Domain: citibank.com
Stories and comments across the archive that link to citibank.com.
Comments · 53
-
Re:Fewer people need to buy a cert
If you can trust a CA-signed certificate for https://addons.mozilla.org/ why not one for https://citibank.com/ or https://mail.google.com?
Ultimately, if all the browsers start supporting notaries directly and ship with a list of major trusted notaries this won't be a problem. But bootstrapping a trust network to replace a presumably untrusted PKI while using that same PKI to validate the code you're using to replace it... It's sort of unfounded.
-
Re:Fundamentally broken system
-
Re:Fundamentally broken system
Such a system already exists. It was developed by an Irish company called Orbiscom which was recently bought-out by Mastercard.
It's got different names - disposable credit cards, one-time use credit cards, Controlled Payment Numbers, etc. Bank of America calls theirs ShopSafe, Citibank calls theirs Virtual Account Numbers. I believe PayPal and Discover have their programs too -- all based on Orbiscom's technology.
It works pretty much exactly the way you described - you log into your account, generate a new CC# with a maximum limit and expiration date that you specify. Then the first merchant account that posts a charge to the number becomes the only merchant account that can post any more charges to that number. So even if the number does get stolen, it isn't any good to the thieves. Other than those limitations, for all intents and purposes, it is just a regular credit card. Most merchants can't even tell the difference.
I've been using ShopSafe for well over a decade now and have never had a fraudulent charge. The only problems I've had have been when the merchant is sloppy and double-charges with the intent of cancelling the first charge - Parts-express.com is the only merchant that I know which does that for all of their transactions and fixing it was simple enough - I just double the max limit on the CC#.
-
Re:He got notified?
Not the AC either, but Citibank offers such a service. I've used it a few times for those random one-off purchases, especially from stores I will probably never do business with again.
Though, it's probably not very useful for subscription-type services or places you do business with regularly. (Unless you really want to generate a new CC number for each order.) I guess the previous poster's suggestion of having a low-limit card would be helpful in that case, something I plan to look into for myself.
-
Re:Deposits for banks with no ATM in town
Most banks let you make deposits by mail.
-
Look for an option from your credit card company
Citibank, Citicard virtual account numbers.
Bank of America ShopSafe
-
Banks Refunding Fees
I've incurred overdraft fees based on merchant error a number of times, and every bank I have ever had has done everything they can to screw their customers out of as much money as possible. EA expecting banks to refund overdraft fees is like asking EA to ... I don't know ... behave like a company that cares about its customers.
-
Re:Checks
-
Re:Not just pin numbers!
Citibank, Bank of America, Discover and Paypal all offer disposable card numbers. American Express used to, but apparently stopped around 2004.
-
Re:Kinda bad summary
Wrong. Your HTTP headers don't end up on your Twitter "blog" (or whatever it's called), they end up on the attacker's.
And as for banks not having a public messaging feature, is Citibank big enough for you?
https://banking.citibank.com/JoinOurOnlineForum/UserGuide.aspx
But once again, do note that the page where the user's credentials end up doesn't need to be public; it just has to be accessible by the attacker.
-
Re:Thwarted by properly designed online banking
The chance of this actually occurring is highly remote, to say the least. The technique of racing ahead of a potential 2-factor authentication is compelling in theory, but of little practical use
Some food for thought:
After you have successfully installed a Trojan into a victim's computer you could:
- Log for a predefined time, the web usage, filtering specific sites of interest (like online banking logon pages)
- Extract time/date patterns of such information to predict the next time the victim will hit the interest page.
- Create a trigger that enables real time logging of the http traffic when the victim is logging in. You can use VNC-like screen capturing for real-time monitoring.
- Ask the victim for TANs while impersonating the web page.
- Use those TANs along with other obtained information to gain unauthorized access to the victim's account.
-
Re:Citizens vs. Residents
That simply isn't true in the general sense of "banking relationships", the Patriot Act only requires that the institution confirms your identity and checks you against a blacklist. Many US banks will open checking & savings accounts for non-residents, although getting something like a credit card would be harder (and may be impossible, but I doubt it). I did it myself a few years ago, and I know a number of non-US residents living outside the US with perfectly legal US based accounts. You will need to do some paperwork to prove your identity if you don't already have a relationship with the institution, but a US mailing address/SSN etc is not required.
This site lists some of them, for example Citi who offer savings, checking, brokerage and Amex cards.
-
Re:Worth it.
You're not the average user. Most people on Slashdot aren't the average user.
But what you are saying is that browser should just accept the invalid certificate and submit the data anyway.
I didn't say that anywhere. Please do not put words in my mouth.
What I am saying is that a lot of users don't have an expectation of privacy. They only notice problems. When there aren't warning dialogs popping up, they don't think about security. I'm saying that the entire paradigm is flawed because of this. Instead of SSL being the exception, it should be the rule, and deviation from the rule should be pointed out to the user every single time.
But even then, it probably wouldn't be enough. People have to have their crazy cursors and their dancing baby desktops.
You seem to have written your entire post with the assumption that I was agreeing or disagreeing with any of the posts directly above me. Not everyone automatically shares or rejects the opinions of the posts to which they reply. I simply thought it might spawn interesting discussion to point out that users may fall for MITM if they never even see a lock up in the corner of their browser window.
Want some evidence? People fall for phishing. I work for an ISP which has monitored phishing in the past, and quite simply, people will reply to the e-mails with their passwords and visit the webpages entering in their credentials. Every major phishing event has included people doing this. What makes you think that these same people will suddenly be security-aware when someone is intercepting their connections to mybank.com over port 80?
Take a major banking website:
http://www.citibank.com/us/index.htm
(I found this page by simply typing citibank.com into my browser.)
What happens when you go to that site? You go there, you click on "log me in" or whatever, and then it switches to SSL. Think the user is going to notice if it doesn't switch to SSL? Probably not. So one could MITM this site pretty easily and harvest logins. SSL never even comes into play. All of the "self-signed certs are no worse" or "ca-signed certs are way better" arguments don't even matter, now.
-
Banks using modern crypto? Hah!
The banking sector is probably one of the slowest in terms of uptake of new crypto technologies. A huge number are still using 3DES or RC4 for symmetric to protect customers' transactions. If you don't believe me, check out Citibank's Online Banking with "highly modern" RC4. I've seen 40-bit encryption on current express-pay keytags at a certain coffee chain which is almost trivial to crack with little cost by today's computers. In too many cases, it's the same old HSMs accelerating crypto transactions in servers as were in the last decade.
Granted, 3DES is actually not truly that bad in terms of its 112-bit effective security compared to AES-128 (though it's not the weak point when you use 80-bit effective RSA1024). However, just because ANSI X9 has started including modern technologies like ECC and AES or other technologies like quantum crypto are promising, you can bet that the banking industry will be one of the last groups to take up more modern crypto technology. Heck, even the NSA is mandating Suite B with ECC and AES by 2010 for government security! It's one of the few government agencies to actually act faster than the private sector.
Finally, I wonder if the original poster could show the relevant ANSI X9 aka banking security standard which calls out quantum crypto. I don't think I've seen one, and the banking industry typically lives and dies by X9.
-
Re:When you are a primary target
Most other businesses might not even survive the onslaught faced by the DHS and other government sites.
I agree with you that DHS is a "juicier" target than some businesses, I'm willing to bet that the attacks (and the frequency of them) against Bank of America, Citibank, Equifax, etc, are just as bad if not worse.
-
Re:yeah, but...
Ignorance bliss, isn't it?
No, I'm secure in the knowledge of reality.
But show us what field in the cert includes the ip address for the fqdn listed the cn field? It doesn't exist! Again, how do you ensure the ip address the dns server resolved for www.citibank.com is really the ip address CitiBank.
DNS doesn't matter to SSL. At all. Think. Let's say that your spoofed DNS for www.citibank.com reports 2.2.2.2, which is your phishing site. So, I type https://www.citibank.com/ into my browser. What happens? My browser does a nslookup for www.citibank.com, and gets 2.2.2.2 back. Then my browser connects to 2.2.2.2 on port 443, and starts the SSL handshake.
The CN on your self-signed certificate says www.citibank.com, but your self-signed certificate isn't signed by a Certificate Authority that my browser trusts. So my browser pops up a warning, and your evil plan fails.
SSL depends on the CN on the certificate matching what I type into my browser, and the certificate being signed by someone that my browser trusts. DNS is irrelevant. Fake DNS info will not break SSL.
Your spoofed DNS may prevent me from finding the real www.citibank.com, but it doesn't help you break SSL. You could do the same thing without spoofed DNS, since you control the wireless router. By controlling the router, you can send the packets anywhere you want, but that won't break SSL.
-
Re:Don't put it in stocks or stock funds
Most student loans are guaranteed or subsidized by government agencies. This is desirable as a public policy because students are usually poor, and generally bad credit risks, so lenders would have to charge high rates, or would not give loans to the most needy students, preferring to lend to trust-fund kids.
Lenders agree to charge lower rates in exchange for the government lowering their risk. The government, in order to reduce *its* risk, and the overall cost of subsidies and guarantees, generally requires that students actually borrow only the money they need for real educational expenses, and not just blowing it on beer.
Likewise, beneficial tax treatment for student loan interest (such as http://www.irs.gov/publications/p970/ch04.html), is generally based on the interest being used for qualified educational expenses.
Even private lenders (such as http://studentloan.citibank.com/slcsite/fr_ccund.asp?Source=ifaidcl001&ProspectID=C877D440CC734B8F9F1B3EEBBB369AFD), will use the actual education cost as part of the loan process; this may be a way of measuring their own risk---someone dropping out and blowing the money on beer is presumably a higher credit risk after graduation than someone who is actually paying tuition, etc.
If the original asker had something actually called a "student loan" he almost certainly signed some document certifying that he was borrowing for actual educational expenses. Using it for long-term investment makes such a claim almost certainly fraudulent.
-
Really?
Click on this link for an example against CitiBank
CitiBank Exploit
-
The BANKS abuse DNS
A legitimate email from Citibank contains something like 6 distinct domain names and a dozen or more hostnames for all the bits of image, URL, hosts the email traversed, etc. You cannot verify the legitimacy by "understanding DNS".
Here's what I see in my most recent "bank alert" from Citibank (legitimate message telling me of a recent paycheck deposit):
alerts@citibank.com
mail.citigroup.com
imbomr-nj02.nj.ssmb.com
imbaspam-ss02.namdmz.dmzroot.net
altgrn04.citialertgrn.da-us-grn.citicorp.com
http://www.citi.com/domain/images/36wav.gif
http://www.citibank.com/domain/images/citi36.gif
It used to be a lot worse. This has fewer domains than I remember. I recall there was also a citibank.net (I think) scam when someone registered that in Italy several years ago.
-
Using one-time MBNA / Citi CCs
I use MBNA's random-generated "Shop Safe" credit card numbers. Citibank has the same thing that they call "Virtual Account Numbers." Essentially they let you set a limit and expiration date on a temporary CC number (it is of course temporarily tied back to your real account with them). It works great, and keeps sites that store your account info from screwing you up when they get hacked.
The concept is great for online, but I don't know why a "smart" CC couldn't do the same thing: allow you punch in a limit and download (bluetooth from your phone) a one-time credit card for un-trusted in-person merchants to bill against. You could have to put in your pin or whatever, but it wouldn't transmit across the store's machine, but via your cell phone back only to your bank.
Some sucker wants to double-swipe your card and store your info? It's worthless as the card number is going to expire in a month and is already maxed out (you'd set the limit to the amount of the purchase).
It's not ready for the masses who can't program their VCR's or the time on their microwave, but I've never had any CC fraud with online accounts since I started using MBNA's "Shop Safe" 4 years ago.
-
(related) Strange phish email.
I got a fish with a weird bit of code....
identity over a secure connection at:</p>
Does Someone recognize this as working on Outlook? It directs me to https://citibusinessonline.da-us.citibank.com/cbu
<a id=3D"SPOOF" =
href=3D"http://citibusinessonline.da-us.citiban k.com.lawases.com"></a>
<div>=20
<table>
<caption> <a href=3D"https://citibusinessonline.da-us.citibank. com/cbusol/signon.do?ao=3Df">=20
</a><a =
href=3D"https://citibusinessonline.da-us.citiba nk.com/cbusol/signon.do?ao=3Df">=20
<label for=3D"SPOOF"> <u style=3D"cursor: pointer; color: blue"> =
https://citibusinessonline.da-us.citibank.com/c busol/signon.do?ao=3Df</u>=20
</label> </a> </caption>s ol/signon.do?ao=f on thunderbird.but the intended target seems to be citibusinessonline.da-us.citiban k.com.lawases.com
The lawases.com page does some strange javascript -- perhaps it does a javascript keylogger??
-
Re:procrastinating worked for me...
It sounds like you're basically using a variation of the old Important/Urgent prioritization:
https://studentloan.citibank.com/s/faaonln/resources/first.asp
http://www.brefigroup.co.uk/acrobat/quadrnts.pdf
Basically, a task can either be important and urgent, important but not urgent, urgent but not important, or unimportant and not urgent. Instead of dealing with all tasks as urgent whether they're time wasters or not and running around like a chicken without a head, you're taking the time to sort out what's important and what's not before doing anything. That's not procrastination. That's just good time management.
Ob procrastination quote:
"One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say."
-- Will Durant
-
Re:Drama queen
what's the relationship btw phishing scam (no software involved) and IE?
IE has a bug that makes it possible to give people links that go to places other than what the IE address bar says they are. This was exploited quite a bit by phishing emails, but Microsoft claimed it was not a serious bug and said they would not fix it. They might have fixed it by now, under pressure, like many other bugs they said they did not care to fix, but that remains to be seen. The fact it was possible to be at one site when the address bar shows something else means there are some serious architectural problems in the interface.
This is separate from the fact you can embed a link in html email and name the link differently from the place where it goes, like:
There's not much one can do about that beyond implementing something similar to slashdot's code that shows the domain in a box in the email client. But what I am talking about is the bug where you click on the link above and IE *still* says you are at citibank.com (actually to be fair IIRC the link has to do some nasty trick with the @ .. I think it was something like http://www.citibank.com/ ).
-
Re:Suggestion
If A and B are true, you have successfully connected to citibank.com over an encrypted channel, end of story.
Not quite. If A and B are true, you have successfully connected to a computer claiming to be citibank's website at citibank.com using a certificate issued by someone to "prove" it. Of course, https://web.da-us.citibank.com/ (the site I get when I hit login) has a certificate issued by VeriSign, and we know how well they verify the identity of people requesting certificates.
-
Re:WARNING PHISHER!!!
Citibank does not have an Indian site!
wrong
http://www.citibank.com/india/ and see where it redirects you to
-
Re:Chase, Citibank & Amex are big problems.
While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"...
Of course, were this actually the case, then what this would mean for educated technical users like thee and me is that any time you used Citibank's on-line website, and encounter the login, you ought to call 1-800-555-1212 to verify that Citibank Credit card customer service is still available from 1-800-950-5114, call that in turn, work your way through the phone menu, and politely ask the customer service representative to confirm that the accountonline.com domain is in fact under Citi's direct control.
However, having just checked, Citi.com is an alias for (as the https: certificate shows) the www.citibank.com server. While connecting to either over https: (or to the accountonline.com http: or https:), you are redirected to the http://www.citibank.com/ server; the top sign-on link is based on https://web.da-us.citibank.com/ for no apparent reason (but at least has the right subdomain), and the prominent "Sign on to your accounts" is merely a drop down of account types (such as credit card), redirecting you to a page on https://www.citibank.com/ — someone over there may have been learning from being a bad example. Where'd ya get the "accountonline.com" URL from?
On the other hand, Amex's secure site first coughs and chokes because the server certificate is actually for the akamai.net hosting server, before letting you through for sign in to an encrypted page... with an uncertain recipient. How many of their clients can say "man in the middle", d'ya think?
Of course, worst of the lot is Chase: in addition to your security lock idiocy, their secure server redirects back to the insecure server. Good for performance, really CRAPPY for security. The lock graphic isn't bad... but that should be the ONLY thing there, linking to a https: page with the login/password form. Possibly even one with minimal graphics. It's almost enough to make me apply for a Chase card, just so I can call them and give this as a reason for cancelling service... "I do a fair bit of internet shopping, and you obviously don't pay enough attention to internet security."
Actually, didn't they just snail mail me a card application...?
-
DOH!!! The link doesn't work!!!
Grrrr.... can't access it directly.
It's the commercial called "Geek", found here
-
Re:Attention Citibank Customer
Attention Citibank Customer!
We are sorry to inform you, but your account information has fallen into the hands of employees at an Indian Call center we do work with. Unfortunately, your account may be compromised.
To get further information about protecting your account, please contact our Indian Call Center.
http://www.citibank.com/
Thank you for choosing Citi.
-
Attention Citibank Customer
Attention Citibank Customer!
We are sorry to inform you, but your account information has fallen into the hands of employees at an Indian Call center we do work with. Unfortunately, your account may be compromised.
To protect your account, please log into our panel using the link below to change your username and password:
Thank you for choosing Citi.
-
Photo credit card
Why don't all companies just use a photo credit card. I've had one of these cards for over 10 years, and though I have other cards from other companies, I wonder every time I compare these. This photo card must not be used too much since most places that I shop people do a double take on this card and comment that it is a great idea. My photo on it is 10 years old but it's still better than the 10 year old signature that does not look anything like my current one. In addition my signature is also present on the front of the card right below the photo...and of course this one does not rub off.
Then again, some morons still try to verify the half rubbed off signature at the back of the card and hassle me for a mismatch on that.
-
Smart Card with LCD?
Temporal writes:
I've always thought that what we really need is devices like this with an LCD display that tells you what, exactly, you are signing.
I agree 100%. Too bad somebody like RSA is probably already sitting on the patent.
I'd like to see something that can do the same for digital signatures on non-financial documents. Something like a security-hardened tablet PC so you can review and sign a contract in a secure digital form?
Sounds like Citibank's VAN taken a step or three further.
The device I described: The LCD screen displays the question "Authorize payment of $59 to Acme Co.? Yes/No". No charge can go through without your device approving it. You only need to trust that your device will ask you to confirm any charge. And you can trust it because the manufacturer knows that if it screws up, they'll get their pants sued off.
There are a couple of new tokens coming on the market which offer both a LCD display and also USB connection, but they only seem to have one line of maybe 6-8 alphanumerics, and just a single push button (for response-only auth token use). Not quite enough output or inputs to implement something like what you describe.
-
Not quite hijacking
I opened Secunia, then opened another browser window to Citibank via Ctrl+N, and clicked on Citibank's Consumer Alert button, nothing happened.
But if I used the link from Secunia to access Citibank, the Popup is then hijacked.
So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?
-
Re:Slashdotted already...
What really impressed me was that Citi's site was also experiencing slowdown due to the /. effect simply by having their site used in an example.
-
another option
is MP3 Search. They sell tracks for $0.10 and no DRM either. Worried about giving your credit card to them? That's why I use a Virtual Account Number instead.
-
Unique/one-time use credit card numbers
MBNA has ShopSafe
Citibank has Virtual Account Numbers
Discover has Discover Deskshop
even American Express...
This is *nothing* new
-
Re:Nothing wrong with this...
My bank (Citibank Belgium) offers this - and they even do it online. Really nice! https://www.internetnumber.citibank.com/belgium/consumer/english/index.htm
-
Re:One time credit card #s -
I know Citibank does too. Works great for websites (or subscription services) that like to automatically renew. I like the emails I get saying the transaction has failed and to contact them immediately to fix it. I say to myself that maybe they should get the hint after the first 5 emails.
-
Re:this stuff never happens to me
I use a one-time virtual number from Citibank. Not sure if this can thwart the scam but they seem to do the trick.
Neat. And it's free.
-
Re:False sense of security still in effect
And touchscreens blow for an ATM. What about blind people? Maybe it'll be excusable in the future, with tactile feedback and better touchscreens- fun.
Citibank has ATMs with special screens and audio cues provided with headphones attached to the side of the machines.
"Clients with vision and reading disabilities can get cash and make deposits at our Citibank ATM locations via special screens and audio cues. Ask for instructions at your nearest financial center"
-
Re:But theyre still gonna keep an eye on her.
Oooh. You big hacker.
There are several commonly available tools (hardware, not programs) that allow you to see EVERY write there has ever been to a disk.
This technology isn't NSA-level stuff anymore. It's not even particularly expensive anymore.
It's in common use in larger companies for internal investigations (porn rings, espionage, general illegalness). Really.
-
Re:Okay, great. But...
Many credit card companies offer one-time-use credit card numbers... just use one of those to buy the reader, then distribute the now-worthless number :)
-
CitiBank / Washington Mutual
Yes, the CitiBank site works with Mozilla. Washington Mutual uses it for online credit-card management.
-
DHTML in Mozilla?
I'm not a web developer, but I've heard that DHTML support in Mozilla is pretty bad. There are a few sites which either don't work at all in Mozilla, or have "static" versions with DHTML removed*. Some of the web developers around my office have complained about this, and cite IE's DHTML support as the best.
Is this an issue of actual support, or just "IE standards" where people don't want to use real standards, just whatever "standard" Microsoft supports?
* The site I'm thinking of is Citibank's credit card management section. here. Of course, if you don't have a card with them, you can't log in to check it out.
-
Re:Credit Card
I've had my Mastercard number stolen (online) twice. Once in Russia, once in Canada. No liability, no $50, nothing. Just a new card number, and I had to fill out a sworn, notarized affidavit. Never heard about it again. The only pain was switching over recurring charges to the new account number, and updating every online merchant's saved info the next time I made a purchase.
Now I use Citibank's "Virtual Account Numbers" software. In about 10 seconds, it generates a one-time-only number you give to the merchant. If the number is subsequently stolen because the merchant's site is hacked, the number is no good. You can also create numbers that can accept multiple charges, with a custom expiration date. You can limit the dollar amount of the VAN too.
Lots of flexibility. It's mostly in the credit card issuer's interest to do this, but 10 seconds, drag-and-drop from the Citibank VAN GUI, and boom, I don't need to replace my card, contest bogus charges, and change any recurring charges to the new account number...I like it. Just a happy Citibank customer, for 15 years.
-
Insurance???
Okay, maybe you can borrow someone else's paddle. Was any of this purchased recently? On a credit card with nice automatic warranty protection? Perhaps your home owners/renters insurance covers such an accident? (Mine would.)
-
Re:And exactly who does smart refer to?
Citibank Dividend cards offer 1% cash back with no annual fee. If you have good credit you can probably get a decent APR too, I got 8.9% when I threatened to leave them. That's less than my margin interest!
-
Re:International currency a problem
ah, found their website here. I will ask them directly - but thanks for the tip, the US dollar account looks to be spot on...
--