About a minute later I also thought "Hey... I could hack that, really easily" (not that I would).
I went through all the steps required, one by one, and have decided that yes, it is definitely vulnerable, and that I could demonstrate the exploit if required and generate a valid payment very easily, without requiring the theft of any private data or any physical equipment. With the right knowledge, many would be able to do so within a few minutes, without outlaying any cash.
As soon as I discovered the flaw, a friend gave me the details for Pago's GM, whom I have spoken to over the phone and described the flaw to, and who assures me that their development and security team will be looking into this.
By the way, if you are struggling for a fix, I have a couple of ideas; you have my number, so feel free to call anytime...
After signing up for Pago, it says I MUST have my Pago account name EXACTLY matching my bank account name. My bank account name is my initials, but the Pago account requires the full name. If I follow their instructions, I theoretically can't sign up...
Comment by freitasm, on 27-Nov-2006 14:21
This is so flawed... I was just reading the FAQ about payments (http://www.pago.co.nz/payments.asp) and noticed that you have a single authentication form in the whole process: your mobile phone.
Being backed by a bank, the system should require at least two-factor authentication. Users should be able to create a PIN and be required to enter this PIN as part of a transaction.
This way, if someone stole your mobile or spoofed your MSISDN, the system would still be able to block the transaction by checking the PIN in each transaction.
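As an illustration of the second factor freitasm proposes above, here is an added example (not Pago's code and not part of the original post or comment) of a server-side check that accepts a mobile-originated payment only when the sender's MSISDN is registered and the message carries that account's PIN. The SMS syntax, the in-memory account table, the PIN length and the three-strike lockout are assumptions made for the example; a spoofed MSISDN without the PIN, or a message that omits the PIN, is refused rather than falling back to MSISDN-only trust.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumed policy for this example (not Pago's): lock after 3 wrong PINs.
MAX_FAILURES = 3
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    msisdn: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, stretched hash so a leaked table does not leak PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def register(msisdn: str, pin: str) -> Account:
    if not re.fullmatch(r"\d{4,6}", pin):
        raise ValueError("PIN must be 4 to 6 digits")
    salt = os.urandom(16)
    return Account(msisdn=msisdn, salt=salt, pin_hash=hash_pin(pin, salt))


# Assumed SMS syntax for the example: "PAY <amount> TO <msisdn> PIN <pin>"
MSG_RE = re.compile(
    r"PAY\s+(\d+(?:\.\d{1,2})?)\s+TO\s+(\+?\d{6,15})\s+PIN\s+(\d{4,6})$", re.I
)


def authorise(accounts: dict, sender_msisdn: str, text: str) -> tuple:
    """Return (accepted, reason). sender_msisdn is what the SMS gateway reports,
    i.e. the first factor, which an attacker may be able to spoof."""
    acct = accounts.get(sender_msisdn)
    if acct is None:
        return False, "unregistered MSISDN"
    if acct.locked:
        return False, "account locked"
    m = MSG_RE.fullmatch(text.strip())
    if not m:
        # No PIN, no payment: never degrade to MSISDN-only authentication.
        return False, "malformed message or missing PIN"
    amount, payee, pin = m.groups()
    if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False, "wrong PIN"
    acct.failures = 0
    return True, f"pay {amount} to {payee}"


if __name__ == "__main__":
    # Constructed sample data: one registered subscriber.
    accounts = {"+6421000001": register("+6421000001", "4321")}
    print(authorise(accounts, "+6421000001", "PAY 20.00 TO 0211234567 PIN 4321"))
    print(authorise(accounts, "+6421000001", "PAY 20.00 TO 0211234567"))
    print(authorise(accounts, "+6421000002", "PAY 20.00 TO 0211234567 PIN 4321"))
```

A real deployment would persist the failure counter and the lockout, so that an attacker cannot reset them by resending from a different gateway, and would confirm high-value payments out of band rather than relying on the SMS alone.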
Comment by sbiddle, on 27-Nov-2006 15:33
I'm just trying to sign up now and finding it frustrating.
"Your name (together with any title) exactly as it appears on your bank statement, e.g. Ms P J Smith"
So I enter: S J Biddle
"Sorry, your bank account name and the name you gave us in the Personal Details screen must match exactly (including any middle name or initial). If you would like to edit your name details in the Personal Details screen please click on the 'Back' button"
Argh! So you can't enter your full name in the personal details because my bank statement doesn't have my full name on it!
Comment by sbiddle, on 27-Nov-2006 15:38
And now this for the security question:
"Dad's middle name and how many brothers and sisters does he have?"
So I enter xxxxx2 (a 5-character name and the number 2)
to be told:
"The answer for your security question must contain at least 6 letters and at least 2 numeric characters. Please try again. The confirm your security answer must contain at least 6 letters and at least 2 numeric characters. Please try again."
This is really annoying me - I can't even sign up!
Comment by sbiddle, on 27-Nov-2006 15:44
And now I can't transfer any money. Following their instructions:
1. Login to ANZ's internet banking
2. Go to Pay Anyone
3. Click on Update My Pay Anyone Payee List
4. Click on Add a new payee
5. Enter Payee Description: PagoWallet
6. Enter Account Number: 12-3456-0900123-022
7. Enter Account Name: Pago Limited
8. Click Submit
I get an ANZ internet banking error:
"The bank account number you have entered should only have a 2 digit suffix, please recheck the account number with your Payee and enter a 2 digit suffix."
Comment by chiefie, on 27-Nov-2006 16:37
The suffix in the past is 2 digits, but some banks use 3 digits. So just remove the first digit (normally a zero) and you should be fine. I haven't tried registering this, and it looks like I will avoid it for a while, even though I'm an ASB customer.
Comment by sbiddle, on 27-Nov-2006 17:05
My copy/paste didn't work too well, the -0227. should be -022 7.
I know the 0 should be removed, but the simple fact is many people don't know that. They are trying to give bank-specific instructions on this page http://www.pago.co.nz/payments_topping_up.asp (the image map has at least been fixed now; that was broken as well), but they should be sending the same instructions when you select ANZ as your initial bank.
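An added example (not Pago's or ANZ's code, and not part of the comments above) of the suffix fix chiefie and sbiddle discuss: NZ account numbers are written bank-branch-account-suffix, some banks print a 3-digit suffix, and ANZ's payee form rejects anything but 2 digits. Dropping the leading suffix digit is only safe when that digit is a zero; the helper below refuses any other case rather than silently redirecting the payment. The 2-4-7 digit layout of the first three fields is an assumption taken from the number quoted in the comment.

```python
import re

# bank(2)-branch(4)-account(7)-suffix(2 or 3), as in 12-3456-0900123-022.
# Field widths are assumed from the account number quoted in the comment.
ACCOUNT_RE = re.compile(r"(\d{2})-(\d{4})-(\d{7})-(\d{2,3})")


def normalise_suffix(account: str, suffix_digits: int = 2) -> str:
    """Rewrite the suffix to suffix_digits digits, or raise if that would
    change which account the money goes to."""
    m = ACCOUNT_RE.fullmatch(account.strip())
    if not m:
        raise ValueError(f"not a bank-branch-account-suffix number: {account!r}")
    bank, branch, acct, suffix = m.groups()
    if len(suffix) > suffix_digits:
        extra = suffix[: len(suffix) - suffix_digits]
        if extra.strip("0"):
            # A non-zero leading digit is part of the suffix; truncating it
            # would send the payment to a different account.
            raise ValueError(f"suffix {suffix} cannot be shortened to {suffix_digits} digits")
        suffix = suffix[len(suffix) - suffix_digits:]
    else:
        # Pad the other way for a bank that insists on three digits.
        suffix = suffix.zfill(suffix_digits)
    return f"{bank}-{branch}-{acct}-{suffix}"


if __name__ == "__main__":
    print(normalise_suffix("12-3456-0900123-022"))      # ANZ-style 2-digit suffix
    print(normalise_suffix("12-3456-0900123-22", 3))    # back to a 3-digit suffix
```

The garbled "-0227." from the earlier copy/paste is rejected outright by the pattern, which is the behaviour you want in a payee form: an unparseable number should never be quietly "fixed".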
Comment by taniwha, on 27-Nov-2006 17:48
So... Tony blogs that the system is easily hacked, and you all rush to sign up? You're all mad!
Comment by freitasm, on 27-Nov-2006 18:01
Comment by juha, on 27-Nov-2006 19:23
We all want to pwn Teh Tony Pago!