~bohwaz/blog/

Avec de vrais morceaux de 2.0 !

POLi Payments: probably the worst idea for online payments, security-wise

You are ordering something online, like a new TV, on an online store, or maybe you are ordering an airplane ticket on Air New Zealand. You complete your order, then comes the time to pay. You can't find your credit card which must be in your tuesday pants, which are buried under two weeks worth of dirty clothes in a corner of your bedroom. Or you don't want to pay the credit card surcharge charged by Air NZ. So on the payment webpage you spot this intriguing payment option: Internet Bank Payment.

This looks like a safe thing, practical and all, when you click on help, Air NZ assures you[archive] that this is a legit thing, and "you can use to safely pay for your flights directly from your bank account". Seems nice, why not try it. You don't know what this "POLi" thing is, but if it says it's safe, why not? It even tells you that "at no time are your personal banking login details disclosed to Air New Zealand or POLi". Sounds great. Let's do it!

First you have to chose your bank in a dropdown menu, fill a captcha code. If there is a captcha it must be secure. You click next and a nice popup show in the page, asking you... your online banking credentials. Oh. Wait. Didn't I read on every email and letter ever sent by my bank that I should never disclose my online banking credentials to anyone?

OK. This is where you should be stopping and never entering your banking details in that form and never trust POLi Payments. And you will see why.

So, what is POLi Payments[archive]? It is a private company, a subsidiary of Australia Post, that provides a "payment solution" for merchants so that Australian and New Zealanders customers can pay an order via their own bank account. You must think that this is a very serious business, and that they should have agreements with all the australian and NZ banks, and that they must be using some kind of banking API or back-end to make transactions.

Well, you are wrong. POLi Payments don't have agreements with the banks. They don't use a secure API or anything like that.

Do you remember the scam and phishing websites your bank tells you about? That you should be careful of not entering your banking details on any website other than the one of your bank? Well they work by doing something simple: they build a fake website asking your credentials, then they collect them, store them and use them to connect to your banks website and do fraudulent transactions.

And what does POLi exactly? They ask for your banking credentials, they collect them and use them to connect to your banks website and do a "legitimate" transaction, in fact they just do a wire transfer. Yup, pretty similar stuff.

The only difference is that POLi is supposed to be a legitimate business, and they tell you that it's really secure. OK, then would you write down on a paper your banking login and password to give to the cashier at the supermarket so that he could make a transfer to the supermarket account to pay for your groceries? Yes, probably not. Even if he assured you that he would destroy the paper after the transfer, you couldn't see him destroy it. This seems a bit unsafe no? Well, it's the same thing that POLi is doing. Yes. They are in fact doing a man-in-the-middle attack on your bank website, there is no other word for it.

Remember when the Air NZ website said: "at no time are your personal banking login details disclosed to Air New Zealand or POLi"? Well, obviously when you are entering your banking login details on the POLi pop-up, you are disclosing them! Even if they claim that they "do not capture or store usernames or passwords" (POLi Security overview[archive]), your login and password is transmitted to the POLi servers, stored in memory and transmitted to your banks website. Because POLi is in fact only a sophisticated "proxy" that navigates on the website of your bank with their servers.

This so-called "payment solution" is definitely misleading and a major security risk should you disclose your banking credentials to them. And I bet they get a number of credentials and transactions done as they seem to be doing everything to tell that they are really safe and secure and they are in fact just a proxy server, like Opera Mini. Which is true, but this is not really reassuring. And one of the many problems of POLi is the fact that they are using an iframe embedded in the merchant website. This means that even though you are disclosing your banking credentials on the POLi website, the fact that it is inside the merchants website means that the merchants website could access your banking credentials when you are entering them in the POLi frame, or even it could maybe exploit a security flaw in POLi proxy service and do other actions or transactions on your online banking using the POLi proxy server. And did you think about other resources used on the merchants website? Like for example a script for analytics, or an external javascript library sideloaded from another website, or ads. They all may access your banking credentials through the POLi frame as well.

The fact that the embedded frame displays a Comodo logo and a padlock is even more misleading, as it suggests that the frame is served over HTTPS, which you have no way of knowing for sure.

And it doesn't stop here, as POLi is using the access to your online banking to collect informations on your bank account, including past transactions or account balances, as it is written in their privacy policy[archive]:

We may also collect your financial information including bank account balances, bank account payment limits, a record of your previous banking transactions and information about your internet banking sessions.

Worse, their terms and conditions[archive] are deliberately wrong:

Your account access information such as usernames and passwords are not captured or stored by POLi™ or by our website.

And it is repeated on the FAQ of Air New Zealand[archive]:

During the course of your payment, Air New Zealand and POLi never have access to your internet banking identifier or password

This is blatantly false, as you can see when you check the requests made from the POLi frame, your login and password are in fact sent to the POLi server:

Not only their service is a terribly bad idea to begin with, but their own terms and conditions don't reflect the reality of what their service is actually doing.

So there is a lot of problems with POLi and in my opinion no one should use it. Why?

  • You should never enter your banking login or password on any other site that the one of your bank. NEVER.
  • You would have to trust POLi that they don't keep your credentials.
  • POLi is not a bank, not a secure payment solution, and doesn't have to comply to any security guidelines or external audit. So you can't really trust their servers to be secure and not compromised.
  • POLi doesn't have agreements with the banks and most banks advise against using it.
  • The merchant has potential access to your banking credentials. And even if the merchant website was safe, merchants websites are not immune to XSS attacks, and what about their advertisers, analytics or dozens of othen external resources? There is no way to analyze and check that everything in the chain is and will stay secure.
  • POLi collect details about your banking transaction history and account balance. This should stay private.
  • It potentially breaches your bank terms and conditions.

So: don't use POLi. Ever. And I'm not the only one saying it[archive]. No, really[archive].

And merchants shouldn't use it either as it just shows how bad they are at understanding the safety of their customers. If they accepted to use POLi as a payment option, you should really be worried as how they store and process other private informations. In the case of AirNZ I am really worried as they seem to process credit card numbers themselves. I do not want to know how they store them!

If you are not convinced check out what the banks are thinking below. I don't know why the POLi servers are not blocked by the banks, but it is clear that they don't like this idea:

KiwiBank (NZ)[archive]
We advise against using POLiPayments as it invalidates our internet banking guarantee & is not secure.

KiwiBank (NZ)[archive]
Providing your details through a third party is against terms and conditions and we very much advise against it.

Commonwealth (AU)[archive]
The Commonwealth Bank does not have any working agreement with POLi Payments. The Bank urges customers making online payments to do so via the Bank’s own NetBank site, which guarantees the customer’s security.

ASB (NZ)[archive]
we recommend that you do not use the POLi payment service due to the security risks involved

ASB (NZ)[archive]
Using POLi or Account2Account’s payment system requires users to input their username and password to a third party which breaches ASB FastNet Classic’s Terms and Conditions.

Westpac (AU)[archive]
POLI is not supported by the bank. If making online pymts, should do so via bank's own site which guarantees customer's security

ANZ (NZ)[archive]
ANZ reminds customers not to enter your ANZ Internet Banking log on information when using non-ANZ sites.

BNZ
Providing log in details to a third party presents serious security risks and contradicts both the New Zealand Code of Banking Practice and our terms and conditions.

Bank Australia[archive]
Unfortunately POLi payments don’t meet our security standards.

Bank of Queensland[archive]
We take your Internet Banking security very seriously and, for this reason, we do not support the use of 3rd party applications such as POLi. While it may seem that you are in complete control of the Internet Banking session whilst using POLi, we cannot guarantee the security of your logon credentials unless you access Internet Banking via the BOQ website.

The fact that an idea like POLi is allowed to legally exist is a major problem. How can you seriously educate people to never give out their banking details if you allow this kind of "service"?

Write a comment
(optional)
(optional)
(mandatory)
     _ _            
  __| (_) ___ _   _ 
 / _` | |/ _ \ | | |
| (_| | |  __/ |_| |
 \__,_|_|\___|\__,_|
                    
(mandatory)

URLs will create links automatically.
Allowed HTML tags: <blockquote> <cite> <pre> <code> <var> <strong> <em> <del> <ins> <kbd> <samp> <abbr>

Dedicated Proxies

What is role of POLi proxy service? Thanks for information about POLi Payments, And thanks for describing how it worse as we consider it for security purpose.

Relieved

I was so close to making an online payment through Poli, and out of gut feeling decided to read the Privacy Policy...

I could not believe when I saw that they collect your bank balance and transaction history!

Im glad I stumbled on this article while searching for verification for what I saw in the policy, now I know I'm not being paranoid! I didn't even know they also collect your username and password.

That part in their policy claiming they don't capture your credentials confuses me. Why would they lie? Maybe there's a miscommunication between their tech and legal department? Or maybe they are somehow loopholing. For example maybe the server grabbing the credentials is 'not owned' by Poli? So many questions.

Anonymous

Wow thanks ya this is eyeopening. POLi is such a worrisome way of payment, very risky. Is "Account2Account" very similar to this system?