On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> Hi, I noted that Citibank changed their login form at
> http://CitiBank.com. It now points you at the site:

I followed the above to this:

http://CitiBank.com/us/index.htm

then clicked on "* sign on" to get to this:

https://web.da-us.citibank.com/

I also tried the "sign on" and it took me to the same place. How did you get to here:

> https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460
>
> Ignore the parameters... notice the domain, ibanking-services.com! And
> whois reveals it belongs to Metavante Corporation... The SSL
> certificate also belongs to Metavante (and signed by RSA).
>
> Well, this site is protected by SSL, but not with the correct ownership
> (citibank/citigroup)... I guess I should add it to the Hall of Shame...
> Granted, most web users, using current UI, will not notice this at all,
> but I think it is clear that the bank should allow careful users (e.g.
> using TrustBar or checking manually) to identify that the site belongs
> to citibank.

Maybe you've been phished ;-)

> BTW, citicards.com still works Ok, as well as
> http://www.citibank.com/us/index.htm...

Yes that looks right!

iang
--
Advances in Financial Cryptography, Issue 1:
https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
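
The manual check the quoted message describes (is the sign-on host under the bank's own domain, and does the certificate name the bank as its owner), written out as an added example that is not part of the original thread. The function names, the expected-owner lists and the certificate dictionaries are assumptions constructed for illustration; the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: flag a login page whose host or certificate owner is not the
# brand the user started from. All sample values below are constructed.
from urllib.parse import urlsplit

def subject_field(peercert, name):
    """Return the values of one subject attribute from a dict shaped like
    the result of ssl.SSLSocket.getpeercert()."""
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == name]

def host_in_domains(host, domains):
    """True if host equals an expected domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_login_ownership(url, peercert, expected_domains, expected_orgs):
    """Return a list of findings; an empty list means the host and the
    certificate both match the expected owner."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("login URL is not https")
    if not host_in_domains(host, expected_domains):
        findings.append(f"host {host} is outside expected domains")
    orgs = subject_field(peercert, "organizationName")
    if not orgs:  # certificate carries no owner identity at all
        findings.append("certificate names no organization")
    elif not any(e.lower() in o.lower() for o in orgs for e in expected_orgs):
        findings.append(f"certificate organization is {orgs[0]}")
    return findings

# Constructed inputs modelled on the two sign-on pages in the thread.
EXPECTED_DOMAINS = ["citibank.com"]
EXPECTED_ORGS = ["Citibank", "Citigroup"]
CERT_BANK = {"subject": ((("organizationName", "Citigroup Inc."),),
                         (("commonName", "web.da-us.citibank.com"),))}
CERT_VENDOR = {"subject": ((("organizationName", "Metavante Corporation"),),
                           (("commonName", "cib.ibanking-services.com"),))}
CERT_NO_ORG = {"subject": ((("commonName", "web.da-us.citibank.com"),),)}

if __name__ == "__main__":
    for url, cert in [
        ("https://web.da-us.citibank.com/", CERT_BANK),
        ("https://cib.ibanking-services.com/cib/login.jsp", CERT_VENDOR),
        ("https://web.da-us.citibank.com/", CERT_NO_ORG),
    ]:
        print(url, check_login_ownership(url, cert, EXPECTED_DOMAINS, EXPECTED_ORGS) or "ok")
```

The subdomain test matches on a dot boundary, so a look-alike host such as `evilcitibank.com` is not accepted as part of `citibank.com`.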