CitiBank Update It seems that citibank is still patching up their sites (c2it, accountonline, etc), however, it's clear they are doing a rush job. I don't think they even READ the CERT advisory on how to fix CSS problems because they STILL don't filter all the important characters, thus letting scripting in. In addition, they STILL don't obfuscate your CREDIT CARD NUMBER in the html of some pages. That's just a basic Security 101 tip. If they don't have enough man power to handle their sites, they should really consider hiring Some of the many out of work programmers.