Juha Saarinen is a tech blogger for nzherald.co.nz.

Juha Saarinen: What's your Internet banking username and password?

The Internet is hostile territory and payments conducted over it must be secure - there really isn't any other option. Photo / iStock

Payments. Everyone wants them to be quick and easy, but secure at the same time, especially for online transactions.

The last requirement, however, is tricky to get right, because being secure on the Internet usually means things won't be quick and easy. Plus, there could be fees for customers and merchants as well, which never fails to annoy people.

Nevertheless, the Internet is hostile territory and payments conducted over it must be secure - there really isn't any other option.

Therefore, I was surprised to get an email from Tim, who tried to pay a parking fee to Auckland Transport, describing what appears to be a rather insecure way of paying it.

Here's the AT checkout screen that Tim saw:


That's the Payment Express Account2Account service that AT uses, and it asks for ASB Internet Banking login credentials. This is similar to POLi, another payments system that asks for your Internet banking details, and which too has been criticised for being insecure.

According to the A2A integration guide the service can get around two-factor authentication as well.

That's where I went "whoa!" because the whole point of the 2FA challenge is that it verifies you with the server you're conducting a transaction with, via a different channel, for additional security in case your password and username have been revealed. It's meant to be totally separate from e.g. a merchant or payments processor.


A2A supports ANZ, ASB, BNZ, Kiwibank, TSB and Westpac, but the banks are pretty cold on the service and would rather their customers didn't use it.

An ASB spokesperson confirmed as much when asked whether it's OK to put your banking details into A2A:

Customers that share bank account login and password details are likely to be in breach of their bank's terms and conditions.

"If a customer still chooses to provide their personal login details to anyone there may not be adequate controls and measures in place to help ensure their account is safe from fraudulent activity," the spokesperson explained.

ASB spells out why customers shouldn't use POLi or Account2Account on its website as well.

What about Payment Express then? Will they bail you out in case something happens? Their terms and conditions for Account2Account suggest they won't.


Payment Express says the A2A page hosted by them does not store any customer bank information and that "the same security technologies exposed by the banks are supported by Account2Account".

I'm waiting to hear back from Payment Express with an explanation as to how Account2Account keeps your internet banking logins and account details secure, and how people can use their service without breaching their banks' terms and conditions.


Meanwhile, AT and other organisations would do well to note that using A2A could get customers in trouble with their banks and warn them accordingly.

Payments services like Account2Account and POLi have been around for several years now, with the banks telling customers not to use them. Isn't it time to get some clarification here, and if indeed the services are secure as claimed, there should be some independent verification to that effect?

- NZ Herald


Juha Saarinen is a technology journalist and writer living in Auckland. Apart from contributing to the New Zealand Herald over the years, he has written for the Guardian, Wired, PC World, Computerworld and ITnews Australia, covering networking, hardware, software, enterprise IT as well as the business and social aspects of computing. A firm believer in the principle that trying stuff out makes you understand things better, he spends way too much time wondering why things just don’t work.


© Copyright 2016, NZME. Publishing Limited
