Eftpos online plan may have a glitch

Some aspects of how online eftpos would work have yet to be resolved, Paymark chief executive Mark Rushworth says.

A Paymark spokeswoman admitted that under its current business model it was not clear how it could prevent malicious people from flooding someone else's internet banking account with hoax orders for spurious products.

However, Rushworth said that would be prevented, and online eftpos, when it was launched, would not have that flaw.

Bank-owned Paymark announced this week that it was adapting its eftpos payment gateway to work online in conjunction with ASB, Bank of New Zealand and TSB, providing an alternative for people who didn't have or didn't want to use a credit or debit card for online purchases.

Rushworth said consumers would not need to have their eftpos cards handy to make internet purchases when the service started next year.

Instead, paying for purchases using online eftpos would be more like using internet banking, he said.

Consumers would preregister for online eftpos using internet banking and would key their mobile number into a retailer's website when they wanted to pay for a product using online eftpos, rather than entering any card details.

After placing their order, they would get a notification to their phone saying they had a transaction awaiting approval when they next logged on to internet banking.

When they did so, details of the order would be displayed on screen so they could approve it.

"There is no need for that physical eftpos card which in the physical world just links to your bank account," Rushworth said.

"You are cutting out that step and there are no card details going across the network, which makes it secure."

It would not be possible to make a fraudulent purchase using only someone else's mobile number.

However, the Paymark spokeswoman acknowledged that it was not yet clear how it might, for example, stop a feuding neighbour from ordering pornographic DVDs from a website using their neighbour's mobile number so that order was displayed when their victim or their family next logged on to internet banking, or from flooding a public figure's internet banking account with hoax purchases.

Many people's mobile numbers can be found using Google.

The spokeswoman said Paymark had considered the issue, but not in any level of detail.

"We are right at the beginning of the development stage of this product, but we will be working through scenarios such as that during our pilot in November," she said.

One way to eliminate the risks would be to require a password as well as a mobile number when ordering a product using eftpos' payment gateway.

However, that would mean shoppers would have to enter their mobile number and a password at the point of ordering, and then their internet banking username and password to confirm the transaction.

The spokeswoman could not discuss any other alternatives "simply because we have not gone there yet".

"These sorts of journeys and experiences are high on our priority list to work through so we have a product that is secure, that mitigates these sorts of malicious behaviours, but which is also easy to use."

The risk that a family member using a shared bank account might assume a hoax order was genuine and wrongly approve it was mitigated to a degree by the fact that a notification would be sent to the mobile phone associated with each order when it was made, she said.

After the issue was raised, Rushworth said some additional form of authentication, beyond a person's publicly available information, would be required to place an order.

ASB technology head Russell Jones said ASB would require some form of two-factor authentication for its customers to place orders on websites that they intended to pay for using the eftpos gateway.

Massey University banking expert David Tripe said online eftpos appeared "a relatively complicated way of doing things" and if online orders could be initiated using only a mobile number, there was a risk of hoax orders.

"One of the things about new technological offerings is that things will end up happening that people hadn't envisaged," he said.

Assuming the issues can be addressed, Paymark hopes online eftpos will become "a default option" for purchases from domestic websites.

Rushworth said he expected more banks would join the initiative in the "next couple of months".

He declined to reveal what the transaction fees for online eftpos might be.

"As we go through a trial in November and bring other banks on board we will be in a position to talk about that," he said. Merchants would be charged a fee to receive payments, as they do now when they accept payment by credit or debit cards, and it would be up to them whether to pass that charge on to consumers, he said.

Online eftpos could support some features not supported by the likes of Mastercard and Visa.

An application programming interface could let consumers have their bank balances displayed within a window in retailers' apps so they could, for example, see whether they had enough money in their cheque account to pay for a flight when perusing Air New Zealand's Grabaseat app, he said.