Citibank e-mail looks phishy

Perry E. Metzger perry at
Mon Nov 13 14:01:28 EST 2006

pgut001 at (Peter Gutmann) writes:
> "Cid Carlos" <Carlos.Cid at> writes:
>>Citibank e-mail looks phishy
> I think "Citibank aims at foot and lets loose with both barrels,
> then reloads and shoots a second time" would be a better title.
> This is a really scary example of what Perry once referred to as
> banks actively training users to become future victims of phishing
> attacks.  What's even worse is that Citibank uses such a profusion
> of marketing-driven vaguely bank-related domain names
> (e.g., although this now seems to have been shut
> down) that the email could just as easily have directed users to
> <random bank-sounding name>.com without raising too much suspicion.
> Any half-awake phisher will immediately send out an identical email
> sending people to some other vaguely correct-looking URL and asking
> for the same information.

Chase sends out unintentional parodies of phishing emails to customers
on a near daily basis, some of them with pathetic little notes about
security. They also have a web site that actively trains their
customers to type in their userid and password to an unsecured web
form. The pathetic little lock icon next to the form may fool the
ignorant but will not fool criminals. I have a wonderful letter from
Chase explaining to me that my worries for their security are
groundless -- it was very nicely worded so as not to come out and call
me insane. I should scan it and put it up on the web at some point.

If this sort of utter disregard for customer safety wasn't such a
scary thing, it would be laugh-out-loud funny. As it is, however,
we've got banks where either the marketing people are clearly in a
position of absolute dominance, or where the security people are
totally asleep at the wheel, or both. This does not bode well for the
future of the particular institutions in question. When the security
controls that are visible are so completely broken, one can only
speculate what the ones that one does not see must look like.

Even ignoring the fact that regulators will at some point come down on
such banks like the proverbial ton of bricks, there is the question of
total loss of customer confidence and the possible complete
destruction of shareholder equity in its wake.

I believe that modern banking regulations in the United States
prohibit banks from claiming to be safer than their competitors, but
that is unlikely to save whomever falls to a scandal.  Information now
flows quite freely outside the conventional media and customers are
able to migrate with relative ease from institution to

When this sort of stupidity finally catches up with one of these firms
in the form of a truly major scandal, I can easily see a brand name or
two that took a century to build vanishing in a blink, with the
remaining husk bought up by a competitor at the request of regulators
and the name quickly retired forever. I can predict that last detail
because this sort of event is not new. Sudden collapses of finance
firms have happened in the past because of scandals, though up until
now they haven't been caused by computer security lapses. I think it
is a question of when, not if, we see a major multinational financial
institution fall as a result of treating systems security as though it
were some ignorable commodity like carpet cleaning service, beneath
the notice of management and easily set aside if competing business
demands require it.

When that happens, one can only hope that the individuals responsible,
including executives at the highest levels of such organizations, will
find themselves permanently out of work and/or in prison. Sadly, I
suspect that, blame redistribution being an exceptionally advanced art
in large corporations, at least some of the miscreants will escape
intact and sin against their customers again from other positions of


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list