The eSigner fraud: ssl.com charging my credit card arbitrarily with hundreds of dollars

This post was written by eli on November 4, 2021
Posted Under: crypto,Internet

Background

More than anything, this is a reminder to self why I must use a temporary credit card number when I renew the EV Code Signing certificate I purchased from ssl.com, a few years from writing this (if they still exist by then). I need it for Microsoft’s attestation signing of drivers for Windows, as detailed in this separate post of mine.

The business of selling certificates to websites has seen better days since Let’s Encrypt began to offer them for free, so in a way I can understand that a company like ssl.com needs to increase its revenues on the higher end of certificates. But it seems like they’ve lost control over the machine that charges money from credit cards. Or maybe they’re struggling for cash with nothing to lose, so it could be that there will be no ssl.com to renew the certificate with. Actually, do credit card companies offer protection from companies that go bankrupt?

The story until things went wrong

Back in May 2021, I purchased a 3-year EV Code Signing certificate from ssl.com, paying 747 USD with my regular credit card. The vetting process went reasonably smoothly, and I got the certificate a couple of weeks after placing the order, which makes sense given the extensive evaluation required.

Along with the congratulation mail from ssl.com, I got an offer to use cloud signing with eSigner.com for free. That’s a web utility, allowing one to sign a file by dragging it into the browser, and subsequently validating oneself with the mobile phone. It’s indeed more convenient than using the Yubikey USB dongle that is physically sent from ssl.com after purchasing a certificate. So far so good.

Then in July 2021, I got a mail from ssl.com thanking me for participating in the public beta of eSigner (I did?) and also asking me to participate in a follow-up survey in exchange for “100 free signatures after the free beta period ends”. And so I did. It was quick and painless.

And then on August 20th 2021, another email thanking me for participating in the eSigner Cloud Signing Beta Project. It also said that “Beginning on September 1, SSL.com will offer eSigner as a paid service available to all Document Signing and EV Code Signing customers. Current Beta participants with low to medium usage will automatically be placed in the Tier 1 group with overage fees waived”.

Frankly speaking, I didn’t read that long. Knowing I had 100 free signatures, I couldn’t care less.

And just to have this clear: There wasn’t a single word in this email about being charged, let alone mentioning a sum.

Who charged me 100 USD?

They didn’t wait long. A couple of weeks after the last email, I saw a 100 USD charge on my credit card by “SSL.COM CLOUD SERVICES HTTPSWWW.SSL”. I wasn’t even sure if this had to do with ssl.com, because the latter used a slightly different name.

Did I agree to this? Of course I didn’t. I didn’t know anything about this until I saw it on my credit card bill. So apparently, they thought it was fine informing me that I was about to join “Tier 1”, and from that I should have figured out what that means: A completely ridiculous program, offering 10 eSigner signatures per month, with a monthly price of 100 USD. In other words, pay 100 USD a month for sparing yourself the effort of using the USB dongle. Max 10 times a month.

This is credit card fraud by definition. The only reason I didn’t cancel it through the credit card company was that it requires canceling the credit card altogether. That would mess up recurring payments, so trying to resolve this with ssl.com got priority.

No big deal, just click “revoke”

So I dropped them a mail. The response was to read this KB article on how to cancel an eSigner account. I’ll give you the highlight: A click on a link saying “REVOKE”. Given that I had already signed things with this certificate, I wasn’t at all happy clicking on that link, even though customer support told me this doesn’t revoke the certificate in the usual sense (i.e. invalidate its use retroactively).

In fact, I would bet a beer that the use of the R-word was made intentionally to scare.

I could also add that the use of the certificate was only for attestation signing, so it was only checked when I submitted the drivers — the drivers themselves were signed by Microsoft, with their signature.

All in all, in theory there should not be any issue even if the certificate was revoked, but I really wasn’t in the mood to push my luck on this one.

Besides, given that I happened to have 100 free signings, there’s no justification for asking me to cancel my eSigner account. Don’t get me wrong: It’s not like I’m going to get anywhere close to eSigner in the future. I just don’t want to mess things up.

Customer non-support

Another thing the response from ssl.com said was “I have also created a refund request ticket for the billing team to refund the charge. Please stand by for update from the billing team”.

That update failed to arrive. Also, when I pointed out the 100 free signings issue, I got “The refund request is for the 100 dollar charge. If you do not use the 100 signings, you may be subject to another charge next month but the billing team would have to remove the charge. Please let me know if I can be of further assistance”.

A couple of weeks after not getting any update on the refund, I sent a nag mail, and got “This has been escalated to the billing team for investigation. Please stand by for update from the billing team”. And hey, Win from the Billing Department finally responded and told me he would issue a refund and inform me when that was done. And so he did. That is, he informed me about the refund, but I didn’t see it.

And then I was charged again on November 1st, 100 USD again. Why not?

Looking at the billing details for October, it turned out that Win had indeed made a refund: He had effectively canceled the 100 USD charged in October, but not the one in September. So nobody ever stopped the machine charging 100 USD each month. All I got was a refund for the charging in the middle.

All in all, 200 USD nicked from my credit card. And counting.

Bottom line

I mentioned the conclusion above: Always use a temporary credit card for payments abroad, and don’t even trust a company whose core business is trust. In the past, it was possible to cancel a payment made abroad without canceling the credit card, but the rules have changed.

Epilogue

After writing this post, I kept on nagging with a couple more emails to ssl.com, and somehow the second one caught their attention. Without getting into the details of the email exchange, it was clear that the game had changed. I saw a refund for the remaining 200 USD almost immediately. Plus a credible promise that my credit card won’t be charged again.

So while I still stand behind every word I’ve written above, it more than appears that my specific case was resolved in a good way.
