Aardvark Daily
Right of Reply
Copyright © 1999 to Bruce Simpson
Click here to suffer from exposure
Date: Oct 28, 1998
From: Patrick O'Brien
For : Right Of Reply (for publication)
Subj: Domainz Credit Card Facility

In responce [sic] to your article, let me begin by acknowledging the three issues that you raised.

  1. The URL contained a hard coded IP address, causing the system to flash a security "warning" message upon entry to "https" mode.

  2. Once the secure transaction had successfully completed, you found the confirmation message misleading as the amount field was re-presented minus its decimal point.

  3. There was a broken link on the navigation button returning "home"
Before we drop down into detail, let me also stress that at no time was the integrity of the secure transaction compromised.


Issue 1

The secure site and BNZ Buy-line facility is provided though our ISP, who as part of their security precautions during the testing stages, hardcoded the URL with an IP number.

The message you received was a warning, alerting you on entry to the secure site, that the URL did not contain the correct "domain name" held in the site certificate.

We've tested the site extensively but did not see this particular warning. There are no issues with the site, it is correctly configured and has a fourth level domain name "secure.dnz.net.nz".

It is possible that the very first time our ISP used this page, they got the message. However, as a result, the URL/IP information could have been cached. As we accessed the system locally this could have been the reason why we would never see it as part of our test program.

As I understand it, factors such as: local caching of the IP address, the specific site "domain name", the local hosting of the web site and being connected to the same service provider can combine in ways that result in a browser not flashing this warning.

I am also told that some versions of browsers, or some settings within browsers, are more likely to suppress/display this warning message.

There has been only one significant change to the site since its go-live. The day before your transaction (Tuesday 20) we moved the hosting of the domain name "dnz.net.nz" to Actrix. As best we can determine, this should not have had any impact as the site "secure.dnz.net.nz" was always hosted at Actrix.

Clearly the hardcoded IP address should have been removed earlier, but that could only be done by the ISP given their links to Buy-Line.

I've spoken with our ISP about this. They acknowledged the issue and have subsequently removed the hard coded IP address to substitute the correct URL.

Issue 2

The BNZ buy-line requires a financial amount without a decimal point and initially, this is what our input screen requested. Initial feedback told us that this may be misleading.

(Note banks are not consistent in their treatment of this issue. For instance, the BNZ voice system requires that amounts are entered as two separate numbers, dollars and cents. WestpacTrust on the other hand system requires that last 2 digits are cents).

In line with feedback, we made cosmetic changes to the input screens to require input of the decimal point. This is stripped off prior to shipping to the BNZ Buy-line. Once a secure transaction has taken place, Buy-line sends back a message to Domainz.

This message confirms the transaction, presenting the amount *without* the decimal point for Domainz processes to handle. The BNZ message is then re-packaged to the web site for presentation to the customer.

The system worked exactly as tested.

However, I can see how re-presenting the amount without the decimal point leads to confusion, so we've implemented changes to insert a decimal point in the confirmation message. Note that a number of other customers are using the facility, and to-date, no other customer has raised this as an issue of concern.

Issue 3

Yes, there was a broken link, most likely inadvertently created whilst hand coding to remove "Front Page" characters.

This has been corrected. ISSUE MANAGEMENT

Regarding how the situation was handled once you made the enquiry.

When you phoned, you are correct that we could not immediately confirm your transaction, and that we indicated that customer service staff would investigate and get get back to you shortly.

There is precisely what I'd expect, nothing wrong here.

You raised a question about a secure payment transaction. There is no way that Customer Enquiry staff would have, or will have for that matter, immediate and direct access to that sensitive information.

We investigated and promptly followed up as per our committment.

Meanwhile the web designer from our service provider was made aware of the issue. I also spoke with Senior management of the service provider so that we could speedily assess the risks and impact of the points that you raised.

We very quickly determined that the issues were presentational in nature, and posed no risk to the integrity of the transaction, or the process.

There was a positive decision *not* to take the system off-line, it had nothing to do with the location of staff as you infer.


Yes, there were some issues related to the form, These I've acknowledged, explained and resolved.

No, there were no issues with the integrity of the transaction, it was processed in a secure manner.

Yes, there was extensive testing of this facility over a considerable period of time. There is no way that we would allow ourselves to bring it to market if we were not comfortable with its ability to manage the credit transaction securely.

No, there was not "total lack of testing".

It is my job to fully accept responsibility for issues that arise with the credit card facility, or any other facility that Domainz provides, and that I do.

I also take responsibility to deal with them in a professional, timely and responsible manner. I've done that too.

BTW, it is good to see the Weekly out again, although I'd prefer not to provide the incentive next time ;-)

My regards,


Do you want to link to this page?

Back to Aardvark Weekly...