Poli Internet Banking Review
Type | Private company |
---|---|
Industry | Online banking |
Founded | 2006; 15 years ago |
Headquarters | Melbourne, Australia |
Products | Electronic commerce |
Website | www.polipayments.com |
One of the few licensed bookmakers offering internet banking POLi payments, bet365 delivers the same high-quality services in Australia as they do all around the world. The minimum deposit is AUD 5 while the maximum you can deposit in one transaction is set at AUD 20,000 - an amount that even high-rollers will consider more than generous. POLi payment is an online payment service in Australia and New Zealand that allows you to make a secure payment from your internet banking portal directly to a business such as WorldRemit. You don’t have to register, so no information is stored that can be used to access your bank account. The Commonwealth Bank does not have any working agreement with POLi Payments. A POLi casino is one that accepts payments via POLi, both on mobile and the online version of the site. What this payment system offers is primarily ease of use and a bit of added safety. Aussies and New Zealanders who prefer to use the money in their bank account for online gambling can now do so, without having to use a credit or debit card. Note that POLi does not store any sensitive information such as internet banking usernames and passwords. During a POLi transaction no one can access or see your internet banking login credentials. All communication via POLi takes place using HTTPS transport level security and no sensitive information is stored (not even cached).
POLi Payments Pty Ltd (formerly known as Centricom[1]) is an online payments company based in Melbourne, Australia. It is the developer and provider of POLi, an online payment system that is used by merchants and customers in Australia and New Zealand. POLi Payments has been acquired by SecurePay Holdings, a fully owned subsidiary of Australia Post.[2]
POLi enables customers to pay for goods or services directly from a merchant's website without a credit card, using a direct connection to the user's internet banking instead. A benefit is that the merchant receives an instant receipt and that customers do not have to register to use POLi.[3] The service is used in Australia and New Zealand with its largest merchants being Jetstar, Virgin Australia, Air New Zealand, Sportsbet and Sportingbet.
The service has attracted widespread criticism from banks[4][5][6][7][8][9][10][11] and others.[12] The service has also been implicated in enabling payments that could be used for illegal gambling.[13][14]
History
POLi Version 3 was released in July 2012 and enabled payments on Macs and mobile devices; neither was possible on previous versions. The implementation logs into a user's online banking interface from an automated virtual machine using a user's provided bank credentials, in order to direct debit the purchase amount.[15][16]
Version 2 is a .NET Framework ClickOnce application. This version is still operational in New Zealand Payments for several banks. This version was built with security at the expense of user experience, as the process of downloading the .NET ClickOnce application is poor, and requires additional plugins for Firefox[17] and Chrome.[18]
POLi Version 1 was an ActiveX control. This version was used by some, but never gained traction due to security concerns with ActiveX. This version is no longer operational. Greg Day, a security analyst at McAfee, stated 'Using ActiveX for online payments is the kind of thing that would make me run a mile. [It] is probably the most used route for hackers to get in ... and steal personal information.'[19][20] Since 2008 the system has been operating on the .NET technology platform. This still gives rise to possible security breaches via downloading untrusted software, and the possible infiltration of malware.[21]
Security concerns
Although POLi Payments stresses that security is a high priority for POLi,[22][23] concerns remain regarding exposing the user's banking credentials to POLi, and liability for fraudulent transactions.[24][25][26]
ASB Bank, one of New Zealand's largest banks, has responded to POLi with a release stating that POLi is 'spoofing/mirroring' their on-line banking pages and capturing customer information, and 'due to the serious security and fraud risks' recommending that their customers not use it.[27][28][29] The release also claims that ASB has asked POLi to remove support for ASB customers from their service. POLi responded to the ASB advisory with an announcement, refuting the claims,[30] and apparently reverting the version of the payment system.[27]
ANZ New Zealand,[4][31][32] Bank of New Zealand,[5] Kiwibank,[6] Commonwealth Bank,[7][33] Westpac,[8][34] Bank of Queensland,[10] Bank Australia[11][35] and Police Bank[9] are also warning customers against using POLi.
ANZ and Kiwibank have further advised that use of POLi invalidated the bank's online guarantee, potentially making the customer liable for any losses if their online banking account were to be compromised.[6] POLi's terms and conditions note 'We are not making any representation that we or POLi™ have the approval or, an affiliation with, or any licence from or agreement with your financial institution to operate or make POLi™ available for use by you.'[36]
Unlike payments via credit cards, payments made via POLi cannot be reversed by the bank.[37][38]
Versions 1 and 2, which used the ActiveX and .NET platforms, raise additional security concerns regarding the integrity of this software and compatibility with non-Windows platforms.
References
1. 'Centricom Pty, Ltd.: Private Company Information - Businessweek'. Retrieved 26 October 2016.
2. 'Ahmed Fahour's letter to ecommerce startups: Australia Post will accelerate you'. 2015. Retrieved 27 October 2016.
3. 'Buy - Pay with confidence from your internet banking'. Retrieved 26 October 2016.
4. 'Important information for ANZ Internet Banking customers using POLi to make payments online'. Retrieved 19 December 2012.
5. 'Important security update for BNZ customers using POLi to make online payments'. Archived from the original on 7 March 2013. Retrieved 26 October 2016. 'Providing log in details to a third party presents very serious security risks and contradicts both the New Zealand Code of Banking Practice and our terms and conditions.'
6. Kiwibank Limited. 'Twitter: 'We advise against using POLiPayments...''. Retrieved 19 October 2020. 'We advise against using POLiPayments as it invalidates our internet banking guarantee & is not secure'
7. Michael Lee. 'NZ bank claims payment processor is capturing user details'. Retrieved 25 February 2014. 'The Commonwealth Bank does not have any working agreement with POLi Payments, and, as such, the payment site is not endorsed or supported by the bank. The bank urges customers making online payments to do so via the bank's own NetBank site, which guarantees the customer's security,' CBA told ZDNet.
8. John Dunkerley. 'Who's got your back when you're banking?'. Retrieved 25 February 2014.
9. 'POLi Not Recommended for Payments'. Archived from the original on 18 September 2015. Retrieved 26 October 2016.
10. 'Pay anyone and multi-payments'. Retrieved 19 October 2020. 'We take your Internet Banking security very seriously and, for this reason, we do not support the use of 3rd party applications such as POLi.'
11. 'Tweet from Bank Australia'. Archived from the original on 24 December 2015. Retrieved 20 November 2018. 'Unfortunately POLi payments don’t meet our security standards.'
12. 'POLi Payments: probably the worst idea for online payments, security-wise'. 2015. Retrieved 19 October 2020.
13. 'How Australia Post banks millions from offshore casinos - The New Daily'. 14 April 2016. Retrieved 28 October 2016.
14. 'Illegal Australian online casino faces investigation - The New Daily'. 17 April 2016. Retrieved 28 October 2016.
15. 'Anyone used POLi Payments ?'. www.geekzone.co.nz. Retrieved 20 November 2018.
   'Behind the scenes POLi is logging into your banking on a virtual machine hosted in AWS. Because of this, it is also very easy for banks to detect POLi and mark it in their fraud detection systems. From this point you're actually breaking the internet banking terms of conditions with most banks since you handed over your details to a third party.'
16. 'PB Tech Black Friday Sale - 16th November'. www.geekzone.co.nz. Retrieved 20 November 2018.
17. 'FFClickOnce'. Retrieved 26 October 2016.
18. 'Archived copy'. Archived from the original on 30 January 2013. Retrieved 11 June 2013.
19. Hargrave, Sean (20 March 2008). 'Experts cast a wary eye over new online payment systems'. Retrieved 26 October 2016 – via The Guardian.
20. Symantec - example of a breach of an online payment system ActiveX control
21. Forum at The Register
   'they are installing an ActiveX control (shudder) whose only purpose is to make payments to arbitrary bank accounts when the user logs into their online banking. There is another name for software that does that. Internet Banking Trojan.'
   'What a fantastic way to phish'
   'Not meaning to be paranoid, but how can I be sure that the merchant's website is anymore genuine, and the POLi script anymore trustworthy than the average phishing email?'
   'Not only is this an opportunity to phish people's bank details, you don't get the payment protection of using a credit card either.'
   'Score out of 4: 1. MSIE only = fail, 2. Active X = fail, 3. Direct access to my bank acct = fail, 4. No CC protection = fail'
22. How POLi works 'Simple and secure'
23. Rubens, Paul. 'How Bug Bounty Programs Bring Big Savings and Better Security'. Retrieved 28 October 2016.
24. POLi Terms and Conditions - Disclaimer and Indemnity 'We will not be liable to you or any other party for any loss or damage, however caused (including through negligence), that you may directly or indirectly suffer in connection with your use of POLi™, including, without limitation, any loss or damage that arises as a result of your download or use of the third party software referred to above.', and 'If You believe that there has been an unauthorised or mistaken transaction, You should contact your financial institution and endeavour to address the issue under the terms and conditions applicable to your internet banking facility.'
25. Juha Saarinen, IT News (2012). 'Banks concerned over POLi security'. Retrieved 19 October 2020.
26. George Lekakis, The New Daily (2016). 'Banks warn of increased risk of online fraud'. Retrieved 19 October 2020.
27. 'Important security information for ASB and Bank Direct customers making online payments using POLi'. 2012. Archived from the original on 10 February 2013. Retrieved 26 October 2016. (Note appears on page under date heading of 19 Dec 2012)
28. ASB Bank (2012). 'Important security information - online payments using POLi'. Retrieved 25 February 2014.
29. ZDNet, Michael Lee (2012). 'NZ bank claims payment processor is capturing user details'. Retrieved 27 October 2016.
30. 'POLi response to ASB Advisory' (PDF). Retrieved 19 December 2012.
31. 'A 'honeypot' for fraudsters, or a simple way to pay online?'. Retrieved 19 October 2020. 'An ANZ staffer responded by saying, 'to be super clear' ANZ do not support using Poli Pay and systems that involve logging in through a third party as it goes against the bank's terms and conditions. They also stated that if a customer had used this type of service 'we recommend they change their password immediately'.'
32. 'Buying online during Level 3? Banks warn against popular payment system'. Retrieved 19 October 2020. 'The banks warn that using POLi can be a breach of their various terms and conditions, posing a serious security and fraud risk.'
33. https://www.commbank.com.au/support.digital-banking.using-poli-for-netbank-payments.html
34. Westpac Bank (2015). 'Westpac Bank on Twitter'. Retrieved 19 October 2020. 'POLI is not supported by the bank. If making online pymts, should do so via bank's own site which guarantees customer's security'
35. 'Why am I unable to perform Poli payments using my Bank Australia Account?'. Retrieved 19 October 2020.
36. 'POLi(TM) Terms & Conditions'. Retrieved 27 October 2016.
37. 'POLi - How Transactions Work' (PDF). Archived from the original (PDF) on 23 March 2012. Retrieved 27 October 2016. page 6 (from the Merchant's perspective) 'Unlike a credit card, once you receive a payment it can't be reversed by the bank.'
38. Forum at The Register 'the price seems to be the loss of any consumer protection'
Further reading
- Baltazar, Michelle (2012). 'Just debit it: Centricom'. Financial Standard.
Australian banks are looking into the security of Melbourne online payments intermediary POLi after a New Zealand bank warned customers against the service due to 'serious security and fraud risks'.
CommBank's trans-Tasman subsidiary ASB this week issued an advisory warning that POLi was spoofing or mirroring its internet banking sites and capturing customer information.
POLi stated in response (pdf) that it did not capture or store user information. Its terms and conditions indicated that it did not store usernames and passwords but 'the POLi Service may store your financial institution account number'.
'If You do not wish to disclose that information to Us, then you should not operate or use POLi,' it noted.
POLi targets users who do not have credit cards, offering what it describes as 'a pass through service whereby the bank sites are accessed via our secure servers'.
The service claims to be used by government organisations such as the New Zealand transport authority, most Australian and New Zealand banks, and companies like Jetstar, Virgin Australia, Skype, Travelex and Mantra Group.
ASB's New Zealand competitors ANZ, BNZ and Kiwibank have also warned customers against POLi, with the latter warning that 'it invalidates our internet banking guarantee and is not secure'.
CommBank told iTnews that the POLi Payments site was not endorsed or supported by the bank.
'The Commonwealth Bank does not have any working agreement with POLi Payments,' a spokesman said. 'The Bank urges customers making online payments to do so via the Bank’s own NetBank site, which guarantees the customer’s security.'
NAB said it monitored all third party payments options for security concerns, but recommended that customers use a NAB debit or credit card for online payments 'due to the additional security our systems provide and the NAB Defence fraud guarantee'.
'Customers are covered for any fraudulent transactions when it's clear they didn't contribute to the loss,' said a spokesman for the bank.
ASB highlights unauthorised sites
According to ASB, customers of websites that use POLi for payments are asked to enter their internet banking IDs and Netcodes into a page that resembles ASB's Fastnet Classic or Bank Direct Netdirect sites.
It said the look-alikes were not ASB's secure websites, although POLi used the information provided to log on to ASB internet banking sites for payments.
ASB warned that it was unable to audit the security of the POLi service.
It requested that POLi immediately remove the unauthorised webpages, noting that it had never endorsed the service, and advised any customers who had used POLi to change their internet banking passwords.
POLi argued that ASB had not requested an audit of the software. It invited the bank to discuss its security concerns with it, and said it was willing to let ASB audit its software.
POLi claims to process 'millions of transactions ... per year' in Australia.
'We are not aware of any customer loss due to the POLi payment system,' the company stated.