Online payment system POLi Payments has found itself in hot water after allegations that it has been duplicating the sites of Australian and New Zealand banks, and prompting customers to enter their banking details.
ASB Bank New Zealand raised the alarm, stating that through its security and fraud-monitoring measures, it "identified the POLi payment service is 'spoofing/mirroring' the ASB and Bank Direct secure internet banking sites so that they look identical to our genuine sites, and capture customer information."
One of POLi Payments' offerings is to partner with businesses, so that their customers can use POLi to make payments from their bank accounts, eliminating or reducing merchant fees. When checking out with a POLi-enabled business, customers are prompted to log in to their bank account, where POLi handles making the transaction on the user's behalf.
Participating businesses include Jetstar, Virgin Australia, Air New Zealand, and Dodo.
However, ASB's claims are that users are actually presented with a duplicate of the site, not unlike how scammers attempt to phish for banking details, and informed that this is actually the legitimate banking website. Customer details are then sent via POLi to the bank's servers to log in and complete transactions.
POLi does not appear to have been using banking information in a malicious way, but it does not inform customers that their details may be entered on a server other than the bank's.
ASB Bank warned users that "these are not our secure websites, and we are unable to audit the security of the POLi service. Your information is then used by POLi to log on to our genuine sites in your name."
ASB Bank has since asked POLi to remove the duplicate sites, and recommends that customers do not use POLi.
"We are not associated with, and have never endorsed, POLi."
POLi has refuted the claims, stating that "at no point does POLi capture or store customer information," and that it is merely "providing a pass-through service whereby the bank sites are accessed via our secure servers."
ZDNet's own examination of the process shows that at the very least, the log-in screens for the Commonwealth Bank of Australia (CBA), ANZ, National Australia Bank (NAB), and Westpac have been re-hosted (with the exception of necessary scripts and images) on POLi's servers. POLi's own interface displays a "bank URL" that a customer might normally expect to see, but that URL does not reflect where the content shown is actually being served from.
POLi CEO Jeffery McAlister told ZDNet that the bank URL displayed is intended to show who the customer is communicating with via POLi.
POLi continues to stand by its claims that it is not mirroring banks' sites, stating that it does not serve cached or static pages, that it is "not a mirror site; it is a pass-through service", and that "POLi never tries to hide the fact that a customer is performing a POLi transaction."
"When you transact through POLi, the web pages and requests are proxied through POLi's servers located at a secure datacentre.
"Specifically, the customer request comes from the customer's browser, through the POLi payments servers and then on to the bank website directly. All communication is encrypted under SSL for security."
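The dispute above comes down to one architectural fact: in a pass-through service, the customer's browser talks to the intermediary's server, which then talks to the bank, so the bank's login endpoint receives the credentials from the intermediary rather than from the customer. The following is an added example written for this article, not code from ZDNet, POLi or any bank. It shows a header-based check a bank's login endpoint could run to flag a login POST that arrived via a re-hosted copy of its page; the hostnames, sample requests and the `classify_login_request` function are all constructed here for illustration.

```python
"""Flag bank login POSTs that appear to arrive through a third-party reverse proxy.

Added example, not from the original article. It assumes the bank's login
endpoint can inspect the raw HTTP request headers and knows the hostnames it
legitimately serves its login page from (constructed values below).
"""
from urllib.parse import urlparse

# Constructed: hostnames the bank legitimately serves its login page from.
LEGIT_HOSTS = {"www.examplebank.test", "secure.examplebank.test"}


def _hostname(url):
    """Extract the hostname from a URL such as an Origin or Referer value."""
    return urlparse(url).hostname


def classify_login_request(headers, legit_hosts=LEGIT_HOSTS):
    """Return a list of findings for one login POST (empty list = looks direct).

    When a login form is re-hosted on a proxy, the browser fills in Origin and
    Referer with the proxy's hostname, not the bank's, unless the proxy rewrites
    them. A forwarding proxy may also leave a Host header naming itself or add
    X-Forwarded-For, which a browser talking directly to the bank never sends.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    host = h.get("host", "").split(":")[0]
    if host and host not in legit_hosts:
        findings.append(f"host header '{host}' is not a bank hostname")

    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            hn = _hostname(value)
            if hn not in legit_hosts:
                findings.append(f"{name} '{hn}' is not a bank hostname")

    if "x-forwarded-for" in h:
        findings.append("request carries X-Forwarded-For: an intermediary forwarded it")

    return findings


def is_proxied(headers):
    """True if any finding suggests the POST did not come straight from a browser."""
    return bool(classify_login_request(headers))


# Constructed sample requests: one direct, one via a re-hosted login page.
DIRECT = {
    "Host": "www.examplebank.test",
    "Origin": "https://www.examplebank.test",
    "Referer": "https://www.examplebank.test/login",
    "User-Agent": "Mozilla/5.0",
}
VIA_PROXY = {
    "Host": "www.examplebank.test",  # proxy sets Host to the bank so the bank answers
    "Origin": "https://pay.example-proxy.test",  # browser fills in the page it loaded
    "Referer": "https://pay.example-proxy.test/bank/login",
    "User-Agent": "Mozilla/5.0",
}
VIA_FORWARDER = dict(DIRECT, **{"X-Forwarded-For": "203.0.113.10"})  # constructed IP

if __name__ == "__main__":
    for label, req in (("direct", DIRECT), ("via proxy", VIA_PROXY), ("via forwarder", VIA_FORWARDER)):
        print(label, "->", classify_login_request(req) or "no findings")
```

These checks are a heuristic, not proof: a proxy that rewrites Origin and Referer and strips forwarding headers leaves none of these signals, which is why detection in practice also looks at where the TCP connection originates (a data centre address range rather than consumer ISPs) and at session timing. The point the example makes is the one Darrall raises below: whatever the intermediary does with the credentials, the bank can no longer tell from the login request alone that the customer typed them on the bank's own page.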
Practice manager Steve Darrall from information security consulting firm Securus Global disagrees with the notion that POLi never had access to customers' banking details.
Darrall went through the payment process himself, entering log-in details and following its path of travel.
"That log-on information was sent to POLi's or to a POLi server, and not to the bank's server."
That isn't to say that the information wouldn't still reach the bank intact, but Darrall highlighted that it introduces another component that must be secured.
"If I'm using my online banking and I go direct to my bank site, I'm relying on their security and security alone," he said, with the proviso that his computer is free of malware.
"If you then go and use a third party, there's another link in the chain, so then you're relying on POLi's security and the bank's security."
POLi has every confidence in its own security, and told ZDNet that it has offered all major New Zealand banks the opportunity to audit its software and security procedures. McAlister also told ZDNet that it has entered into discussions with Australian banks at various times.
"On each engagement, we have tried to be as open and transparent as possible. Given this, I would like to offer all Australian banks the opportunity to review the POLi software."
The software was already assessed by Security-Assessment.com earlier this year. The audit gave POLi's software a clean bill of health, only finding "housekeeping issues or configuration settings" needing to be remediated.
It examined POLi's applications, as well as its "reverse proxy solution," and found that POLi Payments applications "did not store, transmit, or reuse internet banking details during the initiation of transactions." It also found that "it was not possible to gain access to internet banking credentials via any vulnerability or misconfiguration."
"Security-Assessment.com identified no vulnerabilities during the reverse proxy solution code review. The solution performs the necessary tasks without exposing banks or users to any security issues."
Australian banks are issuing a note of caution about customers entering their details on sites other than the banks' official websites.
"We monitor all third-party payments options for security concerns; however, our key recommendation to customers remains the same: use a NAB debit or credit card when making online payments, due to the additional security our systems provide and the NAB Defence fraud guarantee," NAB told ZDNet.
CBA also confirmed that POLi Payments is not an organisation that it works with directly, and stood by its earlier advice not to use third parties to handle payments where possible.
"The Commonwealth Bank does not have any working agreement with POLi Payments, and, as such, the payment site is not endorsed or supported by the bank. The bank urges customers making online payments to do so via the bank's own NetBank site, which guarantees the customer's security," CBA told ZDNet.
Introducing a third party into a transaction could also have implications for who might be liable for any fraud, regardless of who the third party is, Darrall said.
"My understanding of the terms and conditions from most of the banks is if you provide your details to a third party and then your account is abused, then the account holder is liable," he said, adding that the onus is generally on the customer to prove that they were not at fault.
NAB said that in POLi's case, customers would still be covered by its fraud guarantee "when it's clear they didn't contribute to the loss."
Many other banks use the same language, which relies on the customer to prove that they were not directly responsible for the loss, thus shifting blame to the third party.
Responding to the claim that customers may be breaking their terms and conditions by using its services, POLi said that it "never captures user names or passwords, and therefore customers are not sharing with a third party."