On Sunday 19 June 2005 16:17, Ian G wrote:
> On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> > Hi, I noted that Citibank changed their login form at 
> > http://CitiBank.com. It now points you at the site:
> 
> 
> I followed the above to this:
> http://CitiBank.com/us/index.htm
> then clicked on "* sign on" to get to this:
> https://web.da-us.citibank.com/
> 
> I also tried the "sign on" and it took me to
> the same place.
> 
> How did you get to here:

Ha!  I think I figured it out  ...

There are TWO banks, one is CitiBank and the other is CityBank!
If you go to CityBank.com you get to the below.  If you go to CitiBank.com
you get to the above.

> > https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460


I guess this is a vestige of US state banking - the CityBank site
claims it is a Washington state bank since 1974.  They've obviously
outsourced their online bank to ibanking-services.com which is
Metavante Corp.  So it definitely looks like a phish; what they
should be doing is managing a cert in the name of CityBank
for and on behalf of them.

Certainly you could create a special category for those
companies that outsource their online bank interface to operations
that look like phishing attacks.  CityBank certainly qualifies for
that.

I'm not sure CitiBank has done anything wrong, and it seems
very hard to blame them if they themselves can't sort out the
domain name confusion due to state banking laws in the US of A.

Well.  All this shows is what we already knew - even people who
are supposedly "in the security business" and supposed experts
in phishing get confused by the current interface :-)  Users are
easy meat for phishers then...

(Amir, if Trustbar showed this was in fact the wrong place and
wrong site, then that's good!)

> > Ignore the parameters... notice the domain, ibanking-services.com! And 
> > whois reveals it belongs to Metavante Corporation...  The SSL 
> > certificate also belongs to Metavante (and signed by RSA).
> > 
> > Well, this site is protected by SSL, but not with the correct ownership 
> > (citibank/citigroup)... I guess I should add it to the Hall of Shame... 
> > Granted, most web users, using current UI, will not notice this at all, 
> > but I think it is clear that the bank should allow careful users (e.g. 
> > using TrustBar or checking manually) to identify that the site belongs 
> > to citibank.

iang
-- 
Advances in Financial Cryptography, Issue 1:
   https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
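The check described in the thread (does the login host sit in a domain the bank owns, and does the TLS certificate's subject name the bank rather than an outsourcer, plus the CitiBank/CityBank lookalike trap), written out as an added example. This is not code from the thread, TrustBar, or Metavante. The bank domain set, the organization spellings, and both certificate dictionaries are constructed sample data in the shape Python's `ssl` `getpeercert()` returns, not captures from the real 2005 sites; the registrable-domain helper assumes plain two-label `.com` hosts and uses no public-suffix list.

```python
# Added example (not from the original thread): the check a careful user, or a
# toolbar such as TrustBar, would perform on a bank login page.
#   1. Is the login host inside a domain the bank is known to own?
#   2. Does the TLS certificate's subject name the bank, or an outsourcer?
#   3. Is the host's brand label one edit away from the bank's (CitiBank/CityBank)?
import ssl
import socket
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Assumption: no public-suffix list, so 'co.uk'-style
    suffixes are not handled; adequate for the .com hosts discussed above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def subject_field(cert: dict, field: str):
    """Read one subject attribute from a cert in ssl getpeercert() dict form:
    'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def assess_login_site(url: str, bank_domains: set, bank_orgs: set, cert: dict) -> list:
    """Return a list of findings; an empty list means the page identifies the bank."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    bank_domains = {d.lower() for d in bank_domains}
    findings = []
    if domain not in bank_domains:
        findings.append(f"host {host}: registrable domain {domain} is not one of "
                        f"{sorted(bank_domains)}")
        label = domain.split(".")[0]
        for brand in (d.split(".")[0] for d in bank_domains):
            if label != brand and edit_distance(label, brand) <= 1:
                findings.append(f"host {host}: label {label!r} is one edit away from "
                                f"{brand!r} (lookalike)")
    org = subject_field(cert, "organizationName")
    if org is None or org.lower() not in {o.lower() for o in bank_orgs}:
        findings.append(f"certificate subject O={org!r} does not name the bank")
    return findings


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: fetch the server's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data (assumptions), not captured from the real sites.
CITIBANK_DOMAINS = {"citibank.com"}
CITIBANK_ORGS = {"Citibank, N.A.", "Citigroup Inc."}
METAVANTE_CERT = {"subject": ((("countryName", "US"),),
                              (("organizationName", "Metavante Corporation"),),
                              (("commonName", "cib.ibanking-services.com"),))}
CITIBANK_CERT = {"subject": ((("organizationName", "Citibank, N.A."),),
                             (("commonName", "web.da-us.citibank.com"),))}

if __name__ == "__main__":
    cases = [("https://cib.ibanking-services.com/cib/login.jsp?FIORG=775", METAVANTE_CERT),
             ("https://web.da-us.citibank.com/", CITIBANK_CERT),
             ("https://www.citybank.com/", METAVANTE_CERT)]
    for url, cert in cases:
        print(url, assess_login_site(url, CITIBANK_DOMAINS, CITIBANK_ORGS, cert) or ["ok"])
```

Run against the constructed data, the Metavante-hosted login page produces two findings (foreign domain, foreign certificate owner) while the citibank.com host with a Citibank-owned certificate produces none; the citybank.com host additionally trips the lookalike warning. Swapping the constructed certificate for `fetch_peer_cert(host)` turns this into the manual check Amir describes, with the caveat that a current public-suffix list should replace the two-label heuristic before relying on it.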
