Monday, 29 February 2016

DON'T USE POLi or Account2Account Payment Services they are bad news

These services are for people who do not use a debit or credit card to make a payment. Instead they are transferring funds directly from a bank account to a merchant. The idea of these services is they can make that type of payment as "easy" as a credit or debit card. However they are risky to use, the banks regard them as insecure and would prefer customers do not use them.

These services work by inserting a browser within a browser so that you do a logon into your internet banking in a virtual browser window inside the payment provider's website. Since this requires a secure (HTTPS) connection between you and the bank, the payment provider website must intercept this connection and decrypt the traffic occurring in your supposedly secure and private internet banking session. This is called a "man in the middle" interception and is a system that is used by hackers to steal information from HTTPS logons.

Man in the middle interception of HTTPS traffic is becoming increasingly common in a variety of contexts - not all of them good. The important point is that your supposedly secure and safe internet connection is intercepted somewhere along the way so that it is no longer secure. At the point where it is being transacted between your computer and the payment provider's website, or within the payment provider's website, there is a risk because it is no longer a secure transaction. The payment provider could be storing logon names and passwords, which if obtained by unauthorised parties, could then be used to access your internet banking and steal your money.

The answer is, if you are paying for goods online, don't use an internet banking transfer when a site like this asks you to log into Internet banking in a virtual browser window (where the logon looks like your internet banking logon but is actually within the payment provider's website). Don't provide internet banking credentials anywhere except when logging into the bank's own website. 

Use a debit card or credit card to make all online purchases. Debit cards simply access funds from a nominated account, so they are effectively the same as transferring funds from the account. If your payment website offers to save debit/credit card details against future payments, don't enable the option. You should not have saved any credentials (including debit/credit card numbers) on a third party website which can be insecure.

Although there is also a risk from debit card use, you can limit the amount of funds in the nominated account. This is safer than giving out internet banking credentials, which can be used to gain access to all of your funds,