Massive security risk - Commsec allows direct access to bank account

Hi All

Just became aware that my Commsec account now allows direct access to not just my linked bank account but all my bank accounts.

My issue is that my accountant has access to my Commsec client ID as this has always been safe due to the secondary password on the trading access, but now I find that my accountant can actually get directly into the bank accounts and spend as much as he likes.

I had never tried to select the link to one of the bank accounts in the Portfolio window. When I did today this threw me directly into my Com bank view for that bank account with no intermediate password. From here I was then able to access all my bank accounts as I pleased.

Yet when I want to trade shares they request a secondary password so that anyone having access to the normal commsec client ID can't actually do anything except look at the portfolio.

Why on earth wouldn't there be a check for a secondary password before allowing access to my Comm Bank account?

Phoned Commsec who basically said bad luck that's the way it is. Further I should change your password on Commsec and then request further restricted access to allow secondary access for the accountant.

Just not good enough as I feel that they have provided a backdoor into my bank accounts.

Your thoughts?

Cheers
 
For me it's the same with nab trade. I can view my nab accounts but if I were to transfer money it prompts for the secondary password to complete the transaction. Not much help I realise, just similar to commsec.
 
What The Frack :eek:

I just also checked HA and it's as you describe.

I use Commsec for one of our family trusts and have E*Trade for our SMSF. With the latter, I can't do anything with ANZ accounts except using the E*Trade cash investment account. If I want to transfer funds from the SMSF cheque account, I have to log into ANZ online banking (with different login procedures) and transact online from there.

The ANZ protocol allows a separate layer of security (like another firewall I guess). I only have two linked accounts thru CBA. The bulk of my biz is with ANZ.

I had never even noticed that Commsec throws you from one view to another without the need to login again until you posted. :cool:
 
The CBA and Commsec linking happened about 10 days ago. I believe it was to allow linking of the Commsec cash management accounts with the CBA accounts.

When I log in thru Commsec and click on the Netbank tab it requires me to input my CBA Netcode (from my security token) before my CBA accounts display.

However, if I am in Netbank I can click into Commsec without any further code or password.

I agree it's not the best move, however, if you have this issue you should at the very least request the CBA security token.
 
I was able to give my bookkeeper read only access to NAB. I could not do this with CBA.

Perhaps it's time to close their access completely, and just forward weekly statements?
 
this is why you don't use a bank's derivative platform (no, not those derivatives) to trade stocks.

you watch, next they'll be able to invoke the "all monies" clause on margin calls.
 
They are crowing about it like it's a beneficial feature.:mad:

From the Commsec site

https://www2.comsec.com.au/Public/ContactUs/FAQs.aspx

"We have worked towards providing you a better online experience which now allows you to access both CommSec and NetBank, regardless of which website you initially log into.

Upon logging into either NetBank or CommSec you can simply switch between the sites by selecting from the tabs in the top-left corner of your screen."

The bottom line is that you need to use a secondary password to execute a trade within Commsec. Don't have a problem with this at all as it means that any Commsec employee can not trade and look like me within my account.

So they saw that trading needed to be more secure hence the secondary password.

Yet they now allow unfettered access to the CBA bank accounts with simply knowing the one level of access. So that level of access is not good enough to actually trade but it's good enough to access your money and make payments to any existing payee you have set up in the CBA system. You can't pay or transfer to new payees as this would entail entering new payees details for which you need an SMS code.

As I have already mentioned - it's crazy.

Cheers
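
An added illustration, not part of any post and not Commsec's or CBA's code: a small model of the access rules described in this thread, showing which money-moving actions are open to someone who holds only the Commsec login password once the two sites share a session, and how prompting for a one-time code on entry to the banking side closes that. The factor names, the rule table and the function names are assumptions made for this model.

```python
from dataclasses import dataclass

# Authentication factors (labels are assumptions for this model).
PRIMARY, SECONDARY, OTP = "login_password", "trading_password", "one_time_code"

@dataclass(frozen=True)
class Rule:
    site: str
    action: str
    moves_money: bool
    required: frozenset  # factors the session must hold

def rules(bank_step_up):
    """Rule table; bank_step_up=False mirrors what the posts describe."""
    bank = frozenset({PRIMARY, OTP} if bank_step_up else {PRIMARY})
    return [
        Rule("trading", "view_portfolio", False, frozenset({PRIMARY})),
        Rule("trading", "place_trade", True, frozenset({PRIMARY, SECONDARY})),
        Rule("banking", "view_accounts", False, bank),
        Rule("banking", "pay_existing_payee", True, bank),
        Rule("banking", "add_new_payee", True, frozenset({PRIMARY, OTP})),
    ]

def allowed(policy, held):
    """Actions open to a session holding `held` factors; switching tabs
    between the linked sites carries the session's factors across."""
    held = frozenset(held)
    return sorted((r.site, r.action) for r in policy if r.required <= held)

def missing_for(policy, held, site, action):
    """Factors the site must still prompt for before allowing the action."""
    rule = next(r for r in policy if (r.site, r.action) == (site, action))
    return sorted(rule.required - frozenset(held))

def delegate_exposure(policy, shared):
    """Money-moving actions open to a person given only `shared` factors."""
    held = frozenset(shared)
    return sorted((r.site, r.action) for r in policy
                  if r.moves_money and r.required <= held)

AS_DESCRIBED = rules(bank_step_up=False)
HARDENED = rules(bank_step_up=True)

if __name__ == "__main__":
    for name, policy in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(name, "->", delegate_exposure(policy, {PRIMARY}))
```
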
 
The other thing to be careful of is that your bank account number has changed. So any direct debits and credits will have to be changed as well.
 
I know very very little about this stuff...

How hard is it to, say, open an e-trade account and sign over the control of your securities to them? (CHESS or something?)
 
I don't like the new system either. I spent ages earlier in the week sorting out debits / credits to this new account number.

Did you also notice that the new account earns pretty much zero interest. I can't recall the name of the Commsec account I had but it was earning ok interest.
I've since withdrawn all the money I had in there ready for share purchases and will only transfer back when needed.

It's pretty poor security if you ask me that if someone manages to login to your Commsec account they can also access your bank accounts. Very glad CBA is not my primary bank!
 
this is why you don't use a bank's derivative platform (no, not those derivatives) to trade stocks.

you watch, next they'll be able to invoke the "all monies" clause on margin calls.

I think I saw something with ING that went along those lines, if there was a default they can access other ING accounts invoking "all monies" clause.
It's happening already I think!
 
Out of curiosity, I just logged into NetBank with CBA and the same reciprocal access is allowed from your bank accounts view and with the click of a Commsec button, straight into the Commsec view already logged in even though login details are different.

Shall make a call today and see what I get told. IMO the two platforms should not have immediate access to each other without logging in credentials for each one.
 
Yes found the same thing. Can go from the banking to the trading but to me that's OK as I see the banking as the higher security risk / exposure.

I phoned them yesterday and was informed that they sent out an email:eek: advising the situation. Didn't get any further - didn't ask for a supervisor, I will be writing a complaint.

The best they could do was send me a power of attorney form so that my accountant could have a different log on. Looking at the form doesn't seem to cover my situation where I only want my accountant to be able to look at my share positions.

In the opening para on the form

" when you wish to authorise someone else to trade and/or conduct transaction/s on your behalf"

I don't want to authorize anybody to do anything. Period. Only look and certainly not get into my bank account. Particularly when my accountant is already set up as a payee so he could effectively pay himself:mad: no further checks or balances.

Let us know how you go.

Cheers
 
Did you also notice that the new account earns pretty much zero interest. I can't recall the name of the Commsec account I had but it was earning ok interest.

Now that's really annoying ... I had my SMSF monies in the commsec acc, earning high interest, waiting to purchase more shares, as part of the SMSF plan.

The impression they gave was that they were going to combine the two commsec trading accounts into one - ie - your trades came out of the one account but still under the commsec cash management portfolio, rather than changing it all over to Commbank. No mention of losing interest, no mention of removing viewing from the commsec setup.

Not happy
 
Get a security token and no worries. I have them for all my banks except St George who are still behind. Westpac don't have them either but they make you click a virtual keyboard so keyloggers can't record your details.
 
I appreciate the point you make but that is not the answer I am after. I am quite happy with the SMS code currently used in the Netbank set up. I also assume that the security token will only replace the SMS functionality.

Thus, it doesn't remove the issue of security between the 2 distinct systems with (in my mind) the bank accounts having to have a higher security than the trading account (trading account has 2nd level security).

I have been on to them again this morning and have found out that they sent the wrong authority form and that the correct one does have an option for only viewing the commsec account rather than operating it. The form says nothing about the cross access to Netbank and I certainly wouldn't trust anything the help desk tells you.

Cheers
 
Yes found the same thing. Can go from the banking to the trading but to me that's OK as I see the banking as the higher security risk / exposure.

It may well be, however I still would prefer there be no access from one product to another. Whoever needs to add funds to their trading account, should login to NetBank and transfer funds to the CDIA (for example) and those funds will appear in their trading kitty when they separately login to Commsec. Reciprocal or even one way access should not feature IMO.

I phoned them yesterday and was informed that they sent out an email:eek: advising the situation. Didn't get any further - didn't ask for a supervisor, I will be writing a complaint.

I wasn't even advised that an email was sent, even though I didn't receive one and I've been thru my spam folders.

The best they could do was send me a power of attorney form so that my accountant could have a different log on. Looking at the form doesn't seem to cover my situation where I only want my accountant to be able to look at my share positions.

In the opening para on the form

" when you wish to authorise someone else to trade and/or conduct transaction/s on your behalf"

I don't want to authorize anybody to do anything. Period. Only look and certainly not get into my bank account. Particularly when my accountant is already set up as a payee so he could effectively pay himself:mad: no further checks or balances.

Let us know how you go.

Cheers

The short of it is, that I got nowhere. Customer service put me on hold to (allegedly) check with their supervisor and nope this won't change because........"it's more convenient."

I did receive a case number though that my feedback/complaint was noted and shall be passed onto the left hand from the right hand albeit neither hand knows what the other is doing. I was reassured that I was covered in the case of fraudulent and unauthorised access. Ahh, well that's OK then :p :mad:
 
It's also worth mentioning that relatively often when you call Commsec for support they will ask for your login password. Previously this meant that they could see your account info and your positions but now they can presumably get access to netbank and move around money? I've shifted the majority of mine to IB. So much cheaper.
 