Which bank gets confused about some fairly trivial technical and security issues on their own helpdesk system?
Last week I was visiting my NetBank (tm) account and thought I might waste some lazy money on the stock market via the useful CommSec (tm) system. So via NetBank I applied for a CommSec account. As expected, when selecting the appropriate link ("Launch Commsec trading account application") this opened a new tab in my original browser session. However, the result of being directed to commsec.com.au (two "m"s) is an invalid security certificate: the certificate is only valid for comsec.com.au (one "m").
For a bank this is simply unacceptable, even if a whois reveals they do own both commsec.com.au and comsec.com.au; people should have confidence that a bank is able to provide the right URL for a simple <a href> redirect.
Being a community-minded person, I thought it a good idea to ring the bank's helpdesk about this issue and, following the various automated prompts on the 'phone system, navigated to the CommSec technical helpdesk. Note that this is the specific helpdesk for this specific product.
"Hi", I helpfully explain, "I logged into my NetBank and followed the links to establish a CommSec account. However the URL redirect provided me an Invalid SSL certificate, because it directed me to commsec.com.au (with two "m"s) rather than comsec.com.au (with one "m"). You really ought to ensure that the right SSL certificate exists for the right URL."
The technician responded, "What is SSL?".
This was not exactly a good start. So I provided a basic explanation: that SSL certificates are meant to verify that a particular URL is safely encrypted, and that the wrong certificate is being used on the commsec.com.au URL. The technician says that he'll have to talk to someone else about it, so I double-check with him that he has all the correct details.
A couple of minutes later he returns. "OK, I want you to start Internet Explorer..."
I had to interrupt: "I'm not using Internet Explorer. It is not installed on this system. I am using Firefox 3.0 on Ubuntu 9.04".
There is a pause for just a couple of seconds and then our technician continues... "Once you have started Internet Explorer, go to Tools then Options."
A longer pause, this time by me. The technician eventually asks "Are you up to that point yet?" Oh yes, there was emphasis on the "yet".
So I repeated: "As explained, I do not have Internet Explorer installed. I am using Firefox on Ubuntu. What you are probably asking is whether I have SSL 3.0 and TLS 1.0 enabled as protocols. The answer to that is 'yes'. However, this has nothing to do with your bank having the wrong security certificate enabled for its domain. Is there somebody else I can talk to who understands this?"
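To make the bank's failure concrete, here is a short hostname-matching check, added here as an illustration; it is not code from the original post or from the bank's systems. It mirrors the name comparison a browser performs against the certificate's subjectAltName entries (falling back to the subject commonName, as older clients did), using the dict layout that Python's ssl.SSLSocket.getpeercert() returns. The certificate contents are constructed; only the two domain names come from the post. Whether the client has SSL 3.0 or TLS 1.0 enabled plays no part in this comparison, which is the point the helpdesk missed.

```python
"""Hostname matching against a server certificate, in the dict shape that
Python's ssl.SSLSocket.getpeercert() returns. Constructed example: the
certificate below is made up to mirror the comsec/commsec mismatch."""

# Constructed certificate: issued for comsec.com.au (one "m") only.
COMSEC_CERT = {
    "subject": ((("countryName", "AU"),), (("commonName", "comsec.com.au"),)),
    "subjectAltName": (("DNS", "comsec.com.au"), ("DNS", "www.comsec.com.au")),
}


def _dns_names(cert):
    """Names the certificate is valid for: the SAN DNS entries, or (legacy
    fallback) the subject commonName when no SAN extension is present."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    as the entire leftmost label, only when the pattern has at least three
    labels, and it matches exactly one label of the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when any name the certificate carries matches the requested host."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def explain_mismatch(cert, hostname):
    """Return a browser-style message: the name requested versus the names
    the certificate actually covers."""
    if hostname_matches(cert, hostname):
        return f"{hostname}: certificate name matches"
    return f"{hostname}: certificate is only valid for {', '.join(_dns_names(cert))}"


if __name__ == "__main__":
    # The redirect target (two "m"s) fails; the names the cert was issued for pass.
    for host in ("commsec.com.au", "comsec.com.au", "www.comsec.com.au"):
        print(explain_mismatch(COMSEC_CERT, host))
```

The check is purely a string comparison between the name the browser was sent to and the names inside the certificate the server presented, so the only fix is on the server side: either serve a certificate that covers commsec.com.au or point the link at comsec.com.au.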
Our helpdesk technician informs me there is another level of support, but they don't take 'phone calls (quelle surprise). So he does give me an email address (two "m"s) and I send off an email with the following content:
I just had a very unhelpful conversation over the 'phone with one of your level one tech staff. I was a little unimpressed that they did not seem to know what SSL was and insisted that I use Internet Explorer to resolve the problem, which I do not have on my desktop machine. Hopefully this correspondence will be more useful.
You have a bad SSL certificate.
I logged into my NetBank account and sought to apply for a CommSec account. Please see the first attachment for the window it generates (see attachment image01.png).
As expected, when selecting the appropriate link ("Launch Commsec trading account application") this opens a new tab in my original browser session. However the result is that (see attachment image02.png) commsec.com.au (two "m"s) is an invalid security certificate - the certificate is only valid for comsec.com.au (one "m").
Now I understand that based on a whois for commsec.com.au and comsec.com.au that both domains are owned by the Commonwealth Bank. However it would probably be a good idea to use the right certificate for the right domains on your a href tags.
Their response was hardly an improvement.
Thank you for your email.
Please type in one 'M' to view our website - www.comsec.com.au, as a double "M" will give an SSL error certificate.
We apologise for any inconvenience caused.
Evidently, I am the sort of 'difficult customer' who will not give up until they get what they actually asked for in the first place.
Yes, that much is obvious. However it was not the issue I have alerted you to.
I was referring to an incorrect hypertext link from within a Netbank session to CommSec.
I would suggest that you fix this. At the moment you are undoubtedly losing potential CommSec customers because of this. It does not look good for a bank to give wrong https directions from within a secure session.
Will you let me know if you intend to fix this?
So, having been alerted to the issue three times, it finally sinks in and the customer receives an appropriate response.
Thank you for bringing this to our attention.
We will have developers investigating and fixing this issue as soon as possible.
It is, of course, still not fixed.
The good discordia13 pointed this out to me on June 22:
HTTP/1.1 302 Found
Date: Mon, 22 Jun 2009 08:51:34 GMT
Microsoft-IIS/5.0; isn't that ... nine years old? Is it so surprising that "hackers" target the Commonwealth Bank?