I think being a tester can be an occupational hazard. I spot problems without trying to – I don’t mean to come across as big-headed, it’s simply a statement of fact. I once read a printed book and found the only typo in it, and I wasn’t looking for it – it just leapt out at me!
Anyway, on Friday I happened to be doing some online banking – checking my account balances – and noticed something odd. I selected one account, saw the balance, and underneath a Transactions header and the most recent transactions, and all looked ok. I then selected the other account via a drop down link at the top of the page and the balance refreshed correctly, but the transactions didn’t. It looked odd and I did a double take, but there it was – the wrong transaction details against my account. So, being a tester, what did I do? I refreshed, tried another browser, and the issue still happened. It didn’t matter which account I picked first, as the error was that the second account didn’t have the transactions updated.
There was only one thing for it and that was to phone the bank up and tell them (I will not name them, as I do not believe it is fair to do so here). To their credit, the lady I spoke to went over it a few times and reproduced the issue herself, giving me a reference number, asking me to access my accounts using a different link (which worked, but was a less obvious route to use to get there) and also asking me if there was anything else I had found :o). (There was actually, a minor text wrapping issue relating to a date, but we can leave that to one side).
I was pleased that it had been taken seriously, although this defect should never have been in production in the first place, and I hope that the bank in question check their regression tests thoroughly (I am available to advise in my spare time for a fee!!!).
You may be wondering why I was so bothered, as it doesn’t sound like a major issue, but there have been occasions (too many to be fair) where customers have seen details of other customers’ account or personal details. I did only see my account transactions, but I do not know enough about the defect to know whether it only relates to my own accounts or whether there is a wider problem which I had not encountered. For me, the fact that it is possible for there to be a security problem is enough to make me wary. It is worthwhile reading Troy Hunt’s blog http://www.troyhunt.com as he has a lot of good common sense advice on security matters. I firmly believe that we all have a duty to protect ourselves as much as we can, and that includes checking our bank details and letting them know if there is a problem. And that extends really to any organisation that contains personal information.
So, the message from this unexpected blog post is – check your online accounts carefully!!
****** Updated 9th Feb 2016 ******
So, a month has passed since I first flagged this issue with the bank – one of the big 4 UK ones I may add – and this hasn’t been fixed.
It may be that this is not a major security problem, and the only other account details displayed are my own, but I don’t actually know this, as the bank haven’t bothered to contact me to give me any updates on this.
Good customer service would be (in my opinion) to have contacted me to tell me what priority the issue actually was, seeing as I took the time to raise this with them.
And there lies the problem. I listened to a webinar this morning about the World Quality Report, and to my surprise, more people are viewing usability above security as an area that they need to focus on in 2016. I am almost speechless! If a site is insecure in ANY way, that is a major usability issue, as I certainly won’t want to use it and neither will anyone else as we will not trust the site with our details. It isn’t rocket science for goodness sake.
Message to businesses – if you find, or are told about a security issue, fix the thing – quickly. Give it a high priority, and have the courtesy to respond to whoever told you.
I think I might try using Twitter to see if a posting there will get a response – watch this space!!