Has anyone else ever used PoLi ???

Forums › Off topic › Has anyone else ever used PoLi ???

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12

866 posts

Ultimate Geek

# 735016 19-Dec-2012 16:03

echoflight:
myopinion: Our page is insecure that's right but does that matter? The information getting sent is only a dollar amount and a reference number?

In order to send you that $ amount POLi requires that I log in to my banking, I have to fill in my username, and my password - the form I am doing this on is hosted on POLi's website. This means that I am sending POLi my username and password. I am not saying that they store this information, or do anything unlawful with it - I am simply stating that I am sending my details to a third party with no affiliation with my bank.

Yes I agree it seems that way.

meesham

921 posts

Ultimate Geek

Subscriber

# 735019 19-Dec-2012 16:06

A bit off topic but a BPAY type system over here would be excellent. All the banks support it and you can pay from your cheque/savings account etc. I've only had to develop an app supporting it once but basically how it worked is we had to register the company with with BPAY to get a Biller Code, each biller can then generate a reference number for the payment, this reference number uses an algorithm based on a Luhn mod 10 to verify that it's correct when the user enters it.

ajobbins

Awesome
4859 posts

Uber Geek

Trusted

Subscriber

# 735021 19-Dec-2012 16:09

BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.

Until real time interbank payments are the norm, it wont work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lost of money to fix.

Twitter: ajobbins

ajobbins

Awesome
4859 posts

Uber Geek

Trusted

Subscriber

# 735022 19-Dec-2012 16:12

myopinion: Guys we use it our website. Here's a test link if you want to have a look at how it works. Don't complete the process though, unless you want to give me $! :)

http://www.hyspecs.co.nz//2012/december/test/

You guys are using the legacy POLi system that requires the software. The problem is more with the new version that actually masquerades as the banks website rather than just reverse proxying it with restrictions.

Twitter: ajobbins

myopinion

866 posts

Ultimate Geek

# 735024 19-Dec-2012 16:14

When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?

BlakJak

710 posts

Ultimate Geek

Trusted

# 735026 19-Dec-2012 16:22

ajobbins:
BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.

Until real time interbank payments are the norm, it wont work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lost of money to fix.

You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.

No signature to see here, move along...

jfanning

377 posts

Ultimate Geek

# 735027 19-Dec-2012 16:23

mattwnz:
jfanning:

Nothing like a late reply...

NZ didn't change the rules, Visa and Mastercard, and the Banks did

I don't believe that is the case. I believe credit card companies have always charged businesses a % fee of the transaction. Previously however I believe the CC companies prevented businesses charging extra for CC payments. This is why many businesses used to offer a discount for cash, which was essentially the same thing as cahrging more for CC payemnts. Just worded differently. But I believe changes to the laws now allow retailers to charge extra for cc payments. However there is requirement for business to charge more for CC transactions, it is purely their choice. They can instead chose to absorb them as part of their running costs.

According to the commerce commission, the law didn't change.

http://www.comcom.govt.nz/media-releases/detail/2010/commerce-commission-watching-retailers-credit-card-surcharges

ajobbins

Awesome
4859 posts

Uber Geek

Trusted

Subscriber

# 735030 19-Dec-2012 16:27

myopinion: When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?

I got the software pop up first, but when I hit cancel I then got the login. Looks like it tried the old system first, then reverts to the new one.

When I tried the warehouse site earlier, it just took me to the new POLi

Twitter: ajobbins

ajobbins

Awesome
4859 posts

Uber Geek

Trusted

Subscriber

# 735045 19-Dec-2012 16:38

Looking at the source code of the real westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">

Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and doing changes like that that don't affect the layout, but clearly show the source is different.

Twitter: ajobbins

boby55

1539 posts

Uber Geek

Trusted

# 735049 19-Dec-2012 16:43

If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com

ajobbins

Awesome
4859 posts

Uber Geek

Trusted

Subscriber

# 735052 19-Dec-2012 16:46

boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com

Going to that link directly just bring up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.

EDIT: If you start a payment with a merchant, then load the page, it works.

There is just no way that these guys aren't playing middle man here, which means that at some point they are 'collecting' your username and password. They might not be storing it in a database table - but it's sitting in their servers memory at some point - and there certainly is no guarantees of what they are doing.

Twitter: ajobbins

boby55

1539 posts

Uber Geek

Trusted

# 735059 19-Dec-2012 16:51

ajobbins:
boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com

Going to that link directly just bring up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.

It must have some sort of cookie that allows you to the site as now that I've clicked BNZ it allows me to go to both

The kiwibank one and BNZ (https://nz00200.apac.paywithpoli.com/)

boby55

1539 posts

Uber Geek

Trusted

# 735060 19-Dec-2012 16:53

By the looks of things they have mirrored the entire site?
As shown below.

sbiddle

28369 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Lifetime subscriber

# 735062 19-Dec-2012 16:57

bagheera:

Of course, the more automated it can be, the less human interaction is required, making the whole thing cheaper, I suppose POLi is meant to provide for both this level of automation,and also some assurance on the part of the receiver that the transaction has actually taken place, without waiting for 'overnight transactions'... so all we need is for the banks to start talking to eachother in realtime instead of simply nightly?

it at least 5 time a day now days, not over night.

http://www.stuff.co.nz/business/money/6688633/Bank-to-bank-fund-transfers-speed-up

Fund being transferred between banks, and finds appearing in your account aren't the same thing.

With ANZ moving to Systematics the realtime functionality that did exist for the last few months has now gone, hence the news stories about beneficaries now complaining that they don't get their payments until the promised date, rather than the evening before which had been occuring.

sleemanj

1288 posts

Uber Geek

# 735063 19-Dec-2012 16:57

boby55: By the looks of things they have mirrored the entire site?
As shown below.

Cookies: See the posts on page 2/3, in short, as long as you keep their cookie, you can use their proxy to visit the sites.

Mirroring: They are proxying (and sniffing, modifying...), not actually mirroring (probably). The HTML differences noted by a poster above will most likely IMHO be simply down to a htmlFromBank-read-ParseToDOM-modify-deparse-write-htmlToYou cycle where the read and write operations are not symmetric simply by nature.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12