# 671829 13-Aug-2012 14:10

sleemanj:
davidcole:
OFX already handles all of this.  In NZ only ASB (I think) implement it, and then it's only for statement export.  But in reality, OFX (Open Financial Exchange) covers payments, exports, everything between apps and banks.

http://www.ofx.net/DownloadPage/Downloads.aspx


You have the wrong end of the stick.

I'm talking about an automated way for customers, people buying things, to be presented a pre-filled-out form, in their ordinary internet banking, to allow them to transfer money to you ("internet banking payment") with a given set of reference, to your specified account.

For example a link "Click Here To Pay With Yourbank Internet Banking", goes to the customers bank, the customer logs in, and they are presented with their normal type of make payment form but already completed with the details they need to provide.

OFX is about downloading transactions from your account, to your application, or indeed in some cases feeding the other direction.  It's not about a customer initiating a payment.



No actually it is: http://www.ofx.net/AboutOFX/ServicesSupported.aspx

From Link:
Intrabank Funds Transfer
OFX supports transferring funds between two accounts at the same financial institution. Funds transfers in OFX can be immediate or scheduled. Scheduled transfers can repeat at specified intervals.
Interbank Funds Transfer
The “interbank funds transfer add request” provides a way for clients to set up a single transfer between accounts at different financial institutions. Like intrabank funds transfers, the request designates source and destination accounts and the amount of the transfer. Also, as in the intrabank funds transfer, the FI must be able to authenticate the source account. However, interbank funds transfers differ from intrabank funds transfers in the following respects:
  • The routing and transit number of the destination account differs from the source account.
  • At the discretion of an FI, the destination account can be subject to pre-notification.
  • Source and destination accounts must be enabled for the Automated Clearing House (ACH).
In all other respects, interbank funds transfers function like intrabank funds transfers. The user can schedule, modify, and cancel them. They can recur at regular intervals.





Like I said, just not done over here.  Used fairly extensively in the States.  If you were an MS Money user from way back you would see all the payment functions in the app that were all turned off because our banks didn't support it.





Previously known as psycik

OpenHAB: Gigabyte AMD A8 BrixOpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10
Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex


# 672825 15-Aug-2012 14:07

Just got an email back from Westpac - according to them, "Technically customers using POLi are breaching their Westpac Terms and Conditions as they are disclosing their online credentials to a third party." That's a direct quote.

They then go on to say that because they're reasonably comfortable with POLi's security, they'll let that slide and won't treat it as a breach, and won't void the zero liability guarantee.

I'm not wholly convinced that I want to rely on a service that requires my bank to let slide a violation of the terms on my account to use.



# 673695 17-Aug-2012 14:17

I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below.

Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html

Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.

# 673698 17-Aug-2012 14:20

skiddy: I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below. Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


Hi, thanks for fronting up to explain the POLi side.

How do you respond to the post above, where Westpac say that this service may be breaching their terms and conditions?






# 673763 17-Aug-2012 17:16

davidcole:

Hi, thanks for fronting up to explain the POLi side.

How do you respond to the post above, where Westpac say that this service may be breaching their terms and conditions?


Westpac didn't say "may".  They said, quite unequivocally, that it does violate their terms and conditions, specifically for the reason that they view it as giving your credentials to a third party.  They choose not to enforce the violation based on their opinion that POLi is trustworthy.  From my perspective, though, I would not trust the system because I do not wish to rely on a forbearance from my bank to prevent the loss of the zero-liability warranty.

Either way, if a merchant told me that it was POLi or credit card, and that credit cards incurred an extra fee, I'd be calling them up demanding they offer a sane option such as direct bank transfer without untrusted third parties having access to my bank account.

skiddy: I represent Merco, the NZ Distributor of the POLi payment system. Most of the posts here relate to trust or technical issues, so I've addressed these below. Can you trust it? This is a decision that everyone has to make for themselves when making any payment, but as a couple of posts pointed out we have government agencies such as NZTA and MED, and airlines such as Air New Zealand and Jetstar as our merchants, as well as Local Authorities, Universities and large online billers and retailers. They've done their due diligence on POLi and found no issue, and we've been operating POLi in NZ for about 5 years without any issues. If you want to read security reports from Verisign and Secure Assessments on POLi go to www.polipayments.com/merchants.html Tech issues - Mac, Browsers etc. As a couple of posts alluded to, there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology. It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


I did read through those documents, but unfortunately POLi doesn't actually post the security reports, just an abstract which tells me nothing about what the auditors actually said, only the good bits which POLi decided to highlight.  Actually posting the real security assessment would go a long way toward improving the credibility of the system.

I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.

Oh, and not disclaiming all liability for fraud or system errors might help too.  No way in hell will I use a system which offers me as a customer zero protection against dodgy merchants or errors.

# 673828 17-Aug-2012 19:35

skiddy: Tech issues - Mac, Browsers etc.  As a couple of posts alluded to there is a new version of POLi due out soon that eliminates the need for payers to download our secure browser technology.   It also eliminates most of the platform/browser dependencies, so Macs and other devices will work as long as you have a relatively up to date browser that supports Javascript.


Wow. When I said...
It might as well be some Greasemonkey-like script running on top.
... I didn't really expect that literally.

But...

Kyanar: I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.


I've had a quick Google to find a demo page for POLi (I remembered they had one at launch but it seems to have disappeared and been replaced with a walkthrough instead).

I found a demo at http://demo.centricom.com/pmobile/checkout.aspx and started POLi. I realise that they said you should use iBank (the demo bank) but there are other Australian banks there (you may get a list of New Zealand banks if surfing from NZ.)

If you hit Continue you get this (CBA example):


If you look carefully in Web Inspector, the frame is actually pointing to a .paywithpoli.com site and NOT .commbank.com.au as it reports at the top (and with a shoddy looking URL padlock to boot.)

Because the parent frame (at express.apac.paywithpoli.com) has the same root domain as the target frame, this allows any JS in the parent to manipulate the target.

I have not tested it with my or any random details because I am not going to risk it, but it does respond properly to the iframe - e.g. when you submit the form without details, it flashes "Please provide required fields"


Now this is appalling - even if POLi has access through third party means (which by the way should NEVER be allowed in the first place,) it blatantly reports a false URL for the end user (whether you believe it or not.)

Complete breach of trust in my opinion.



I cannot confirm whether this is an actual implementation of POLi as this is a demo site, though it is hosted on Centricom's site and has "Copyright 2012 Centricom Pty Ltd" on the bottom of the demo page, so it seems fresh enough to be believable.




Find me on Twitter!

I posted 1, 2 x 10^3 times!

# 673834 17-Aug-2012 19:50

It appears that NZ banks may result in the standard POLi application frame being used instead.

Try using http://demo.centricom.com/PMobile/Checkout.aspx?country=AU






# 673835 17-Aug-2012 19:57

manhinli:
If you look carefully in Web Inspector, the frame is actually pointing to a .paywithpoli.com site and NOT .commbank.com.au as it reports at the top (and with a shoddy looking URL padlock to boot.)


Cue Michael Jackson with "Man in the Mirror Middle"!

Edit: Eh, Geekzone doesn't let strike through work (even though it's a button in the editor), you'll have to imagine a line through "Mirror" for hilarious times.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


# 673969 18-Aug-2012 14:02

manhinli:
Kyanar: I would like to know more about this upcoming new version of POLi as well - based on the way the current system is working, will the new one actually operate by having agreements with banks?  And if not, how is it even possible?  Javascript will not allow you to manipulate the DOM across frame boundaries, so the only way I can think of for it to work is for POLi to basically operate a screen scraping proxy script to log into online banking and manipulate the output - and personally I see this as even worse than the current system.


Now this is appalling - even if POLi has access through third party means (which by the way should NEVER be allowed in the first place,) it blatantly reports a false URL for the end user (whether you believe it or not.)


It gets worse.  What I described is exactly how it works.  For example, go to https://anz.apac.paywithpoli.com/personal/ - you'd think that if POLi was actually using some sort of API and just faking up the login page to make it look reputable that this would result in some sort of message saying "No, you can't do that" right?  Wrong.  Apparently, those POLi URLs are really, seriously, actually reverse proxying the bank's websites and fiddling with the HTML on the fly.

This is an absolute abomination, and POLi needs to be shut down RIGHT NOW.  With this, POLi is teaching people that logging into your online banking on a site like http://www.mybank.fraudstersite.com/Logon is perfectly OK.  It is not.  POLi needs to turn the lights off, shut down the servers, and head back to elementary Computer Security 101 classes before they even consider launching this packaged phishing site.

Phil Gale

# 674056 18-Aug-2012 18:46

It gets worse.  What I described is exactly how it works.  For example, go to https://anz.apac.paywithpoli.com/personal/ - you'd think that if POLi was actually using some sort of API and just faking up the login page to make it look reputable that this would result in some sort of message saying "No, you can't do that" right?  Wrong.  Apparently, those POLi URLs are really, seriously, actually reverse proxying the bank's websites and fiddling with the HTML on the fly.


To be fair to POLi, there really is no common API that you can use with any NZ banks. If there were, 'hacks' like this wouldn't be necessary. While I agree with you that the approach is nasty. I'm also a realist and can see there is absolutely a need to provide a simple solution for automating direct bank to bank online payments, and that is just so unlikely to happen if we leave it up to the banks themselves.

I recall a recent project where we asked one of the major banks to help us automate making payments on behalf of a client. We wanted to simply be able to supply them nightly with a list of bank account numbers and an amount to transfer. We ended up getting back a 6 figure quote. It's no wonder POLi exists.




Red Jungle: we make fantastic software


# 674058 18-Aug-2012 18:58

RedJungle: To be fair to POLi, there really is no common API that you can use with any NZ banks. If there were, 'hacks' like this wouldn't be necessary. While I agree with you that the approach is nasty. I'm also a realist and can see there is absolutely a need to provide a simple solution for automating direct bank to bank online payments, and that is just so unlikely to happen if we leave it up to the banks themselves.

I recall a recent project where we asked one of the major banks to help us automate making payments on behalf of a client. We wanted to simply be able to supply them nightly with a list of bank account numbers and an amount to transfer. We ended up getting back a 6 figure quote. It's no wonder POLi exists.


While I agree that there is no solution, and that one does really need to exist, POLi is not the answer.  In fact, I dare say their solution is worse than having no solution at all.  If I were to encounter POLi in the wild, I would assume it is a phishing site and report it to my bank.  It's that bad, and to be honest I cannot in good conscience be fair to them for implementing what they have - they are basically saying it's OK to enter your banking credentials on random sites just because they have a picture of your bank's address and a padlock.  Which is why I am insistent that their solution needs to be shut down.

# 674185 19-Aug-2012 11:17

From https://airnz.custhelp.com/app/answers/detail/a_id/2415/related/1 "When you pay with internet banking (POLi) the transaction is completed within the security of your bank’s online banking service and at no time are your personal banking details disclosed to Air New Zealand or POLi."  Is the bit about your banking details not being disclosed to Air NZ the only bit of truth in that statement?

# 674228 19-Aug-2012 13:36

RmACK: From https://airnz.custhelp.com/app/answers/detail/a_id/2415/related/1 "When you pay with internet banking (POLi) the transaction is completed within the security of your bank’s online banking service and at no time are your personal banking details disclosed to Air New Zealand or POLi."  Is the bit about your banking details not being disclosed to Air NZ the only bit of truth in that statement?


Yes.  In the old system, you use a custom browser made by POLi which does have access to your banking details; although the likelihood of it disclosing them to POLi is low, because it's a closed-source application it is within the realm of possibility (again, unlikely though).  In the new system, you don't go anywhere near your bank's online banking - the POLi system downloads copies of your online banking pages, hacks and chops them to suit its needs, and sends them to you pretending to represent your bank.  Basically, POLi phishes you.

# 674231 19-Aug-2012 13:40

I've been playing with it for a little while and found:
  • that yes, the proxy does indeed modify the page, such as to replace root links to point within .apac.paywithpoli.com. But it did screw up on at least one occasion (on right). Someone needs to learn their Regex, but then again who knows what could go wrong if the banks change their pages?
  • access to the proxy is limited by the use of a cookie, such as "Westpac_AU_Token", which is set when you use POLi. The value also happens to be the token that appears in the URL.
    Now that's not problematic, except I've been able to continue surfing the proxy (for nearly two days now) merely by holding onto the cookie. I can also surf other bank proxy subdomains by copying the token into other cookies too!
    Now I accept that it would not usually happen, but if the token is intended for an hour (the time set for the cookie originally) then the token itself should expire! Hopefully they don't keep sessions open like that.
  • the script has left me a little iffy about the people behind POLi Express (this version of POLi) - GetSequence() increments an integer representing the number of 'steps' taken within POLi, which is stored in the value of an input type="hidden". Yet it uses eval(n) instead of a safer alternative like parseInt(n,10) - there are use cases for eval(), but this is not one of them. Better yet, why not have it as part of a variable/object instead of going back and forth through the DOM? I don't know.






# 674233 19-Aug-2012 13:46

I really would be happy if the banks would outright put a stop to this and warn any of their customers that are using or thinking of using poli to accept payments.

To put a man in the middle and claim it as safe is totally absurd. Although if you can surf thru the poli proxy that would make it viable as an anonymizer service. I wonder what idiot there left that open? Goes to show that they clearly have no clue with security and for something that bad to be deployed it makes me have real concerns about their previous closed source version, since you would assume that things would get better - so the old version must be terrible.




Richard rich.ms
