Automated EFT startup shows impressive growth

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I personally would be highly concerned handing my internet banking details over to a 3rd party. The owner of the company previously ran Smokoo, ran into problems locally (gambling laws), then moved it overseas and eventually I think shut it down. Later on they opened an online dating service. Certainly a colourful past to now run an online payment mechanism.
 

Nokkie

Executive Member
Joined
Dec 7, 2005
Messages
9,727
I personally would be highly concerned handing my internet banking details over to a 3rd party. The owner of the company previously ran Smokoo, ran into problems locally (gambling laws), then moved it overseas and eventually I think shut it down. Later on they opened an online dating service. Certainly a colourful past to now run an online payment mechanism.

+1
 

stoymigo

Senior Member
Joined
Dec 11, 2008
Messages
975
I personally would be highly concerned handing my internet banking details over to a 3rd party. The owner of the company previously ran Smokoo, ran into problems locally (gambling laws), then moved it overseas and eventually I think shut it down. Later on they opened an online dating service. Certainly a colourful past to now run an online payment mechanism.

I remember Smokoo, definitely dodgy but can't deny Thomas' drive. Nevertheless thanks for the informative post.
 

skimread

Honorary Master
Joined
Oct 18, 2010
Messages
11,051
I bought a pair of headphones for R250. Got deducted R1180.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
43,652
I bought a pair of headphones for R250. Got deducted R1180.
When and where?

I personally would be highly concerned handing my internet banking details over to a 3rd party. The owner of the company previously ran Smokoo, ran into problems locally (gambling laws), then moved it overseas and eventually I think shut it down. Later on they opened an online dating service. Certainly a colourful past to now run an online payment mechanism.
As far as I know you're not handing anything over.

You're paying them; they pay you.

They obviously have a bunch of banks and switch money between them.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
When and where?


As far as I know you're not handing anything over.

You're paying them; they pay you.

They obviously have a bunch of banks and switch money between them.

Perhaps this changed, but afaik your banking credentials were visible to them when they started out.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
49,724
We applied with I-Pay, but thanks to our website being in development they denied our application. Further exploration has provided us with much better gateway solutions, relationship-wise, also keeping EFT in-house. We also tend to keep things centralised…
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,588
Ahh might be, but now that is not the case.

We use them and so far no issues.

We use payfast as well

Here is a link to the security part

http://instanteft.i-pay.co.za/real-time-eft-security/

They reassured us they don't get the clients details.

How have they changed? I remember when I first looked at it, I found that they acted as a sort of proxy between you and the bank, which means that your banking details were accessible via their servers (even if they don't collect it and just pass it on). I put that in the same bucket as SID, which uses a browser plugin to monitor your payment via internet banking. If either SID or I-Pay are compromised and/or malicious code is inserted or interacts with their code in any way, your banking details could be exposed.

Is there any example store using them so we can check out the actual flow now to see if it has changed? Because I'd be interested to see how they can achieve this without in some way interacting with the customer's sensitive IB data.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
43,652
How have they changed? I remember when I first looked at it, I found that they acted as a sort of proxy between you and the bank, which means that your banking details were accessible via their servers (even if they don't collect it and just pass it on). I put that in the same bucket as SID, which uses a browser plugin to monitor your payment via internet banking. If either SID or I-Pay are compromised and/or malicious code is inserted or interacts with their code in any way, your banking details could be exposed.

Is there any example store using them so we can check out the actual flow now to see if it has changed? Because I'd be interested to see how they can achieve this without in some way interacting with the customer's sensitive IB data.

PayU is trusted and they are partners now

http://instanteft.i-pay.co.za/our-clients/
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,588
PayU is trusted and they are partners now

http://instanteft.i-pay.co.za/our-clients/

PayU is trusted, and I happily use them for credit card payments, but I-Pay is still separate here.

Okay, so I tested this out. The first few stores in the article don't actually have I-Pay as a payment option, so not sure why they're mentioned, but presumably "coming soon".

CUM Books are using them though, and I did a test order. I see it's listed as EFT Pro on PayU, which redirected me to I-Pay. There you choose the bank and then you're presented with a custom I-Pay page, and asked to enter your banking credentials:

[attachment: ipay_fnb_login.jpg, screenshot of the I-Pay bank login page]

Upon entering some test details, it then does a POST with your credentials to the I-Pay server. This means your banking details do hit their servers. They also note at the bottom of that page that they act as a proxy. So it seems they haven't changed how they operate, and your banking login details are being exposed to a third party. I guess this is very similar to how 22seven operate, except with them you can use a read-only profile (where banks support it). Also, I'm not sure whether I-Pay are PCI DSS certified. Technically that's for credit cards, but they should employ the same security scrutiny if they're going to have banking credentials hit their servers.

This kind of setup just puts me off. Other "Instant EFT" services like Payfast at least don't expose your banking details, but they're prone to delays due to slow EFT processing (i.e. Standard Bank). Really, the only real way of tackling this is if banks release APIs, although I don't see that happening anytime soon.
 
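One way to check the point Praemon tested, as an added example that is not from the thread, from PayU or from I-Pay: given the forms on a payment page, flag any form that collects a password but submits it to an origin other than the bank's own. The page URL, form list and bank origin below are constructed stand-ins; in a browser the form list would be built from document.forms.

```javascript
// Added example: audit a payment page's forms and report any that collect a
// password but post it somewhere other than the bank's own origin.

// Constructed sample: a gateway-hosted "bank login" page (not a real domain).
const SAMPLE_PAGE_URL = "https://checkout.example-gateway.test/fnb/login";
const SAMPLE_FORMS = [
  {
    id: "ib-login",
    method: "post",
    action: "/fnb/authenticate", // relative: resolves against the gateway page
    fields: [{ name: "user", type: "text" }, { name: "pin", type: "password" }],
  },
  {
    id: "search",
    method: "get",
    action: "https://www.example-bank.test/search",
    fields: [{ name: "q", type: "text" }],
  },
];
// The origin(s) where internet-banking credentials are supposed to go (constructed).
const BANK_ORIGINS = ["https://www.example-bank.test"];

function resolveAction(action, pageUrl) {
  // An empty action submits back to the page itself; a relative action
  // resolves against the page URL, exactly as the browser would resolve it.
  return new URL(action || "", pageUrl);
}

function auditCredentialForms(forms, pageUrl, bankOrigins) {
  const findings = [];
  for (const form of forms) {
    if (!form.fields.some((f) => f.type === "password")) continue;
    const target = resolveAction(form.action, pageUrl);
    findings.push({
      form: form.id,
      submitsTo: target.origin,
      thirdParty: !bankOrigins.includes(target.origin), // credentials leave the bank
      plainHttp: target.protocol !== "https:",
      viaGet: (form.method || "get").toLowerCase() === "get", // secret would land in the URL
    });
  }
  return findings;
}

// Run over the constructed sample; the ib-login form is reported as third-party.
for (const f of auditCredentialForms(SAMPLE_FORMS, SAMPLE_PAGE_URL, BANK_ORIGINS)) {
  console.log(`${f.form}: submits to ${f.submitsTo}` + (f.thirdParty ? " (NOT the bank)" : ""));
}
```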

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
43,652
PayU is trusted, and I happily use them for credit card payments, but I-Pay is still separate here.

Okay, so I tested this out. The first few stores in the article don't actually have I-Pay as a payment option, so not sure why they're mentioned, but presumably "coming soon".

CUM Books are using them though, and I did a test order. I see it's listed as EFT Pro on PayU, which redirected me to I-Pay. There you choose the bank and then you're presented with a custom I-Pay page, and asked to enter your banking credentials:

[attachment 331267: screenshot of the I-Pay bank login page]

Upon entering some test details, it then does a POST with your credentials to the I-Pay server. This means your banking details do hit their servers. They also note at the bottom of that page that they act as a proxy. So it seems they haven't changed how they operate, and your banking login details are being exposed to a third party. I guess this is very similar to how 22seven operate, except with them you can use a read-only profile (where banks support it). Also, I'm not sure whether I-Pay are PCI DSS certified. Technically that's for credit cards, but they should employ the same security scrutiny if they're going to have banking credentials hit their servers.

This kind of setup just puts me off. Other "Instant EFT" services like Payfast at least don't expose your banking details, but they're prone to delays due to slow EFT processing (i.e. Standard Bank). Really, the only real way of tackling this is if banks release APIs, although I don't see that happening anytime soon.

This is the only way it can work. I'm not concerned; if something happens then you sue.
 

Trib

Active Member
Joined
Sep 10, 2007
Messages
35
.... Also, I'm not sure whether I-Pay are PCI DSS certified. ...

I do not think they will be PCI DSS as that is specifically for protection of card information (they don't touch card data). But to your point, the question is, do they have any form of security accreditation?
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
43,652
I do not think they will be PCI DSS as that is specifically for protection of card information (they don't touch card data). But to your point, the question is, do they have any form of security accreditation?

Doubt PayU would affiliate themselves if they didn't
 

Lazyant

Member
Joined
Oct 14, 2008
Messages
14
I personally would be highly concerned handing my internet banking details over to a 3rd party. The owner of the company previously ran Smokoo, ran into problems locally (gambling laws), then moved it overseas and eventually I think shut it down. Later on they opened an online dating service. Certainly a colourful past to now run an online payment mechanism.

+1

The service definitely acts as a proxy for your banking details; you can confirm this with FNB by checking your IP login history. So you are indeed effectively handing over your internet banking credentials to a third party. It's practically a man in the middle "attack" on your internet banking.

And in terms of "suing", all the banks' internet banking agreements specifically state that if you divulge your internet banking details to a third party, then all bets are off and you're liable, so you would have to go after i-pay if something happened.

I highly doubt that i-pay is PCI DSS compliant as they do not deal in any card data (credit card), so PCI DSS is not applicable. But having some equivalent security certification would be very good to see.

Their operation is very similar to SiD, but is "worse" in that you are actually posting your details off to another server on the net besides your banks'. Not an especially comforting thought...
 

finished

Executive Member
Joined
Jul 21, 2008
Messages
9,157
+1

The service definitely acts as a proxy for your banking details; you can confirm this with FNB by checking your IP login history. So you are indeed effectively handing over your internet banking credentials to a third party. It's practically a man in the middle "attack" on your internet banking.

And in terms of "suing", all the banks' internet banking agreements specifically state that if you divulge your internet banking details to a third party, then all bets are off and you're liable, so you would have to go after i-pay if something happened.

I highly doubt that i-pay is PCI DSS compliant as they do not deal in any card data (credit card), so PCI DSS is not applicable. But having some equivalent security certification would be very good to see.

Their operation is very similar to SiD, but is "worse" in that you are actually posting your details off to another server on the net besides your banks'. Not an especially comforting thought...

+100. We have a hard enough time getting people to check that they are on the correct banking site, with a valid certificate, and now people want them to enter their banking details on another site? ****ing lunacy.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
PayU is trusted, and I happily use them for credit card payments, but I-Pay is still separate here.

Okay, so I tested this out. The first few stores in the article don't actually have I-Pay as a payment option, so not sure why they're mentioned, but presumably "coming soon".

CUM Books are using them though, and I did a test order. I see it's listed as EFT Pro on PayU, which redirected me to I-Pay. There you choose the bank and then you're presented with a custom I-Pay page, and asked to enter your banking credentials:

[attachment 331267: screenshot of the I-Pay bank login page]

Upon entering some test details, it then does a POST with your credentials to the I-Pay server. This means your banking details do hit their servers. They also note at the bottom of that page that they act as a proxy. So it seems they haven't changed how they operate, and your banking login details are being exposed to a third party. I guess this is very similar to how 22seven operate, except with them you can use a read-only profile (where banks support it). Also, I'm not sure whether I-Pay are PCI DSS certified. Technically that's for credit cards, but they should employ the same security scrutiny if they're going to have banking credentials hit their servers.

This kind of setup just puts me off. Other "Instant EFT" services like Payfast at least don't expose your banking details, but they're prone to delays due to slow EFT processing (i.e. Standard Bank). Really, the only real way of tackling this is if banks release APIs, although I don't see that happening anytime soon.

Okay, thanks for testing it. It is still the same, as I thought (similar to how SID worked), and the proxy scheme is still in place. Proxying still allows a man-in-the-middle attack (especially server side), and considering how the servers are set up and hosted (I am not saying more, but as a business I would stay very far away from this).

Sites like iPay are open to XSS and CSRF and it will be just a matter of time until a phishing attack happens (similar to one of the large banks last year where they had to recycle 30,000 credit cards).
 