Open The Dialogue

New research from Nuance Care Solutions brings to light a number of interesting statistics on how social media is playing into consumer attitudes:

• 72 percent say they research a company’s customer service reputation online prior to making a purchase.
• 74 percent are actually basing their decisions on who to do business with based on what they find.
• 59 percent use social media to express their frustrations with their customer service experiences.
• Only 33 percent say they think companies take complaints voiced online seriously, though a couple brands in particular were singled out as doing a good job along these lines.

More than all that, though, is the fact that, as the story says, search has impacted how people expect customer service to react to them. Through search, which often leads to social media like blog posts, communities and forums and other such platforms, people are expecting to get helpful answers immediately and are frustrated with customer service experiences.

This study also identifies the gaping void that exists for companies to pay attention to what’s being said about them online and interact there in order to solve problems. Problems are only problems as long as they remain unsolved, and posts with complaints are going to be updated with positive resolutions, but only if someone’s listening and reacting.

Along these same lines, Leigh Householder has a good post up on monitoring Twitter as a way to identify brand reputation management issues that might be floated there before being turned into full-fledged posts detailing all the problems someone has with a company.

I’ve been trying to keep up with what has been going on with regard to John’s issue late last week with coComment and Citibank, and I wanted to post an update today after reading this post by Pete Spire Lindstrom of Spire Security on his blog, about how John hasn’t “acknowledged” his participation in this situation.

While I will “agree” to correct John in saying that he didn’t mention in his post that he obviously posted the message to Citibank through its online messaging system, he did say to me, on multiple occasions, that he did it by accident the first time, and thought nothing of it until he happened to log in and see that he had coComment updates later on last week. I don’t disagree that John was obviously the “push” to what went on in his situation – as were three other unsuspecting users who just so happened to not blog about it, and potentially don’t know, even now, that this happened with their messages – but that doesn’t hold Citibank (or coComment, or John) harmless. Pete insinuates that someone else wrote John’s post, which most certainly isn’t the case, and I’ll 100% vouch for him as a colleague and friend. Working for a public relations agency, I think that both of us know better than to go off on unfounded attacks on companies when we haven’t at all tried one way or the other to get answers. In addition to calls from his end to Citibank’s technical side, we’ve both corresponded a number of times with the bank’s technical staff, and I’ve gone back and forth with coComment a bit myself. The thing I think that Mr. Lindstrom has chosen to ignore is that we *only* posted this because while a browser-based function such as this is the responsibility of the user, it doesn’t mean that it should be able to do what it does, hence our lack of “blame” on either coComment or Citibank – or ourselves, really. The reason that Citibank was isolated and mentioned, more than anything, was that John tried this at two other financial institutions that he works with, and I tried it with my primary bank. On zero occasions, with those institutions, did this functionality work, based on policies that those sites had set up.

To answer Pete’s last question, blockquoted here:

As I mentioned, if John can demonstrate how Citibank could have somehow protected against this (without a client-side footprint), then I will happy retract this statement, as I am sure he will once he reads this post (I was so careful to get the spelling right ).

I’m not positive that myself – nor John – has enough detailed security knowledge beyond what most of us who’ve developed a Website with any secure needs have, but after spending time on the phone with some of Citibank’s technical team who was on this issue over the weekend, I have a decent gist of understanding this. What I would pose to Mr. Lindstrom, in this case, is that if Citibank isn’t able to “protect against this,” then why is it that Wachovia, Commerce Bank, and ING Direct were all able to do so? Considering the fact that Mr. Lindstrom has obviously read all of John’s post, I’m not sure why he chose to glaze over those facts.

As for the fact that this is a “new toy” for John, it actually isn’t, and this was something that was honestly stumbled upon with no ill intent after using it for some time. The gist here was that no one would have expected that this sort of thing would work, especially considering the “option” for coComment to snag the text wasn’t available in other secure situations. If it were, I believe that we would have heard many many more examples of security concerns regarding it by now, given the number of bloggers who’ve given it a whirl. Now doing some casual searches you will see some items where people have mentioned different types of incidents, but nothing at a bank, as far as I can tell.

As for the PR angle, I hesitate to grasp the misunderstanding that Lindstrom has when he says “but this is completely bizarre to be thinking about PR agencies in the face of a security concern.” Oh, really? Well, considering John went the security route – on his own volition – in addition to us contacting coComment to let them know this was out there, which they promptly deleted before ever thinking about blogging about this, only to get nowhere, which led to the attempts to get in touch with the company’s public relations team just to make them aware of the situation. This is something that, in our jobs, we’re always looking out for, i.e. a blogger noting something about a client in the middle of the night. The calls were more about letting them know that this was feasible – and different – on the Citi site, rather than hostile towards them alone.

So while Pete Lindstrom may be right about the fact that John didn’t say that he did err in not unchecking the box for coComment to do this, he misses the point that the option to use coComment in this situation was so out of the norm for when it is usable that it was passed by not only by John, but other Citibank customers as well. Based on spending a little time perusing Lindstrom’s blog and site this morning, I’m sure that his security credentials are on point, and obviously are well beyond mine – or John’s – will probably ever be. But I think that if he had spent five minutes trying out coComment in similar situations, he would have seen that this isn’t feasible in all secure situations, and that this was an issue that was “shared” by both the user, the software, and the site. I don’t want to be in the position where we’re throwing anyone – or everyone – under the bus here, but I think the fact of the matter here is that there is a problem. Saying that “the user made an error and it’s his fault” makes me want to say that we should say the same thing to people who choose to use Windows systems over Mac systems – because of what we statistically know about security concerns between the two – are at fault. It doesn’t mean that the user is the only person to “blame,” it simply points out that there is an issue that needs to be fixed. If it shouldn’t be pointed out that potentially thousands of coComment users could be doing this – accidentally, or mistakenly, by believing the software would never allow them to do so (sure, it’s blindly, but it happens) – then I’m not sure what we should be raising red flags about. Lindstrom can talk semantics all he wants – it’s his blog, his opinion – but if something like this is feasible to do, then it’s a “security concern” that those involved can talk about.

[update] Just one more thought. While I do believe that there is something different being done on the other banks mentioned above and in previous posts, something that was said on coComment’s official blog about being able to blacklist sites that shouldn’t be able to store comments has got me thinking – is what some of the bank security has built into it on some of those sites only half (or one third, given security policy, third-party extension, and human error possibilities) of the issue, and should we be more concerned about what implications using such a thing has, more than anything? Obviously coComment offers a client-side option where you can make your blog work with the system, but obviously that can’t work in a negative option-fashion. As in, your site is indexed unless you say not to, or someone blacklists you. Thoughts? I’d be really curious as to what security policies for SSL and whatnot disallow something like this logging to function, or not.

[update 2] I’ve updated this post from the original, as Pete’s last name is Lindstrom, not Spire. Thanks for the update in the comments, Pete!

A few minutes ago, I received a response from coComment regarding the ongoing issue with that service indexing submissions to Citibank’s online form when logged into the bank’s systems. Check out what they had to say here, where they are pointing out that you can blacklist any site from storing your information, should you notice this sort of thing being feasible. In this case, the only reason that John had this happen was that he missed unchecking the box to log his note to Citibank, so it was more luck than anything that got us here (though some might disagree).

Again, I’m not going to specifically point fingers one way or another here, but while I am surprised that coComment software had logged this, I think I’m *more* surprised that it was allowed to log it in the first place. Because, as they say, “this shouldn’t happen and site security policy should prevent it.” More on that later. In the meantime, Citi’s security team has been great going back and forth, and we’re working on finding the right person within that company’s internal PR team to hear what they have to say about it.

For the latest followup to this story from late Friday/early Saturday morning, I wanted to note that I did hear back, via email and telephone, from Citibank’s information security group on Sunday. They were very courteous about the situation and wanted to do everything they could to see what the problem was with coComment tracking some of their online messaging. They did offer to speak with John, my colleague, as well (through me, however), but he has not received any direct, official communication from Citibank after his multiple messages through their online system or two telephone calls to their IT or security groups.

Additionally, while coComment (or someone related them) removed the posts shortly after John and I posted about this late Friday night, no one has responded to my request for comment, and Citibank’s security group was looking into who at coComment they could speak with, but I had not heard that they had been successful as of mid-afternoon on Sunday.

In any case, I don’t want to lay blame here officially one group or the other, as it appears there’s some things that Citi’s site could be doing better, from an outsider’s perspective, and I’m guessing there are things that coComment is doing that they might not have originally intended. At the same time, as Chris Thilk and I are speaking this morning (we do talk on the phone, by the way), we both are very surprised that no word has come down from Citi’s PR department or agency, based on the fact that this was indexed more than two days ago as far as Technorati and whatnot. The other great point that Chris makes is that “how are they not reaching out to John directly?” That’s something I’m surprised about, too, considering John blogged it himself and also did directly reach out to his bank – which he is a customer at, not me.

[update 11:45am Eastern] Upon attempting to loop in Ruder Finn, who we’re believing is the agency that would handle this specific piece of business, I’ve failed at the main email address for the firm, found here, on the firm’s contact page. So if you’re looking to email Ruder Finn at the “rfnewyork@ruderfinn.com” email address, don’t bother. There’s “no such user.”

So far, no word from Citibank or coComment on this issue where the commenting service was able to track a theoretically secure page, although coComment has cleared out the thread John and I linked to last night. If you’re still interested in seeing it, the PDF of the offending page is here here or you can see the full rundown of screens over at his blog.

Additionally, he made another attempt last night to speak with Citibank’s Internet Security group, but didn’t get very far with them, although he was able to provide them with the right information. Looking to try and get information from Citigroup media relations today, if possible.