POLi phishing scam

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
Post Reply
User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

POLi phishing scam

Post by digidog » Tue Dec 18, 2012 11:40 pm

ASB is warning customers against using the POLi website, saying the popular online payment service is spoofing its secure website and the Bank Direct website, which could potentially leak customer information.

The bank said its fraud monitoring operations discovered that when customers wanted to make a payment through a POLi-affiliated website, it was
presented with what appeared to be a genuine ASB FastNet Classic and Bank Direct NetDirect website, and asked to log on.

However, these were POLi's identical spoofs or mirrors of the actual site, which captured the security details and logged on to the site on behalf of the customers to complete the transaction.

"Note that these are not our secure websites and we are unable to audit the security of the POLi service," the bank said in a statement today, adding "we are not associated with, and have never endorsed, POLi".

http://www.stuff.co.nz/business/money/8 ... POLi-spoof"
Apparently Jetstar, Virgin Australia and Flight Centre all use the POLi system. The only time I've come across it is on the NZTA site when registering vehicles online. It's actually a pain in the arse as it doesn't work on Firefox. But POLi don't tell you that until you've downloaded a huge (35Mb?) plugin which then won't run. So you have to dig around to find a copy of Internet Explorer, download the plugin (again!) and finally make payment. The last time I gave up and went to the Post Office instead.

POLi is a very clumsy system that should not be used by our Government agencies.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Re: POLi phishing scam

Post by digidog » Sun Feb 15, 2015 9:53 pm

The rather awkward POLI system is under scrutiny again.
Internet banking fraud guarantees in jeopardy if customers give login details to third party. ASB technology and innovation manager Russell Jones said the bank did not recommend the use of POLi.

Internet banking customers using a popular online payment system are being warned by banks that they might not be covered if fraud occurs.

POLi, owned by the Australian Government's Australia Post, is offered to customers using the Transport Agency website as well as those of businesses including Air New Zealand and The Warehouse.

It allows users to make one-off direct payments to merchants by logging into their internet banking. It has been around for about eight years.

Kiwibank spokesman Bruce Thompson said by giving internet banking login details to any third party, customers could jeopardise the bank's guarantee to make good any losses from internet banking fraud.

"In relation to a provider such as POLi, we have concerns with the process they follow to complete their payments.

"Fundamentally, their process is to obtain customer information [access numbers and passwords] and make the payment via their own systems.

"This increases the risk to our clients and to Kiwibank as we are unable to ensure that the customer information has been handled with the appropriate level of security.

http://www.nzherald.co.nz/business/news ... d=11402521
With POLi being used by NZTA, The Warehouse, Air New Zealand, AUT, Hutt City Council and others, it's time the financial regulators took a closer look at the security of these types of payments.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest