Mar. 16 2007

Huge Security Hole in Citibank's Online Account Center

Earlier this evening, I was minding my own business and catching up on things around the Internet when my coComment notifier in Firefox told me there was a fresh helping of comment distraction awaiting me. Not being a huge blog commenter (yet), I quickly dismissed the new comments and went to flag them as read. Right before doing so, something caught my eye. It was the message I had just sent to my credit card company, Citibank, through their online Account Center contact form. Not exactly something that is supposed to show up in coComment, a public record of my missives around the Internet. Quickly, I stopped tracking the conversation in coComment and called Citibank. The gentleman I spoke with politely listened to my frantic explanation and “duly noted this” in whatever kind of notes CSR people take. I then decided to document this security breach and, in the process, explain it to Citibank:

citi1

A screenshot of the message form. Notice the coComment tracking box at the bottom of the form.

I then explained the situation to Citibank, thinking that they’d find this somewhat important. Note the coComment box linking to my nickname and also the “20 lines of text maximum” warning above the message form. The “20 lines” is clearly a way to make sure people don’t write a lot, because Citibank doesn’t want their valuable employees’ time eaten up by ::gasp:: reading important messages from their customers.

citi2
After submitting the message to Citibank, I went back and checked coComment. Sure enough, there was the message I had just sent to them in all its glory.

citi3

Not only were my past two messages on there, but three other Citibank customers who are/were also coComment users were tracked on there as well. At the moment, no extremely confidential customer information has been disclosed. However, that doesn’t rule out the possibility that someone could put tons of personal information in that message and, unknowingly, have it show up in a public record. There is no visible warning or guideline suggesting what customers should and/or should not include when messaging Citibank. For all intents and purposes, I (and these three other people) were under the impression that everything we did on the Citibank web site was under maximum security. Below is the coComment conversation page, listing all the tracked correspondence of people using coComment and Citibank’s Account Online message center.

citi4

citi5

While putting this post together, I was happy to see that Citibank dutifully responded to my warning about this breach within the allotted 4-hour time period. Relieved that someone had gotten back to me so quickly, I opened the message and, quite frankly, was dumbfounded:

citi6

I sincerely hope that Citibank addresses this issue as soon as possible. Not only does this energize my skepticism about the security surrounding online banking, but it will most likely force me to cancel my beloved student Visa card.