
Blog Tracking Services Compromise Online Bank Security?

I’m not a security expert, but this warning at the Citicards site was quite a shock:

Customers using comment or blog tracking services on their computers run the risk that information submitted here could be displayed on those websites. Please disable your comment and blog tracking service before using Citi Cards Message Center.

Is this a real danger? What do you think?

Update (11/19): Several commenters here and on TechCrunch confirm what I thought myself: the warning likely refers to “tracking” products that offer a browser plug-in. In this case I was using Firefox with the BlogRovr plugin turned on. I know coComment offers a plugin, and whoever else does … well, Citibank considers it a security risk. Hm… food for thought.

Update #2: Wow, apparently this has been a well-documented problem for at least half a year, so Citi’s solution is to finally put up a warning message.

Comments

  1. It could well be a threat vector. Essentially it turns a one way service into a two way

  2. No service I know of could steal data from a banking site, but I’m no more security expert than you, so…

  3. I am guessing Citibank is warning you about the Firefox extensions and other browser modifications that may scan the page looking for actionable objects. A service such as coComment might sniff for comment boxes such as this one looking for an opportunity to send that comment field to its remote web service for storage and indexing.

    Were you running Firefox? The Citibank page could look for certain JS variables present in the DOM and send you a warning. Gmail currently issues tips/warnings for its members with Firebug turned on for example.

  4. I am pretty sure that Niall is right. It is the only thing that makes sense. MyBlogLog and other web-based services would need to be installed on the Citibank site itself for any usage tracking to occur.

    Cheers,
    Todd

  5. Yes, I also thought they were referring to trackers that come with a browser plug-in. In this case I was using Firefox and there is a BlogRovr plugin, which I was testing… and, like Niall points out, coComment has a plugin, too, and who knows whatever else. Not very reassuring… I’m turning BlogRovr off.

  6. Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning.

    This was at citicards.com, trying to send a customer service message, but I suppose the same situation applies to any site that offers message boxes.

Trackbacks

  1. […] Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into […]

