Is Poli safe?

Continuing the discussion from Azupay - a New Payment System:

I never answered this, but I’ll quote from an information security question and answer community site with experts more knowledgeable about this than me.

From encryption - What are the security implications of the POLi Internet Payments technique? - Information Security Stack Exchange

You are entering your internet banking credentials into an interface owned by a merchant. The iframe comes from POLi, but there’s no easy way for an end user to verify that, and the parent page would still have the opportunity to mess with the frame.

So you should not enter your credentials on this interface unless you trust:

  • POLi not to store or misuse the credentials you are giving them;
  • the merchant not to purloin the credentials, through clickjacking or just pointing the frame to some other source (phishing-style);
  • any third-party script providers used by the merchant (e.g. analytics, advertising) not to inject script content that would purloin the credentials;
  • the merchant to keep their entire web site safe from all XSS vulnerabilities that might let an attacker purloin the credentials;
  • POLi not to have any vulnerabilities where other parties can gain information through including their interface in an iframe and using clickjacking. (This is difficult to fully prevent when your interface must allow iframing.)

POLi are effectively doing a man-in-the-middle attack on your online banking and predictably some banks are upset about that. If you suffer from fraud (whether or not related to use of the POLi service), your bank might be able to argue that you have some liability, for not keeping up your end of the bargain to keep your banking credentials secret from everyone but the bank.
