Geekzone: technology news, blogs, forums
myopinion
938 posts

Ultimate Geek


  #735016 19-Dec-2012 16:03

echoflight:
myopinion: Our page is insecure that's right but does that matter? The information getting sent is only a dollar amount and a reference number?


In order to send you that $ amount POLi requires that I log in to my banking, I have to fill in my username, and my password - the form I am doing this on is hosted on POLi's website. This means that I am sending POLi my username and password. I am not saying that they store this information, or do anything unlawful with it - I am simply stating that I am sending my details to a third party with no affiliation with my bank.


Yes I agree it seems that way.



meesham
973 posts

Ultimate Geek


  #735019 19-Dec-2012 16:06

A bit off topic but a BPAY type system over here would be excellent. All the banks support it and you can pay from your cheque/savings account etc. I've only had to develop an app supporting it once but basically how it worked is we had to register the company with BPAY to get a Biller Code, each biller can then generate a reference number for the payment, this reference number uses an algorithm based on a Luhn mod 10 to verify that it's correct when the user enters it.
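The check-digit scheme mentioned in the post above, as an added example that is not part of the original thread: it implements plain Luhn mod 10 (an assumption, since the post only says the algorithm is "based on" it), with constructed sample numbers, and shows that the check catches typing errors but says nothing about who issued the number.

```python
def luhn_check_digit(payload: str) -> str:
    """Return the Luhn mod 10 check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; the rightmost payload digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def make_reference(payload: str) -> str:
    """Biller side: append the check digit to a payload of the biller's choosing."""
    return payload + luhn_check_digit(payload)


def is_valid(reference: str) -> bool:
    """Entry-form side: reject anything whose last digit does not match."""
    if not (reference.isascii() and reference.isdigit() and len(reference) > 1):
        return False
    return luhn_check_digit(reference[:-1]) == reference[-1]


if __name__ == "__main__":
    ref = make_reference("7992739871")       # constructed sample payload
    print(ref, is_valid(ref))                # well-formed reference
    print(is_valid("79927398813"))           # one mistyped digit: caught
    print(is_valid("79927389713"))           # adjacent digits swapped: caught
    # Known blind spot: swapping an adjacent 0 and 9 is not detected.
    print(make_reference("1090"), is_valid("19000"))
    # Anyone can compute a valid check digit, so this is error detection,
    # not proof that the biller generated the number.
```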

ajobbins
5052 posts

Uber Geek

Trusted

  #735021 19-Dec-2012 16:09

BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.


Until real time interbank payments are the norm, it won't work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lot of money to fix.




Twitter: ajobbins




ajobbins
5052 posts

Uber Geek

Trusted

  #735022 19-Dec-2012 16:12

myopinion: Guys we use it on our website. Here's a test link if you want to have a look at how it works. Don't complete the process though, unless you want to give me $! :)

http://www.hyspecs.co.nz//2012/december/test/


You guys are using the legacy POLi system that requires the software. The problem is more with the new version that actually masquerades as the bank's website rather than just reverse proxying it with restrictions.




Twitter: ajobbins


myopinion
938 posts

Ultimate Geek


  #735024 19-Dec-2012 16:14

When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?

BlakJak
1249 posts

Uber Geek

Trusted

  #735026 19-Dec-2012 16:22

ajobbins:
BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.


Until real time interbank payments are the norm, it won't work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lot of money to fix.


You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.




No signature to see here, move along...

jfanning
438 posts

Ultimate Geek


  #735027 19-Dec-2012 16:23

mattwnz:
jfanning: 

Nothing like a late reply...

NZ didn't change the rules, Visa and Mastercard, and the Banks did


I don't believe that is the case. I believe credit card companies have always charged businesses a % fee of the transaction. Previously however I believe the CC companies prevented businesses charging extra for CC payments. This is why many businesses used to offer a discount for cash, which was essentially the same thing as charging more for CC payments. Just worded differently. But I believe changes to the laws now allow retailers to charge extra for CC payments. However there is requirement for business to charge more for CC transactions, it is purely their choice. They can instead choose to absorb them as part of their running costs.


According to the Commerce Commission, the law didn't change.

http://www.comcom.govt.nz/media-releases/detail/2010/commerce-commission-watching-retailers-credit-card-surcharges

 
 
 
 

ajobbins
5052 posts

Uber Geek

Trusted

  #735030 19-Dec-2012 16:27

myopinion: When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?


I got the software pop up first, but when I hit cancel I then got the login. Looks like it tried the old system first, then reverts to the new one.



When I tried The Warehouse site earlier, it just took me to the new POLi.




Twitter: ajobbins


ajobbins
5052 posts

Uber Geek

Trusted

  #735045 19-Dec-2012 16:38

Looking at the source code of the real Westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">


Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and doing changes like that that don't affect the layout, but clearly show the source is different.




Twitter: ajobbins


boby55
1539 posts

Uber Geek

Trusted

  #735049 19-Dec-2012 16:43

If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com

ajobbins
5052 posts

Uber Geek

Trusted

  #735052 19-Dec-2012 16:46

boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com


Going to that link directly just brings up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.

EDIT: If you start a payment with a merchant, then load the page, it works.

There is just no way that these guys aren't playing middle man here, which means that at some point they are 'collecting' your username and password. They might not be storing it in a database table - but it's sitting in their servers' memory at some point - and there certainly are no guarantees of what they are doing.




Twitter: ajobbins


boby55
1539 posts

Uber Geek

Trusted

  #735059 19-Dec-2012 16:51

ajobbins:
boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com


Going to that link directly just brings up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.


It must have some sort of cookie that allows you to the site as now that I've clicked BNZ it allows me to go to both the Kiwibank one and BNZ (https://nz00200.apac.paywithpoli.com/)

boby55
1539 posts

Uber Geek

Trusted

  #735060 19-Dec-2012 16:53

By the looks of things they have mirrored the entire site?
As shown below.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #735062 19-Dec-2012 16:57

bagheera:


Of course, the more automated it can be, the less human interaction is required, making the whole thing cheaper, I suppose POLi is meant to provide for both this level of automation, and also some assurance on the part of the receiver that the transaction has actually taken place, without waiting for 'overnight transactions'... so all we need is for the banks to start talking to each other in realtime instead of simply nightly?



It's at least 5 times a day nowadays, not overnight.

http://www.stuff.co.nz/business/money/6688633/Bank-to-bank-fund-transfers-speed-up


Funds being transferred between banks, and funds appearing in your account, aren't the same thing.

With ANZ moving to Systematics the realtime functionality that did exist for the last few months has now gone, hence the news stories about beneficiaries now complaining that they don't get their payments until the promised date, rather than the evening before which had been occurring.

sleemanj
1490 posts

Uber Geek


  #735063 19-Dec-2012 16:57

boby55: By the looks of things they have mirrored the entire site?
As shown below.



Cookies: See the posts on page 2/3, in short, as long as you keep their cookie, you can use their proxy to visit the sites.

Mirroring: They are proxying (and sniffing, modifying...), not actually mirroring (probably).  The HTML differences noted by a poster above will most likely IMHO be simply down to a htmlFromBank-read-ParseToDOM-modify-deparse-write-htmlToYou cycle where the read and write operations are not symmetric simply by nature.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
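The read, parse, modify, write cycle described in the post above, as an added example that is not part of the original thread: it uses the two logo tags quoted earlier, Python's standard `html.parser` as a stand-in for whatever parser an intermediary uses (an assumption), and a constructed `CHANGED_TAG`, to separate differences that come from re-serialization alone from differences in the content itself.

```python
from html import escape
from html.parser import HTMLParser

# The two logo tags quoted earlier in the thread.
BANK_TAG = '<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />'
POLI_TAG = '<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">'
# Constructed sample: the same tag with one attribute value actually changed.
CHANGED_TAG = POLI_TAG.replace("westpac-logo.png", "other-logo.png")


class _Elements(HTMLParser):
    """Collect (tag, attrs) per element; the source spelling is not retained."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):  # also called for '<x ... />'
        self.elements.append((tag, attrs))


def parse(html):
    parser = _Elements()
    parser.feed(html)
    parser.close()
    return parser.elements


def reserialize(html):
    """Parse then write back out: attribute order kept, '/>' and spacing lost."""
    out = []
    for tag, attrs in parse(html):
        parts = [k if v is None else '%s="%s"' % (k, escape(v)) for k, v in attrs]
        out.append("<" + " ".join([tag] + parts) + ">")
    return "".join(out)


def classify(original, served):
    """Compare elements and attributes only (text nodes are ignored in this sketch)."""
    if original == served:
        return "identical"
    canon = lambda h: [(t, sorted(a, key=lambda kv: kv[0])) for t, a in parse(h)]
    return "serialization-only" if canon(original) == canon(served) else "content-changed"


if __name__ == "__main__":
    print(reserialize(BANK_TAG))  # the ' /' is gone after one round trip
    print(classify(BANK_TAG, POLI_TAG), classify(BANK_TAG, CHANGED_TAG))
```

A byte-level diff flags both `POLI_TAG` and `CHANGED_TAG` as different from the bank's markup; only the comparison after parsing shows that the first differs in spelling alone.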

