Is POLi safe?

Short answer: No.

Long answer: Hell, no.

BNZ (link here) and ASB (link here) have both recently reported that POLi have been spoofing their respective internet banking sites in order to process payments, meaning that banking passwords, any other applicable authentication information, and private banking information have been passing through POLi’s servers when POLi is used.

The banks have warned customers not to use POLi, although BNZ seems to be sending some mixed messages.

Looking at POLi’s terms and conditions there are some major warning signs.  The disclaimer of liability is probably unavoidable (though still not acceptable IMO; see below) but terms like “You will not monitor or alter the execution of POLi™ using tools external to POLi™” are neither.  They want us to trust that their software is safe to use, but they don’t want anyone to check on what it’s actually doing?  Yeah, right.

The POLi client is basically, from what I can gather, a special-purpose web browser.  While that limits exposure to security bugs, it doesn’t eliminate it, so it is also worrying that I can’t find any security bug reports either on major third party sites such as Secunia or on POLi’s own web site.  There should be at least the occasional report that “someone found a bug and we’ve fixed it” and the absence of these suggests that it really hasn’t had enough attention from the white hats.  The alternative is that POLi have figured out a way to write software without bugs; that’s basically the Holy Grail of modern computing, and if they had the secret of perfect software they’d all be fabulously wealthy and retired on private Hawaiian islands by now!

The real killer, though, is POLi’s own response to these claims (PDF).  Most importantly, the part where they deny that “POLi is spoofing/mirroring the ASB website” and claim that, instead, “POLi is providing a pass through service whereby the bank sites are accessed via our secure servers.”

Uh, hello?  Those two sentences mean the exact same thing.

POLi say they aren’t capturing customer’s authentication or other private information.  Well, good for them.  But they could.  Their software allows them to do it.  (It pretty much has to; otherwise there would be no way for the merchant to know they had been paid.)  That means it also allows anyone who manages to hack into their servers to do it.  This article on ZDNet lists some of the companies whose secure systems were breached this year: Symantec, Amazon.com-owned Zappos, Stratfor, Global Payments, LinkedIn, Yahoo – even the Chinese Government, for heaven’s sake.  Are POLi really so arrogant in the light of all this that they think their security is impenetrable?

Well, of course, they probably don’t think that.  They just want us to.

They also offer to let the banks audit the software.  Kind of pointless, really; since the software allows POLi’s servers to spoof the banking sites (oh, sorry, “provide a pass through service”) it has failed any credible audit in advance.  Any audit of the servers themselves would be good only on the day it was performed, at best.

I’m also amused by POLi’s claim on their web site (link here) that “Your confidential information is not disclosed to any third party, including us!” which I can only assume is based on a creative definition of the word “us” which excludes their servers.  True enough, the information probably doesn’t leave their secure servers and is probably deleted as soon as the transaction is complete, but that doesn’t mean that it isn’t being “disclosed” to “us” – not by any reasonable definition of those two words, at any rate.

They also say that “POLi checks the bank website’s SSL certificate and thumbprints to always ensure you are talking directly to your bank.”  So which is it, exactly?  Directly to your bank like the FAQ says or via a pass-through service like the announcement says?  These are mutually exclusive possibilities, so it has to be one or the other, and either way I’m not exactly filled with confidence.

Besides, in practical terms it doesn’t matter how good POLi’s security is.  Yours isn’t [1] because today’s consumer operating systems are still based on old designs which did not have security in mind.  If your computer becomes infected a hacker could easily modify the POLi client to behave maliciously.

Of course, said hacker could also modify your web browser to behave maliciously.  The difference is that if that happens, BNZ, at least, will cover your losses.  It isn’t clear that they will if POLi is involved, and POLi definitely won’t.

Until and unless your bank makes a public statement that they will cover POLi-related losses, don’t use it.  Just don’t.  Uninstall the client if you have it installed.  Ask your merchant to provide an alternative, or, if applicable, choose a different merchant. For example, both Ascent and Mighty Ape NZ [2] accept internet banking payments without needing any special client software, although granted you then have to wait for the payment to go through before they will ship the goods.

A small price to pay, I think.

Harry.

[1] To minimize your risks, make sure you use a standard user account (not an admin account) for your everyday activities, and use a different standard user account for your internet banking (and nothing else).  Better still, get a live DVD (a DVD which you can boot to, containing a simple operating system) and use that for internet banking.  This doesn’t change anything I’ve written here.  Both of these approaches are much better than nothing, but neither is foolproof.

[2] I have no association with either company except as a satisfied customer.

Advertisement

Tags: internet banking