There has been no fraud on Instant EFT since launch in 2014, says Ozow

Herr der Verboten

Crumbl0x

Nice to see a response from one of them for a change.
By design it is less secure because you have to hand over your online banking details to a third party.
No it's not because you don't and it uses client-side scraping. I can create an equally fallacious statement that typing on a 3rd party digital keyboard or inputting my details into a Chromium-based browser is less secure than paying with cash physically.
I've never had an issue using these services on large e-commerce sites for years and the same caution must be exercised regardless of payment method and site visited. I would love to see a future where the need for these were eliminated for sure though.

konfab

No it's not because you don't and it uses client-side scraping

You are entering your banking details into a web application written by a third party. They could have a web socket connection in the background to send your details to their server and you would never know about it.

What gets me is that there are perfectly valid forms of internet payment that are far more secure, like SnapScan or Zapper.

Tell you what, next online purchase you make, send me a PM with your bank account details and password and I will make the EFT for you. That is the level of trust you are granting Ozow.

Crumbl0x

You are entering your banking details into a web application written by a third party. They could have a web socket connection in the background to send your details to their server and you would never know about it.

What gets me is that there are perfectly valid forms of internet payment that are far more secure, like SnapScan or Zapper.

Tell you what, next online purchase you make, send me a PM with your bank account details and password and I will make the EFT for you. That is the level of trust you are granting Ozow.
They currently do not do this, and as I've mentioned before, if they start doing this then we have large entities to blame solely because their use is encouraged and sometimes mandated over other forms of payment where possible (also, get app-based 2FA already, they can do nothing with those details anyway). If someone was bonkers enough to go to a shady site and use their own payment "scalper" without checking the domain and certs, then it's entirely their fault.

As for the other methods, sometimes convenience can go a long way, not everyone wants to take out a specific debit card and associated fees for it simply for shopping (thankfully more banks are starting to roll out their virtual equivalents) and Zapper / SnapScan leaves us at point 0, sharing a lot of your details with a third party and sometimes on an account you don't want.

Don't get me wrong, I'm entirely for the argument in a court of law setting as it appears as entering details to a third party even on an unrelated manner, but so is using a browser on a potentially backdoored device, the loops of blame are endless. People shouldn't be attacking them for providing a useful service with no bad track records (especially if the same people avoid them) but instead look forward to the better alternatives in the future.

RazedInBlack

This is a tad bit confusing.

Choose item and add to basket
Go to checkout
Choose payment type, i.e. PayFast/Ozow

Your bank is still sending you an OTP so there is still a measure of security, right? :unsure:

konfab

They currently do not do this, and as I've mentioned before, if they start doing this then we have large entities to blame solely because their use is encouraged and sometimes mandated over other forms of payment where possible (also, get app-based 2FA already, they can do nothing with those details anyway). If someone was bonkers enough to go to a shady site and use their own payment "scalper" without checking the domain and certs, then it's entirely their fault.
How do you know?
And no, stating that app-based 2FA is a remedy to this is not the point; it is an added layer of security in case someone gets your password. You shouldn't be depending on it.


As for the other methods, sometimes convenience can go a long way, not everyone wants to take out a specific debit card and associated fees for it simply for shopping (thankfully more banks are starting to roll out their virtual equivalents) and Zapper / SnapScan leaves us at point 0, sharing a lot of your details with a third party and sometimes on an account you don't want.
Zapper/SnapScan are abstractions of card payment systems. They do not use my online banking details. I can go and set up a virtual card and pay with them and be 100% protected. This is why banks are quite happy to integrate with them.

Don't get me wrong, I'm entirely for the argument in a court of law setting as it appears as entering details to a third party even on an unrelated manner, but so is using a browser on a potentially backdoored device, the loops of blame are endless. People shouldn't be attacking them for providing a useful service with no bad track records (especially if the same people avoid them) but instead look forward to the better alternatives in the future.
How do you know? They literally have the banking details of all their clients.

konfab

This is a tad bit confusing.

Choose item and add to basket
Go to checkout
Choose payment type, i.e. PayFast/Ozow

Your bank is still sending you an OTP so there is still a measure of security, right? :unsure:
That is like saying you shouldn't bother wearing a seatbelt because your car has an airbag.

Crumbl0x

How do you know?
And no, stating that app-based 2FA is a remedy to this is not the point; it is an added layer of security in case someone gets your password. You shouldn't be depending on it.



Zapper/SnapScan are abstractions of card payment systems. They do not use my online banking details. I can go and set up a virtual card and pay with them and be 100% protected. This is why banks are quite happy to integrate with them.


How do you know? They literally have the banking details of all their clients.
Fair assertions, I'll explain as best I can.

As far as I know from testing, killing a connection immediately after inputting details kills your session to your respective banks, and this was even more obvious 5 years ago when the process wasn't hidden under abstraction. I can only anecdotally testify in this case because nobody has attempted a login to my or my parents' banks during these years, unless someone is planning a long con. The first layer of trust would be unwise for Ozow / PayFast to let this information leak or be directly responsible for said breach, as there's an entity to blame when this occurs, and I do not use Instant EFT on any other service or site because they don't make use of it and instead rely on regular cards or EFT.

Secondly, 2FA is totally justified here as requiring confirmation before and after logging amongst other reasons goes further than just instances of password theft. I don't agree with your point of reliance, it's doing its job as specified regardless of purpose.

Thirdly, apart from direct integrations, I've set up accounts using Zapper and SnapScan services directly before, they need to know a lot about you and you give up your card anyway before using the service, I wouldn't call that trustworthy if they go heads-up, same issue but different utilisation.

Lastly, we've finally received confirmation today that Ozow, at least, has encountered no reports of fraud using their services. There is no reason to lie with something important like this and it makes sense, because as the service works correctly, they don't see your details and only facilitate confirmation processes.

We're arguing the wrong points anyway, because as I've said, many points of contingency and arguments can come up from fraud cases. Back when the first article about this was posted, I had a great talk with other members on how their use would hold up when an incident unrelated to Ozow / PayFast occurred, since that wouldn't be the barrier break, but rather other elements on a machine that could've leaked details to bad actors.

Crumbl0x

That is like saying you shouldn't bother wearing a seatbelt because your car has an airbag.
Oh my, I can't even begin to imagine what your analogy is when someone inputs their credit card and secure PIN *directly* into a site and has had their phone number skimmed.

Mystic Twilight

Nice to see a response from one of them for a change.
No it's not because you don't and it uses client-side scraping. I can create an equally fallacious statement that typing on a 3rd party digital keyboard or inputting my details into a Chromium-based browser is less secure than paying with cash physically.
I've never had an issue using these services on large e-commerce sites for years and the same caution must be exercised regardless of payment method and site visited. I would love to see a future where the need for these were eliminated for sure though.

That part is not technically true in the historical sense. Before digitally linked smartphone two-factor authentication became common, software and hardware key loggers were the prime methods of stealing internet banking details (the actual software attack vector varies from the most commonly seen undetected malware to custom-made browsers or plugins that were insecure or nefarious by design). Does anyone still remember Standard Bank implementing an on-screen numpad (that was randomly positioned within a fixed area) you had to click to enter your password, so that key loggers couldn't figure out what the corresponding number was that your mouse button clicked on?

I don't know the details of the article (haven't read it yet), but if the iEFT function records, or is capable of recording, a copy of the internet banking login details in plain text then you're already half compromised. We already know that banks do not accept liability if you gave your banking login details to a 3rd party; it's part of their T&Cs, and the various SIM swap fraud cases already establish this.

Crumbl0x

That part is not technically true in the historical sense. Before digitally linked smartphone two-factor authentication became common, software and hardware key loggers were the prime methods of stealing internet banking details. Does anyone still remember Standard Bank implementing an on-screen numpad (that was randomly positioned within a fixed area) you had to click to enter your password, so that key loggers couldn't figure out what the corresponding number was that your mouse button clicked on?

I don't know the details of the article, but if the iEFT function records a copy of the internet banking login details then you're already half compromised. We already know that banks do not accept liability if you gave your banking details to a 3rd party; it's part of their T&Cs, and the various SIM swap fraud cases already establish this.
Very true, and your points further push the idea along, that's why we have the security checks in place. I definitely remember Absa being one of them hehe.

My point was anecdotal btw, I was purely throwing a hypothesis that any form of payment done online cannot match physically paying with cash if you want to present an antithesis in the court of law. I'm glad the security aspect is taken more seriously and enforced as time goes on.

The bank taking no responsibility is true and accepted as well, but thankfully for us, if we know the origin point of how the fraud occurred, we have a large entity to blame in contrast to an unknown attacker, even if they use Ozow to acquire said details.

Crumbl0x

Tell you what, next online purchase you make, send me a PM with your bank account details and password and I will make the EFT for you. That is the level of trust you are granting Ozow.
Oh sorry, I didn't catch this paragraph; this is a slippery-slope fallacy because you've completely missed my point. Just like any other form of shopping and payment, there are established levels of trust and fallbacks. Ozow is used widely every day and backed by large companies; you are an individual with ulterior motives. I could say the exact same thing about logging into your bank with your browser of choice, but instead, give me your details so I'll send POST queries with curl to your bank and return a screenshot of the result, since you clearly trust Apple / Mozilla / Google / Vivaldi / Opera / Thomas Dickey / Microsoft with handling your inputs and keystrokes.

Not that your other points thus far have been inaccurate or bad, but that key chain is very important. I've also had enough of trying to argue points that are leaving me in the dark with unknowns, you've directly inspired me to go write a lengthy email to both Ozow and PayFast about the legal ramifications and processes that can come about, then as soon as possible, on this thread or the next, I will gladly share them.

edit: I've finished reading the Consultation Paper. I'm very glad they addressed the issue head-on with regards to the integrity of the companies involved, and while deemed on paper less secure, this hasn't been shown in practice for now. I'm really looking forward to the open-banking standard and adoption of proper APIs for this, but for now I'm going to converse with them directly about incidental proceedings. Thank you everyone.

Totempole

I use Ozow a lot and haven't had an issue thus far. It's very convenient.

Definitely not as secure as performing the transaction yourself, but you still ultimately have to authorize the transaction from your banking app, so as long as no one has cloned your SIM, you should be fine.