Geekzone: technology news, blogs, forums
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
3107 posts | Uber Geek | Trusted | Subscriber
# 674263 19-Aug-2012 16:10

manhinli: I've been playing with it for a little while and found:
  • that yes, the proxy does indeed modify the page, such as to replace root links to point within .apac.paywithpoli.com. But it did screw up on at least one occasion (on right). Someone needs to learn their Regex, but then again who knows what could go wrong if the banks change their pages? 


Actually, I believe that's intentional - it's to allow you to browse to links off the POLi proxy from the proxied page - though last time I tried it I had to middle click the link as they seemed to use javascript to "disable" them.

So, um, how long do you reckon before someone registers paywithpo1i.com and sends out "You've received a POLi payment request!" emails?  You'd get an awful lot of online banking logins.
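The paywithpo1i.com scenario above is an ordinary lookalike-domain attack (digit one in place of lowercase L, or the brand name used as a subdomain of an unrelated domain). What follows is an added example of how a mail gateway or browser extension could flag such hostnames; it is not from the original thread and is not any bank's or POLi's own check. The trusted-domain list, the confusable-character table and the crude two-label "registrable domain" rule are all assumptions for the demo (a production check would use the public suffix list rather than the last two labels).

```python
from urllib.parse import urlsplit

# Assumed list of hostnames the payment flow trains users to trust. Not an official list.
TRUSTED_DOMAINS = {"paywithpoli.com", "poli.to"}

# Single characters typosquatters swap in for letters, folded back to the letter they imitate.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"})
# Letter pairs that render like a single letter in many fonts.
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain):
    """Fold a domain to the string a human is likely to read it as."""
    s = domain.lower().translate(CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def registrable_domain(host):
    """Last two labels of the hostname.

    Assumption for the demo: no public-suffix list, so 'example.co.nz' would
    come out as 'co.nz'. A real check needs the PSL here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Brand used as a subdomain of an unrelated registrable domain:
        # paywithpoli.com.evil.test
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike"
        # Homoglyph substitution or a one-character typo of the brand:
        # paywithpo1i.com, po1i.to
        if levenshtein(skeleton(domain), skeleton(trusted)) <= 1:
            return "lookalike"
        # Brand name embedded in a longer first label: paywithpoli-secure.com.
        # Only for reasonably long brand labels, so short ones such as "poli"
        # do not flag every word that happens to contain them.
        brand = trusted.split(".")[0]
        if len(brand) >= 6 and brand in skeleton(domain.split(".")[0]):
            return "lookalike"
    return "unknown"


def classify_url(url):
    """Classify the hostname of a URL as it would appear in an email link."""
    host = urlsplit(url).hostname or ""
    return classify_host(host)


if __name__ == "__main__":
    for sample in ("https://www.paywithpoli.com/merchant/123",
                   "http://paywithpo1i.com/pay",
                   "https://paywithpoli.com.evil.test/",
                   "https://www.example-bank.test/login"):
        print(sample, "->", classify_url(sample))
```

The skeleton step is the important one: comparing the raw strings would never match "paywithpo1i" against "paywithpoli", but after folding the digit back to the letter the two are identical, which is exactly the reading error the email relies on.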

2483 posts | Uber Geek | Trusted
# 674268 19-Aug-2012 16:14

Kyanar:
manhinli: I've been playing with it for a little while and found:
  • that yes, the proxy does indeed modify the page, such as to replace root links to point within .apac.paywithpoli.com. But it did screw up on at least one occasion (on right). Someone needs to learn their Regex, but then again who knows what could go wrong if the banks change their pages? 


Actually, I believe that's intentional - it's to allow you to browse to links off the POLi proxy from the proxied page - though last time I tried it I had to middle click the link as they seemed to use javascript to "disable" them.

I realise it's intentional because bank internet banking interfaces may require links being pushed (such as that of the NAB - you can see that it first goes to the homepage, then to IB.)

I was more pointing out the dangers of doing so and how that could break things.


Addendum: Speaking of their JS link clicking blocker - Westpac's site seems more resilient than most. You can easily break POLi's workflow by clicking "Sign in to..." at the top right and selecting one of the options other than "Westpac Online Banking". The page loads but obviously, because of POLi's page interpretation/matching script, it'll break the transaction.




Find me on Twitter!

I posted 1, 2 x 10^3 times!
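As an added illustration of the link-rewriting behaviour the two posts above argue about: this is example code written for this page, not POLi's or Centricom's, and the bank and proxy hostnames are made up. It puts a naive regex rewrite beside a parser-based one. The regex version turns every quoted string beginning with "/" into a proxy URL, so it also corrupts protocol-relative "//host/..." references and string literals inside script, which is the kind of breakage described above. The parser version rewrites only href/src/action attributes, resolves each URL against the upstream origin first, and sends only same-origin links through the proxy.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed hosts for the demo; neither is a real bank or the POLi proxy.
UPSTREAM = "https://www.example-bank.test"
PROXY = "https://proxy.example.test"

# Constructed page fragment standing in for a bank's login page (not real bank HTML).
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body>
<a href="/">Home</a>
<a href="/login">Internet banking</a>
<img src="//static.example-bank.test/img/logo.png">
<a href="https://other.example.test/help">Help &amp; support</a>
<form action="/login/submit" method="post"><input name="user"></form>
<script>var root = "/api"; window.open("/popup");</script>
</body></html>"""


def naive_rewrite(html, proxy=PROXY):
    """Regex rewrite of every quoted string that starts with '/'.

    This is the kind of rewrite the thread describes breaking: it cannot tell
    a root-relative href from a protocol-relative URL ("//host/...") or from a
    string literal inside <script>, so it mangles both.
    """
    return re.sub(r'"(/[^"]*)"', lambda m: f'"{proxy}{m.group(1)}"', html)


class LinkRewriter(HTMLParser):
    """Re-emit the document, rewriting only URL-bearing attributes."""

    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, upstream, proxy):
        super().__init__(convert_charrefs=False)
        self.upstream = upstream
        self.upstream_host = urlsplit(upstream).netloc
        self.proxy = urlsplit(proxy)
        self.out = []

    def map_url(self, url):
        absolute = urljoin(self.upstream, url)      # resolves "/x", "//host/x", "x"
        parts = urlsplit(absolute)
        if parts.netloc == self.upstream_host:       # same origin as the bank: via proxy
            return urlunsplit((self.proxy.scheme, self.proxy.netloc,
                               parts.path, parts.query, parts.fragment))
        return absolute                              # third-party host: leave absolute

    def emit_tag(self, tag, attrs, self_closing=False):
        pieces = [tag]
        for name, value in attrs:
            if value is None:
                pieces.append(name)
                continue
            if name in self.URL_ATTRS:
                value = self.map_url(value)
            pieces.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self.emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self.emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):         # text and <script> bodies pass through untouched
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_links(html, upstream=UPSTREAM, proxy=PROXY):
    """Parser-based rewrite: only same-origin URL attributes point at the proxy."""
    parser = LinkRewriter(upstream, proxy)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(naive_rewrite(SAMPLE_HTML))
    print(rewrite_links(SAMPLE_HTML))
```

Neither version survives the bank changing its page, which is the real fragility: a proxy that depends on matching a site's markup and navigation flow breaks the moment either changes, as the Westpac "Sign in to..." menu example above shows. The parser version at least fails by leaving a link alone rather than by emitting a malformed one.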



2483 posts | Uber Geek | Trusted
# 674280 19-Aug-2012 16:27

Kyanar: So, um, how long do you reckon before someone registers paywithpo1i.com and sends out "You've received a POLi payment request!" emails?  You'd get an awful lot of online banking logins.

  1. Consumers don't usually use POLi as a result of a direct payment request via email. However, there is a thing called POLi Link (which generates a poli.to/[ref] link) which can be implemented in such a fashion.
  2. I don't think most people associate with paywithpoli.com compared to, say, a bank's site.
  3. However, the fact that POLi can be associated with a browser session rather than a verifiable ClickOnce application means it can allow merchants (whether genuine or malicious) to link to a POLi-like website where details can be recorded (in essence, just another standard phishing site, but exploiting the POLi brand rather than the bank directly).





3107 posts | Uber Geek | Trusted | Subscriber
# 674358 19-Aug-2012 19:36

manhinli: Consumers don't usually use POLi as a result of a direct payment request via. email. However, there is a thing called POLi Link (which generates a poli.to/[ref] link) which can be implemented in such a fashion.

You know that, I know that.  My grandmother probably doesn't.  Your secretary probably doesn't.  They'll see an email "from the power company" saying "Please go here to pay your recent power bill.  We use POLi, so it's totally legit to enter your online banking login to our unfamiliar webpage!"  And POLi teaches that this is OK.


manhinli: I don't think most people associate with paywithpoli.com compared to say, a bank's site.

Sadly, I don't think this is going to make a difference.  The mere existence of this service, especially when they see links to pay with it from NZTA, Air NZ, etc, means that people are going to be conditioned to enter their online banking details on all kinds of unfamiliar sites because "the government said it was OK!"   I wonder what the cyber-crime unit would have to say if they paid any attention to it.

22625 posts | Uber Geek | Trusted | Subscriber
# 674362 19-Aug-2012 19:44

At the least Poli are violating the banks' copyright by accessing their content and modifying it and presenting it to people online.

I hope to see this shutdown and the people behind poli charged with whatever they can be. It is the worst idea ever for payment short of asking people to email their internet banking password.




Richard rich.ms

2483 posts | Uber Geek | Trusted
# 674419 20-Aug-2012 02:40

Kyanar: They'll see an email "from the power company" saying "Please go here to pay your recent power bill.  We use POLi, so it's totally legit to enter your online banking login to our unfamiliar webpage!"  And POLi teaches that this is OK.

The mere existence of this service, especially when they see links to pay with it from NZTA, Air NZ, etc, mean that people are going to be conditioned to enter their online banking details on all kinds of unfamiliar sites because "the government said it was OK!"

I see your point that it softens people up when facing [quasi-]phishing.



The so called "security reports" are definitely lacking, and in the release regarding Verisign's peek into the POLi 2 client (the .NET application) one finds that they did want us to look at something:
Please see the Supplementary Extracts section included at the end of this document, for more details of the findings reported.
... which even if you scroll into the never-ending abyss of black you will never find. Nor was it in the earliest copy I could find either.


Also interesting is that POLi/Centricom has never properly stated they have full approval by banks even though their frameworks (ActiveX at first, .NET client and a new browser-proxy based "Express") all in some manner manipulate a bank's internet banking site:
Is POLi™ approved by my bank?

The POLi™ service and the POLi™ Web Browser are brought to you by Centricom Pty Ltd, an independent provider of innovative web-based transaction services and software.

Centricom is not a bank, and does not necessarily have relationships with banks accessible via POLi™.

... and this quote which makes me think that they were certainly in it not because they wanted to help us poor consumers:
But Mr Warner said the online debit system could go ahead without bank approval. "There is going to be cannibalisation when you introduce a new payment type ... [but] we're actually able to do this without banks' participation."

... which I think disregards all manner of proper processes in relation to handling financial transactions. Simon Warner, referred to in that article, is no longer the CEO of Centricom Pty. Ltd. - Jeffery McAllister is.


Now if you head over to the Wikipedia article on Centricom, you'll find some great and poorly written segments as you'd expect from an article on good ol' Wiki. Not least of which:
A new version of POLi has been released in beta mode that is device agnostic and smart phone/tablet compatible.

The new version currently released in beta mode has been reviewed by Security Assessments.

... both of which handily leave out citations.

I'd like to know if the beta version referred to is the "Express" one I've been looking into or something else. I doubt any decent security expert would approve of a poorly handled, unofficial proxy funnelling people's banking credentials and data through a remote server without banks knowing.

Head over to the revision history and you'll find a couple of edits, one of which with quite a lot of text removed, by a "Jefferymca". I don't think I need to say more for you to connect the dots than to conclude that "Centricom" has already been banned before for being a user "mainly intended or used for promotional purposes of a company or group."





189 posts | Master Geek
# 674425 20-Aug-2012 08:03

That's a great analysis Manhinli! 
Regarding the comments on whether or not banks have had any official involvement, AirNZ further confirm that they don't in their FAQs (https://airnz.custhelp.com/app/answers/detail/a_id/2420):

Is internet banking (POLi) approved by my bank?
Answer:
The internet banking (POLi) service and web browser are provided by Centricom Pty Ltd, an independent provider of innovative web-based transaction services and software. Centricom is not a bank, and does not necessarily have relationships with banks accessible via internet banking (POLi).

In other words NO. A politician couldn't have avoided the question better! Kyanar's response from Westpac is still the most telling though. Perhaps we should ask more banks...



3107 posts | Uber Geek | Trusted | Subscriber
# 674452 20-Aug-2012 09:47

RmACK: That's a great analysis Manhinli! 
Regarding the comments on whether or not banks have had any official involvement, AirNZ further confirm that they don't in their FAQs (https://airnz.custhelp.com/app/answers/detail/a_id/2420):

Is internet banking (POLi) approved by my bank?
Answer:
The internet banking (POLi) service and web browser are provided by Centricom Pty Ltd, an independent provider of innovative web-based transaction services and software. Centricom is not a bank, and does not necessarily have relationships with banks accessible via internet banking (POLi).

In other words NO. A politician couldn't have avoided the question better! Kyanar's response from Westpac is still the most telling though. Perhaps we should ask more banks...


Just bear in mind that TSB is the exception.  They have an actual POLi payment page inside HomeBank (you only see it when using POLi though).

(Oh, forgot to add - the lines you quote are Centricom's official FAQ template).

1081 posts | Uber Geek
# 674542 20-Aug-2012 12:53

I received a fairly generic internet safety response from ASB, and for questions specific to PoLi I was referred to the Fastnet Helpdesk phone numbers.

I bought some Jetstar tickets on Friday, and was relieved to see that in addition to vouchers, credit card and PoLi, they still accept direct credit payments which I used. Despite the payment being ASB-ASB I still have not received confirmation of my booking...

1332 posts | Uber Geek | Inactive user
# 676254 24-Aug-2012 09:15

Interesting... ANZ's reply to this query:

"We support the Poli system as we have a direct relationship with them."

So apparently some banks do have a relationship with POLi. No mention on whether this contravenes their terms and conditions though, I imagine it technically might but reading it is so boring...

1332 posts | Uber Geek | Inactive user
# 676258 24-Aug-2012 09:20

Although there does not appear to be an out here.

I love this particular portion of their T&Cs. Amazing!

22625 posts | Uber Geek | Trusted | Subscriber
# 676273 24-Aug-2012 09:39

1080p: Although there does not appear to be an out here.

I love this particular portion of their T&Cs. Amazing!


So you just broke their terms and conditions? I guess by quoting you, I have as well now. Oops. Good thing I never agreed to them ;)





gzt | 10947 posts | Uber Geek
# 676343 24-Aug-2012 11:07

1080p: Interesting... ANZ's reply to this query: "We support the Poli system as we have a direct relationship with them."

Yes, that is interesting. The obvious question here is: what is the nature of this relationship?

2483 posts | Uber Geek | Trusted
# 676363 24-Aug-2012 11:48

gzt:
1080p: Interesting... ANZ's reply to this query: "We support the Poli system as we have a direct relationship with them."

Yes, that is interesting. The obvious question here is: what is the nature of this relationship?

Possibly because ANZ MoneyManager is pretty much also a screen-scraping system to aggregate account balances from any bank.

Maybe they're sharing the same ideas or technology in the background... The FAQ is quite soft on the issue of privacy, only reiterating that the service is secure.





3107 posts | Uber Geek | Trusted | Subscriber
# 676416 24-Aug-2012 13:59

manhinli:
gzt:
1080p: Interesting... ANZ's reply to this query: "We support the Poli system as we have a direct relationship with them."

Yes, that is interesting. The obvious question here is: what is the nature of this relationship?

Possibly because ANZ MoneyManager is pretty much also a screen-scraping system to aggregate account balances from any bank.

Maybe they're sharing the same ideas or technology in the background... The FAQ is quite soft on the issue of privacy, only reiterating that the service is secure.


ANZ MoneyManager is run by a company called Yodlee.
