
Followup on coComment / Citibank issue

I've been trying to keep up with what has been going on with regard to John's issue late last week with coComment and Citibank, and I wanted to post an update today after reading this post by Pete Lindstrom of Spire Security on his blog, about how John hasn't "acknowledged" his participation in this situation.

While I will "agree" to correct John in saying that he didn't mention in his post that he obviously posted the message to Citibank through its online messaging system, he did say to me, on multiple occasions, that he did it by accident the first time, and thought nothing of it until he happened to log in and see that he had coComment updates later on last week. I don't disagree that John was obviously the "push" for what went on in his situation - as were three other unsuspecting users who happened not to blog about it, and potentially don't know, even now, that this happened with their messages - but that doesn't hold Citibank (or coComment, or John) harmless. Pete insinuates that someone else wrote John's post, which most certainly isn't the case, and I'll 100% vouch for him as a colleague and friend. Working for a public relations agency, I think that both of us know better than to go off on unfounded attacks on companies when we haven't at all tried, one way or the other, to get answers. In addition to calls from his end to Citibank's technical side, we've both corresponded a number of times with the bank's technical staff, and I've gone back and forth with coComment a bit myself. The thing I think Mr. Lindstrom has chosen to ignore is that we *only* posted this because, while a browser-based function such as this is the responsibility of the user, that doesn't mean it should be able to do what it does - hence our lack of "blame" on either coComment or Citibank, or ourselves, really. The reason that Citibank was singled out and mentioned, more than anything, was that John tried this at two other financial institutions that he works with, and I tried it with my primary bank. On zero occasions, with those institutions, did this functionality work, based on the policies that those sites had set up.

To answer Pete's last question, blockquoted here:

As I mentioned, if John can demonstrate how Citibank could have somehow protected against this (without a client-side footprint), then I will happily retract this statement, as I am sure he will once he reads this post (I was so careful to get the spelling right ;-)).

I'm not positive that I - or John - have enough detailed security knowledge beyond what most of us who've developed a Website with any secure needs have, but after spending time on the phone with some of Citibank's technical team who were on this issue over the weekend, I have a decent understanding of this. What I would pose to Mr. Lindstrom, in this case, is that if Citibank isn't able to "protect against this," then why is it that Wachovia, Commerce Bank, and ING Direct were all able to do so? Considering the fact that Mr. Lindstrom has obviously read all of John's post, I'm not sure why he chose to gloss over those facts.

As for the fact that this is a "new toy" for John, it actually isn't, and this was something that was honestly stumbled upon, with no ill intent, after using it for some time. The gist here was that no one would have expected that this sort of thing would work, especially considering the "option" for coComment to snag the text wasn't available in other secure situations. If it were, I believe that we would have heard many, many more examples of security concerns regarding it by now, given the number of bloggers who've given it a whirl. Doing some casual searches, you will see some items where people have mentioned different types of incidents, but nothing at a bank, as far as I can tell.

As for the PR angle, I struggle to grasp the misunderstanding that Lindstrom shows when he says "but this is completely bizarre to be thinking about PR agencies in the face of a security concern." Oh, really? Well, consider that John went the security route - of his own volition - and that we also contacted coComment to let them know this was out there (which they promptly deleted, before we ever thought about blogging about this), only to get nowhere, which led to the attempts to get in touch with the company's public relations team just to make them aware of the situation. This is something that, in our jobs, we're always looking out for, i.e. a blogger noting something about a client in the middle of the night. The calls were more about letting them know that this was feasible - and different - on the Citi site, rather than hostile towards them alone.

So while Pete Lindstrom may be right about the fact that John didn't say that he erred in not unchecking the box for coComment to do this, he misses the point that the option to use coComment in this situation was so out of the norm for where it is usable that it was passed over not only by John, but by other Citibank customers as well. Based on spending a little time perusing Lindstrom's blog and site this morning, I'm sure that his security credentials are on point, and obviously well beyond what mine - or John's - will probably ever be. But I think that if he had spent five minutes trying out coComment in similar situations, he would have seen that this isn't feasible in all secure situations, and that this was an issue that was "shared" by the user, the software, and the site. I don't want to be in the position where we're throwing anyone - or everyone - under the bus here, but I think the fact of the matter is that there is a problem. Saying "the user made an error and it's his fault" makes me want to say that, by the same logic, people who choose to use Windows systems over Mac systems - because of what we statistically know about security concerns between the two - are at fault. It doesn't mean that the user is the only person to "blame"; it simply points out that there is an issue that needs to be fixed. If it shouldn't be pointed out that potentially thousands of coComment users could be doing this - accidentally, or mistakenly, by believing the software would never allow them to do so (sure, that's blind, but it happens) - then I'm not sure what we should be raising red flags about. Lindstrom can talk semantics all he wants - it's his blog, his opinion - but if something like this is feasible to do, then it's a "security concern" that those involved can talk about.

[update] Just one more thought. While I do believe that something different is being done at the other banks mentioned above and in previous posts, something said on coComment's official blog about being able to blacklist sites that shouldn't be able to store comments has got me thinking - is what some of those banks have built into their sites only half (or one third, given the security-policy, third-party-extension, and human-error possibilities) of the issue, and should we be more concerned about what implications using such a thing has, more than anything? Obviously coComment offers a client-side option where you can make your blog work with the system, but obviously that can't work in a negative-option fashion - as in, your site is indexed unless you say not to, or someone blacklists you. Thoughts? I'd be really curious which security policies, for SSL and whatnot, prevent logging like this from functioning, if any.
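To make the "negative option" question above concrete, here is an added illustration in JavaScript. It is not coComment's code and does not claim to show how coComment or any bank actually behaves; it is a constructed model of a comment-capturing browser extension under the two policies the update contrasts: opt-out (every site is captured unless it is blacklisted) and opt-in (only sites that declare support are captured). The hostnames, the blacklist and allowlist, the "looks like a comment form" heuristic, and the sample secure-message form are all assumptions made for the example.

```javascript
// Added illustration, not coComment's code: a model of an extension that captures
// what a user types into comment forms, under an opt-out and an opt-in policy.
// All hostnames, lists and form fields below are constructed for the example.

// Assumed operator-maintained lists. Neither hostname is a real site.
const BLACKLIST = new Set(["blocked-bank.example"]); // opt-out: captured unless listed
const ALLOWLIST = new Set(["blog.example"]);         // opt-in: captured only if listed

// Assumed heuristic: a form with a free-text area and a submit control "looks like"
// a blog comment form. A bank's secure-messaging form matches the same shape.
function looksLikeCommentForm(form) {
  const hasTextarea = form.fields.some((f) => f.type === "textarea");
  const hasSubmit = form.fields.some((f) => f.type === "submit");
  return hasTextarea && hasSubmit;
}

// Policy decision. The page scheme (http vs https) is deliberately not consulted:
// TLS protects the transport, while an extension reads the already-decrypted
// form contents from the page, so HTTPS on its own is not the control here.
function shouldCapture(pageUrl, form, mode) {
  const host = new URL(pageUrl).hostname;
  if (mode === "opt-out") {
    return !BLACKLIST.has(host) && looksLikeCommentForm(form);
  }
  if (mode === "opt-in") {
    return ALLOWLIST.has(host) && looksLikeCommentForm(form);
  }
  throw new Error(`unknown mode: ${mode}`);
}

// What would leave the browser on submit: the page URL plus every textarea's
// content. Returns null when policy says not to capture.
function captureOnSubmit(pageUrl, form, mode) {
  if (!shouldCapture(pageUrl, form, mode)) return null;
  return {
    url: pageUrl,
    text: form.fields
      .filter((f) => f.type === "textarea")
      .map((f) => f.value)
      .join("\n"),
  };
}

// Constructed sample: a bank secure-message form, served over HTTPS after login.
const bankUrl = "https://secure.somebank.example/messages/new";
const bankMessageForm = {
  fields: [
    { type: "text", name: "subject", value: "Question about my statement" },
    { type: "textarea", name: "body", value: "Account ending 1234, please call me." },
    { type: "submit", name: "send", value: "Send" },
  ],
};

// Under opt-out the bank message is captured; under opt-in it is not.
console.log("opt-out:", captureOnSubmit(bankUrl, bankMessageForm, "opt-out"));
console.log("opt-in: ", captureOnSubmit(bankUrl, bankMessageForm, "opt-in"));
```

Running it shows the asymmetry the update is pointing at: with an opt-out list, a site that nobody thought to blacklist is captured by default, and only a change on the user's side (the extension's policy or its lists) stops it. The model does not say what the other banks mentioned in the post do differently, because the post does not say either; it only shows where the decision is made.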

[update 2] I've updated this post from the original, as Pete's last name is Lindstrom, not Spire. Thanks for the update in the comments, Pete!


Comments

Hi. Some thoughts:

1) Pete Lindstrom, not Pete Spire. I probably don't spell that out on my blog.

2) I am not nefariously insinuating anything regarding who wrote a blog entry, just trying to be clear that this is unclear: I believe this post - http://journal.ratcliffe-lee.com/post/226111 - refers to John in the third person and, since I am making strong comments about it, thought I should place appropriate context.

3) Are you suggesting that "huge hole in Citibank" is a lack of blame on your/John's part?

4) An individual's decision whether or not to use coComment is his decision and nobody else's.

5) I wouldn't use coComment for specifically this reason. It is an "authorized" leakage tool. John allowed it to do what it was designed to do.

6) The PR angle is less bizarre with the context that you are PR, but it is still bizarre. You don't contact PR if you want a security problem fixed; you do it when you want public notice of how great you are and how dumb they were - neither of which is the case here.

7) We talk about security concerns like this all the time, and constantly evaluate configuration options of tools and weigh the pros and cons. It is important to understand who has the power to reduce the risk in play - in this case, that is definitely the user, slightly coComment, and almost zero for Citibank (as far as I can tell so far). And yet John says "huge hole in Citibank".

Bottom line: if you are not protecting yourself, don't expect your bank to, especially when they aren't even in the control flow of the communications.

Pete

Thanks for your comment, Pete - responses inline with yours.

1) Thanks for the correction, noted and adjusted in my post. No name on your blog, so my bad.

2) Gotcha. But yes, John wrote it.

3) Well, that's John's title, not mine. Mine was "Insecure messaging at Citibank?" Again, Citibank was named specifically because other banks didn't have this problem in the same type of situation. Nor does my Gmail, work Webmail, other mail systems, among other places. Again, doesn't make it 100% bulletproof, just a point about this particular situation. I'm not suggesting that there's a lack of blame on John's part in this situation. There's also a "blame" on the others that had this happen. Again, I think part of the issue with anything that is set up to run and do what coComment does is that probably 90% of the persons using it don't *really* get what it does. It's logging what you type, more or less, except you've "opted-in" to doing so. I'm merely pointing out that Citibank isn't innocent in this particular case, based on the fact that others in their industry have protected themselves - maybe not directly - from what coComment allows you to do.

4) Never said otherwise.

5) Agreed. It is "authorized" leaking. Again, point here was that I would argue - whether it's "right" or not that people use something like this to track messaging - that it's a security issue that we exposed in the USAGE OF THE SOFTWARE ON ONE BANKING WEBSITE, not everywhere that supposedly secure messaging was feasible.

6) That's great that it's "less bizarre" that you feel that way. If this were about ego, I would have done what other PR bloggers do, and called all my journo friends at banking and tech trades. Again, while you appear to have read that we contacted tech support about this - at coComment AND Citibank (the latter via phone, twice, and over email from John and myself) WELL before posting anything - we didn't go to them first at all. It wasn't how we were trying to get whatever this problem was "solved." We didn't go to the PR people to point out the fact that this was happening at the first line of defense for the company. I went to the PR department, frankly, to let them know that this was out there, not to "get a quote" or whatever for my blog. Call it courtesy from working in the industry, and I would hope that others would do the same. You might want to suggest it was "nefarious" or pointing out that they were dumb. The fact of the matter is that there was the possibility - whether John posted on his blog or not - that this would have gotten out there, given the fact that other users have had this same problem, and didn't know it, obviously, as information was out there since last November.

Thanks for clarifying that I'm not great and that they're not dumb. It's good to see that you can grasp the fact that I can blog about something that I believe is an issue, give my perspective, and have it be all about ego. Sorry, but that's not the case. If you want to say that, then say it about 99% of the blog entries that are out there, and I would argue that there are just as many of those types of things on your blog, where you write about security topics, that I could turn that argument on you about.

The specific reason that we were curious about Citibank's non-response - when we know that John made the mistake, which he acknowledged (at least to me, and I get why you want that mentioned on his blog) - was that when he did call their tech support, the first person he spoke with blew him off when John was talking about OTHER customers' information on the Web, and took no care of any of it, and the security person he spoke with the second time did minimally more, and accused him of hacking Citibank's site, before even contemplating what the situation was. John wasn't accusatory or defensive to them when he contacted them; he was pointing out what the issue was and that this was something he found out when he made a mistake on his computer.

So to clarify your "how great you are" point, you're off base. I contacted PR to let them know that this was the case, so that they would have plenty of time to address should there be anything that happened in a public venue, irrelevant of our blogging it - something that we did BEFORE this was ever posted on John's blog or mine.

7) Understood that you're critical of John having the major "fault" here, but I'm not sure why you feel there is nothing that Citibank could do, when it's been stated multiple times that other banks that he and I are customers at do not have the same problem. If that's the case, then doesn't that pretty much point to the fact that there is *something* that could be done on their end? If you want to argue with John's title, I will not disagree with you at all on that. If you want to say that there's nothing that other banking institutions can do in this situation, I think we're going to have to think twice about that.

As for your bottom line, again, points taken and I don't disagree. I think that there are tons of "security" issues we hear about that are 100% user problem, error, or whatever. At the same time, that doesn't mean that, especially when there's proof otherwise at other places that something doesn't "have to be" the way it is that everyone is wrong.

Honestly, if I'm going to say anything, it'd be to not use coComment at all if you don't know about the ramifications of what it can do. I know that is what you'd say, and have, and I know exactly why. I've used it because it's part of my job to be aware of what kinds of technologies and tools are out there, especially in the "Web 2.0" timeframe we're working in, but I don't use it on a day-to-day basis because I don't feel the need.

The last point is why I added my first update here. I think there are a lot of different ways that this can, should, or could have been handled. In my opinion, the proper venues - irrelevant of PR - were gone through in advance, and the only decision you might want to argue with here is the choice to post a blog entry on it or not. If we're going to do anything else to improve this, it'd end up being something like what has been suggested elsewhere (blacklist everyone, which wouldn't work, for instance), or making sure that when people are using coComment in the first place, primarily the browser extension, they are somehow made fully aware of what they are using - which coComment would obviously see as hazardous to adoption, but they would get credit for playing.

Unfortunately, this is what happens in our "rush to use" marketplace right now. Who reads manuals (well, on the whole) or truly pays attention to software they're installing? Unfortunately, not enough people.

I'd say your bottom line points out that everyone needs to be responsible for their own security online, which is spot on. At the same time, I think that for many people, the "security" people believe they have when they are "logged in" to a site they believe is safe for them to communicate personal information, they should make sure they're thinking twice, and crossing all their t's and dotting all the i's.
