Maybe it wasn't a good idea to train users to divulge their Internet banking credentials to third parties?

Technology / opinion
[updated]

There has been plenty of publicity lately around people getting fleeced by online scammers, with banks facing demands to reimburse victims and the adoption of a confirmation of payee (CoP) scheme. 

In that debate though, it appears there is a fairly high tolerance of risk for customers from government regulators, if the experience of recent scam victim NZ Herald journalist Sasha Borissenko is anything to go by.

Borissenko was unfortunate enough to get phished - or tricked - into revealing her access code and password, while selling a toaster on Facebook Marketplace.

Even though Kiwibank spotted the suspicious activity, Borissenko was robbed to the tune of $12,500 by a scammer who, it turned out, was not actually interested in the toaster for sale.

Let's be clear: this is a really awful experience to go through. Most people who get cleaned out do not have the additional funds to cover for scam losses, which can be substantial. It literally pays to be extra careful these days, particularly in Wild West areas of the Internet like Facebook Marketplace.

One thing in particular stood out in Borissenko's case. She wrote:

"I received what looked like an official email from NZ Post, which would take me to a POLi-banking portal with a copycat version of Kiwibank online banking."

That's the crux really. The Australia Post-owned POLi has been controversial for many years now, with the banks fully disowning it and telling users they're on their own if they enter their Internet banking login credentials into third-party systems.

Here's what Kiwibank says about POLi in their terms and conditions:

Some third-party systems require access to your internet banking – such as POLI which provides online payment options by transferring funds directly between a customer’s internet banking account and a merchant.

The use of third-party services like this invalidates our internet banking guarantee, not just for the affected transaction, but for all subsequent internet banking use too.

Which does seem fair enough. How could Kiwibank, which does not know or operate POLi's systems, take responsibility for transactions going through the latter? ASB and ANZ say similar things to Kiwibank about POLi in their terms and conditions of use.

Nevertheless, if a user who has never heard of POLi before goes to the company's official website, there's Kiwibank's logo along with other banks operating in New Zealand. Anyone could be forgiven for thinking POLi is endorsed and trusted as a payments processor in New Zealand.

There's nothing whatsoever to suggest that POLi had anything to do with the above scam. And their latest technology that uses a virtual machine for the Internet banking access, and which does not capture user credentials, is probably reasonably safe.

However, is it a good idea that trusting users are trained to enter their Internet banking credentials into third-party sites such as POLi, under any circumstances?

As Borissenko's experience suggests, it would appear not. 

POLi has now been around for 18 years. It might save on fees for users, some of whom do not use payment cards, but at the same time POLi has copped a huge amount of criticism for its web-scraping technology not being secure. This has not stopped big-name organisations such as Air New Zealand, NZTA, Spark, Jetstar and Facebook from using POLi.

How to stop scammers impersonating third-party payment sites is not clear, but there does seem to be a long-standing disconnect when it comes to understanding perfectly reasonable human behaviour around trust and payments. One thing's for sure: victim blaming isn't going to work.

Update: POLi has been owned by Merco Limited since October last year, not by Australia Post.


21 Comments

It's madness to put your banking credentials into a third party system. I once was asked to do this when paying my daughter's university accommodation fees. I opted to use a credit card instead even though it meant paying a fee.

Up
11

Part of the reason POLi is still used by major companies here is because the NZ banks have not adopted open banking and the single-use credentials that would make it redundant and prevent this.  Joe Public wouldn't have to enter their internet banking credentials if the NZ banks enabled single-use credentials.  The Aussie-owned banks do have single-use credentials in Australia - they have to over there - why haven't they delivered them here?!?

If the banks don't want the likes of POLi being used, they need to pull their finger out and make it unnecessary and irrelevant.

Up
19

Perhaps they do want people using them so that when they cry foul to their banks, the banks themselves have a guaranteed out for any liability. 

Up
1

"POLi has been controversial for many years now, with the banks fully disowning it"...

From polipay.co.nz....

We take security seriously

When your customers pay with POLi the transaction is protected by their bank’s own security. Confidential information is not disclosed to any third party, including POLi.

And ...POLi works seamlessly with all major New Zealand banks.

So the question is why have the banks not sent a cease and desist order to them?

Also pretty easy to block incoming connections from polipay

The above does not stop clever phishing attacks...a passkey or security key enabled site would though.

Once again it's the banks telling us NOT to do something... well, it's about time the banks started DOING something. Of course they don't give a toss because it's not their money.

For the love of god mandate all banks contribute (pro rata) to a $200m fund to reimburse scam victims.  If a bank gets its A into G then it won't need to contribute, will it... let's publish the successful scams monthly... who is the safest bank???


Up
6

Agree the banks should be able to stop it. I guess if you end up being the only bank that doesn’t allow poli you could lose customers, maybe that’s the reason. 

Up
0

The only reason I have used POLI in the past has been the exorbitant fees charged to use your credit or debit card to purchase things online, such as flights at Air NZ where a small percentage charge can actually be quite a large dollar amount. There should be a free option available that meets the banks requirements. I think even the debit card attracts fees on Air NZ.

Up
5

I've noticed this too. Iirc some Auckland Council online payment facilities offer credit card payment with an added fee or dodgy Poli-type B2B payments.  In that situation, I find, or email and request, the relevant account number and make the payment directly from my online banking.

It's a nasty trap and imho represents what is referred to as "dark patterns" (e.g. unsubscribing from a service requires multiple hoops and jumps or even having to phone or wait for a call to complete the unsubscription; all optional charge boxes pre-ticked; pop-up splash screens pretending to give you the option to opt out of intrusive data harvesting across the web which either make it very cumbersome to opt out but allow access to the site in one click by clicking "accept all", or don't even bother providing opt-out options - just "Agree and continue").

Up
2

I’d rather pay the fee. I don’t trust poli at all. I doubt they would deliberately do something wrong, but if they accidentally did then you could lose everything. 

Up
3

I guess my point was that the need for it really should be regulated out of existence. There should be adequate free options that don't require you to violate your bank's TOCs.

Up
2

Why don't more merchants adopt eftpos instead of poli for low fee payments?


And yes why are we a decade late and counting with open banking.

Up
3

The govt's own Companies Office, when filing annual returns, has the payment options of credit card or POLi pay.

Not having a company CC I tried the poli option... got part way in and realised what a very bad idea it was, and backed out, reverting to paying with my own personal credit card ever since.

That was probably more than a decade ago, but it's still offering POLi.

Up
5

We give our credit card numbers to ebay, amazon, trade me etc, what's the diff???

Up
0

Huge difference. Credit card transactions can be stopped and reversed. You should have a limit on them and you can also disable online transactions and so on using your banking app. If someone has access to your bank account it's a lot more serious.

Up
10

Thanks, I still think they are all a little risky, just need to be careful.

Up
0

There are levels of risk. If someone spoofs a poli portal and gets your full bank login it is WAY worse than someone just getting your credit card

Up
3

Aside from credit card holder protection (not debit cards - and why you should never use debit cards for major purchases, online purchases or car hire) online payment with credit cards does not require you to hand over online banking login credentials to third parties.

When you pay for a purchase on Amazon you are not giving Amazon access to accounts you operate with online banking. 

Of course, there is always a risk that your card details will be used illegally and hence why credit cards have card holder protection.  

Up
0

I raised this with Auckland Council a number of years ago with their third-party bank-to-bank convenience payment provider - noting that in my case:

- ASB T&Cs prohibited me providing account credentials to any third party and any loss resulting would be at my cost

- Poli T&Cs purport to exclude liability for any losses suffered due to use of their system - including their own / staff negligence and iirc deliberate acts and omissions of their staff.

- that by promoting such payment facilities to the public, the public were being groomed to provide online banking credentials to third parties in breach of their T&Cs with their banks, which could lead to customers handing over banking credentials to criminals.

Auckland Council had no issues whatsoever. 


Up
4

Poli is one of the NZTA options for paying road tolls.

Up
1

Interest.co.nz also collects all those credit card details when asking for payment.

That's the reason I am not signing up for things.

Up
0

No, we don't collect or store credit card details on any part of interest.co.nz. If you need an alternative way to pay for anything, please contact us to arrange it.

Up
1

Chris far far far far away Foi did not make it a legal requirement to keep a banking licence, so the banks dragged their heels here, whereas in Aussie quick smart Sir...

Up
0