List,

In an effort to stop phishing emails, Citibank is including in a plaintext email the full name of the account holder and the last four digits of the ATM card.
Not only are these personal identifiers sent in an insecure communication, such use is not authorized by the person they identify. Therefore, I believe that some points need to be made in regard to the right to privacy and security expectations.

It's the usual tactic of pushing the liability to the user. The account holder gets the full liability for the "security" procedure used by the bank.

A better solution, along the same lines, would have been for Citibank to ask their account holders, when they log in for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder. This combination would not be static, because it could be changed by the user at will, and would not identify the user in any other way.

Private, identifying information of customers has been used before by banks for customer login. The account holder's name, the ATM card number, the account number, and the SSN have all been used, and abandoned, for Internet banking login. Why? Because of the increased exposure creating additional risks. Now, with the unilateral disclosure by Citibank of the account holder's name as used in the account and the last four digits of the ATM number, Citibank is backtracking its own advances in user login (when they abandoned those identifiers).

Of course, banks consider the ATM card their property, as well as the number it contains. However, the ATM card number is a unique personal identifier and should not be disclosed in a plaintext email without authorization.

A much better solution (see above) exists, even using plaintext email -- use a codeword that is agreed beforehand with the user. This would be a win-win solution, with no additional privacy and security risk.

Or is email becoming even more insecure, with our private information being more and more disclosed by those who should actually guard it, in the name of security?
Cheers,
Ed Gerck

-- 
________________________________________________
I use ZSentry Mail Secure Email
https://zsentry.com/R/index.html/[EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
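The user-chosen codeword scheme the post proposes, worked through as an added example (this is not Citibank's code nor the author's, and the account record, storage class, function names and sample data are all assumptions constructed for illustration). It places the two email styles side by side: the identifier style, which embeds static personal data, and the codeword style, which embeds only a holder-chosen, changeable token. A small audit helper shows which personal identifiers each email discloses, and a holder-side check shows a forged email and a stale email (after the holder rotates the codeword) both failing.

```python
"""Added example: per-account anti-phishing codeword versus static identifiers.

Assumed model: the bank keeps a per-account codeword that the holder chooses or
regenerates at will during Internet banking login; every legitimate bank email
carries it; the holder looks for the current codeword before trusting an email.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Alphabet for generated codewords; 0/O and 1/I left out to avoid misreading.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Three- or four-character combination, as proposed in the post.
CODEWORD_RE = re.compile(r"^[A-Za-z0-9]{3,4}$")


@dataclass
class Account:
    """Constructed sample record; the field names are assumptions for this example."""
    holder_name: str
    atm_last4: str
    codeword: Optional[str] = None  # None until the holder opts in at login


class CodewordStore:
    """Holds per-account codewords that the account holder can set and change."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def add_account(self, account_id: str, account: Account) -> None:
        self._accounts[account_id] = account

    def generate_codeword(self, length: int = 4) -> str:
        """Random codeword; carries no information about the holder."""
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def set_codeword(self, account_id: str, codeword: Optional[str] = None) -> str:
        """Holder chooses a codeword, or gets a random one. Returns the new value."""
        if codeword is None:
            codeword = self.generate_codeword()
        if not CODEWORD_RE.fullmatch(codeword):
            raise ValueError("codeword must be 3 or 4 alphanumeric characters")
        self._accounts[account_id].codeword = codeword
        return codeword

    def compose_identifier_style(self, account_id: str, body: str) -> str:
        """The practice criticised in the post: static identifying data in the email."""
        acct = self._accounts[account_id]
        return (f"Dear {acct.holder_name},\n"
                f"(ATM card ending in {acct.atm_last4})\n\n{body}\n")

    def compose_codeword_style(self, account_id: str, body: str) -> str:
        """The proposed alternative: only the holder-chosen codeword is included."""
        acct = self._accounts[account_id]
        if acct.codeword is None:
            raise RuntimeError("holder has not set a codeword yet")
        return f"Your security codeword: {acct.codeword}\n\n{body}\n"

    def holder_check(self, account_id: str, email_text: str) -> bool:
        """The check the holder performs: does the email carry my current codeword?"""
        acct = self._accounts[account_id]
        return acct.codeword is not None and f"codeword: {acct.codeword}" in email_text


def identifiers_disclosed(email_text: str, account: Account) -> List[str]:
    """Audit helper: which static personal identifiers appear in this email?"""
    found = []
    if account.holder_name in email_text:
        found.append("holder_name")
    if account.atm_last4 in email_text:
        found.append("atm_last4")
    return found


def demo() -> dict:
    """Run both email styles against constructed sample data and report the outcome."""
    store = CodewordStore()
    acct = Account(holder_name="Jane Q. Sample", atm_last4="4321")  # constructed
    store.add_account("acct-001", acct)
    store.set_codeword("acct-001", "K7PQ")  # holder picks a codeword at login
    body = "Please review your latest statement."
    ident_mail = store.compose_identifier_style("acct-001", body)
    code_mail = store.compose_codeword_style("acct-001", body)
    # A constructed phishing email: the sender cannot know the holder's codeword.
    forged = "Your security codeword: ABCD\n\nPlease confirm your password here.\n"
    result = {
        "identifier_mail_leaks": identifiers_disclosed(ident_mail, acct),
        "codeword_mail_leaks": identifiers_disclosed(code_mail, acct),
        "genuine_passes": store.holder_check("acct-001", code_mail),
        "forged_passes": store.holder_check("acct-001", forged),
    }
    store.set_codeword("acct-001", "M3ZR")  # holder changes the codeword at will
    result["stale_passes_after_rotation"] = store.holder_check("acct-001", code_mail)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the audit helper makes is the one the post makes: the identifier-style email discloses the holder's name and card digits, which the holder cannot change, while the codeword-style email discloses nothing about the holder and the token can be rotated whenever the holder wishes, so an old or leaked codeword stops working.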