Geekzone: technology news, blogs, forums
Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735064 19-Dec-2012 16:58
Send private message

Perhaps they are proxying the sites and modify the code in the process to allow them to do what they need to do.

I think they call that a man in the middle attack.....?

In any case, what they are doing is at best, dodgy/irresponsible and at worst illegal






Twitter: ajobbins


28369 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 735065 19-Dec-2012 17:01
Send private message

BlakJak:

You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.


In 10 years maybe - you forget that banks typically run on mainframes, not modern real time banking platforms. The move to multi payments per day requires massive resources and is still a batch based system. Real time payments between all banks won't occur for many, many years.



Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735067 19-Dec-2012 17:02
Send private message
28369 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 735069 19-Dec-2012 17:03
Send private message

I'd love to see all the big banks put big "POLi is dodgy" warning messages on the internet banking login pages and see if POLi strip it!

8 posts

Wannabe Geek


  # 735079 19-Dec-2012 17:04
Send private message

ajobbins: Looking at the source code of the real westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">


Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and doing changes like that that don't affect the layout, but clearly show the source is different.


If you inspect those images and "open in a new tab/window", you will see that they are hosted on the POLi website, not Westpac. This is the same for their mimic of the ANZ site, and Kiwi Bank (these are the only other ones I've tried, I'm sure they are all the same though).

29 posts

Geek


  # 735081 19-Dec-2012 17:08
Send private message

I've just tested this with ANZ, going as far as the login page.  It's definitely a man-in-the-middle set-up:
*) The bank iframe is sourced from https://nz00400.apax.paywithpoli.com/IBCS/pgLogin, instead of secure.anz.co.nz
*) The only connections my browser establishes go to 202.175.175.210, which belongs to Bluecentral Pty Ltd Hosting and Colocation Services in Melbourne, and is in no way associated with ANZ.
*) Most importantly, the only client side SSL handshakes use a certificate for *.apac.paywithpoli.com.  There is no handshake using a certificate for *.anz.co.nz, so the padlock in the iframe is misleading.  In other words, there is no end-to-end security between my browser and ANZ's servers.

Any NZ bank should be taking the same stance that ASB has - issue security warnings and cease and desist demands.  In the interim, they should block any access from IP ranges used by POLi.
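The checks in the post above, written out as an added example that is not part of the thread and is not code from POLi or ANZ: list which host every iframe, image and form on a page actually resolves to, and decide whether a certificate name seen in a TLS handshake covers the bank host at all. The hostnames are the ones the post names; the HTML snippet and the handshake name lists are constructed for the example.

```python
"""Check whether an internet-banking page is really served end to end by the bank.

Added example, not code from the thread or from POLi or ANZ. It reproduces the
checks in the post above on constructed input: which hosts the page's iframe,
image and form resources resolve to, and whether a TLS certificate name seen in
a handshake covers the bank host. Hostnames are the ones the post names; the
HTML and the handshake name lists are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BANK_HOST = "secure.anz.co.nz"  # the host a genuine ANZ login form talks to

# Constructed page modelled on the post: the login iframe is sourced from the
# proxy, and the logo is a relative path, which the browser resolves against
# the page that embedded it (the proxy), not against the bank.
PAGE_URL = "https://nz00400.apax.paywithpoli.com/IBCS/pgLogin"
PAGE_HTML = """<html><body>
<iframe src="https://nz00400.apax.paywithpoli.com/IBCS/pgLogin"></iframe>
<img src="images/anz-logo.png" alt="ANZ">
<form action="/IBCS/pgLogin" method="post">
  <input name="customer" type="text"><input name="password" type="password">
</form>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Record every URL the browser would load from or submit to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href", "action") and value:
                self.targets.append((tag, urljoin(self.base_url, value)))


def off_origin_resources(page_url, html, bank_host=BANK_HOST):
    """Return (tag, url) pairs for anything not served by the bank host."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.targets
            if urlparse(u).hostname != bank_host]


def cert_name_matches(cert_name, host):
    """Does a certificate name cover host?  A '*.' wildcard covers exactly one
    left-most label (RFC 6125 rules, simplified): *.anz.co.nz covers
    secure.anz.co.nz but not a.b.anz.co.nz, and never a different domain."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == host


def end_to_end_with_bank(handshake_names, bank_host=BANK_HOST):
    """True only if some observed handshake presented a name for the bank.
    If every handshake carries the proxy's certificate, the padlock belongs to
    the proxy and the session is not end to end with the bank."""
    return any(cert_name_matches(n, bank_host) for n in handshake_names)


if __name__ == "__main__":
    for tag, url in off_origin_resources(PAGE_URL, PAGE_HTML):
        print("off-origin %-6s -> %s" % (tag, url))
    # Constructed observation matching the post: only the proxy's certificate.
    print("end to end with bank:", end_to_end_with_bank(["*.apac.paywithpoli.com"]))
```

The resource check is the one a browser's developer tools do for you by hand; the certificate check is the part the padlock icon hides, since the padlock only tells you that some certificate validated, not whose.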

15232 posts

Uber Geek


  # 735084 19-Dec-2012 17:28
Send private message

I see ASB have now updated their website and it is now using an older version. 

Interesting to see that banks say using these third party services is breaching the internet banking t&c's. I guess this means that if you use this type of system, and you lose money from the account for any reason, then you may not be covered for that loss. That is a real concern to everyone who uses online banking.



Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735086 19-Dec-2012 17:30
Send private message

POLi addresses some of ASB's points. So they are admitting a man in the middle approach. I can't believe they think this is OK.

POLi captures customer information
At no point does POLi capture or store customer information

POLi is spoofing/mirroring the ASB website
POLi is providing a pass through service whereby the bank sites are accessed via our secure servers.

ASB is unable to audit the security of POLi
Incorrect. POLi is and has always been open to any bank reviewing the security of its software.

http://www.polipayments.com/assets/docs/POLiAnnouncment19-12-12v1.0.pdf




Twitter: ajobbins


2483 posts

Uber Geek

Trusted

  # 735087 19-Dec-2012 17:30
Send private message

Just to state this again: POLi Express isn't fully "spoofing" bank websites but providing a reverse proxy with some modifications, e.g. to links and images so that they fall within the same domain which is why you see some differences.

They don't appear to host content, but provide a method to access content through their own domain (so as to stay within cross domain security rules.) So they are correct when they say:
POLi is providing a pass through service whereby the bank sites are accessed via our secure servers


It's also why POLi can be easily broken - if banks change their pages, their automation processes coded into the JS will break. You can see then that they have put in 'validation' in their scripts to ensure that they only operate on known versions of bank websites, otherwise an error message is thrown.




Find me on Twitter!

I posted 1, 2 x 10^3 times!
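How a pass-through proxy of the kind described in the post above ends up serving a page that looks like the bank's but reads differently in the source, as an added example. This is not POLi's code and not from the thread: the origins are the ones the thread names, while the sample HTML, the version table and all function names are constructed. It shows the two mechanisms the post mentions, rewriting bank URLs so that links, images and form posts stay on the proxy's own domain, and refusing to drive a page whose form structure has not been seen before.

```python
"""Minimal model of a URL-rewriting reverse proxy that only operates on
recognised page versions.

Added example, not POLi's code and not from the thread. The origins are the
ones the thread names; the HTML, the version table and the function names are
constructed for the example.
"""
import hashlib
from html.parser import HTMLParser

BANK_ORIGIN = "https://secure.anz.co.nz"
PROXY_ORIGIN = "https://nz00400.apax.paywithpoli.com"


class UnknownPageVersion(Exception):
    """The fetched page does not match any bank page layout the proxy knows."""


class Rewriter(HTMLParser):
    """Re-emit a page with src/href/action rebased from the bank to the proxy."""

    URL_ATTRS = ("src", "href", "action")

    def __init__(self, bank_origin, proxy_origin):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.bank_origin, self.proxy_origin = bank_origin, proxy_origin
        self.out = []
        self.form_shape = []  # (tag, name) of form/input elements, in order

    def rewrite(self, url):
        # Absolute bank URLs move to the proxy; relative ones need no change,
        # as the browser resolves them against the proxy page that served them.
        if url.startswith(self.bank_origin):
            return self.proxy_origin + url[len(self.bank_origin):]
        return url

    def handle_starttag(self, tag, attrs):
        parts = []
        for key, value in attrs:
            if value is None:
                parts.append(" " + key)  # boolean attribute such as 'disabled'
                continue
            if key in self.URL_ATTRS:
                value = self.rewrite(value)
            parts.append(' %s="%s"' % (key, value.replace('"', "&quot;")))
        if tag in ("form", "input"):
            self.form_shape.append((tag, dict(attrs).get("name")))
        self.out.append("<%s%s>" % (tag, "".join(parts)))

    def handle_startendtag(self, tag, attrs):
        # Re-serialising drops the XHTML-style " />": the output is generated
        # from the parsed page, not copied byte for byte.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    def fingerprint(self):
        """Hash of the form structure only: wording and layout changes still
        match, a new or renamed field does not."""
        return hashlib.sha256(repr(self.form_shape).encode()).hexdigest()


def known_versions_from(*pages, bank_origin=BANK_ORIGIN, proxy_origin=PROXY_ORIGIN):
    """Build the table of page versions the proxy is allowed to operate on."""
    table = set()
    for page in pages:
        r = Rewriter(bank_origin, proxy_origin)
        r.feed(page)
        r.close()
        table.add(r.fingerprint())
    return table


def proxy_page(html, known_versions, bank_origin=BANK_ORIGIN, proxy_origin=PROXY_ORIGIN):
    """Return the rewritten page, or raise if its version is not recognised."""
    r = Rewriter(bank_origin, proxy_origin)
    r.feed(html)
    r.close()
    if r.fingerprint() not in known_versions:
        raise UnknownPageVersion("bank page layout changed; automation would break")
    return "".join(r.out)


# Constructed login page in the shape the thread discusses.
LOGIN_V1 = """<html><body>
<img src="images/anz-logo.png" height="90" width="140" align="left" alt="ANZ" />
<form action="https://secure.anz.co.nz/IBCS/pgLogin" method="post">
<input name="customer" type="text"><input name="password" type="password">
</form>
<a href="https://secure.anz.co.nz/security">Security &amp; warnings</a>
</body></html>"""

# A later revision with one extra field: same look, different structure.
LOGIN_V2 = LOGIN_V1.replace('<input name="password"',
                            '<input name="otp" type="text"><input name="password"')

if __name__ == "__main__":
    known = known_versions_from(LOGIN_V1)
    print(proxy_page(LOGIN_V1, known))
    try:
        proxy_page(LOGIN_V2, known)
    except UnknownPageVersion as e:
        print("refused:", e)
```

Two things follow from the model. Every URL that mattered now points at the proxy, so blocking the bank host in your own firewall changes nothing about whether the page works, and the only TLS session your browser sees is with the proxy. And because the proxy drives the page by script, it has to gate on a fingerprint of the page it expects; a bank that changes the form, or simply adds a field, breaks it until the proxy is updated.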

3107 posts

Uber Geek

Trusted
Subscriber

  # 735121 19-Dec-2012 19:05
Send private message

TSB is "looking into it": https://twitter.com/tsbbank/status/281151556680814593

But since they actually have a real agreement with POLi, they probably will declare it OK.

28369 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 735135 19-Dec-2012 19:38
Send private message

ANZ now have a warning on their internet banking login page. Ironically this now shows within the POLi window, and they have left this link working, despite disabling all other hyperlinks on the webpage.

Blocking access to the ANZ site in my firewall leaves POLi fully functioning, so nothing is being retried or submitted directly to ANZ, it's all going via POLi.


608 posts

Ultimate Geek

Trusted
Lifetime subscriber

  # 735149 19-Dec-2012 20:26
Send private message

I often still have to wait overnight for payments between banks, even when I make the payment early morning.  I guess some banks are not participating?


I think all the banks need to participate.  However, that 5 times a day transfer means the number of transfers between banks; it is up to the recipient's bank to determine when to post / credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.

3340 posts

Uber Geek

Trusted

  # 735153 19-Dec-2012 20:35
Send private message

AKLWestie:
I think all the banks need to participate.  However, that 5 times a day transfer means the number of transfers between banks; it is up to the recipient's bank to determine when to post / credit the payment to the receiver's account.

I believe currently only Kiwibank and ASB do hourly clearance for their customers.


So surely if I make a payment from my kiwibank account to an ASB account, that would show up within the hour (or at least 2 hours?) in theory?

22647 posts

Uber Geek

Trusted
Subscriber

  # 735154 19-Dec-2012 20:36
Send private message

Yup, but also payments from other banks should as well.




Richard rich.ms
