coComment responds to Citibank security issue
A few minutes ago, I received a response from coComment regarding the ongoing issue with that service indexing submissions to Citibank's online form while logged into the bank's systems. Check out what they had to say here, where they point out that you can blacklist any site so that coComment does not store your information, should you notice that this sort of thing is possible. In this case, the only reason this happened to John was that he missed unchecking the box to log his note to Citibank, so it was more luck than anything that got us here (though some might disagree).
Again, I'm not going to specifically point fingers one way or another here, but while I am surprised that the coComment software logged this, I think I'm *more* surprised that it was allowed to log it in the first place. Because, as they say, "this shouldn't happen and site security policy should prevent it." More on that later. In the meantime, Citi's security team has been great about going back and forth with us, and we're working on finding the right person within that company's internal PR team to hear what they have to say about it.

Comments
This is clearly a problem with John Ratcliffe-Lee. He simply didn't understand how coComment operated, yet installed it and ran it anyway.
The question of whether or not Citibank should be using SSL is a separate issue; they couldn't do anything directly to prevent this from happening.
Pete
Posted by: Pete | March 22, 2007 09:28 AM
Pete -
While I respect your opinion on this, I'll also respectfully disagree, based on the fact that at least three other financial institutions - which we tried before notifying coComment of this issue - were not allowing this functionality while on their sites. We tried this. We mentioned it in both of our posts. If Commerce Bank, ING Direct and Wachovia can all do it, how is it that some other bank "couldn't do anything directly to prevent this from happening"?
Again, I understand why you would say this and would have thought the same - but after seeing it with my own two eyes, I have to say that this isn't the case.
Additionally, I have posted an update after reading your post, here.
Posted by: Tom Biro | March 22, 2007 10:02 AM