
Citibank India wants credit card, bank account numbers to stop marketing emails - manas2004
https://www.online.citibank.co.in/customerservice/dnd-yes-relationship.htm?site=PORTAL&creative=NGX&section=CSDNDYBNR&agencyCode=XER&campaignCode=&productCode=&eOfferCode=CSDNDYBNR
======
slowdown
Citibank is one of the worst banks I've dealt with.

Once, one of their affiliate's employees offered me a Credit Card for free and
said "it had no strings attached" and I don't need to do anything to keep it
alive. Though it sounded too good to be true, I bit the bullet and signed up,
right on the spot, at their affiliate clothing store. Before I was about to
submit my documents, it was then I happened to meet a friend by chance and he
told me that I would need to purchase a minimum X amount each year mandatorily
through the "free" card, failing which I would be levied drastic charges.

Shocked, I asked the affiliate's employee if it was true and he confirmed the
same. I politely declined, got my papers from him, and scored the entire
application paper off diagonally so that no sane company would accept it as a
valid application.

However, the very next day, I get a call from one of Citibank's employees
asking me to submit a photograph so that he could forward the application. I
was shocked and I asked him how it was even possible to submit a scored out
application. Even though I scored off the application, I hadn't scored off my
other copies of proof (Driving license, etc). So the rep had cleverly filled
out a fresh form just like I would have and even signed where I should have
(!) and forwarded the application to the card processing department. I know
this because the rep who called told me that the only thing he needed was a
passport size photograph and everything else was pucca.

Shocked, I told him that I don't need the card and asked him to stop bugging
me. I got routine calls from the same rep for about 3 days and also continuous
text messages asking me to submit just the photograph. Heck he would have come
to even my house (the address was on the proof I submitted), he was THAT
desperate.

It was then I decided that I would never ever deal with a shady company like
Citibank, ever again.

So, I'm not surprised that they are actually so intrusive to even have you
unsubscribe from their site. This bank is full of shit.

~~~
jey
Which country was this in? India?

~~~
piyush_soni
Seems yes. These 'credit card' agents employed by the company are generally
poor people who are trying to make ends meet (they get some nominal money on
every new person signing up for a credit card), and mostly "only" get too
intrusive, up to being annoying, but in this case did forgery. The bank might
not have anything to do with it though.

~~~
slowdown
The person bugging me was actually the Citibank employee, not the affiliate
store staff, thus has a lot to do with Citibank.

------
davideous
This is illegal in the United States under the CAN-SPAM law.

From: [http://www.business.ftc.gov/documents/bus61-can-spam-act-com...](http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business)

"You can’t charge a fee, require the recipient to give you any personally
identifying information beyond an email address, or make the recipient take
any step other than sending a reply email or visiting a single page on an
Internet website as a condition for honoring an opt-out request"

(My company provides email delivery software and consulting.)

[edit for typo]

~~~
sidcool
The link posted here redirects to a co.in domain. It's Citibank India. I have
sent them a message on Facebook, in an attempt to bring this to their
attention.

~~~
manas2004
OP here. I sent them a tweet, and they replied with a link to a complaint form
that - guess what - required me to enter my account number :)

~~~
sidcool
Really? That's wicked. But most of the times I have witnessed such things, the
problem is with process and not people. Processes come from top down. Let's
all try to bring this to the attention of the top brass.

------
columbo
This opens up an interesting phish attack. Spam users with seemingly innocent
Citibank marketing emails several times a day until they get fed-up and try to
unsubscribe using their credit card.

------
wrath
This is a phishing attack waiting to happen! I never worked at a bank but I'm
assuming (maybe I shouldn't) that there are a few people working there that
know a thing or two about security. I doubt that any person who claims to be a
"security expert" would have let this go by, but I always seemed to be proven
wrong. Take for example TDBank in Canada, who has an '80s password policy:

Passwords must:

- be 5 to 8 characters in length

- not contain spaces or special characters (e.g. #, &, @)

Poor customers if TD ever gets their password database stolen.

~~~
nodata
Or the classic bank telephones _you_ and asks to verify your identity by
answering your secret questions and answers. _facepalm_

~~~
ZoFreX
My bank (NatWest, terrible) told me to never give my information to anyone who
calls me and asks for it. Every time they ring they then ask me for my details
for 'security purposes'.

Then again, that seems mild now that I've found out they don't keep auditing
logs of the changes their employees make to customers' accounts.

There are also lots of cases of online banking being compromised by really
basic attacks (such as a CSRF attack that could be used to transfer money to
an account of the attacker's choosing).

Banks aren't actually that secure. They merely spend a lot of time engaging in
very expensive hand-wavey security theatre to convince us that they are secure
- not to mention using expensive lawyers and unfair libel law (I am in the UK)
to shut up security researchers that find problems. The reason that they are
so frequently observed acting contrary to best security practices is because
they are not actually particularly good at security.

~~~
Silhouette
_Banks aren't actually that secure._

Financial services generally aren't in the business of security. They're in
the business of risk management. Once you understand that distinction, much of
what they do makes sense.

Unfortunately, some unhappy conclusions for the customers of these services do
logically follow, starting with the fact that if you're not a huge customer,
the financial services have little natural incentive to care about the safety
of any assets/investments they handle for you. If something very bad happens,
you might be an acceptable loss relative to the cost of mitigation, right up
to the point of fighting you in court and then losing anyway. You personally
might suffer greatly for any losses, and even if it's ultimately put right you
might suffer months or years being dragged through the system, but no employee
at any financial service is personally going to lose any sleep over your case.

This is why it is necessary to have regulators with teeth in financial
industries. Any lapse that could cause significant harm to a customer should
also potentially cause significant harm to the financial service. An ongoing
pattern of such lapses should cause severe damage to the service's bottom line
and eventually it should become an existential threat to the financial service
itself, preferably with safeguards to ensure that the management and/or
shareholders can't just escape using the technicalities of incorporation.
Without this sort of counter-balance, the numbers will always be in favour of
trampling on the little guy, and if there's one industry that runs on the
numbers more than anything else, it's financial services.

~~~
vishnugupta
This! Much of what ails common people when they face up to financial
institutions in general and banks in particular could be attributed to your
observation. I've read substantially over last few years on what's gone wrong
with financial institutions and how they should _not_ be autonomous but
nothing comes close to the clarity with which you have summarized.

------
raverbashing
How about you mark their marketing emails as spam and let them deal with the
consequences of that?

~~~
wavefunction
This. Poison their IP blocks in the SPAM RBL so they get the message.

~~~
sidcool
I don't think that's a smart move. Let's give them some benefit of doubt and
bring this to their attention. I have messaged them on their Facebook. Hope
this will help.

P.S. I am not a Citibank fan or something. Just trying to deal with this
sanely.

~~~
Crito
What is the downside for the end users that makes this not a smart move?

~~~
dxgray
What about the users who need to get account related email that they signed up
for? I understand your disdain for unwanted email, I share it, but why should
our opinions have a negative effect on others.

~~~
raverbashing
Banks should send ZERO emails, period. It's not secure for that.

I do sometimes get emails from them but they're "useless" (usually a simple
notification)

Several banks have their own message box inside of Internet Banking.

~~~
sneak
Email is the only universally-accepted federated notification system.

Emails such as "your card has been used 1000km+ from its last use" or "you
just made this >$1000 purchase" are very useful indeed, and should be
encouraged to detect fraud.

~~~
MichaelApproved
The problem with that is banks sometimes ask what your last transaction was to
prove you are the account holder. Anyone who has access to these email
messages will know that information.

~~~
drcoopster
I've never seen this with any of the banks with which I've done business. They
will tell me what the transactions were and ask me to confirm that they were
indeed by me in the case that they're suspicious of fraudulent activity.

------
mtkd
Getting increasingly harder to unsubscribe.

- Some big vendors (Dell, HP?) don't seem to use unified opt-out lists or
they use agencies that don't share unsubscribes

- Unsub pages with complicated unsub process (double-negative questions,
button size tricks e.g. 'submit' is small and 'continue' is large)

- Unsub pages requiring input of your email address on a form without the
email address pre-populated (so you have to go back and look up which address
received the email)

- 2 stage unsub process, so you think you've submitted but it's really a page
saying 'are you sure?' in small text with small submit

A single-click / no interaction unsubscribe is the exception now.

~~~
sergiotapia
My experience has been the opposite or maybe it's just something unique to
Outlook.com

They have a small button you can click to Unsubscribe beneath every marketing
email. And they pop up a message saying "We'll ask them to stop. In the
meantime we'll automatically move everything from this sender/company to
junk."

Works really well and it's 1 click.

------
coofluence
There is a massive love in India for documents. To get any service in private
or public sector, you need ID proofs and address proofs. Even to browse
internet at a "net cafe", you need to produce ID proof! That's so because
authorities can catch (and some side cash) you if you were browsing anything
against what they think the law is.

The problem is that there is massive trust deficit. Public too is keen to
cheat whenever a loophole exists due to simplified procedures. That invites
even harsher regulation and the cycle of submitting 10 documents where 1 would
suffice continues. There are endless certificates and NOCs (no-objection
certificates) required to operate in India: Aadhar citizen number, PAN number,
TAN number, Service Tax number, Excise registration, LBT registration,
Domicile, 7/12 extracts, 20 year old vouchers for LPG gas cylinders,
nationality...and so it goes. Also, there is very little belief about who you
are and where you live. So for everything an address proof is required apart
from an ID.

Any wonder that there are no ground-level start-up stories from India? All
that we can do is morph into HSFC (Human Services for Cheap) model to serve
the rich western countries who want to off-load their guilt of wanting modern
'e-slaves' in the post-industrial world but not being able to fund their
liabilities.

------
arnabc
I liked this JS function in one of the JS files in that page, especially the
name of the cookie "Gabbar":

      function fun() {
        var new_dte= new Date(2005,1,1);
        setCookie("Gabbar","#!#0",new_dte);
        setCookie("hitsscore",hitsscore+"~",new_dte);
      }

~~~
deepakkapoor
Haha. Maybe Jai and Viru methods are doing server side processing :)

------
jlawer
A few people have mentioned this, but if you're using a web based email service,
then simply mark the email as spam. This will cause an Abuse Feedback Report
to be sent to Citibank, which should cause their server to automatically
unsubscribe you from the email stream.

If you're sending bulk email, you're not going to be getting delivery unless you
process these messages from the large web mail providers.

I am actually surprised that they aren't required by law to have either a 1
click unsubscribe or at the very worst, require you to enter your email
address into the form and click a button. This is the way that the US CAN-SPAM
Act and the Australian Spam Act work.
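
The feedback-loop handling described in the comment above, as an added example that is not part of the original thread or any sender's real code: a bulk sender parses an incoming complaint and returns the address to put on its suppression list. It assumes reports arrive in the Abuse Reporting Format (RFC 5965); the sample report, its addresses and the function names are constructed for illustration.

```python
import email
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample in the RFC 5965 layout; every address here is made up.
SAMPLE_ARF = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

This is an abuse report for a message you sent.
--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Original-Rcpt-To: <customer@webmail.example>

--arf
Content-Type: message/rfc822

From: offers@bank.example
To: customer@webmail.example

Apply today.
--arf--
"""

def _fields(part):
    payload = part.get_payload()  # stdlib parses message/* parts as a nested message
    return payload[0] if isinstance(payload, list) else HeaderParser().parsestr(payload)

def address_to_suppress(raw_report):
    """Return the complainant's address, or None if this is not an abuse report."""
    msg = email.message_from_string(raw_report)
    # Reversed walk so the first part of each MIME type is the one kept.
    parts = {p.get_content_type(): p for p in reversed(list(msg.walk()))}
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type")).lower() != "feedback-report"
            or "message/feedback-report" not in parts):
        return None
    report = _fields(parts["message/feedback-report"])
    if (report.get("Feedback-Type") or "").strip().lower() != "abuse":
        return None
    # Original-Rcpt-To is optional; fall back to To: of the returned message.
    orig = _fields(parts["message/rfc822"]) if "message/rfc822" in parts else {}
    rcpt = report.get("Original-Rcpt-To") or orig.get("To") or ""
    return parseaddr(rcpt)[1].lower() or None
```

The unsubscribe here needs nothing from the recipient beyond the address the mail was sent to, which the report already carries.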

------
anilshanbhag
In India, if you want to use your credit/debit card online you need to enter a
pin/password. Hence it is highly unlikely you can do anything with that info.
This however is still scary!

------
chaz
To be ever so slightly more fair to Citibank, this is the page after you've
already said you have a relationship with them. This is where you choose:
[http://www.online.citibank.co.in/customerservice/DND.htm](http://www.online.citibank.co.in/customerservice/DND.htm).
The other option asks for your email and phone number. Still, poorly designed
and surprised it's considered to be in compliance. Phone and email inputs
should be enough.

~~~
manas2004
The unsubscribe link in the marketing email took me to this page directly. The
marketing email was targeted to existing customers.

~~~
chaz
Even worse, then, that this page was shown when they already know who you are.

------
coloncapitald
This is surprising given that the bank IVR and reps keep saying that the bank
will never ask you for your personal information.

------
paragarora
This form opens up when you select existing customers. Upon clicking not
existing customers, it asks only email and phone.

------
donniezazen
I am not surprised. Most of the banking websites in India seem like they were
designed for IE in the 90s. There are pop-ups, options after options, acronyms
and more acronyms, and did I mention the Verified by Visa thing?

------
chinmay-raval
Looks like a UI bug, credit card number is mandatory only if you want
relationship dropdown value as credit card.

------
arunc
Anything is possible in Indian market.

------
FlyingCocoon
What did RBI say?

------
dec0dedab0de
I don't understand the issue, from the bank's perspective those are basically
your username. It's not like they need to trick you into giving them a number
they issued you.

EDIT: The only problem I can think of is that it may encourage users to be
loose with their info, and therefore be more susceptible to phishing attacks.

~~~
jessaustin
The typical customer got to the linked page by clicking a link in an email.
After all, the use case is the customer not wanting the damned marketing spam.
A financial institution should not be training its customers to enter account
details into pages they got emailed to them.

I'm sure some customers would consider themselves sophisticated enough to
"know" this is a "real" Citi page, but if they were actually sophisticated
they wouldn't touch this with a ten-foot pole.

~~~
dec0dedab0de
Sorry, my edit must have come in while you were typing this.

~~~
jessaustin
No worries! My typing speed varies. I'd suggest an additional edit, however.
"The only problem" is a big enough problem to vitiate any benefit Citi were
attempting to provide here. I suspect this page will disappear as soon as the
home office sees it.

~~~
dec0dedab0de
It will only disappear if someone actually understands the issue. A post that
consists of someone linking to a form probably won't educate them. Every
interaction with a bank starts with them asking for this type of info. The
real issue is them soliciting it via a link in an email, if that is actually
what they are doing.

~~~
jessaustin
I'm pretty sure that Citibank International have someone on staff (perhaps a
secretary? maybe even a VP...) who would immediately see the problem with this
page. It's been some time since I banked online with a "big" bank, but do they
routinely ask for one's account number in order to get off spam lists?

