Updated July 16th to document further idiocy – see the bottom of this post.
Today provided yet another indication that Citibank (and by extension, MasterCard) have absolutely no clue about online security, and past events have shown that they simply don’t care.
As background, I’m sure you remember all the warnings your bank / credit card company gave you about never giving out information to unknown entities, to always make sure that the name of the bank / credit card company is in the URL, and so forth. It sure would be nice if they’d take their own advice…
Today’s experience was triggered by an order on newegg.com. After clicking on the “confirm order” button, I was told that I might be redirected to my bank’s web site to confirm the order. So far so good – I’ve had experiences in the past where every single Newegg order caused my card to be flagged for fraud. But then I was greeted with a web page claiming to be “MasterCard SecureCode”, but with a URL showing “securesuite.net”, which demanded a bunch of sensitive info, including the last 4 digits of my SSN and my billing Zip Code. What the heck? Looks like an obvious phishing site. I let the page sit there while I contacted Citibank MasterCard. The agent said that it was obviously a fake and that I should never enter any info into an online form like that (a statement I strongly agree with). I clicked the “cancel” button and figured that I’d just place my order somewhere else. However, Newegg told me my order had been placed successfully and subsequently sent me an email letting me know that my credit card had been charged.
I then decided to investigate what this “securesuite.net” site was. There aren’t many useful search engine hits, but there is history going back at least seven years, all of which points out the confusing nature of that site. For example:
- Who the heck is yaron shohat and why does he want my social security number
- Verified by Visa and SecureSuite: Legit or Phish?
- MasterCard SecureCode and securesuite.net
- Verified by Visa (Veriphied Phishing?)
For an actual scholarly paper about this problem, I suggest reading “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”.
If you browse to https://www.securesuite.net, you get (as of this writing) a blank page – it doesn’t even return any HTML headers. If by some chance you happen to find https://www.securesuite.net/csi/docs/contact_support.jsp, you’ll find a singularly uninformative page which contains such gems as “Call us at your Financial Institution’s support phone.” To be fair, that may just be a generic page not intended to be shown to users.
The main point is that after telling us to never trust unknown web sites, the banks and credit card companies are sending people to just those sorts of sites. Talk about mixed messages!
Compounding this, if you do get a call from the Citibank Fraud Department, it will show up as “Unavailable” or “Private” in Caller ID. While it’s true that Caller ID is easily faked, I’d be more inclined to answer the phone if it didn’t look like a random telemarketing call. For added security, that automated call could simply say “This is a fraud warning about your Citi MasterCard ending in 1234. Please call the number on the back of your card immediately.”
This is not a new problem – I’ve been reporting Citibank’s own email to their anti-phishing department because my mail server (correctly) flags it as fraudulent due to forged headers. In particular, they like to send out email with the subject “Important information regarding your statement”. It is actually just a canned solicitation to switch to online billing, not “Important information”. But Citibank doesn’t send it themselves – instead, they use companies called bigfootinteractive.com and epsiloninteractive.com. As I said in my unacknowledged complaints to Citibank, “Imagine you got an email claiming to be from the IRS entitled “Important information about your tax return”, where the email was sent from a Yahoo account through a GMail account to you. Wouldn’t you be suspicious? You’re doing the exact same thing with the mail you send out.”
These companies should require the use of their own domains and SSL certificates rather than apparently-unassociated third parties, or at least correct information when users call them and ask if the third-party site is legitimate.
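As an added illustration (not code from the original post), here is the kind of check a mail filter or a wary customer applies in the two situations above: whether a page's host belongs to the brand it claims to be, and whether an email's From: domain is aligned with its envelope sender and the relay that delivered it. The brand-to-domain table, the sample message, the addresses in it and the receiving host mx.example.net are all constructed for this example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed brand-to-domain mapping for the example; the authoritative
# list would have to come from the card network or bank itself.
BRAND_DOMAINS = {
    "MasterCard SecureCode": {"mastercard.com"},
    "Citibank": {"citi.com", "citibank.com"},
}

# Constructed message modelled on the "statement" mailing described in the
# post: a bank brand in From:, but bounces and relay on a third-party domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce-1234@mail.bigfootinteractive.com>
Received: from mta7.bigfootinteractive.com ([203.0.113.10]) by mx.example.net with ESMTP
From: "Citi Cards" <citicards@citibank.com>
Subject: Important information regarding your statement

Switch to online billing today.
"""

def registrable_domain(host: str) -> str:
    """Last two labels of a host. Fine for the .com hosts in this post;
    a production check would consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def url_matches_brand(url: str, brand: str) -> bool:
    """The check the bank's own advice asks of customers: is the page
    actually hosted on a domain the named brand controls?"""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in BRAND_DOMAINS.get(brand, set())

def sender_alignment(raw_message: str) -> dict:
    """Compare the visible From: domain with the envelope sender (Return-Path)
    and the host that handed the message to us (first Received: header)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    relay = re.search(r"from\s+([\w.-]+)", msg.get("Received", ""))
    relay_host = relay.group(1) if relay else ""
    expected = registrable_domain(from_domain)
    return {
        "from_domain": from_domain,
        "return_path_aligned": registrable_domain(bounce_domain) == expected,
        "relay_aligned": registrable_domain(relay_host) == expected,
    }
```

Run against the SecureCode URL from the post and the constructed message, both checks fail, which is exactly why the page looked like phishing and why the mail server flagged the statement email.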
It’s a sad day when I have to admit that PayPal does a much better job with this sort of thing than Citibank does.
This total disregard for security isn’t just in their online communications, either. Citibank started sending me unsolicited “balance transfer” checks in the mail, despite my having gotten them to stop some years ago. I had to call yet again and have my account flagged to not receive them. I said to the phone rep “Who in this day and age thinks sending blank checks in the mail is a good idea?” and she agreed with me. She apparently gets lots of calls about this.
Update as of July 16th:
As I wrote yesterday, I canceled the “MasterCard SecureCode” window and Newegg apparently processed my order, notifying me that they’d received the order and later that it had been successfully charged to my credit card. That’s where things were at the time I wrote the above post.
Last night I received email from Newegg telling me that my order had shipped and tracking information was available, and that I could expect to receive the order on the 17th. That’s excellent service, considering that I had used the “free 4-5 day shipping” option. I figured everything was all set. Little did I know…
Today at 6:37 PM (note that this is at least 12 hours after my Newegg order shipped – talk about “locking the barn door…”) I get the usual “Unavailable” Caller ID phone call from the Citibank Fraud “Early” Warning Department, telling me that my card has been frozen and asking me to confirm that my Newegg purchase was legitimate (oddly, they had no problem with my Amazon purchase later that same day). I told the agent it was, and explained that I’d received the phony-looking SecureCode page and after contacting the same department she was calling me from, who told me it was bogus and to never provide information on that sort of suspicious page, I clicked “cancel”.
The agent proceeded to tell me how important the SecureCode was. She was unable or unwilling (perhaps due to the “script” they’re required to work from) to understand that her department was the one who told me to never provide that information. We went around in circles for about 10 minutes as I tried to get her to understand that, and also to get the point across that they are the ones who say to never provide information to an untrusted 3rd party.
It’s easy enough to dismiss this as “somebody else’s problem”, but the banks, card companies and merchants are covering the losses they incur due to their own stupidity by charging everybody a little more. So it’s everybody’s problem – I just wish the bank could see that it is a problem entirely of their own making.