The Dangers of Instant EFT

The world’s best secret method for user profiling and credit score generation.

Payment providers like PayFast and Ozow/iPay provide an easy way to automatically perform EFT payments on behalf of the customer. Rather than laboriously creating a beneficiary and making an EFT with the correct reference numbers, these services perform the actions on your behalf, given that you are happy to give them your internet banking username and password.

The South African Reserve Bank recently issued a warning about these services, but most articles I have read don’t go into much detail about the security risks or how the services work.

How Instant EFT works

The Instant EFT provider uses an automated process exactly equivalent to giving a shopkeeper your banking details and letting them pay themselves from their laptop. While this happens, your 2FA device (cellphone) will require your confirmation for each of the steps provided, which you agree to. This process is as follows:

  1. The user selects their bank
  2. The user enters their bank account number and password
  3. Provider launches a virtual browser (e.g. Puppeteer)
  4. Virtual browser navigates to selected bank’s internet banking login
  5. Virtual browser enters provided username and password
  6. User authorises login from their phone

Their services now have access to your bank account. The next step is to add themselves as a beneficiary and send the right amount of money with the correct statement description:

  1. Create beneficiary if it doesn’t already exist
  2. User authorises beneficiary creation on phone
  3. Create EFT payment
  4. User authorises EFT payment

The virtual browser is closed and the provider navigates you back to your order confirmation screen.

From the 10 actions required here, the user has only had to perform 5, each of which were the fastest actions in the process of making an EFT payment. The user also cannot make an error. This is huge for improving user experience.

Why isn’t this safe?

Although you had to authorise the login, confirm the creation of the beneficiary and allow the payment from your phone, the bank only requires confirmation on certain actions (those which will lose you money – such as creating beneficiaries and sending money).

All reading actions are accessible after login. This means the remote provider has access to at least the following information:

  1. Your bank account number and PIN. You gave it to them.
  2. Personal details:
    1. Name, marital status, phone numbers, street address, nationality, date of birth, ID number
    2. Tax information
  3. How much money you have
  4. Your debit orders and recurring payments
  5. Interest earned, certification of interest
  6. Transaction history (180 days)
    1. Posting date, description, money in/out and balance
    2. Type of purchase (e.g. online)
  7. List of cards
    1. Card number, cardholder, type (e.g. debit)

You would never in a million years give that to anyone who asked. And though the payment providers claim they won’t view this information, how do you know they don’t? The information is transferred over HTTPS, which means the information has been loaded on their system somewhere.

Whether they properly secure their channels, log this data or dispose of it isn’t entirely known. I’m not claiming that PayFast or Ozow/iPay do read this data, but there’s absolutely no way you or anyone else could ever tell.

With this information, it would be easy to build a profile on customers:

And then exploit this information to make more money from you or potentially allow scammers to use this information to phish more information from you.

Whether the services claim to be secure or not, and even though the systems might use the best encryption standards known to man or use ephemeral or volatile storage, there is no way I would ever recommend using one of these services so long as internet banking allows personal information to be shown without explicit consent from the user.

It is the banks’ responsibility to build APIs that allow online shops to integrate with a fast, secure, reliable and user-friendly payment method that doesn’t leak personal information. Until then, these services will thrive, because giving out credit card information on a site you don’t know is a terrible idea and EFT sucks.