Internet banking security risk?

michaelnz · 2016-03-25 07:20:42 UTC

There is a couple of these services [1, 2] which are going on right under the banks noses. The customer enters their internet banking credentials into the 3rd party website to facilitate an confirmed funds transfer to a merchant.

In both cases these clearly appear to undermine the long touted dictum of banks to their customers - not to share internet banking credentials or enter them in at any website other then the bank’s.

Why is this going on right under the bank’s nose and why aren’t they (In this case the BNZ) doing anything about it? I’m sure they could put a stop to this quite easily if they had the will. In the case of Payment Express, they are a company which partners with banks (incl. BNZ) and receives referrals from them.

I refer to the following in BNZ’s “Internet banking terms and conditions” [3]:

_ 8.5 Protecting your Login Details, NetGuard Device and Fingerprint Login: You are responsible for keeping your Login Details, NetGuard Device and Fingerprint Login secure. You must:_

[…]

© not voluntarily or recklessly disclose your Login Details or details related to your NetGuard Device to any other person (including the police, bank staff or your family);

Has the BNZ given these companies a pass, and if so, can the BNZ confirm a customer will be covered for any losses incurred as a result of using one of these services -or- if this is not the case, why is the bank not bringing pressure to bear (and any other technical, legal and commercial remedies) on these services for blatantly undermining the bank’s policies and public message? [4]

References:

Payment Express: https://www.paymentexpress.com/Products/Ecommerce/account2account
Poli: https://www.polipay.co.nz/
BNZ Internet Banking Terms and Conditions - Security section: https://www.bnz.co.nz/about-us/governance/terms-and-conditions/internet-banking#security
BNZ Online Banking Security: https://www.bnz.co.nz/support/banking/privacy-and-security/online-banking-security

Here’s what you can do to help

NetGuard offers you super secure internet and mobile banking, but here are some simple things you can do to help.

[…]

Never follow links from an email, or a non-BNZ website, asking you to log into our internet or mobile banking services

Nick · 2016-03-30 23:10:53 UTC

@michaelnz This is always an interesting conversation within the bank, and between banks. While taking a hardline and blocking them is one course of action, the short answer is that we have reviewed the services you mention in the past and haven’t seen anything as yet that would force us to take any actions to block them. We do keep a watchful eye on them, as you point out they are operating on the fringes of our T&Cs and the code of banking practice. We also accept that they are services that are actively used so they are providing both our merchant and personal customers with a useful service.

Over and above this, we have our NetGuard service in place to provide protection against compromised login credentials should that occur.

michaelnz · 2016-03-31 04:24:25 UTC

Thanks for your response.

The problem with inaction is it allows certain segments of the general populace to become complacent in ways which seem contrary to the interests of the bank. I work in a Systems Admin role at an ISP and I feel the pain of stupidity from time to time. I was up until 1AM this morning working out the best way to try and stop the percentage of idiots from receiving Cryptolocker through their email accounts.

Speaking frankly on the issue of security, the best security is something under one’s control. When clients start handing over their login credentials - and presumably Net Guard ones as well to authorise the one off payment - this opens up a whole world of undesirable possibilities.

Added to this the cat is now out of the bag. You might trust Direct Payment Solutions (note: for the benefit of anyone reading this who is unfamiliar - they have a credible reputation in the payments industry) but what happens with the next company who jumps on this bandwagon? The precedent has been set and anything you do out of concern about this new company could give rise to breaches of the Commerce Act, etc.

It also seems to be inconsistent with other comparable policies of the bank, like merchant services. My small e-commerce business is presently transistioning it’s online payments to the BNZ. There is a lot of requirements around this and I accept this as part and parcel of the privledge of accepting card not present transactions.

It is evident to me the bank is concerned about issues of data security. To these ends I ask the bank to consider holding true to these principles and applying them consistently.

system · 2016-03-31 05:58:32 UTC

I read through the terms and conditions of Poli. They say that they accept no liability whatsover and if a customer has an issue they need to take up the matter first with their bank.

So as things stand at the moment if something goes wrong its the customers responsibility?

Poli have a privacy policy which is based on Australian law. I also note that AGP who are the company that Poli are an entity under, say that they can transfer personal information to countries outside Australia. It may also store personal data in other countries that its affiliated with.

I have struck this issue also with third tier lenders (payday loan people) who could have head offices anywhere in the world. Also debt collectors that have head offices in Australia hold debt for New Zealanders there.

I struck an issue with a large debt collector whose head office is in Aussie. They advised my data is held in Australia and I asked for details of it. Their privacy policies are substantially different than NZ as well. For them to release the information to me I had to sign a special waiver protecting their employees. I didn’t sign it. Which means I didn’t get the information that the company holds against me.

The same debt collector’s privacy terms state that they can pass information to the Philipines and also to third parties. Thats scary considering collection data that starts with the bank, who is a regulated body in NZ, then gets released to an unregulated and unlicenced collection body in NZ who must comply with NZ privacy laws, but the data being stored in aussie can then be passed to any other third party under Aussie law.

Just “where in world” is our data being stored?
And who is protecting it, and who is responsible when something goes wrong.