Citibank Customers Beware

Posted by Rick · December 5th, 2003 · No Comments

Bummer. I’d written a long and funny article about a scam on Citibank customers, but in the process of checking some sources, I turned on security which (long story short) resulted in the loss of the article when I went to save it in MovableType. THAT will teach me to write these things directly using the web interface instead of Zempt!

Nevertheless, this Citibank scam is important enough that I’ll try to reproduce at least the gist of what I’d written before, perhaps without all the editing and extra URLs (some of which I’d have to look up again).

This article should be of interest not just to Citibank customers, but to anyone who receives email communications which appear to be from their banks.

So…


I received an email tonight which presented itself thusly:

Date: Thu, 04 Dec 2003 20:59:43 -0500
From: Citibank
Reply-To: Citibank
To: Webmaster
Subject: Citibank E-mail Verification: webmaster@unspun.us

Dear Citibank Member,

This email was sent by the Citibank server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Citibank ATM/Debit
Card number and PIN that you use on ATM.

This is done for your protection — because some of our members
no longer have access to their email addresses and we must
verify it.

There are just a few problems with this, not the least of which is that I’d never use the address of the “webmaster” for this website to communicate with any financial institution online. In fact, when I communicate with others online, I typically create new addresses specific for them. For example, if I were to want to communicate with Frito-Lay, I might use the address “frito” at Unspun.US; Coca-Cola might get “c-soda” at Unspun.US. This way, I can track which companies re-sell my address. If I get spam from someone who wants to help me enlarge certain body parts and it’s been sent to the “c-soda” address, then I start to wonder about the connection between these guys and Coca-Cola. (Disclaimer: Coca-Cola has never offered to enlarge any of my body parts, although rumor has it that enough of the non-diet version can fatten you up.) Periodically — when I no longer need to communicate with the other party or if I find they’ve sold my address — I’ll delete the customized address. I can do these things because I run my own mail servers (in more than one location) and it’s easy to re-direct these addresses to a centralized box. But by looking to see to whom the email was sent, I can track what’s happening with my personal information better.

Three things confused me about the current email purportedly from Citibank.

  1. The header information
  2. Why they would use a Finnish broadband connection
  3. The URL to which the email directed me and the missed opportunity it represents

The Header Information

Email sent on the Internet typically contains more “header” information in the message than most people see. Your email reader (Outlook, Eudora, Netscape or whatever you use) hides these details from you unless you know how to look for them. If you know what to look for, however, you can see not only where a message started, but each server it may have traversed on the way to your mailbox. The more complete header information on this particular message looks like this (the lines may wrap in your browser):

Return-Path:
Received: from dsl-lprgw4h9b.dial.inet.fi (dsl-lprgw4h9b.dial.inet.fi
[80.222.215.155])
      by DELETED-TO-MAKE-IT-HARDER-FOR-THOSE-WHO-WOULD-ABUSE-MY-SERVERS (THIS,TOO,DELETED) with SMTP id hB51txZV014229
      for <webmaster@unspun.us>; Thu, 4 Dec 2003 17:56:05 -0800
Received: from citi.com (mail2.ssmb.com [192.193.226.98])
      by dsl-lprgw4h9b.dial.inet.fi (Postfix) with ESMTP id 52B0BF075A
      for <webmaster@unspun.us>; Thu, 04 Dec 2003 20:59:43 -0500
Message-ID: <6.0.0.22.1.20031204205943.b3da853c@citi.com>
X-Sender: spooring@mail2.ssmb.com
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Reply-To: Citibank
Date: Thu, 04 Dec 2003 20:59:43 -0500
To: Webmaster
From: Citibank
Subject: Citibank E-mail Verification: webmaster@unspun.us

The server listed here as the originator of the message (mail2.ssmb.com [192.193.226.98]) really does belong to Citibank, according to some nifty tools I use from Eye-Net Consulting to check such things. Both the name (mail2.ssmb.com) and the IP address (192.193.226.98) match up; both belong to a legitimate Citibank email server. Taking everything else into consideration, this has to be a forgery, but it was done by a social engineer with enough thought to try to impress those of us who check headers.

The Finnish Connection

But why, one wonders, would Citibank — which so far as I know is a United States company — have one of its computers connect to a broadband connection from a pool of such connections belonging to TeliaSonera, a telecommunications company in the Nordic and Baltic regions with extensive interests in growth markets of Russia, Turkey and Eurasia? Is there something wrong with the email conduits in the United States? Or is Citibank — which has a reputation for being particular about things — just being Finnishy (er, uh, I mean, “finicky”)?

An Opportunity Missed? The URL To Which I Was Directed

The last thing which confused me is this: If, as I have to assume, this is truly a scam, then why did the address given for me to paste into my browser actually re-direct me to the main page for the real website of Citibank?

Perhaps Citibank is already onto the scam. There is reason to believe this. After all, they do have a web page for reporting frauds. If you go there, you’ll see links already set up for you to report certain ones they already know about. Maybe they contacted TeliaSonera and said, “Hey, look. Here’s what’s happening. Now set your servers so that when people try to get to these bogus addresses, it will re-direct them to our main website.”

If that’s what they did, it would be a Good Thing™, but why stop there? If Citibank really did do this, they might have had the foresight to re-direct us to a page that said something like this:

Here at Citibank, we care about your financial security. That’s why when we discovered this scam, we worked with TeliaSonera to have you re-directed to this web page when you clicked the bogus link.

The page could then go on to educate users — both existing and potential customers — about financial security on the Internet. It could remind you that when you pick a PIN number, the bank doesn’t (to my knowledge, anyway) know what it is. When you go to the bank, or choose one via telephone or the Internet, you typically enter the number yourself; you don’t tell it to anyone. That’s the point of it being a PIN: It’s a Personal Identification Number and doesn’t perform its function well if someone else knows it.

Citibank could use the page to provide Internet denizens with information about safe banking, both on- and off-line, or they could use their already-existing page about how to detect fraudulent email (Click here, then click the link titled “How do I recognize a Spoof e-mail?” in the upper-right-hand corner of the page). They would be providing a service to every member of the Internet and banking communities. And they could position themselves as a pro-active bank working to protect your assets.

Alas, another opportunity lost. Of course, I could be wrong. Maybe Citibank didn’t have this URL redirected. Maybe it’s not even a scam. Maybe Citibank really has changed all the rules about security — maybe Personal Identification Numbers (PINs) aren’t personal anymore. Maybe they need Finnish-Nordic-Baltic-Russian-Eurasian broadband connections to help collect this information.

Still, there’s one more problem that leads me to believe this is some kind of scam: I don’t have an account with Citibank.

Categories: Stupidity
