Kind of an interesting query in and of itself, huh?

As a paying customer of Citibank, my perspective is slightly different than yours, a security pundit. Regardless of what I’m doing on my computer and how I’m doing it, isn’t constructing a secure environment somewhat about anticipation and preparation? Are you telling me if you were a developer for Citibank, and you knew about coComment, the way it functioned, and that the possibility exists some of Citibank’s customers might use it (not just me by the way, this happened to 3 other people that I know about), wouldn’t you consider that scenario in your design decisions? If your answer is no, then I’d be quite surprised.

I’m not asking Citibank to detect anything. Frankly, I don’t want them to detect anything. I find it hard to believe that you don’t think this is something that should be preventing from the outset. If Wachovia and ING Direct can do it, why not Citibank?

I’ve thought more than twice about all the software running on my client and coComment has weighed in on how I can use such software (theirs) properly as well. As a Citibank customer, what’s disturbing to me is why their message forms even allowed a coComment extension to initialize when the page was loaded and they have failed to address this in any means other than an open-ended response from someone on their security team.

Sorry, but you appear to still be missing the point. Citibank’s design decisions impact how you/your software operate, but the control still remains on your end. There is no way Citibank can detect software on your desktop barring some sort of agent donwload themselves.

It is still not quite clear to me that the problem here was that Citibank wasn’t using SSL (which, btw, is really smoke and mirrors to begin with).

Huge hole in John Ratcliffe-Lee’s browser. It’s your fault, not theirs. Think twice about all the software you have running on your client.

Thanks for your thoughts on this. I think I’ve fully acknowledged, and anyone else reading the back and forth about this issue realizes, that none of this would of happened without my involvement. I have no plans to retract any statements I’ve made about this issue and will not make any calls to anyone else to do so either. Everyone is allowed their opinion.

With that said, I’d like to make clear that I fully understand how and why coComment (as well as their Mozilla Firefox extension) function as they do and this situation would not have come to light if I had initially un-checked the tracking box. As I mentioned over on Stowe’s post, this was a simple user error caused by haste and something that can happen to anyone.

You’re exactly right about Citibank not being in the “communication stream.” There should be no involvement whatsoever by a third party in the “communication stream” when I’m on my bank’s web site. My issue is why Citibank even allowed coComment to function in the first place (which has been disseminated by the fact that they don’t use SSL).

Since I’m sure you’ve read my colleague Tom’s post(s) and comments over on OTD, I won’t go much further. My thoughts on this are essentially in-line with his and he’s addressed any questions you’ve had with the same perspective I would’ve.

Thanks again for your time and attention to this, and for helping spread the word about being proactive with your security online.

Very best,

John

As to your update 2 – that’s a very good point to make sure is clear. You’re right – user is always (at least theoretically, unless some third party ends up being in control) in control of what s/he is doing, browser-wise.

I asked Citi’s tech folks about this on the phone over the weekend, and didn’t get any answers, and hadn’t heard back about this specifically.

Again, while I think it can be testy at times from my POV and yours, we appreciate your candid comments, makes for great discussion.

Appreciate your time.

Best,

Tom

I’ve been trying to keep up with what has been going on with regard to John’s issue late last week with coComment and Citibank, and I wanted to post an update today after reading this post by Pete Spire of…