Online shoppers in the UK will be able to pay direct from their online bank account rather than via a credit or debit card, thanks to a new service. The POLi online bank payment platform aims to increase payment choice while reducing card-not-present fraud, a category of fraud covering ecommerce transactions which is on the rise …
Service is Windoze/IE only - uses ActiveX
Well, their FAQ seems to completely ignore the fact that there are people out there who choose not to have a Windows PC, but as they rely on ActiveX, that locks out Macs, Linux and any Internet Exploder refuseniks.
So their soopa-secure service relies on a technology that lots of people really don't trust.
(T.G.T.B.T. alarm activated, hopefully falsely!)
Looking for the catch, hoping there isn't one.
Anything that makes it harder for someone to thieve my HEC gets my (qualified) thumbs up!
Web standards ??
Looking at the demo on their website, it appears to use an activex control - I thought they went out of fashion long ago ? It begs the question, why should I trust a ropey, non-standards browser on an even more ropey, non-standards operating system to transfer money from my account to the one it fills in for you ?
This will teach non-net-savvy users that it is OK to open activex controls that fill in arbitary details into your bank website. How long before a phishing scam does /exactly/ the same thing, but redirects you to a copy of your bank's website?
Sorry, no. Try again.
Surely encouraging people to log in to their online banking following a link from a website is just going to encourage phishing. You could just set up a link that says "Pay by POLi", get the user to choose their bank account, and take them to a fake page to grab their details. You could even get an SSL certificate that has POLi somewhere in the name which would convince a lot of people etc...
From the FAQ:
13. What are the system requirements for my computer to use POLi?
POLi requires Microsoft's Internet Explorer browser, from version 6.0 onwards. Other browsers such as Mozilla Firefox are not supported.
Not so great.
That's more secure?
I've just had a look at the demo at http://www.centricom.com/flash%20demo/POLi_demo.html . You visit the merchant site, click on the Poli logo and if it's your first visit from that PC it installs an ActiveX control, that opens your bank website in a new window, you log into the bank, Poli takes you to the payment page and fills in some details and you do the rest and then finally Poli closes the bank website and returns you to the merchant site.
How much scope is there here for a dodgy website to add a fake Poli logo? User's will be used to installing an ActiveX control which, from a dodgy website, could be anything and then a window opens with a potentially bogus ebanking website to capture your ebanking details......
I'll give it a miss thanks.....
Cheaper than a European developed solution?
The benelux region have had something like this for sometime. iDeal is brilliantly effective and, I believe, trumps credit card transactions for volume of online purchases.
Not to mention the other continental European banking perks like instantaneous (bill) payments, money transfers, personal service, local call centres....
This worries me..
Most online banking setups are susceptible to Man-in-the-middle attacks, which 2 factor authentication does not address at all (start with the assumption that the client PC is compromised). Let's hope these guys are also working on new solutions.
I know we do, about to roll out phase 1..
This has been done before, UsemyBank.com does much the same. These services are fairly pointless in the UK, as, unlike AU and NZ, we already can shop online and pay from our bank account using Maestro/Switch. Over here, they tend to be used by online betting services, who get hammered with credit and debit card fraud.
I can see few benefits for the consumer here, they are installing an ActiveX control (shudder) whose only purpose is to make payments to arbitrary bank accounts when the user logs into their online banking. There is another name for software that does that. Internet Banking Trojan.
Who stands to gain?
The merchant is no longer at risk of fraud as the payment is guaranteed.
The bank is no longer at risk because the bank directly pays the merchant with money it knows the consumer has.
Doesn't this just turn it into a hi-tech Western Union transfer when the goods fail to be delivered?
I can see how it's more secure, granted; but the price seems to be the loss of any consumer protection.
What a fantastic way to phish
What a fantastic way to phish for bank account details. Set up a site with a POLI logo. Dupe the log on screen for the High Street banks: you can even make it a secure page, and go....
"Here's how you shop with POLi:
1) Select the POLi logo.
2) POLi will present you with a list of banks- select your bank.
3) Login as you normally would to begin an internet banking session.
4) POLi calls up your "pay anyone" screen and automatically fills in the merchant's details and the amount of the purchase.
5) Simply click "Pay" to purchase with money that's in your bank account. "
So I have to trust the merchant's website enough to allow a script to remain active while I log into my bank account, answer all the usual security questions and then have it fill in the payments form for me?
Not meaning to be paranoid, but how can I be sure that the merchant's website is anymore genuine, and the POLi script anymore trustworthy than the average phishing email? Using an ActiveX control, as it does, I'm also forced to use MSIE, which I don't like...
Also, of course, when I pay with Visa or Mastercard, I have some insurance against fraud. When I bay by BACS, I have none.
It's a lovely idea, but flawed, no?
single use cards
Wouldnt it be easier and more secure to adopt more virtual single use cards for online transactions?
I have a webcard with my bank account and it allows me to set a limit on a virtual card, once its hit the limit it cant be used again. This means if somebody steals the info or tries to run up multiple times it wont work.
Seems a simple and affective solution, shame that some payment merchants wont allow them as payment.
Doesnt protect against key loggers, but a step in the right direction.
Sounds to me like people will just end up losing their online banking details to fraudsters instead of their credit card details.
There's no way I'd feel comfortable letting even a legitimate 3rd party log me into my bank account (even if they do say: "POLi does not access or store any of your Internet banking account details."
Just KNEW it was TGTGB.
polli wants a cookie? polli wants a cookie? polli wants a cookie?
Isn't Paypal as effective as this?
RE: Cheaper than a European developed solution?
Yes I would just like to add that Finland have operated a system very similar to this for some time and it is fantastic, works in Firefox, Safari, Opera and even opera mini run on a S60 phone. It's great!
Not only is this an opportunity to phish people's bank details, you don't get the payment protection of using a credit card either.
Scores from the United Kingdom? Nul points
3 strikes and you're out
Strike 1: Windows only.
Strike 2: IE only.
Strike 3: ActiveX
Evidently news of persistent insecurities in all 3 of these facilities has failed to reach Down Under. Someone, somewhere, who doesn't know their technical/security ass from a hole in the ground, said yes to a technical proposal that on the surface looks very dangerous.
Oh, dear, time to repeat one of the important mantras: "Windows is a consumer grade operating system and as such inherently unsuitable for mission-critical applications."
I can remember years ago when I worked for one of the Seven Dwarf computer companies and trying to make headway against IBM's superlative sales people was an endless uphill battle. They seemed to have mesmerized decision makers with prospects of cradle-to-grave system support. Just what lure Microsoft uses to achieve a similar monopoly is interesting to speculate, given that MS's products are well-known to be difficult to use without risk. Sex? Drugs? Rock'n'roll?
PS: Wasn't it an Australian navy ship run by Windows that got a BSOD and floated around rudderless until damaged by grounding? Don't the decision makers of Australia even read their own newspapers?
"Go" because that's what this Poli will do once the phishers have taken it to town.
Cahoot give you a little webcard program. It generates one-shot Visa debit card numbers which expire +1 month. I've rarely had any problems using it, it can even handle refunds. No idea why all banks don't do this.
Lets just NOT GO THERE!
may be stupid but.
Wouldn't a better idea be for banks to set up a system with merchants, to send a transaction request into your account. You then independantly log onto you online bank and see a list of pending transactions and authorise/decline them.
its the same principle but, the bank has validated the retailer to authorise them to send requests, no dodgy activex involved, no phishing as you independantly log in to your own bank. Depending how much detail is in the request, you could see, for example "pay amazon £10 for a copy of flyfishing by J R Hartley" on your online banking site.
This could even be used with current card not present transactions. your credit/debit card request goes through as today, but you then, independantly, log into your online banking site, see a list of pending transactions, and authorise/decline them straight away.
Much more secure than the current authorised by visa system that automatically pops up a window asking for a password, any dodgy site could spoof that and capture it.
Why the fascination for IE? (where's the BOFH when he's needed)
It took customers threatening to leave banks before they took notice that many of their clients preferred not to use IE for security reasons.
No doubt the trial comes out of the pockets of the customers.
Did no one think to ask the IT department first?
It was just a thought away, but bravo Alex for discovering that gem!
Seems like the world and its wife beat me too it. I will not trust anyone to redirect me to my bank website (i barely trust myself having to double check I spelt it correctly before hitting enter). And now on comments it has script running while I log into my bank. erm No Thankyou. When I start internet banking it advises me to close any other browser windows and start a new session.
I think paying by instant transfer could be an option but i'd rather be given say two Id numbers that would checksum each other to enter into my own bank session I started.
I thought many banks were going to there own "secure" browser/software anyway
not quite as Paypal is the run by a bunch of halfwits and where security is a joke (that'll be the ebay influence then)
Google Checkout is worse -
- 1st transaction went through fine & delivered (well known internet retailer)
- 2nd transaction (with the same retailer) "we were unable to verify your identity so have cancelled your order ref xxxxxxxxxxx with xxxxxxxxx.co.uk"
note, not delayed, not referred, CANCELLED you note
needless to say GC have not bothered with replying to my email
stick to direct credit card payment, much safer & in the UK at least you are protected
However trivial it may seem, its the fact that consumers have some level of insurance should they use a credit card. What seems over a life time ago, Visa and Mastercard collaborated to create SET, a standard for Secure Electronic Transactions that used a PKI solution to validate both cardholder and merchant independantly. It bombed in the marketplace because it offered nothing to the consumer who was (and is) already covered against dodgy merchants
It's like the big transit van and the "overstocked" speakers
This happened to me (and a lot of other people) at University a few years ago... you'd be walking somewhere when a scruffyTransit would pull up and a guy would jump out trying to flog a pair of top quality speakers that were "worth 2k" (he'd even show you in a local newspaper) but because it was Friday and it was raining he couldn't restock them in his store or <...insert other random gibberish here...> so I could have them for a great price.
The killer line was "how much can you get out of the cashpoint right now?"
This POLi crap wreaks of the same thing. What frightens me most is that the message about being "safe online" is ever so slowly filtering out to the common masses (e.g., my Mum) but services like this are only going to bugger it all up.
@TrishaD: SET may live again in a different form..
A company in Sweden is working on a global policy concept which introduces the idea of a transaction witness. This sort of requires the re-introduction of cert based transactions, but AFAIK there is no single point of failure called PKI involved.
What is certain is that the current model of eBanking is simply unsafe, and I'd be uncomfortable with what Poli is proposing as it adds another uncontrolled element to an already rickety house of cards. No thank you.
Well, it won't work on my PC - I have ActiveX explicitly disabled. Besides which, I use Firefox for all my browsing.
Restricting you to a dodgy browser on a flaky operating system like Windoze is a pretty good way of eliminating a big chunk of your potential user base straight off, and having an ActiveX control active while you enter all your online banking details frankly horrifies me.
I'll stick to using my debit card until they come up with something more secure that actually works.
I'll stick to my credit cards
At least then I have some protection and wont end up having my bank account plundered leaving me a position where I might not have money to pay bills or buy food while the bank faffs about with an investigation.
Rolled out in Australia
Wow !! I must be asleep - I live and work in Sydney and have never even heard of POLi - must only be on the sites and services I don't use.
These guys actually think anyone with a half a brain will take this solution seriously. it is a half baked, half-arsed solution obviously thought up by a bunch of f*8king half-wits. Using I.E. Active X for a new secure on line transaction system. Seriously ........
Where is the verification of trust?
Its already easy enough to purchase an online "you can trust me" certificate,
whats to stop phishing with POL-i simply mis-using the inputs to the control
and doing a real transfer session using corrupted inputs...
this doesn't change existing security, it only makes it harder for the user to
certify the transaction for themselves
I'll keep to doing transfers without such "feature-esque" want to be secure
wet tissue jobs...
POL-i *maybe* secure, but that is only 1 card in a house, lets see if it is still
standing AFTER it is deployed
Score out of 4
1. MSIE only = fail
2. Active X = fail
3. Direct access to my bank acct = fail
4. No CC protection = fail
This new Poli thingo is only good for the shop-keeper.
I agree Barrie, as a fellow Aussie, i have to say, I've never heard of POL-i either.
I think that ship was British.
I have lived in Australia all my life, and have never come across this.
Further, when I use 'pay anyone', my bank sends a confirmation code to my mobile phone, and I have to enter that to complete the transaction.
that ship story...
"The ship" was the USS Yorktown, the prototype in the US navy's "Smart Ship" program which ended up dead in the water after a sailor typed "bad input" into a dialog box which caused the ship's propulsion system to fail. The ship may or may not have had to be towed back to Norfolk VA, depending on who you want to believe (and it may be that failures on several different occasions are being conflated together here).
(and no, haven't heard of POLi here in Melbourne either...)
ActiveX and Security
Not often you get those two terms mentioned together, unless there's also a negative in the sentence. I'll stick to Firefox, Linux and credit cards.
Phorm will protect you from phishing! (note the previous statement may contain sarcasm)