Geekzone: technology news, blogs, forums
866 posts

Ultimate Geek


  # 735016 19-Dec-2012 16:03

echoflight:
myopinion: Our page is insecure that's right but does that matter? The information getting sent is only a dollar amount and a reference number?


In order to send you that $ amount POLi requires that I log in to my banking, I have to fill in my username, and my password - the form I am doing this on is hosted on POLi's website. This means that I am sending POLi my username and password. I am not saying that they store this information, or do anything unlawful with it - I am simply stating that I am sending my details to a third party with no affiliation with my bank.


Yes I agree it seems that way.

921 posts

Ultimate Geek

Subscriber

  # 735019 19-Dec-2012 16:06

A bit off topic but a BPAY type system over here would be excellent. All the banks support it and you can pay from your cheque/savings account etc. I've only had to develop an app supporting it once but basically how it worked is we had to register the company with with BPAY to get a Biller Code, each biller can then generate a reference number for the payment, this reference number uses an algorithm based on a Luhn mod 10 to verify that it's correct when the user enters it.
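The Luhn mod 10 check mentioned above, as an added example (not BPAY's or the poster's own code): the biller appends a check digit when generating a reference number, and the merchant re-runs the same calculation on what the customer typed. BPAY's exact reference scheme is an assumption here; the post only says it is "based on a Luhn mod 10".

```python
def luhn_checksum(digits: str) -> int:
    """Luhn sum of a digit string, mod 10. Walk right to left and double
    every second digit starting with the one left of the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # positions 1, 3, 5, ... from the right are doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_check_digit(payload: str) -> str:
    """Check digit to append to `payload` so the full number passes Luhn."""
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    # Appending a placeholder 0 puts every payload digit in its final position;
    # the result then says how far the sum is from the next multiple of 10.
    return str((10 - luhn_checksum(payload + "0")) % 10)


def generate_reference(payload: str) -> str:
    """Biller side: payload digits plus Luhn check digit (BPAY-style CRN, assumed)."""
    return payload + luhn_check_digit(payload)


def is_valid_reference(reference: str) -> bool:
    """Merchant side: validate a user-entered reference. Rejects non-digit
    input rather than raising, since this is the untrusted-input path."""
    if not reference.isdigit() or len(reference) < 2:
        return False
    return luhn_checksum(reference) == 0


if __name__ == "__main__":
    ref = generate_reference("1234")          # constructed sample payload
    print(ref, is_valid_reference(ref))       # 12344 True
    print(is_valid_reference("12354"))        # single-digit typo -> False
    print(is_valid_reference("12434"))        # adjacent transposition -> False
```

Luhn catches every single-digit error and every adjacent transposition except 09/90, which is why it is a fit for numbers that customers key in by hand.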



Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735021 19-Dec-2012 16:09

BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.


Until real time interbank payments are the norm, it won't work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lot of money to fix.




Twitter: ajobbins


Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735022 19-Dec-2012 16:12

myopinion: Guys, we use it on our website. Here's a test link if you want to have a look at how it works. Don't complete the process though, unless you want to give me $! :)

http://www.hyspecs.co.nz//2012/december/test/


You guys are using the legacy POLi system that requires the software. The problem is more with the new version that actually masquerades as the banks website rather than just reverse proxying it with restrictions.




Twitter: ajobbins


866 posts

Ultimate Geek


  # 735024 19-Dec-2012 16:14

When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?

710 posts

Ultimate Geek

Trusted

  # 735026 19-Dec-2012 16:22

ajobbins:
BlakJak: With IP links now carrying most inter-bank transactions I don't see this as being difficult. 10 or 15 years ago when mutual dialup type tech was possibly involved, perhaps the story was different.


Until real time interbank payments are the norm, it won't work. For things like airline tickets, they need to verify a valid payment immediately in order to secure the ticket. Waiting a few hours or until the next day is too long.

Real time inter-bank payments are probably 5-10 years away. We still don't have proper same day interchange.

There are a lot of legacy systems in the banks not designed for real time, and these take a long time and cost a lot of money to fix.


You're absolutely right. I guess my main point is that real-time should be doable, and it's gotta be better than this crummy POLi thing.




No signature to see here, move along...

377 posts

Ultimate Geek


  # 735027 19-Dec-2012 16:23

mattwnz:
jfanning: 

Nothing like a late reply...

NZ didn't change the rules, Visa and Mastercard, and the Banks did


I don't believe that is the case. I believe credit card companies have always charged businesses a % fee of the transaction. Previously however I believe the CC companies prevented businesses charging extra for CC payments. This is why many businesses used to offer a discount for cash, which was essentially the same thing as charging more for CC payments. Just worded differently. But I believe changes to the laws now allow retailers to charge extra for CC payments. However there is no requirement for business to charge more for CC transactions, it is purely their choice. They can instead choose to absorb them as part of their running costs.


According to the commerce commission, the law didn't change.

http://www.comcom.govt.nz/media-releases/detail/2010/commerce-commission-watching-retailers-credit-card-surcharges



Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735030 19-Dec-2012 16:27

myopinion: When I try to process it with my Mac it seems to be using the new system and is in the browser (Safari) as posted earlier. What were you using to test it?


I got the software pop up first, but when I hit cancel I then got the login. Looks like it tried the old system first, then reverts to the new one.



When I tried the warehouse site earlier, it just took me to the new POLi




Twitter: ajobbins


Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735045 19-Dec-2012 16:38

Looking at the source code of the real westpac IB login and the POLi version, there is lots of similar source code, but differences too. They are obviously hosting the page themselves.

Some subtle differences too. Eg.

Real Westpac site logo HTML:

<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />

POLi HTML:

<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">


Same parameters, different order (and no closing / on the POLi code). Have to wonder if maybe Westpac is doing some testing and doing changes like that that don't affect the layout, but clearly show the source is different.




Twitter: ajobbins


1539 posts

Uber Geek

Trusted

  # 735049 19-Dec-2012 16:43

If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com

Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 735052 19-Dec-2012 16:46

boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com


Going to that link directly just brings up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.

EDIT: If you start a payment with a merchant, then load the page, it works.

There is just no way that these guys aren't playing middle man here, which means that at some point they are 'collecting' your username and password. They might not be storing it in a database table - but it's sitting in their server's memory at some point - and there certainly are no guarantees of what they are doing.




Twitter: ajobbins


1539 posts

Uber Geek

Trusted

  # 735059 19-Dec-2012 16:51

ajobbins:
boby55: If you're after the Spoofed login page here is the Kiwibank one

https://nz00300.apac.paywithpoli.com


Going to that link directly just brings up a page saying:

You seem to have cookies disabled in your browser. Please enable cookies and start the transaction again.


It must have some sort of cookie that allows you into the site, as now that I've clicked BNZ it allows me to go to both

The kiwibank one and BNZ (https://nz00200.apac.paywithpoli.com/) 

1539 posts

Uber Geek

Trusted

  # 735060 19-Dec-2012 16:53

By the looks of things they have mirrored the entire site?
As shown below.


28369 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 735062 19-Dec-2012 16:57

bagheera:


Of course, the more automated it can be, the less human interaction is required, making the whole thing cheaper. I suppose POLi is meant to provide for both this level of automation, and also some assurance on the part of the receiver that the transaction has actually taken place, without waiting for 'overnight transactions'... so all we need is for the banks to start talking to each other in realtime instead of simply nightly?



It's at least 5 times a day nowadays, not overnight.

http://www.stuff.co.nz/business/money/6688633/Bank-to-bank-fund-transfers-speed-up


Funds being transferred between banks, and funds appearing in your account, aren't the same thing.

With ANZ moving to Systematics the realtime functionality that did exist for the last few months has now gone, hence the news stories about beneficiaries now complaining that they don't get their payments until the promised date, rather than the evening before which had been occurring.

1288 posts

Uber Geek


  # 735063 19-Dec-2012 16:57

boby55: By the looks of things they have mirrored the entire site?
As shown below.



Cookies: See the posts on page 2/3, in short, as long as you keep their cookie, you can use their proxy to visit the sites.

Mirroring: They are proxying (and sniffing, modifying...), not actually mirroring (probably).  The HTML differences noted by a poster above will most likely IMHO be simply down to a htmlFromBank-read-ParseToDOM-modify-deparse-write-htmlToYou cycle where the read and write operations are not symmetric simply by nature.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
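The parse-modify-reserialise cycle described in the post above, and the attribute-order and missing-slash differences ajobbins noted on the Westpac logo tag, as an added example (not code from the thread, POLi or any bank): canonicalising both serialisations shows they are the same DOM, while a constructed form tag with a changed `action` is flagged as a real content difference. The form tags and their URLs are constructed samples, not values from the page.

```python
# Added example: separate serialisation artefacts (attribute order, dropped
# XHTML "/") from content changes when comparing a bank's login page with a
# proxied copy. Standard library only.
from html.parser import HTMLParser

# The two logo tags quoted in the thread (real Westpac page vs POLi-served page).
WESTPAC_TAG = '<img src="images/westpac-logo.png" height="90" width="140" align="left" alt="Westpac" />'
POLI_TAG = '<img width="140" height="90" align="left" alt="Westpac" src="images/westpac-logo.png">'
# Constructed samples: the kind of change that would matter, a form posting elsewhere.
ORIGINAL_FORM = '<form action="https://bank.example/login" method="post">'
TAMPERED_FORM = '<form method="post" action="https://example.invalid/collect">'


class Canonicaliser(HTMLParser):
    """Re-emit start tags with attributes sorted by name and no self-closing
    slash, so any two serialisations of the same DOM compare equal."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        attr_text = " ".join(f'{k}="{v or ""}"' for k, v in sorted(attrs))
        self.parts.append(f"<{tag} {attr_text}>" if attr_text else f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img ... />" becomes "<img ...>"

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if data.strip():
            self.parts.append(data.strip())


def canonical(html: str) -> str:
    p = Canonicaliser()
    p.feed(html)
    p.close()
    return "".join(p.parts)


def classify_difference(original: str, served: str) -> str:
    """'identical' if the bytes match, 'cosmetic' if only the serialisation
    differs, 'content' if attributes, values or structure actually changed."""
    if original == served:
        return "identical"
    return "cosmetic" if canonical(original) == canonical(served) else "content"
```

Run over whole pages rather than single tags, `classify_difference` returning "content" is the signal worth inspecting; "cosmetic" alone is exactly what a read-parse-modify-write proxy produces even when it changes nothing you care about.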

