Ugh, this is how POLi Payments works in Australia, used by some businesses here and there and mostly by airlines. To do payments there, you literally give them your internet banking username and password, and they impersonate you to transfer money out of your account into the seller’s account. There are multiple bald-faced lies in their marketing (such as calling it a proxy like Opera Mini, and stating that they do not capture usernames or passwords, which… uh, hello, maybe you don’t store them, but you absolutely capture them). I learned that this actually was what they were doing three years ago, and promptly complained to them, and was politely ignored (“Security is very important at POLi”… “Although it does not look like your traditional internet banking screen, the POLi interface is just as secure (if not more so)”…). I’m baffled that the banks haven’t shut POLi down since it’s fundamentally predicated on ToS breaches, this man-in-the-middle attack and training users to do catastrophically stupid things, even including undermining 2FA (“give us your username and password; oh, looks like you have 2FA enabled, give us that token too?”). I complained to my bank (NAB) at the same time, and they said of using POLi Payments that “NAB does not suggest this course of action as this will be a breach of security” and that I should talk to POLi instead, as they “are unable to put a full block on this service as customers can still authorise transactions themselves at their own risk however NAB has advised in the terms and conditions of a breach this may cause”. In other words, they’re just covering their ears and ignoring it. Yet I’m sure they could block POLi without much difficulty if they actually wanted to, since all requests will be coming from POLi servers and are sure to be easily detectable (even their usage pattern would be trivial to detect). So why don’t they want to kill off this security menace? 
Perhaps the worst part of it all is that Australia Post purchased POLi Payments some years back, thereby legitimising this abomination that should be terminated with prejudice. Seriously, how do you end up with such a major player in the payments space being predicated around lies and evasion, terms-of-service violations and security malpractice? (And they even got exempted by ASIC from holding a financial services license.) Another silly thing about it these days is that half the reason for the MitM attack (rapid confirmation that the transaction has taken place) is no longer needed, because almost all banks in Australia now support rapid transfers and linking email addresses to bank accounts, so they could just say “transfer the money to sales@example.com.au with description 12345” and reconcile it within a minute at least as an alternative to the MitM attack.
I usually pay for airlines with my credit card, now that they aren't allowed to charge fees as large as they used to. Before that, I'd used BPay instead (which I still use for a lot of bills).
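The bank-side detection the comment says would be trivial, as an added example (my code, not POLi's, NAB's or the commenter's): it flags a session either because it comes from a placeholder address range attributed to the intermediary, or because its only activity is login, transfer and logout within seconds, which is what scripted impersonation with a customer's credentials looks like. The session events and the address range are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of bank-side session events (not real data):
# session id, ISO timestamp, customer, source IP, event type.
SAMPLE_EVENTS = """\
s1,2024-05-01T09:00:00,cust42,203.0.113.10,login
s1,2024-05-01T09:00:02,cust42,203.0.113.10,mfa_challenge
s1,2024-05-01T09:00:05,cust42,203.0.113.10,transfer
s1,2024-05-01T09:00:06,cust42,203.0.113.10,logout
s2,2024-05-01T10:00:00,cust07,198.51.100.23,login
s2,2024-05-01T10:03:10,cust07,198.51.100.23,view_balance
s2,2024-05-01T10:06:40,cust07,198.51.100.23,transfer
s2,2024-05-01T10:09:00,cust07,198.51.100.23,logout
s3,2024-05-01T11:00:00,cust99,192.0.2.77,login
s3,2024-05-01T11:00:04,cust99,192.0.2.77,transfer
s3,2024-05-01T11:00:05,cust99,192.0.2.77,logout
"""

# Placeholder range standing in for addresses attributed to the intermediary (assumed).
INTERMEDIARY_NETS = [ip_network("203.0.113.0/24")]

# A session made only of these events, finished this quickly, contains no browsing.
SCRIPTED_EVENTS = {"login", "mfa_challenge", "transfer", "logout"}
SCRIPTED_MAX_SECONDS = 30


def parse_events(text):
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        sid, ts, customer, ip, event = line.split(",")
        sessions[sid].append((datetime.fromisoformat(ts), customer, ip, event))
    return sessions


def flag_proxy_sessions(text):
    """Return {session_id: [reasons]} for sessions that look like a third party
    using the customer's credentials on their behalf."""
    flagged = {}
    for sid, events in parse_events(text).items():
        reasons = []
        if any(ip_address(events[0][2]) in net for net in INTERMEDIARY_NETS):
            reasons.append("source ip in intermediary range")
        seconds = (events[-1][0] - events[0][0]).total_seconds()
        kinds = {e[3] for e in events}
        if "transfer" in kinds and kinds <= SCRIPTED_EVENTS and seconds <= SCRIPTED_MAX_SECONDS:
            reasons.append("login-transfer-logout in %ds with no browsing" % seconds)
        if reasons:
            flagged[sid] = reasons
    return flagged
```

Session s2 (a customer who looks at a balance before transferring) is left alone, while s3 is caught on behaviour alone even though its address is not in the listed range.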