Update on Citibank/coComment Security Issue

Much has happened since my original post about how I stumbled upon a fairly glaring security issue concerning Citibank’s Account Online and coComment, a popular blog conversation tracker.

Tom has been following most of the action on Open The Dialogue and his posts about this (so far) can be found here, here, here, and here.  Before I go any further, one change to note:  if you haven’t noticed already, I edited the screen shots in my original post to protect the identity and privacy of the other people who unknowingly allowed coComment to track their correspondence to Citibank.

With that said, I’ve been somewhat disappointed in and amazed at how Citibank has handled this issue so far.  I reported this issue to them through multiple avenues (twice over the phone and once electronically) on Friday (3/16) and no response in any form was received until Sunday (and no one communicated directly with me until Monday).  Granted, it was the weekend, but I’d hope that a company as large as Citibank has knowledgeable, reachable people monitoring these sorts of issues 24/7.  As Tom notes, they were very courteous and attentive to the situation but requested I contact them through him.  I understand the corporate firewalls between customer service and security teams, but why make the effort to identify who I am if that information isn’t going to be used effectively?  Regardless, when a seemingly fool-proof Google search by Citibank - for a way to contact me - failed, it came down to me initiating contact with Citibank (again) to give them the opportunity to assure me this issue is being investigated and that they’re doing everything possible to keep my financial records secure.  Considering the ramifications and things at risk here, I view this lack of communication by Citibank as a complete failure.

Tom and I have also been diligently attempting to procure some sort of official response from Citibank (or their media relations team) and nothing has come yet.  The very helpful Citibank representative we’ve been working with so far has, supposedly, passed this on to the people who handle PR for Citibank (internally), but we haven’t heard anything yet.  Tom even tried to contact Ruder Finn (whom we thought/think handle some of Citibank’s business) directly by using the e-mail address provided on their contact page and got back “no such user exists.”  Earlier today, I sent a brief note to Citibank inquiring about the aforementioned communication and was greeted by a curt out-of-office reply.

While we’re (and more importantly I, the customer) still waiting to hear something of tangible value from Citibank, coComment issued an official response to this situation on their blog.  They’ve taken a hard line in reminding users to actively use the “Blacklist” feature incorporated in coComment and acknowledged that this issue should not have happened in the first place (something Citibank has not done yet).  As much as I enjoy using coComment and agree with their charge to let people use their tools wherever and however they choose, I hope that they might consider some extended “social responsibility” with regard to this or similar situations.  Relying on their users to recommend and actively blacklist sites with potential risk is sound, but I’m sure it wouldn’t hurt to extend an olive branch to Citibank (and similar sites) by offering to help determine places where coComment shouldn’t be allowed to function.  I, like Tom, am not trying to peg blame on one party or the other.  We’d just like to see the situation handled professionally and responsibly.  Stowe Boyd, on the other hand, is placing blame squarely on coComment.

As of right now, I do not know if Citibank’s Account Online message form still allows coComment’s Firefox extension to function and/or track anything.  The other two financial institutions I do business with online, Wachovia and ING Direct, appropriately don’t allow coComment to function in any of their message forms.  Finally, after coComment took down the thread that contained tracked messages to Citibank, I was asked by Citibank’s Internet security team to try it out again and see if this issue still exists between their Account Online and coComment.  Not only did my detailed screen shots apparently not suffice, but I would think that, as a paying customer, this should be Citibank’s responsibility.  They shouldn’t be asking someone who reported a security issue to assume that risk again and do their dirty work.  I could speculate about what that means for Citibank, their understanding of the situation, and the people who handle their Internet security - but I won’t.  I’ll only go as far as saying that my confidence in Citibank isn’t very high and, currently, I wouldn’t recommend them in any capacity.