Awesome
  # 735064 19-Dec-2012 16:58

Perhaps they are proxying the sites and modify the code in the process to allow them to do what they need to do.

I think they call that a man in the middle attack.....?

In any case, what they are doing is at best, dodgy/irresponsible and at worst illegal
Twitter: ajobbins
  # 735065 19-Dec-2012 17:01

BlakJak:

You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.


In 10 years maybe - you forget that banks typically run on mainframes, not modern real-time banking platforms. The move to multiple payments per day requires massive resources and is still a batch-based system. Real-time payments between all banks won't occur for many, many years.

Awesome
  # 735067 19-Dec-2012 17:02
  # 735069 19-Dec-2012 17:03

I'd love to see all the big banks put big "POLi is dodgy" warning messages on the internet banking login pages and see if POLi strip it!

  # 735079 19-Dec-2012 17:04

ajobbins: Looking at the source code of the real westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">


Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and doing changes like that that don't affect the layout, but clearly show the source is different.


If you inspect those images and "open in a new tab/window", you will see that they are hosted on the POLi website, not Westpac. This is the same for their mimic of the ANZ site, and Kiwibank (these are the only other ones I've tried, I'm sure they are all the same though).

  # 735081 19-Dec-2012 17:08

I've just tested this with ANZ, going as far as the login page. It's definitely a man-in-the-middle set-up:
*) The bank iframe is sourced from https://nz00400.apax.paywithpoli.com/IBCS/pgLogin, instead of secure.anz.co.nz
*) The only connections my browser establishes go to 202.175.175.210, which belongs to Bluecentral Pty Ltd Hosting and Colocation Services in Melbourne, and is in no way associated with ANZ.
*) Most importantly, the only client-side SSL handshakes use a certificate for *.apac.paywithpoli.com. There is no handshake using a certificate for *.anz.co.nz, so the padlock in the iframe is misleading. In other words, there is no end-to-end security between my browser and ANZ's servers.

Any NZ bank should be taking the same stance that ASB has - issue security warnings and cease and desist demands. In the interim, they should block any access from IP ranges used by POLi.
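The three observations in the post above (frame origin, connections, certificates seen) can be turned into a mechanical check. The following is an added example, not code from the thread, from POLi or from any bank: given the iframe URL, the hostnames the bank really serves its login from, and the server certificates seen in the browser's TLS handshakes, it reports whether any TLS session actually terminates at the bank. The sample inputs are constructed from the ANZ observation above; the certificate name matcher implements the usual leftmost-label wildcard rule and nothing more.

```python
"""Does a framed login page have end-to-end TLS to the bank?

Added example, not from the thread. Inputs are constructed from the
observation above: the frame is served from a paywithpoli.com host and the
only server certificate seen names *.apac.paywithpoli.com, so no TLS session
reaches secure.anz.co.nz, whatever padlock the frame shows.
"""
from urllib.parse import urlsplit


def wildcard_match(pattern: str, host: str) -> bool:
    """Certificate name matching in the usual RFC 6125 shape: a single '*'
    is allowed only as the entire leftmost label, matches exactly one label,
    and the pattern must have at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_names, host: str) -> bool:
    """True if any subjectAltName DNS entry on the certificate matches host."""
    return any(wildcard_match(name, host) for name in san_names)


def audit_frame(frame_url: str, bank_hosts, handshakes) -> dict:
    """frame_url: the src of the login iframe.
    bank_hosts: hostnames the bank really serves its login from.
    handshakes: (server_host, [SAN names]) for every TLS handshake the
    browser performed while loading the page.
    Returns what a user would want to know before typing credentials."""
    frame_host = (urlsplit(frame_url).hostname or "").lower()
    served_by_bank = frame_host in {h.lower() for h in bank_hosts}
    bank_session = any(
        cert_covers_host(sans, bank_host)
        for _, sans in handshakes
        for bank_host in bank_hosts
    )
    return {
        "frame_host": frame_host,
        "frame_served_by_bank": served_by_bank,
        "end_to_end_tls_to_bank": bank_session,
        # The padlock in the frame only ever proves the frame's own origin.
        "padlock_proves": frame_host,
    }


# Constructed sample, modelled on the ANZ observation in the post above.
OBSERVED_FRAME = "https://nz00400.apax.paywithpoli.com/IBCS/pgLogin"
OBSERVED_HANDSHAKES = [("nz00400.apax.paywithpoli.com", ["*.apac.paywithpoli.com"])]
ANZ_HOSTS = ["secure.anz.co.nz"]

if __name__ == "__main__":
    for key, value in audit_frame(OBSERVED_FRAME, ANZ_HOSTS, OBSERVED_HANDSHAKES).items():
        print(f"{key}: {value}")
```

The point the last field makes is the one the post makes: a padlock on an iframe is a statement about the frame's origin, and here that origin is the proxy. Feeding the function a genuine session (frame from secure.anz.co.nz, a handshake presenting a *.anz.co.nz certificate) flips both booleans to True.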

  # 735084 19-Dec-2012 17:28

I see ASB have now updated their website and it is now using an older version.

Interesting to see that banks say using these third-party services is breaching the internet banking T&Cs. I guess this means that if you use this type of system, and you lose money from the account for any reason, then you may not be covered for that loss. That is a real concern to everyone who uses online banking.

Awesome
  # 735086 19-Dec-2012 17:30

POLi addresses some of ASB's points. So they are admitting a man in the middle approach. I can't believe they think this is OK.

POLi captures customer information
At no point does POLi capture or store customer information

POLi is spoofing/mirroring the ASB website
POLi is providing a pass through service whereby the bank sites are accessed via our secure servers.

ASB is unable to audit the security of POLi
Incorrect. POLi is and has always been open to any bank reviewing the security of its software.

http://www.polipayments.com/assets/docs/POLiAnnouncment19-12-12v1.0.pdf

  # 735087 19-Dec-2012 17:30

Just to state this again: POLi Express isn't fully "spoofing" bank websites but providing a reverse proxy with some modifications, e.g. to links and images so that they fall within the same domain, which is why you see some differences.

They don't appear to host content, but provide a method to access content through their own domain (so as to stay within cross domain security rules.) So they are correct when they say:
POLi is providing a pass through service whereby the bank sites are accessed via our secure servers


It's also why POLi can be easily broken - if banks change their pages, their automation processes coded into the JS will break. You can see then that they have put in 'validation' in their scripts to ensure that they only operate on known versions of bank websites, otherwise an error message is thrown.

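The post above describes the mechanism (a reverse proxy that rewrites links and images onto its own domain, with JavaScript automation that only runs on known versions of a bank page), and the earlier Westpac post describes the symptom (images that turn out to be hosted on the proxy). The following is an added example that is none of POLi's, the banks' or Geekzone's code: a minimal rewriting pass of the kind a pass-through proxy performs, the version pin that makes it fragile, and the whole-page version of the "open image in new tab" check. The bank and proxy hostnames and the login page are constructed stand-ins.

```python
"""A pass-through proxy of the kind described above, and the checks that expose it.

Added example; none of this is POLi's, the banks' or Geekzone's code. The bank
and proxy hostnames and the login page are constructed stand-ins.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BANK = "https://secure.example-bank.co.nz"   # constructed bank origin
PROXY = "https://ib.example-psp.com"          # constructed proxy origin
LOGIN_PATH = "/ib/login"

# Constructed login page: one relative, one root-relative and two absolute references.
BANK_PAGE = """<html><head><link rel="stylesheet" href="/css/ib.css"></head>
<body><img src="images/bank-logo.png" height="90" width="140" alt="Bank" />
<form action="https://secure.example-bank.co.nz/ib/login" method="post">
<input name="user"><input name="pass" type="password"><input type="submit"></form>
<a href="https://secure.example-bank.co.nz/security-notice">Security notice</a>
</body></html>"""

_REF_RE = re.compile(r'\b(?P<attr>src|href|action)=(?P<q>["\'])(?P<url>[^"\']*)(?P=q)', re.I)


def rewrite_to_proxy(html: str, page_url: str = BANK + LOGIN_PATH,
                     bank: str = BANK, proxy: str = PROXY) -> str:
    """What the proxy does to every page it relays: resolve each reference and
    point the ones that lead to the bank at the proxy's own origin instead, so
    the frame stays single-origin and the proxy's scripts can drive the form."""
    def repl(m: re.Match) -> str:
        absolute = urljoin(page_url, m.group("url"))
        if absolute.startswith(bank + "/"):
            absolute = proxy + absolute[len(bank):]
        return f'{m.group("attr")}={m.group("q")}{absolute}{m.group("q")}'
    return _REF_RE.sub(repl, html)


def fingerprint(html: str) -> str:
    """Version pin for the proxy's automation: a hash of the page with runs of
    whitespace collapsed. Reordering attributes or adding a warning banner, as
    the banks did, changes the hash and the automation refuses to run."""
    canonical = re.sub(r"\s+", " ", html).strip().encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


KNOWN_VERSIONS = {fingerprint(BANK_PAGE)}


def automation_allowed(html: str) -> bool:
    """The 'validation' step: only operate on a page version seen before."""
    return fingerprint(html) in KNOWN_VERSIONS


class _RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every src/href/action on the page."""
    def __init__(self) -> None:
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.refs.append((tag, name, value))


def foreign_references(html: str, page_url: str, expected_host: str):
    """The 'open image in a new tab' check done for the whole page: every
    resource, link or form target whose resolved host is not the bank's."""
    collector = _RefCollector()
    collector.feed(html)
    found = []
    for tag, attr, value in collector.refs:
        host = urlsplit(urljoin(page_url, value)).hostname
        if host and host.lower() != expected_host.lower():
            found.append((tag, attr, host))
    return found


if __name__ == "__main__":
    relayed = rewrite_to_proxy(BANK_PAGE)
    print(relayed)
    print("foreign references on the real page:",
          foreign_references(BANK_PAGE, BANK + LOGIN_PATH, "secure.example-bank.co.nz"))
    print("foreign references on the relayed page:",
          foreign_references(relayed, PROXY + LOGIN_PATH, "secure.example-bank.co.nz"))
    print("automation allowed on the unmodified page:", automation_allowed(BANK_PAGE))
    banner = BANK_PAGE.replace("Security notice", "Warning: third-party pass-through services breach our terms")
    print("automation allowed after the bank adds a warning:", automation_allowed(banner))
```

Two things worth noticing when running it. On the relayed page the form's action now points at the proxy, which is the property that lets the proxy see credentials in transit regardless of what it stores, and which a user cannot tell from the padlock. And the fingerprint pin is why attribute reordering of the sort noted in the Westpac comparison is enough to break the automation, while being invisible in the rendered page.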
  # 735121 19-Dec-2012 19:05

TSB is "looking into it": https://twitter.com/tsbbank/status/281151556680814593

But since they actually have a real agreement with POLi, they probably will declare it OK.

  # 735135 19-Dec-2012 19:38

ANZ now have a warning on their internet banking login page. Ironically this now shows within the POLi window, and they have left this link working, despite disabling all other hyperlinks on the webpage.

Blocking access to the ANZ site in my firewall leaves POLi fully functioning, so nothing is being retried or submitted directly to ANZ, it's all going via POLi.


  # 735149 19-Dec-2012 20:26

I often still have to wait overnight for payments between banks, even when I make the payment early morning. I guess some banks are not participating?


I think all the banks need to participate. However, that 5 times a day transfer means the number of transfers between banks; it is up to the recipient's bank to determine when to post / credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.

  # 735153 19-Dec-2012 20:35

AKLWestie:
I think all the banks need to participate. However, that 5 times a day transfer means the number of transfers between banks; it is up to the recipient's bank to determine when to post / credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.


So surely if I make a payment from my Kiwibank account to an ASB account, that would show up within the hour (or at least 2 hours?) in theory?

  # 735154 19-Dec-2012 20:36

Yup, but also payments from other banks should as well.