Citibank India wants credit card, bank account numbers to stop marketing emails (citibank.co.in)
168 points by manas2004 on Dec 29, 2013 | 81 comments



Citibank is one of the worst banks I've dealt with.

Once, one of their affiliate's employees offered me a credit card for free and said it "had no strings attached" and that I didn't need to do anything to keep it alive. Though it sounded too good to be true, I bit the bullet and signed up right on the spot, at their affiliate clothing store. Just before I was about to submit my documents, I happened to meet a friend by chance, and he told me that I would be required to purchase a minimum amount X each year through the "free" card, failing which I would be levied drastic charges.

Shocked, I asked the affiliate's employee if it was true and he confirmed the same. I politely declined, got my papers from him, and scored the entire application paper off diagonally so that no sane company would accept it as a valid application.

However, the very next day, I get a call from one of Citibank's employees asking me to submit a photograph so that he could forward the application. I was shocked and I asked him how it was even possible to submit a scored out application. Even though I scored off the application, I hadn't scored off my other copies of proof (Driving license, etc). So the rep had cleverly filled out a fresh form just like I would have and even signed where I should have (!) and forwarded the application to the card processing department. I know this because the rep who called told me that the only thing he needed was a passport size photograph and everything else was pucca.

Shocked, I told him that I didn't need the card and asked him to stop bugging me. I got routine calls from the same rep for about 3 days and also continuous text messages asking me to submit just the photograph. Heck, he would even have come to my house (the address was on the proof I submitted), he was THAT desperate.

It was then I decided that I would never ever deal with a shady company like Citibank, ever again.

So, I'm not surprised that they are actually so intrusive to even have you unsubscribe from their site. This bank is full of shit.


Forging your signature is illegal!


It's illegal, but the legal system is so bad that a person who openly swindled 25 billion dollars in 5 years is going to become the ruler of a province... He will literally buy votes with the money.


The Yes Men could launch Bitvote, a vote-trading platform using bitcoin.


So that the Bit-wealthy can control the outcome?


Which country was this in? India?


Seems yes. These 'credit card' agents employed by the company are generally poor people who are trying to make ends meet (they get some nominal money for every new person signing up for a credit card), and mostly "only" get too intrusive, to the point of being annoying, but in this case did forgery. The bank might not have anything to do with it though.


The person bugging me was actually the Citibank employee, not the affiliate store staff, so it has a lot to do with Citibank.


Yes, this was in India only. But please don't mistake all of India to be the same; this was a very specific incident and a case concerning a bank with questionable ethics and its employee, which could just as likely happen anywhere else in the world.


I was merely asking because this did not align with my experience of Citibank in the US, so I was wondering whether it was a foreign division of Citibank.

FWIW, I'm a Tamil-speaking Indian American. I am aware of the fact that not all of India is the same, but I think the cultural norms do have something to do with this incident.


Agreed.


This is illegal in the United States under the CAN-SPAM law.

From: http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

"You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request"

(My company provides email delivery software and consulting.)

[edit for typo]


The link posted here redirects to a co.in domain. It's Citibank India. I have sent them a message on facebook, in an attempt to bring this to their attention.


OP here. I sent them a tweet, and they replied with a link to a complaint form that - guess what - required me to enter my account number :)


Really? That's wicked. But most of the time I have witnessed such things, the problem is with process and not people. Processes come from the top down. Let's all try to bring this to the attention of the top brass.


If this is a legitimate concern and it's not being addressed after some reasonable initial contact, maybe you can get a mountain of retweets going with some unfortunate hash tag about the bank and a link to some reputable source about this issue. For better or worse, Twitter campaigns do seem to be somewhat effective against the PR machines of big businesses, as sooner or later someone important at the business often hears about them and starts damage limitation.


I guess they use the same form for every customer support issue.


This opens up an interesting phish attack. Spam users with seemingly innocent Citibank marketing emails several times a day until they get fed up and try to unsubscribe using their credit card.


This is a phishing attack waiting to happen! I never worked at a bank, but I'm assuming (maybe I shouldn't) that there are a few people working there who know a thing or two about security. I doubt that any person who claims to be a "security expert" would have let this go by, but I always seem to be proven wrong. Take for example TDBank in Canada, which has an '80s password policy:

Passwords must:

- be 5 to 8 characters in length

- not contain spaces or special characters (e.g. #, &, @)

Poor customers if TD ever gets their password database stolen.


Or the classic: the bank telephones you and asks you to verify your identity by answering your secret questions. facepalm


My bank (NatWest, terrible) told me to never give my information to anyone who calls me and asks for it. Every time they ring they then ask me for my details for 'security purposes'.

Then again, that seems mild now that I've found out they don't keep auditing logs of the changes their employees make to customers' accounts.

There are also lots of cases of online banking being compromised by really basic attacks (such as a CSRF attack that could be used to transfer money to an account of the attacker's choosing).

Banks aren't actually that secure. They merely spend a lot of time engaging in very expensive hand-wavey security theatre to convince us that they are secure - not to mention using expensive lawyers and unfair libel law (I am in the UK) to shut up security researchers who find problems. The reason that they are so frequently observed acting contrary to best security practices is that they are not actually particularly good at security.


Banks aren't actually that secure.

Financial services generally aren't in the business of security. They're in the business of risk management. Once you understand that distinction, much of what they do makes sense.

Unfortunately, some unhappy conclusions for the customers of these services do logically follow, starting with the fact that if you're not a huge customer, the financial services have little natural incentive to care about the safety of any assets/investments they handle for you. If something very bad happens, you might be an acceptable loss relative to the cost of mitigation, right up to the point of fighting you in court and then losing anyway. You personally might suffer greatly for any losses, and even if it's ultimately put right you might suffer months or years being dragged through the system, but no employee at any financial service is personally going to lose any sleep over your case.

This is why it is necessary to have regulators with teeth in financial industries. Any lapse that could cause significant harm to a customer should also potentially cause significant harm to the financial service. An ongoing pattern of such lapses should cause severe damage to the service's bottom line and eventually it should become an existential threat to the financial service itself, preferably with safeguards to ensure that the management and/or shareholders can't just escape using the technicalities of incorporation. Without this sort of counter-balance, the numbers will always be in favour of trampling on the little guy, and if there's one industry that runs on the numbers more than anything else, it's financial services.


This! Much of what ails common people when they face up to financial institutions in general and banks in particular could be attributed to your observation. I've read substantially over the last few years on what's gone wrong with financial institutions and how they should not be autonomous, but nothing comes close to the clarity with which you have summarized it.


I face this problem all the time, and I still don't understand why those banks can't understand the security risk behind this.


They might be running AS/400 as their backend systems. I recently saw a terminal to one of those in a bank and, to my shocking surprise, the passwords were not even encrypted on that system.

I imagine that passwords are kept in the same database as transactions so I'm not sure the passwords would be the primary concern in the case of a break in.


The frontend part can still use a secure password mechanism which is then hashed to a password suitable for the underlying backend system.

There's no reason to keep the bad decisions from decades ago as a part of a modern system, even if it relies on the legacy system.
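One way to build the front-end adapter the comment above describes, as an added example that is not code from the thread or from any bank: the front end enforces its own strong passphrase policy, then derives, with a per-user salt and PBKDF2, an 8-character alphanumeric value that fits the legacy rules, and only that derived value ever reaches the backend. The legacy rule set (5 to 8 characters, no spaces or special characters) is assumed from the TD policy quoted earlier in this thread; the 12-character front-end minimum, the round count and the `backend_check` callable are assumptions. The caveat a practitioner should keep in mind: this protects the passphrase the user actually typed (which they may reuse elsewhere) from a dump of the legacy table, but the backend credential itself is still only one of 62**8 possibilities, so lockout and monitoring on the backend still matter.

```python
import hashlib
import hmac
import secrets

# Password space accepted by the hypothetical legacy backend. The rule set
# is assumed from the policy quoted in this thread (5 to 8 characters, no
# spaces or special characters); a real system's rules will differ.
LEGACY_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz"
                   "0123456789")
LEGACY_LENGTH = 8
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the front end's budget


def new_user_salt() -> bytes:
    """Random per-user salt, stored with the front-end user record."""
    return secrets.token_bytes(16)


def front_end_policy_ok(passphrase: str) -> bool:
    """The front end's own (strong) rule: assumed minimum of 12 characters."""
    return len(passphrase) >= 12


def derive_legacy_password(passphrase: str, salt: bytes) -> str:
    """Map a strong passphrase onto the legacy password space, one-way.

    The backend only ever stores the derived value, so a dump of its table
    does not reveal what the user actually typed. It does not make the
    backend credential itself stronger than 62**8 possibilities.
    """
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              salt, PBKDF2_ROUNDS, dklen=32)
    # Treat the 256-bit key as an integer and write it in base 62.
    # 62**8 is about 2**47.6, far below 2**256, so modulo bias is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(LEGACY_LENGTH):
        n, r = divmod(n, len(LEGACY_ALPHABET))
        chars.append(LEGACY_ALPHABET[r])
    return "".join(chars)


def is_legacy_compatible(pw: str) -> bool:
    """Check a derived value against the assumed legacy rules."""
    return 5 <= len(pw) <= 8 and all(c in LEGACY_ALPHABET for c in pw)


def front_end_login(passphrase: str, salt: bytes, backend_check) -> bool:
    """Login path: enforce the strong policy, derive, and hand only the
    derived value to the backend (`backend_check` stands in for the
    legacy system's own credential check)."""
    if not front_end_policy_ok(passphrase):
        return False
    return backend_check(derive_legacy_password(passphrase, salt))


if __name__ == "__main__":
    salt = new_user_salt()
    legacy_pw = derive_legacy_password("correct horse battery staple", salt)
    print(legacy_pw, is_legacy_compatible(legacy_pw))
```

The salt must be fixed once per user: changing it changes the derived value, so a salt rotation is effectively a backend password reset and has to be done through the legacy system's change-password path.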


Poor password rules are a red flag. If their password code is this bad, how bad is the rest of their code?


My bank requires a 4 character password with no letters or special characters! Oh wait, a PIN doesn't count?


It doesn't, as you're blocked after only 3 attempts.


How about you mark their marketing emails as spam and let them deal with the consequences of that?


This. Poison their IP blocks in the SPAM RBL so they get the message.


I don't think that's a smart move. Let's give them the benefit of the doubt and bring this to their attention. I have messaged them on their Facebook. Hope this will help.

P.S. I am not a Citibank fan or something. Just trying to deal with this sanely.


Their Facebook is most likely run by an intern or "social media expert" who couldn't be any more disconnected from their actual website and programming. If their e-mails get banned, however, it'll go to a sysadmin who can actually start a conversation to do something.


What is the downside for the end users that makes this not a smart move?


What about the users who need to get the account-related email that they signed up for? I understand your disdain for unwanted email, I share it, but why should our opinions have a negative effect on others?


Don't blame the victim. If Citi is sending unwanted e-mails with no good way to unsubscribe then they are sending spam, and the fault lies with them, not with the people who say to themselves, "hey, this is spam, I should report it as such."


To be fair, me labeling something in my email client as junk doesn't signal my intent to harm other people's experience. If it does that, the blame is on the service providers: namely those signaling intent which I did not wish to signal.

The issue other users have is with their own service providers using a system that apparently can be easily gamed or falsified.

Finally, the problem is on Citibank's end, for sending unwanted email to people who have explicitly requested that they stop.

If users don't get account related email they signed up for, it's on Citibank's end to solve, as well as the service providers they are using to retrieve their email. They alone are at fault.


Banks should send ZERO emails, period. It's not secure for that.

I do sometimes get emails from them but they're "useless" (usually a simple notification)

Several banks have their own message box inside of Internet Banking.


I have my bank send me an email saying "you've made a credit card purchase" every time I make a credit card purchase, just as a low-hassle way of keeping an eye on things, but those emails seem to be sent from completely separate systems from the (very occasional) marketing-ish email. The latter they seem to contract out.

Certainly nothing that I need comes through email.

I would expect that they are separate systems for Citibank as well.


Email is the only universally-accepted federated notification system.

Emails such as "your card has been used 1000km+ from its last use" or "you just made this >$1000 purchase" are very useful indeed, and should be encouraged to detect fraud.


For small notifications (let's say a $50 purchase) I get an SMS.

If it's something that rings a bell, the bank calls me.


The problem with that is banks sometimes ask what your last transaction was to prove you are the account holder. Anyone who has access to these email messages will know that information.


I've never seen this with any of the banks with which I've done business. They will tell me what the transactions were and ask me to confirm that they were indeed by me in the case that they're suspicious of fraudulent activity.


My bank knows my public key. They could send me an encrypted email... well, except that ciphersuite in subject is GOST, which is not supported by most MUAs, so they don't. So, unfortunately, the key's only used to authenticate me over a TLS connection for a web-based self-care service.


I'm just talking about reporting it validly as spam.

This poisons the IP blocks they use to send SPAM from as the IP addresses get recognized as consistent sources of SPAM.

Certain mass-email marketing firms like MailChimp tout their "respectable email server IP addresses" as a feature.

Yep, IP-blocks have reps, good and bad.


I closed my Citibank account a number of years ago, including my online access. To this day they still send me marketing emails. The only way to unsubscribe is to log in to your account and change your preferences. Doesn't seem like there's anything customer service can do about it either. It now is spam and there's no way to unsubscribe, so it gets marked as such.


How many spam reports does it typically take to affect IP reputation?


It's getting increasingly harder to unsubscribe.

- Some big vendors (Dell, HP?) don't seem to use unified opt-out lists or they use agencies that don't share unsubscribes

- Unsub pages with complicated unsub process (double-negative questions, button size tricks e.g. 'submit' is small and 'continue' is large)

- Unsub pages requiring input of your email address on a form without the email address pre-populated (so you have to go back and lookup which address received the email)

- 2 stage unsub process, so you think you've submitted but it's really a page saying 'are you sure?' in small text with small submit

A single-click / no interaction unsubscribe is the exception now.


My experience has been the opposite or maybe it's just something unique to Outlook.com

They have a small button you can click to Unsubscribe beneath every marketing email. And they pop up a message saying "We'll ask them to stop. In the meantime we'll automatically move everything from this sender/company to junk."

Works really well and it's 1 click.


There are two modes of marketing mail I've seen increase massively over the last year or two (note: completely subjective 'study' based on my own inbox):

1) "Screw your choices" spam - despite figuring out the Mensa-challenge-esque puzzle of which checkboxes to check or uncheck, when signing up for a new account the company opts you in to marketing emails anyway.

2) "Blast from the past" - a company I used to use years ago has decided to add every single email address they've ever seen to their mailing list, and I'm suddenly seeing emails from them. To me this looks a lot like the desperate throes of a dying company - I believe Yahoo pulled this at some point this year. Amusing variation: my sole contact with one company was a complaint email, which they did not reply to. Two years later they started sending me marketing emails. No, thank you.

When it comes to unsubscribing there's another trick I've seen on the rise, other than the ones you already listed: An unsubscribe process that takes weeks. The page says something like "You will be unsubscribed within 28 days" and you keep getting spam in the meantime. I believe at least some of Yahoo's services do this, too? There are two main variations for this one: companies that do actually remove you after 28 days, and companies that don't (I assume it's just a distraction tactic and they hope you'll forget).


I particularly like the unsubscribe pages that have broken email validation. Sign up for a service with me+service@gmail.com just fine, but the unsubscribe page won't accept the '+'.

Or the ones that require you to sign in to update your spam preferences.

Ugh.


There is a massive love in India for documents. To get any service in the private or public sector, you need ID proofs and address proofs. Even to browse the internet at a "net cafe", you need to produce ID proof! That's so that the authorities can catch you (and make some side cash) if you were browsing anything against what they think the law is.

The problem is that there is a massive trust deficit. The public too is keen to cheat whenever a loophole exists due to simplified procedures. That invites even harsher regulation, and the cycle of submitting 10 documents where 1 would suffice continues. There are endless certificates and NOCs (no-objection certificates) required to operate in India: Aadhar citizen number, PAN number, TAN number, Service Tax number, Excise registration, LBT registration, Domicile, 7/12 extracts, 20-year-old vouchers for LPG gas cylinders, nationality... and so it goes. Also, there is very little belief about who you are and where you live. So for everything an address proof is required apart from an ID.

Any wonder that there are no ground-level start-up stories from India. All that we can do is morph into HSFC (Human Services for Cheap) model to serve the rich western countries who want to off-load their guilt of wanting modern 'e-slaves' in the post-industrial world but not being able to fund their liabilities.


I liked this JS function in one of the JS files on that page, especially the name of the cookie "Gabbar":

  // Quoted from the page's script; setCookie() and hitsscore are defined
  // elsewhere in that script. Assuming the third argument is the expiry
  // date, both cookies are set to expire on 1 Feb 2005 (JavaScript months
  // are zero-based), i.e. in the past, which tells the browser to drop them.
  function fun() {
    var new_dte = new Date(2005, 1, 1);
    setCookie("Gabbar", "#!#0", new_dte);
    setCookie("hitsscore", hitsscore + "~", new_dte);
  }


Haha. Maybe Jai and Viru methods are doing server side processing :)


A few people have mentioned this, but if you're using a web-based email service, then simply mark the email as spam. This will cause an Abuse Feedback Report to be sent to Citibank, which should cause their server to automatically unsubscribe you from the email stream.

If you're sending bulk email, you're not going to get delivery unless you process these messages from the large web mail providers.

I am actually surprised that they aren't required by law to have either a 1-click unsubscribe or, at the very worst, require you to enter your email address into the form and click a button. This is the way that the US CAN-SPAM Act and the Australian Spam Act work.
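What "processing these messages" looks like on the sender's side, as an added example that is not code from the thread or from any provider: a feedback-loop handler that parses an Abuse Reporting Format report (RFC 5965, the `multipart/report; report-type=feedback-report` structure), pulls the complaining recipient out of the `message/feedback-report` part, confirms from the embedded original that the mail was really ours, and adds the address to a suppression list. The report below is constructed for the example (placeholder addresses, hosts and campaign id), `OUR_DOMAIN` and the `X-Campaign-Id` header are assumptions, and the suppression list is a plain set standing in for whatever store a real mailer uses.

```python
import email
from email import policy
from email.utils import parseaddr

# Domain whose outbound mail we are responsible for (assumed). A report
# about mail that did not come from us is ignored rather than acted on,
# so a forged report cannot be used to unsubscribe arbitrary addresses.
OUR_DOMAIN = "marketing-sender.example"

# Constructed ARF report of the kind a mailbox provider's feedback loop
# sends when a recipient clicks "report spam". Not a real report.
SAMPLE_ARF = """\
From: feedback-loop@mailbox-provider.example
To: abuse@marketing-sender.example
Subject: Abuse report for message from 192.0.2.10
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf-boundary"

--arf-boundary
Content-Type: text/plain; charset=us-ascii

This is an abuse report for an email message received from 192.0.2.10.

--arf-boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFeedbackLoop/1.0
Version: 1
Original-Mail-From: <offers@marketing-sender.example>
Original-Rcpt-To: <recipient@mailbox-provider.example>
Arrival-Date: Sun, 29 Dec 2013 09:00:00 +0000
Source-IP: 192.0.2.10
Reported-Domain: marketing-sender.example

--arf-boundary
Content-Type: message/rfc822

From: offers@marketing-sender.example
To: recipient@mailbox-provider.example
Subject: Our latest card offers
List-Unsubscribe: <mailto:unsub@marketing-sender.example>
X-Campaign-Id: promo-2013-12

Great new offers inside.

--arf-boundary--
"""


def _embedded_message(part):
    """Return the message nested inside a message/* or rfc822-headers part."""
    payload = part.get_payload()
    if isinstance(payload, list):      # parser already built the sub-message
        return payload[0]
    return email.message_from_string(payload, policy=policy.default)


def parse_feedback_report(raw: str):
    """Extract what a sender needs from an ARF report; None if it is not one
    or does not concern our mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        return None
    record = {"feedback_type": None, "recipient": None,
              "source_ip": None, "campaign": None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            report = _embedded_message(part)
            record["feedback_type"] = str(report.get("Feedback-Type", "")).strip().lower()
            record["recipient"] = parseaddr(str(report.get("Original-Rcpt-To", "")))[1].lower()
            record["source_ip"] = str(report.get("Source-IP", "")).strip()
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            original = _embedded_message(part)
            sender = parseaddr(str(original.get("From", "")))[1].lower()
            if not sender.endswith("@" + OUR_DOMAIN):
                return None                # not our mail: do not act on it
            record["campaign"] = str(original.get("X-Campaign-Id", "")).strip() or None
            if not record["recipient"]:    # fall back to the original To:
                record["recipient"] = parseaddr(str(original.get("To", "")))[1].lower()
    return record if record["recipient"] else None


def process_complaint(raw: str, suppression_list: set):
    """Feedback-loop handler: a complaint is a permanent opt-out."""
    record = parse_feedback_report(raw)
    if record is not None:
        suppression_list.add(record["recipient"])
    return record


if __name__ == "__main__":
    suppressed = set()
    print(process_complaint(SAMPLE_ARF, suppressed), suppressed)
```

Real feedback loops strip or hash the recipient address in some reports, which is why the handler also falls back to the original message's To header and why a campaign or list identifier in your own headers is worth keeping: it lets you suppress the right stream even when the address itself is redacted.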


In India, if you want to use your credit/debit card online you need to enter a PIN/password. Hence it is highly unlikely you can do anything with that info. This, however, is still scary!


To be ever so slightly more fair to Citibank, this is the page after you've already said you have a relationship with them. This is where you choose: http://www.online.citibank.co.in/customerservice/DND.htm. The other option asks for your email and phone number. Still, poorly designed and surprised it's considered to be in compliance. Phone and email inputs should be enough.


The unsubscribe link in the marketing email took me to this page directly. The marketing email was targeted to existing customers.


Even worse, then, that this page was shown when they already know who you are.


This is surprising given that the bank IVR and reps keep saying that the bank will never ask you for your personal information.


This form opens up when you select existing customers. Upon clicking not existing customers, it asks only for email and phone.


I am not surprised. Most of the banking websites in India seem like they were designed for IE in the '90s. There are pop-ups, options after options, acronyms and more acronyms, and did I mention the Verified by Visa thing?


Looks like a UI bug: the credit card number is mandatory only if you choose credit card as the relationship dropdown value.


Anything is possible in the Indian market.


What did RBI say?


[deleted]


You "fail to see the problem" with a financial institution encouraging insecure handling of CC and acct details? I hope that you don't work for a bank, but somehow I suspect you do.

EDIT: I'll take your deletion as confirmation that you do work for a bank.


Yes, banks and "security procedures" are about the bare minimum security and CYA.

And "bare minimum security" usually means ensuring there's a padlock on a 3-foot-tall gate.


I don't think that it's something you know (the last 4 of your credit card or social security are used for that).

My guess is that they have different email campaigns tied to your bank account, credit card or investment account, etc. This is probably the only way to make sure you don't get any emails from that account.


But they want my Credit Card + Bank Account No + Cellphone No. This is a link that was in the email. My first instinct was that this was a phishing email. Then, when the link appeared genuine, I guessed it's their way to discourage me from unsubscribing.


"I guessed it's their way to discourage me from unsubscribing."

This is likely to be a new internet monetization scheme... Go ahead, mark this as spam, you'll never get another water utility bill again. To save money on your water bill, we send you these marketing messages every day.


You can't be serious, like every major site out there will send you an email link with a "password" unique to that user/email that will one-click opt-out. I believe this is due to US regulation, but it's clearly technically implementable and safe.
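The per-user "password" in the link that the comment above describes is an HMAC-signed unsubscribe token. As an added example that is not code from the thread or from Citibank, the block below signs the recipient address, list identifier and an expiry with a server-side secret, embeds them in the link, and verifies the signature on the way back in, so the link itself is the proof of entitlement and the page never has to ask for an account or card number. `UNSUB_SECRET`, the 30-day lifetime, the `e`/`l`/`x`/`t` parameter names and the base URL are all assumptions.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key. Constructed placeholder: generate a random one at
# deploy time, keep it out of the email, and rotate it with a grace period.
UNSUB_SECRET = b"placeholder-unsubscribe-signing-key"
TOKEN_TTL = 30 * 24 * 3600  # assumed: links stay valid for 30 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(address: str, list_id: str, expires: int) -> bytes:
    # JSON keeps the three fields unambiguous even if an address contains
    # unusual characters; fixed separators make the encoding deterministic.
    payload = json.dumps([address, list_id, expires],
                         separators=(",", ":")).encode("utf-8")
    return hmac.new(UNSUB_SECRET, payload, hashlib.sha256).digest()


def make_unsubscribe_url(base_url: str, address: str, list_id: str, now: int) -> str:
    """Link to embed in the email: address, list, expiry and a MAC over the
    three. No account or card data, and nothing the bearer can forge."""
    address = address.strip().lower()
    expires = now + TOKEN_TTL
    query = urlencode({"e": address, "l": list_id, "x": expires,
                       "t": _b64(_mac(address, list_id, expires))})
    return f"{base_url}?{query}"


def verify_unsubscribe_url(url: str, now: int):
    """Server side: return (address, list_id) if the link is genuine and
    unexpired, else None. No login, no account number."""
    qs = parse_qs(urlparse(url).query)
    try:
        address, list_id = qs["e"][0], qs["l"][0]
        expires, token = int(qs["x"][0]), _unb64(qs["t"][0])
    except (KeyError, ValueError):          # missing, malformed or bad base64
        return None
    if now > expires:
        return None
    if not hmac.compare_digest(_mac(address, list_id, expires), token):
        return None
    return address, list_id


if __name__ == "__main__":
    now = 1388304000  # constructed timestamp (29 Dec 2013)
    link = make_unsubscribe_url("https://example.test/unsub",
                                "Me+Service@Example.test", "promo", now)
    print(link)
    print(verify_unsubscribe_url(link, now + 60))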


I don't understand the issue; from the bank's perspective those are basically your username. It's not like they need to trick you into giving them a number they issued you.

EDIT: The only problem I can think of is that it may encourage users to be loose with their info, and therefore be more susceptible to phishing attacks.


The typical customer got to the linked page by clicking a link in an email. After all, the use case is the customer not wanting the damned marketing spam. A financial institution should not be training its customers to enter account details into pages they got emailed to them.

I'm sure some customers would consider themselves sophisticated enough to "know" this is a "real" Citi page, but if they were actually sophisticated they wouldn't touch this with a ten-foot pole.


Sorry, my edit must have come in while you were typing this.


No worries! My typing speed varies. I'd suggest an additional edit, however. "The only problem" is a big enough problem to vitiate any benefit Citi were attempting to provide here. I suspect this page will disappear as soon as the home office sees it.


It will only disappear if someone actually understands the issue. A post that consists of someone linking to a form probably won't educate them. Every interaction with a bank starts with them asking for this type of info. The real issue is them soliciting it via a link in an email, if that is actually what they are doing.


I'm pretty sure that Citibank International have someone on staff (perhaps a secretary? maybe even a VP...) who would immediately see the problem with this page. It's been some time since I banked online with a "big" bank, but do they routinely ask for one's account number in order to get off spam lists?


What if a customer put in the wrong email address, and the person getting the marketing emails doesn't have any account number with the bank?


That might be interesting indeed, but it does bring up another question. Is this form for other forms of communication as well, such as postal mail? Is it a way for all customers, including those who do not have an online account, to opt out of marketing communications? If it is, how else could they implement something like this?


As someone who gets hit by reverse identity theft[1] regularly, I'm convinced that requiring anything other than "proof that the email address is actually yours" makes you scum. If your only point of contact with a customer is an email address that isn't actually theirs, they aren't getting your communications anyway. And with that, I'm off to call a hospital I've never been to because they don't even have an unsubscribe link or any email point of contact at all.

[1] http://xkcd.com/1279/


Your edit is correct, but "the only problem" implies (at least to me) that it's not important, while it's kind of like saying "the only problem with getting shot in the head is that your brain gets smashed into a zillion pieces".



