Huge Security Hole in John Ratcliffe-Lee’s Browser

Sorry about the inflammatory title, but I felt compelled to copy John Ratcliffe-Lee’s headline from his post "Huge Security Hole in Citibank’s Account Center", which he used twice. I will, of course, retract the statement if it turns out I am wrong, just as I assume John will… except he doesn’t appear to be ready to acknowledge his part in this.

Basically, John sounds the alarm about Citibank when he finds a comment he made on Citibank’s site sitting on his cocomment page. Cocomment, as far as I can tell, uses a browser extension that copies the form POSTs the user submits, to whatever site, and sends the copy to the cocomment page. If that is true, then Citibank is not in the communication stream: the copy is made in the user’s browser before the request ever reaches Citibank’s servers, so Citibank neither sees it nor can block it.

A few posts later, and as far as I can tell, John still hasn’t realized his part in all of this:

In any case, I don’t want to lay blame here officially on one group or the other, as it appears there are some things that Citi’s site could be doing better, from an outsider’s perspective, and I’m guessing there are things that coComment is doing that they might not have originally intended.

He has caught on that there is a cocomment setting that he should have set to block the comment from going to his cocomment page, but still doesn’t realize that it is HIS fault. And then:

we both are very surprised that no word has come down from Citi’s PR department or agency, based on the fact that this was indexed more than two days ago as far as Technorati and whatnot.

I can’t tell who actually made this post on John’s behalf, or whether it was John himself… but it is completely bizarre to be thinking about PR agencies in the face of a security concern.

More than anything, this is a user error – John Ratcliffe-Lee did not recognize the leakage possibilities in the new toy he was trying out. (Okay, I guess cocomment is slightly responsible for not realizing that its users would be this naive).

As I mentioned, if John can demonstrate how Citibank could have somehow protected against this (without a client-side footprint), then I will happily retract this statement, as I am sure he will once he reads this post (I was so careful to get the spelling right ;-) ).

Update: He’s still at it. Here’s a choice quote:

I could speculate about what that means for Citibank, their understanding of the situation, and the people who handle their Internet security – but I won’t.

Update 2: It appears that coComment by default doesn’t aggregate comments posted over SSL, so Citibank’s message form must not have been served over SSL. That is an interesting but separate question from Citibank’s ability to explicitly protect against this: whether the extension honors that default is decided on the client, so the user and his coComment software remain in complete control.
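The mechanism described above and in Update 2, as an added example that is not coComment’s, Citibank’s or this post’s own code: a small Node-runnable model of a comment-tracking extension that copies form submissions. The aggregator URL, the settings object and its defaults, and the sample form fields are assumptions; the settings model follows Update 2 (SSL pages skipped unless the user opts in). What it shows is that the request the site receives is byte-for-byte identical whether or not the extension made a copy, so nothing server-side can detect or prevent the leak.

```javascript
// Added example, not coComment's or Citibank's code: a hypothetical model of a
// comment-tracking browser extension that copies form submissions. The
// aggregator URL, the policy object and its defaults are assumptions; the
// settings model is based on the post's Update 2 (SSL pages skipped by default).

// Assumed default settings: tracking on, SSL pages not mirrored.
const DEFAULT_POLICY = Object.freeze({ trackingEnabled: true, mirrorHttps: false });

// Hypothetical aggregator endpoint the extension reports to.
const AGGREGATOR_URL = 'https://aggregator.example/submissions';

// Serialize form fields as application/x-www-form-urlencoded, roughly as the
// browser does for a plain <form method="post">.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join('&');
}

// The extension's decision to forward a copy depends only on the page URL and
// the user's own settings; nothing the site sends participates in it.
function shouldMirror(pageUrl, policy = DEFAULT_POLICY) {
  if (!policy.trackingEnabled) return false;
  const { protocol } = new URL(pageUrl);
  if (protocol === 'https:' && !policy.mirrorHttps) return false;
  return true;
}

// Simulate a form submission with the extension installed. Returns the request
// the site receives and the copy (if any) the extension sends elsewhere.
function submitWithExtension(pageUrl, formAction, fields, policy = DEFAULT_POLICY) {
  const body = encodeForm(fields);
  const siteRequest = {
    method: 'POST',
    url: new URL(formAction, pageUrl).href,
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body,
  };
  const mirror = shouldMirror(pageUrl, policy)
    ? {
        method: 'POST',
        url: AGGREGATOR_URL,
        // The copy carries the originating page and the full form body.
        body: encodeForm({ page: pageUrl, form: body }),
      }
    : null;
  return { siteRequest, mirror };
}

// What the site can compare: two requests are indistinguishable to the server
// if method, URL, headers and body are exactly the same.
function indistinguishableToServer(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Constructed sample input: a customer message form on a plain-http bank page.
const SAMPLE_FIELDS = { subject: 'Card question', message: 'Why was my card declined yesterday?' };

if (typeof require !== 'undefined' && require.main === module) {
  const leaked = submitWithExtension('http://bank.example/messages', '/messages/send', SAMPLE_FIELDS);
  const unleaked = submitWithExtension('http://bank.example/messages', '/messages/send', SAMPLE_FIELDS,
    { trackingEnabled: false, mirrorHttps: false });
  console.log('mirrored copy:', leaked.mirror);
  console.log('server sees the same request either way:',
    indistinguishableToServer(leaked.siteRequest, unleaked.siteRequest));
}
```

Run it with node. The only input to shouldMirror is the page URL and the user’s own settings, which is the sense in which the user and his software are in control; the site’s one lever, serving the form over https, works only because this hypothetical extension’s default happens to honor it.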

6 comments for “Huge Security Hole in John Ratcliffe-Lee’s Browser”

  1. March 22, 2007 at 9:55 am

    Followup on coComment / Citibank issue

    I’ve been trying to keep up with what has been going on with regard to John’s issue late last week with coComment and Citibank, and I wanted to post an update today after reading this post by Pete Spire of…

  2. March 22, 2007 at 1:22 pm

    Pete -

    As to your update 2 – that’s a very good point to make sure is clear. You’re right – user is always (at least theoretically, unless some third party ends up being in control) in control of what s/he is doing, browser-wise.

    I asked Citi’s tech folks about this on the phone over the weekend, and didn’t get any answers, and hadn’t heard back about this specifically.

    Again, while I think it can be testy at times from my POV and yours, we appreciate your candid comments, makes for great discussion.

    Appreciate your time.

    Best,

    Tom

  3. March 23, 2007 at 8:21 pm

    Pete,

    Thanks for your thoughts on this. I think I’ve fully acknowledged, and anyone else reading the back and forth about this issue realizes, that none of this would have happened without my involvement. I have no plans to retract any statements I’ve made about this issue and will not make any calls to anyone else to do so either. Everyone is allowed their opinion.

    With that said, I’d like to make clear that I fully understand how and why coComment (as well as their Mozilla Firefox extension) function as they do and this situation would not have come to light if I had initially un-checked the tracking box. As I mentioned over on Stowe’s post, this was a simple user error caused by haste and something that can happen to anyone.

    You’re exactly right about Citibank not being in the “communication stream.” There should be no involvement whatsoever by a third party in the “communication stream” when I’m on my bank’s web site. My issue is why Citibank even allowed coComment to function in the first place (which has been disseminated by the fact that they don’t use SSL).

    Since I’m sure you’ve read my colleague Tom’s post(s) and comments over on OTD, I won’t go much further. My thoughts on this are essentially in-line with his and he’s addressed any questions you’ve had with the same perspective I would’ve.

    Thanks again for your time and attention to this, and for helping spread the word about being proactive with your security online.

    Very best,

    John

  4. Pete
    March 23, 2007 at 9:26 pm

    @John -

    Sorry, but you appear to still be missing the point. Citibank’s design decisions impact how you/your software operate, but the control still remains on your end. There is no way Citibank can detect software on your desktop barring some sort of agent download of their own.

    It is still not quite clear to me that the problem here was that Citibank wasn’t using SSL (which, btw, is really smoke and mirrors to begin with).

    Huge hole in John Ratcliffe-Lee’s browser. It’s your fault, not theirs. Think twice about all the software you have running on your client.

  5. March 23, 2007 at 11:31 pm

    On the contrary, no point has been missed. From my perspective, you’re still trying to hammer home an opinion that has been discussed already and fleshed out. Of course the way I used coComment created this situation (and at no point have I denied that), why the need to keep addressing it?

    As a paying customer of Citibank, my perspective is slightly different than yours, a security pundit. Regardless of what I’m doing on my computer and how I’m doing it, isn’t constructing a secure environment somewhat about anticipation and preparation? Are you telling me if you were a developer for Citibank, and you knew about coComment, the way it functioned, and that the possibility exists some of Citibank’s customers might use it (not just me by the way, this happened to 3 other people that I know about), wouldn’t you consider that scenario in your design decisions? If your answer is no, then I’d be quite surprised.

    I’m not asking Citibank to detect anything. Frankly, I don’t want them to detect anything. I find it hard to believe that you don’t think this is something that should be prevented from the outset. If Wachovia and ING Direct can do it, why not Citibank?

    I’ve thought more than twice about all the software running on my client and coComment has weighed in on how I can use such software (theirs) properly as well. As a Citibank customer, what’s disturbing to me is why their message forms even allowed a coComment extension to initialize when the page was loaded and they have failed to address this in any means other than an open-ended response from someone on their security team.

  6. Pete
    March 25, 2007 at 7:50 pm

    This post is on the first results page for the query “(Citi OR CitiBank) AND (Love OR Like OR Best OR Good OR Great OR Adore OR Wonderful OR Convenient)” in BlogPulse, as I noted when I looked at some recent stats.

    Kind of an interesting query in and of itself, huh?
