Citibank woes

I have always been a fan of one-time use credit card numbers. Certainly, for someone who shops on a number of web sites, they are a nice way to not get “too much” information stolen. It is not that I do not trust proprietors of smaller internet ventures, but… Well, I do not necessarily trust their information transmission and retention policies. Recently, I had just the excuse to the use a one-time number myself. I was buying something on a foreign website, hosted in a country known better for gathering information that securing it. “Perfect”, I thought, “I will be safe with my citibank visa!”
And now we can talk about how companies shoot themselves in the foot when their marketing gets ahead of their capabilities. Citibank, for example, runs a series of hilarious commercials warning of the dangers of Identity Theft. Despite the message saturation; however, it is impossible to find out how to generate one-time numbers for citibank issued credit cards from the site. At least my searches revealed no obvious way of doing so. A number of blog entries alluded to the fact that Citigroup (parent company of Citibank, N.A.) indeed provides a generator, but no links were posted. Luckily, I have friends who are much better at web sleuthing, and soon I had in my hands the link.

Citi.com, Citibank.com, Citicards.com – how many different domains does one company want to provide to its customers? But at least my login will work, right? Nope. Register again. Except there are two problems, one personal, and another technical. Technical problem arises from the fact that I just get a “general error” when trying to register. My personal problem comes from the fact that “register” link takes me to another domain. Is not this exactly what all anti-phishing and identity theft literature talks about avoiding? I spent a while before I found that the URL I am being redirected to is indeed a valid Citigroup URL:

Valid Citibank URLs

Ultimately it was for naught. Only credit cards, not citibank issued debit cards can even register for the citicards.com, presumably, because debit cards linked directly to people’s savings and checking accounts do not actually need protection afforded to credit card holders that are (most of the time) only responsible for the first $50 of fraudulent charges.

But there is a happy ending. Eager to succeed I found an old citibank credit card and successfully registered and obtained the one-time number. It took some time to find on the website – but it was there (citibank website search is truly a useless feature). The web-based generator would now allow me to set an expiration date or a credit limit to the unique number, but at least it generated the number. After 2 or 3 hours of research a trivial transaction was completed to the satisfaction of both parties.

ps. I still cannot find the generator for American Express, although I hear it exists.

This entry was posted in Information Security, Web. Bookmark the permalink.