Australian banks are looking into the security of Melbourne online payments intermediary POLi after a New Zealand bank warned customers against the service due to "serious security and fraud risks".
CommBank's trans-Tasman subsidiary ASB this week issued an advisory warning that POLi was spoofing or mirroring its internet banking sites and capturing customer information.
POLi stated in response (pdf) that it did not capture or store user information. Its terms and conditions indicated that it did not store usernames and passwords but "the POLi Service may store your financial institution account number".
"If You do not wish to disclose that information to Us, then you should not operate or use POLi," it noted.
POLi targets users who do not have credit cards, offering what it describes as "a pass through service whereby the bank sites are accessed via our secure servers".
The service claims to be used by government organisations such as the New Zealand transport authority, most Australian and New Zealand banks, and companies like Jetstar, Virgin Australia, Skype, Travelex and Mantra Group.
CommBank told iTnews that the POLi Payments site was not endorsed or supported by the bank.
"The Commonwealth Bank does not have any working agreement with POLi Payments," a spokesman said. "The Bank urges customers making online payments to do so via the Bank’s own NetBank site, which guarantees the customer’s security."
NAB said it monitored all third-party payment options for security concerns, but recommended that customers use a NAB debit or credit card for online payments "due to the additional security our systems provide and the NAB Defence fraud guarantee".
"Customers are covered for any fraudulent transactions when it's clear they didn't contribute to the loss," said a spokesman for the bank.
ASB highlights unauthorised sites
According to ASB, customers of websites that use POLi for payments are asked to enter their internet banking IDs and Netcodes into a page that resembles ASB's Fastnet Classic or Bank Direct Netdirect sites.
It said the look-alikes were not ASB's secure websites, although POLi used the information provided to log on to ASB internet banking sites for payments.
ASB warned that it was unable to audit the security of the POLi service.
It requested that POLi immediately remove the unauthorised webpages, noting that it had never endorsed the service, and advised any customers who had used POLi to change their internet banking passwords.
POLi argued that ASB had not requested an audit of the software. It invited the bank to discuss its security concerns and said it was willing to let ASB audit its software.
POLi claims to process "millions of transactions ... per year" in Australia.
"We are not aware of any customer loss due to the POLi payment system," the company stated.