Oops, sorry, my mistake, I typed citybank.com instead of citibank.com...
Amir
p.s. Citybank is a community bank (and yes, _they_ use unprotected
login... but CitiBank is Ok).
Amir Herzberg wrote:
Hi, I noted that Citibank changed their login form at
http://CitiBank.com. It now points you at the site:
https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460
Ignore the parameters... notice the domain, ibanking-services.com! And
whois reveals it belongs to Metavante Corporation... The SSL
certificate also belongs to Metavante (and signed by RSA).
Well, this site is protected by SSL, but not with the correct ownership
(citibank/citigroup)... I guess I should add it to the Hall of Shame...
Granted, most web users, using current UI, will not notice this at all,
but I think it is clear that the bank should allow careful users (e.g.
using TrustBar or checking manually) to identify that the site belongs
to citibank.
BTW, citicards.com still works Ok, as well as
http://www.citibank.com/us/index.htm...
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Unprotected Login Hall Of Shame: http://AmirHerzberg.com/shame.html
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security