POLi Payments

POLi Payments Pty Ltd
Company type Private company
Industry Online banking
Founded 2006
Headquarters Melbourne, Australia
Products Electronic commerce
Parent Australia Post
Website www.polipayments.com

POLi Payments Pty Ltd (formerly known as Centricom) [1] is an online payments company based in Melbourne, Australia. It is the developer and provider of POLi, an online payment system that is used by merchants and customers in Australia and New Zealand. POLi Payments was acquired by SecurePay Holdings, a fully owned subsidiary of Australia Post, in December 2014. [2]

POLi enables customers to pay for goods or services directly from a merchant's website without a credit card, using a direct connection to the user's internet banking instead. A benefit is that the merchant receives an instant receipt and that customers do not have to register to use POLi. [3] The service is used in Australia and New Zealand, with its largest merchants being Jetstar, Virgin Australia, Air New Zealand, Sportsbet and Sportingbet.

The service has attracted widespread criticism from banks [4] [5] [6] [7] [8] [9] [10] [11] and others. [12] The service has also been implicated in enabling payments that could be used for illegal gambling. [13] [14]

In 2023, Australia Post announced they would close the Australian arm of POLi Payments in September. [15]

History

POLi Version 3 was released in July 2012 and enabled payments on Macs and mobile devices; neither was possible on previous versions. The implementation logs into the user's online banking interface from an automated virtual machine, using the bank credentials the user provides, in order to debit the purchase amount directly. [16] [17]

Version 2 is a .NET Framework ClickOnce application. This version is still operational for New Zealand payments for several banks. This version was built with security at the expense of user experience, as the process of downloading the .NET ClickOnce application is poor and requires additional plugins for Firefox [18] and Chrome. [19]

POLi Version 1 was an ActiveX control. This version was used by some, but never gained traction due to security concerns with ActiveX. This version is no longer operational. Greg Day, a security analyst at McAfee, stated: "Using ActiveX for online payments is the kind of thing that would make me run a mile. [It] is probably the most used route for hackers to get in ... and steal personal information." [20] [21] Since 2008 the system has been operating on the .NET technology platform. This still gives rise to possible security breaches via downloading untrusted software, and the possible infiltration of malware. [22]

In July 2023, Australia Post announced that the Australian arm of POLi Payments would close down at the end of September that year. [15]

Security concerns

Although POLi Payments stresses that security is a high priority, [23] [24] concerns remain regarding exposing the user's banking credentials to POLi, and liability for fraudulent transactions. [25] [26] [27]

ASB Bank, one of New Zealand's largest banks, has responded to POLi with a release stating that POLi is "spoofing/mirroring" their on-line banking pages and capturing customer information, and "due to the serious security and fraud risks" recommending that their customers not use it. [28] [29] [30] The release also claims that ASB has asked POLi to remove support for ASB customers from their service. POLi responded to the ASB advisory with an announcement, refuting the claims, [31] and apparently reverting the version of the payment system. [28]

ANZ New Zealand, [4] [32] [33] Bank of New Zealand, [5] Kiwibank, [6] Commonwealth Bank, [7] [34] Westpac, [8] [35] Bank of Queensland, [10] Bank Australia [11] [36] and Police Bank [9] are also warning customers against using POLi.

ANZ and Kiwibank have further advised that use of POLi invalidated the bank's online guarantee, potentially making the customer liable for any losses if their online banking account were to be compromised. [6] POLi's terms and conditions note "We are not making any representation that we or POLi™ have the approval or, an affiliation with, or any licence from or agreement with your financial institution to operate or make POLi™ available for use by you." [37]

Unlike payments via credit cards, payments made via POLi cannot be reversed by the bank, nor are users protected under the chargeback rules usually associated with major purchases made by credit or debit card. As a result, users may experience issues in seeking refunds or reimbursements for services not delivered, such as cancelled flights or tickets. [38] [39]

Versions 1 and 2, which used the ActiveX and .NET platforms, raise additional security concerns regarding the integrity of the software and compatibility with non-Windows platforms. [citation needed]

References

  1. "Centricom Pty, Ltd.: Private Company Information - Businessweek". Bloomberg News. Retrieved 26 October 2016.
  2. Bailey, Michael (2015). "Ahmed Fahour's letter to ecommerce startups: Australia Post will accelerate you". Archived from the original on 20 April 2017. Retrieved 27 October 2016.
  3. "Buy - Pay with confidence from your internet banking". Retrieved 26 October 2016.
  4. "Important information for ANZ Internet Banking customers using POLi to make payments online". Retrieved 19 December 2012.
  5. "Important security update for BNZ customers using POLi to make online payments". Archived from the original on 7 March 2013. Retrieved 26 October 2016. "Providing log in details to a third party presents very serious security risks and contradicts both the New Zealand Code of Banking Practice and our terms and conditions."
  6. Kiwibank Limited. "Twitter: 'We advise against using POLiPayments...'". Retrieved 19 October 2020. "We advise against using POLiPayments as it invalidates our internet banking guarantee & is not secure"
  7. Michael Lee. "NZ bank claims payment processor is capturing user details". ZDNet. Retrieved 25 February 2014. "The Commonwealth Bank does not have any working agreement with POLi Payments, and, as such, the payment site is not endorsed or supported by the bank. The bank urges customers making online payments to do so via the bank's own NetBank site, which guarantees the customer's security," CBA told ZDNet.
  8. John Dunkerley. "Who's got your back when you're banking?". Retrieved 25 February 2014.
  9. "POLi Not Recommended for Payments". Archived from the original on 18 September 2015. Retrieved 26 October 2016.
  10. "Pay anyone and multi-payments". Retrieved 19 October 2020. "We take your Internet Banking security very seriously and, for this reason, we do not support the use of 3rd party applications such as POLi."
  11. "Tweet from Bank Australia". Archived from the original on 24 December 2015. Retrieved 20 November 2018. "Unfortunately POLi payments don’t meet our security standards."
  12. "POLi Payments: probably the worst idea for online payments, security-wise". 2015. Retrieved 19 October 2020.
  13. "How Australia Post banks millions from offshore casinos - The New Daily". 14 April 2016. Retrieved 28 October 2016.
  14. "Illegal Australian online casino faces investigation - The New Daily". 17 April 2016. Retrieved 28 October 2016.
  15. Weber, Kate (13 July 2023). "Australia Post to close POLi Payments". Retrieved 4 August 2023.
  16. "Anyone used POLi Payments ?". www.geekzone.co.nz. Retrieved 20 November 2018. "Behind the scenes POLi is logging into your banking on a virtual machine hosted in AWS. Because of this, it is also very easy for banks to detect POLi and mark it in their fraud detection systems. From this point you've actually breaking the internet banking terms of conditions with most banks since you handed over your details to a third party."
  17. "PB Tech Black Friday Sale - 16th November". www.geekzone.co.nz. Retrieved 20 November 2018.
  18. "FFClickOnce". Retrieved 26 October 2016.
  19. "Chrome Web Store - ClickOnce for Google Chrome™". Archived from the original on 30 January 2013. Retrieved 11 June 2013.
  20. Hargrave, Sean (20 March 2008). "Experts cast a wary eye over new online payment systems". The Guardian. Retrieved 26 October 2016.
  21. Symantec - example of a breach of an online payment system ActiveX control
  22. Forum at The Register
    "they are installing an ActiveX control (shudder) whose only purpose is to make payments to arbitrary bank accounts when the user logs into their online banking. There is another name for software that does that. Internet Banking Trojan."
    "What a fantastic way to phish"
    "Not meaning to be paranoid, but how can I be sure that the merchant's website is anymore genuine, and the POLi script anymore trustworthy than the average phishing email?"
    "Not only is this an opportunity to phish people's bank details, you don't get the payment protection of using a credit card either."
    "Score out of 4: 1. MSIE only = fail, 2. Active X = fail, 3. Direct access to my bank acct = fail, 4. No CC protection = fail"
  23. How POLi works "Simple and secure"
  24. Rubens, Paul. "How Bug Bounty Programs Bring Big Savings and Better Security". Retrieved 28 October 2016.
  25. POLi Terms and Conditions - Disclaimer and Indemnity "We will not be liable to you or any other party for any loss or damage, however caused (including through negligence), that you may directly or indirectly suffer in connection with your use of POLi™, including, without limitation, any loss or damage that arises as a result of your download or use of the third party software referred to above.", and
    "If You believe that there has been an unauthorised or mistaken transaction, You should contact your financial institution and endeavour to address the issue under the terms and conditions applicable to your internet banking facility."
  26. Juha Saarinen, IT News (2012). "Banks concerned over POLi security". Retrieved 19 October 2020.
  27. George Lekakis, The New Daily (2016). "Banks warn of increased risk of online fraud". Retrieved 19 October 2020.
  28. "Important security information for ASB and Bank Direct customers making online payments using POLi". 2012. Archived from the original on 10 February 2013. Retrieved 26 October 2016. (Note appears on page under date heading of 19 Dec 2012)
  29. ASB Bank (2012). "Important security information - online payments using POLi". Retrieved 25 February 2014.
  30. ZDNet, Michael Lee (2012). "NZ bank claims payment processor is capturing user details". ZDNet. Retrieved 27 October 2016.
  31. "POLi response to ASB Advisory" (PDF). Retrieved 19 December 2012.
  32. "A 'honeypot' for fraudsters, or a simple way to pay online?". 18 January 2019. Retrieved 19 October 2020. An ANZ staffer responded by saying, "to be super clear" ANZ do not support using Poli Pay and systems that involve logging in through a third party as it goes against the bank's terms and conditions. They also stated that if a customer had used this type of service "we recommend they change their password immediately".
  33. "Buying online during Level 3? Banks warn against popular payment system". Retrieved 19 October 2020. "The banks warn that using POLi can be a breach of their various terms and conditions, posing a serious security and fraud risk."
  34. "Should I make a NetBank payment via POLi?".
  35. Westpac Bank (2015). "Westpac Bank on Twitter". Retrieved 19 October 2020. "POLI is not supported by the bank. If making online pymts, should do so via bank's own site which guarantees customer's security"
  36. "Why am I unable to perform Poli payments using my Bank Australia Account?". Retrieved 19 October 2020.
  37. "POLi(TM) Terms & Conditions". Retrieved 27 October 2016.
  38. "POLi - How Transactions Work" (PDF). Archived from the original (PDF) on 23 March 2012. Retrieved 27 October 2016. Page 6 (from the merchant's perspective): "Unlike a credit card, once you receive a payment it can't be reversed by the bank."
  39. Forum at The Register "the price seems to be the loss of any consumer protection"

Further reading