A phished journo and the curious case of POLi payments

There has been plenty of publicity lately around people getting fleeced by online scammers, with banks facing demands to reimburse victims and the adoption of a confirmation of payee (CoP) scheme. 

In that debate, though, it appears there is a fairly high tolerance of risk for customers from government regulators, if the experience of recent scam victim NZ Herald journalist Sasha Borissenko is anything to go by.

Borissenko was unfortunate enough to get phished – or tricked – into revealing her access code and password, while selling a toaster on Facebook Marketplace.

Even though Kiwibank spotted the suspicious activity, Borissenko was robbed to the tune of $12,500 by the scammer, who turned out not to be actually interested in the toaster for sale.

Let’s be clear: this is a really awful experience to go through. Most people who get cleaned out do not have the additional funds to cover for scam losses, which can be substantial. It literally pays to be extra careful these days, particularly in Wild West areas of the Internet like Facebook Marketplace.

One thing in particular stood out in Borissenko’s case. She wrote:

“I received what looked like an official email from NZ Post, which would take me to a POLi-banking portal with a copycat version of Kiwibank online banking.”

That’s the crux, really. The Australia Post-owned POLi has been controversial for many years now, with the banks fully disowning it and telling users they’re on their own if they enter their Internet banking login credentials into third-party systems.

Here’s what Kiwibank says about POLi in their terms and conditions:

Some third-party systems require access to your internet banking – such as POLI which provides online payment options by transferring funds directly between a customer’s internet banking account and a merchant.

The use of third-party services like this invalidates our internet banking guarantee, not just for the affected transaction, but for all subsequent internet banking use too.

Which does seem fair enough. How could Kiwibank, which does not know or operate POLi’s systems, take responsibility for transactions going through them? ASB and ANZ say similar things to Kiwibank about POLi in their terms and conditions of use.

Nevertheless, if a user who has never heard of POLi before goes to the company’s official website, there’s Kiwibank’s logo along with other banks operating in New Zealand. Anyone could be forgiven for thinking POLi is endorsed and trusted as a payments processor in New Zealand.

There’s nothing whatsoever to suggest that POLi had anything to do with the above scam. And the latest technology that uses a virtual machine for the Internet banking access, and which does not capture user credentials, is probably reasonably safe.

However, is it a good idea that trusting users are trained to enter their Internet banking credentials into third-party sites such as POLi, under any circumstances?

As Borissenko’s experience suggests, it would appear not. 

POLi has now been in existence for 18 years. It might save on fees for users, some of whom do not use payment cards, but at the same time POLi has copped a huge amount of criticism for its web scraping technology not being secure. This has not stopped big-name organisations such as Air New Zealand, NZTA, Spark, Jetstar, and Facebook as well, from using POLi.

How to fix scammers impersonating third-party payments sites is not clear, but there does seem to be a long-standing disconnect when it comes to understanding perfectly reasonable human behaviour around trust and payments. One thing’s for sure: victim blaming isn’t going to work.

 
