Payments. Everyone wants them to be quick and easy, but secure at the same time, especially for online transactions.

The last part, however, is tricky to get right, because being secure on the Internet usually means things won't be quick and easy. Plus, there could be fees for customers and merchants as well, which never fails to annoy people.

Nevertheless, the Internet is hostile territory and payments conducted over it must be secure - there really isn't any other option.

Therefore, I was surprised to get an email from Tim, who tried to pay a parking fee to Auckland Transport, describing what appears to be a rather insecure way of paying it.


Here's the AT checkout screen that Tim saw:

That's the Payment Express Account2Account service that AT uses, and it asks for ASB Internet Banking login credentials. This is similar to POLi, another payments system that asks for your Internet banking details, which has also been criticised for being insecure.

According to the A2A integration guide, the service can get around two-factor authentication as well.

That's where I went "whoa!" because the whole point of the 2FA challenge is that it verifies you with the server you're conducting a transaction with, via a different channel, for additional security in case your password and username have been revealed. It's meant to be totally separate from e.g. a merchant or payments processor.

A2A supports ANZ, ASB, BNZ, Kiwibank, TSB and Westpac, but the banks are pretty cold on the service and would rather their customers didn't use it.

An ASB spokesperson confirmed as much when asked whether it's OK to enter your banking details into A2A:

"Customers that share bank account login and password details are likely to be in breach of their bank's terms and conditions."


"If a customer still chooses to provide their personal login details to anyone there may not be adequate controls and measures in place to help ensure their account is safe from fraudulent activity," the spokesperson explained.

ASB spells out why customers shouldn't use POLi or Account2Account on its website as well.

What about Payment Express then? Will they bail you out in case something happens? Their terms and conditions for Account2Account suggest they won't.

Payment Express says the A2A page hosted by them does not store any customer bank information and that "the same security technologies exposed by the banks are supported by Account2Account".

I'm waiting to hear back from Payment Express with an explanation as to how Account2Account keeps your internet banking logins and account details secure, and how people can use their service without breaching their banks' terms and conditions.

Meanwhile, AT and other organisations would do well to note that using A2A could get customers in trouble with their banks and warn them accordingly.

Payments services like Account2Account and POLi have been around for several years now, with the banks telling customers not to use them. Isn't it time to get some clarification here and, if the services are indeed as secure as claimed, some independent verification to that effect?