Ian G wrote:

Ha!  I think I figured it out  ...

Well, yes, as you'll see in another note, I also realized this...

There are TWO banks, one is CitiBank and the other is CityBank!
If you go to CityBank.com you get to the below.  If you go to CitiBank.com
you get to the above.
Right... My apologies...
...

I guess this is a vestige of US state banking - the CityBank site
claims it is a Washington state bank since 1974.  They've obviously
outsourced their online bank to ibanking-services.com which is
Metavante Corp.  So it definitely looks like a phish, what they
should be doing is managing a cert in the name of CityBank
for and on behalf of them.
I agree.

Certainly you could create a special category for those
companies that outsource their online bank interface to operations
that look like phishing attacks.  CityBank certainly qualifies for
that.
I also agree here. Indeed, I really suspected maybe this is a spoofed site.

I'm not sure CitiBank has done anything wrong, and it seems
very hard to blame them if they themselves can't sort out the
domain name confusion due to state banking laws in the US of A.
Again I agree (and apologize to CitiBank...)

Well.  All this shows is what we already knew - even people who
are supposedly "in the security business" and supposed experts
in phishing get confused by the current interface :-)  Users are
easy meat for phishers then...
Well, I think what it really shows is how the URL mechanism can't be trusted, since even experienced users may get it wrong (like I did - and I visit Citibank a lot, to test/demo TrustBar and also as a client, in fact). I typed in the URL in spite of that rather than using a bookmark, and in fact mistyped...


(Amir, if Trustbar showed this was in fact the wrong place and
wrong site, then that's good!)
I used TrustBar (was testing new version) and was alerted by it immediately. That's how I've noted the use of wrong owner of domain. Without TrustBar, I bet I wouldn't have noticed even the wrong domain (and certainly not if it would have been citybank.com...). It definitely does the job (TrustBar). And the new version will be also nice to use.

Ignore the parameters... notice the domain, ibanking-services.com! And whois reveals it belongs to Metavante Corporation... The SSL certificate also belongs to Metavante (and signed by RSA).

Well, this site is protected by SSL, but not with the correct ownership (citibank/citigroup)... I guess I should add it to the Hall of Shame... Granted, most web users, using current UI, will not notice this at all, but I think it is clear that the bank should allow careful users (e.g. using TrustBar or checking manually) to identify that the site belongs to citibank.


iang
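
The comparison discussed in this thread (typed domain, serving domain, certificate owner), as an added example that is not part of the original messages and is not TrustBar's code. The certificate dict follows the shape of Python's `ssl` `getpeercert()` output; the common name and the "Citigroup Inc." organization string are constructed sample values, and `review_site` and its parameters are hypothetical names.

```python
def cert_organization(cert):
    """Return the organizationName (O) of a getpeercert()-style subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_site(typed_host, final_host, cert, expected_host, owner_words):
    """List the reasons a careful user could not tie this session to the expected owner."""
    findings = []
    # Naive registrable-label extraction (second-to-last label); fine for .com names.
    typed_label = typed_host.lower().split(".")[-2]
    expected_label = expected_host.lower().split(".")[-2]
    if 0 < edit_distance(typed_label, expected_label) <= 2:
        findings.append("typed domain is a near miss of " + expected_host)
    host = final_host.lower()
    if host != expected_host and not host.endswith("." + expected_host):
        findings.append("login page is served from " + final_host)
    org = cert_organization(cert) or ""
    if not any(word in org.lower() for word in owner_words):
        findings.append("certificate owner is '%s'" % org)
    return findings

# Constructed sample data based on the names mentioned in the thread.
OUTSOURCED_CERT = {"subject": ((("organizationName", "Metavante Corporation"),),
                               (("commonName", "ibanking-services.com"),))}
DIRECT_CERT = {"subject": ((("organizationName", "Citigroup Inc."),),
                           (("commonName", "www.citibank.com"),))}
OWNER_WORDS = ("citibank", "citigroup")

if __name__ == "__main__":
    for line in review_site("www.citybank.com", "ibanking-services.com",
                            OUTSOURCED_CERT, "citibank.com", OWNER_WORDS):
        print("WARN:", line)
```
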
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security