (which I am damn sure are trademark protected).

Also this from Poli's FAQ page is interesting, http://www.polipayments.com/faq

When you use POLi™ to complete your purchase everything is done within the security of your online banking facility and at no time are you required to disclose your personal banking details to any third party, (including POLi).

I would argue that typing anything into a website owned/controlled by Poli is prima facie "disclosing your personal details" 

