Please phish our customers, 'k? thx! lol

2006/02/26

Categories: Spam

Citibank sent me something.

I think.

I got an offer advertising my new “ThankYou™” member card. I am, it says, to visit their website, www.thankyounetwork.com. If I sign up there, and put in information about Citi-related credit card accounts, they will give me “points” which I can redeem for rewards. You know, like every other membership program, from airline miles and on.

But there’s an issue here. Who runs this? Why should I enter information about my Citibank card into an account run by… Someone else? And if it’s not someone else, why isn’t it somewhere in citibank.com?

Honestly, I feel that this ought to create liability for Citibank in the event that their customers are successfully tricked into giving out account information. They are actively communicating to their customers “you should enter identifying information about your accounts with us into a form run by some other site”.

Maybe Citi really does run this one, but since there’s not even a hint of a relationship in the name, what’s to stop Phisher Phil from creating a new site, “thankyourewards.com”, and telling people that their existing thankyou accounts are moving, and can they please reenter all that data? … Nothing, that’s what. Citi has opened the door to the notion that account data from them can and should be entered in other web sites.

To make it scarier, the letter implies that, for instance, you can use this new site to apply for other Citi accounts, such as a bank account with them. So, they really want you to enter all sorts of identifying information on someone else’s site. And to just assume that the site in question is legit.

Crazy!

Comments [archived]


From: PlaidMan
Date: 2006-02-27 12:59:23 -0600

I’m amazed that Schwab sends me regular email to let me know that it’s account statement time again. Or more precisely, that they send me email that is indistinguishable from a well-crafted phishing attempt.


With credit cards, the card issuer is responsible for any fraud over $50 on the card. But identity theft costs the banks little or nothing. They would wise up fast if the appropriate incentives were in place.