Australian (ASX) Stock Market Forum

Security with CommSec

How secure are transactions with CommSec?

The Login Page is secure:
https://www.comsec... and it shows the padlock in the status bar.

After Login it changes to:
http://www.comsec... and the padlock is gone.

Does this mean that all buy/sell transactions are travelling around unencrypted from my browser to CommSec from then on?

Not very secure from a computer cafe or a public open WiFi Hotspot.
Is this OK? Are other online brokers similar?

With ANZ and AMP online banking the whole session from login to log off is encrypted - https:// and the padlock is in the status bar.

Sam
 
I noticed the same thing, only the login page appeared to be secure.

After a bit more investigation, I realised they are using a series of frames for each page and that the inner frames where buying/selling/viewing portfolio/cash management/etc were all secure (using EV).

I contacted them about this quite a while ago, sent screenshots, but they didn't seem too interested in improving things.

So in short, nothing to worry about :)
 
If you were to open the buy/sell page at CommSec in a new window (with Firefox, somewhere in the buy form itself, just right-click to get the popup menu, click This Frame, and then click Open in New Window), you will see that it uses https.

Don't think that you have much to worry about?!?

Tim
 
Thank you for your replies.

Right clicking the order form and checking "This Frame/View Page Info":

Address: https://orders.comsec.com.au Refer...o find out that it is secure. Thanks again, Sam
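The posts above describe the layout that caused the confusion: an outer page served over plain http with the order form loaded in an https inner frame. As an added example (not code from the forum or from CommSec), a small Python check that parses a page's `<frame>`/`<iframe>` elements, resolves relative and scheme-relative `src` values against the outer page URL, and reports which frames actually load over https; the page URL and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an outer page on plain http embedding several frames,
# mimicking the layout described in the thread. Not real broker markup.
SAMPLE_PAGE_URL = "http://www.example-broker.test/portfolio"
SAMPLE_HTML = """
<html><body>
<iframe src="https://orders.example-broker.test/buy"></iframe>
<frame src="/static/nav.html">
<iframe src="//cdn.example-broker.test/widget"></iframe>
<iframe src="http://ads.example-broker.test/banner"></iframe>
</body></html>
"""


class FrameCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe>."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_frames(html, page_url):
    """Return (resolved_url, is_https) for each frame. Relative paths and
    scheme-relative '//host' values inherit the outer page's scheme."""
    parser = FrameCollector()
    parser.feed(html)
    report = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)
        report.append((absolute, urlsplit(absolute).scheme == "https"))
    return report


def outer_page_is_https(page_url):
    """An https inner frame only protects its own traffic; if the enclosing
    page is plain http, the outer document itself is not protected in transit."""
    return urlsplit(page_url).scheme == "https"


if __name__ == "__main__":
    for url, ok in audit_frames(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(("https " if ok else "HTTP  ") + url)
    print("outer page https:", outer_page_is_https(SAMPLE_PAGE_URL))
```

The scheme-relative `//cdn...` frame is the case worth noting: it resolves to http because the outer page is http, which is why an http outer page is still a concern on a public hotspot even when the order form itself is https.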
 
Online share trader CommSec vulnerable to hackers
By Nick Higginbottom and Stephen McMahon
Herald Sun
April 28, 2009 12:01am

CommSec online trader vulnerable to hackers
Customers urged to change passwords
Hackers could trade but not withdraw money

SECURITY at the nation's biggest online trader has been exposed as wide open to attack by computer hackers.

Security flaws at CommSec potentially endangered accounts containing billions of dollars of mum-and-dad investors' money.

After a Herald Sun investigation, CommSec's 1.7 million customers have been strongly urged to change their passwords.

Had any hackers entered the system they would have been able to access the personal details of CommSec's customer accounts and trade in other people's share portfolios.

This would potentially have allowed them to manipulate the share market to their advantage.

But hackers would not have been able to withdraw money.

The glitch was discovered by a Melbourne computer programmer, who said even a teenage computer buff with basic cyber skills could break into customers' accounts.

"John" stumbled upon and highlighted the weak link in CommSec's online accounts when he became a customer.

He said the online accounts used only a basic numeric password, rather than the secure and more common combination of alphabet and numeric characters.

John said he was amazed the nation's biggest online trader was so vulnerable to cyber attacks and had called CommSec to notify them.

After he made two attempts to explain the dire situation, the Sydney-based company dismissed his calls.

John then contacted the Herald Sun in an attempt to have the issue addressed and online security upgraded.

"They should follow up on anything related to a security complaint from anyone - customer or not - they should aggressively pursue that and management should be notified. It's obvious this (story) is the first management knew about any complaint."

After a month-long investigation by the Herald Sun, in which two independent computer programmers have confirmed the alarming security flaw, CommSec has been forced to upgrade its online security.

The Herald Sun withheld publication until the breach had been fixed.

Commonwealth Bank's executive general manager of business and private banking Matt Comyn said the nation's biggest online trader took every credible threat it was notified of seriously.

CommSec notified other banks and financial institutions of the potential threat.

"When CommSec became aware of the threat you reported, it implemented a range of measures to further protect and strengthen its clients," he told the Herald Sun yesterday.

He said CommSec would reinstate clients to their original position at no cost to them should they be the victim of fraud or crime.
 
Apparently they've also placed a maximum of 3 on the number of failed logins now... which is incredibly annoying for my mum, who keeps making mistakes when trying to log in and has had to call up for a password reset 3 times in the last week!! They should've put a time delay after a set number of attempts rather than having to call up every time! :mad: