Citibank India wants credit card, bank account numbers to stop marketing emails

Citibank is one of the worst banks I've dealt with.

Once, one of their affiliate's employees offered me a Credit Card for free and said "it had no strings attached" and I don't need to do anything to keep it alive. Thought it sounded too good to be true, I bit the bullet and signed up, right on the spot, their affiliate clothing store. Before I was about to submit my documents, it was then I happened to meet a friend by chance and he told me that I would need to purchase a minimum X amount each year mandatorily through the "free" card, failing which I would be levied drastic charges.

Shocked, I asked the affiliate's employee if it was true and he confirmed the same. I politely declined, got my papers from him, and scored the entire application paper off diagonally so that no sane company would accept it as a valid application.

However, the very next day, I get a call from one of Citibank's employees asking me to submit a photograph so that he could forward the application. I was shocked and I asked him how it was even possible to submit a scored out application. Even though I scored off the application, I hadn't scored off my other copies of proof (Driving license, etc). So the rep had cleverly filled out a fresh form just like I would have and even signed where I should have (!) and forwarded the application to the card processing department. I know this because the rep who called told me that the only thing he needed was a passport size photograph and everything else was pucca.

Shocked, I told him that I don't need the card and asked him to stop bugging me. I got routine calls from the same rep for about 3 days and also continuous text messages asking me to submit just the photograph. Heck he would have come to even my house (the address was on the proof I submitted) , he was THAT desperate.

It was then I decided that I would never ever deal with a shady company like Citibank, ever again.

So, I'm not surprised that they are actually so intrusive to even have you unsubscribe from their site. This bank is full of shit.

This is illegal in the United States under the CAN-SPAM law

From: http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

"You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request"

(My company provides email delivery software and consulting.)

[edit for typo]

This opens up an interesting phish attack. Spam users with seemingly innocent Citibank marketing emails several times a day until they get fed-up and try to unsubscribe using their credit card.

This is a phishing attack waiting to happen! I never worked at a bank but I'm assuming (maybe I shouldn't) that there are a few people working there that know a thing or two about security. I doubt that any person who claims to be a "security expert" would have let this go by, but I always seemed to be proven wrong. Take for example TDBank in Canada who has a 80's password policy:

Passwords must:

- be 5 to 8 characters in length

- not contain spaces or special characters (e.g. #, &, @)

Poor customers if TD ever gets their password database stolen.

How about you mark their marketing emails as spam and let them deal with the consequences of that?

Getting increasingly harder to unsubscribe.

- Some big vendors (Dell, HP?) don't seem to use unified opt-out lists or they use agencies that don't share unsubscribes

- Unsub pages with complicated unsub process (double-negative questions, button size tricks e.g. 'submit' is small and 'continue' is large)

- Unsub pages requiring input of your email address on a form without the email address pre-populated (so you have to go back and lookup which address received the email)

- 2 stage unsub process, so you think you've submitted but it's really a page saying 'are you sure?' in small text with small submit

A single-click / no interaction unsubscribe is the exception now.

There is a massive love in India for documents. To get any service in private or public sector, you need ID proofs and address proofs. Even to browse internet at a "net cafe", you need to produce ID proof! That's so because authorities can catch (and some side cash) you if you were browsing anything against what they think the law is.

The problem is that there is massive trust deficit. Public too is keen to cheat whenever a loophole exists due to simplified procedures. That invites even harsher regulation and the cycle of submitting 10 documents where 1 would be suffice continues. There are endless certificates and NOCs (no-objection certifcates) required to operate in India: Aadhar citizen number, PAN number, TAN number, Service Tax number, Excise registration, LBT registration, Domicile, 7/12 extracts, 20 year old vouchers for LPG gas cylinders, nationality...and so it goes. Also, there is very little belief about who you are and where you live. So for everything an address proof is required apart from an ID.

Any wonder that there are no ground-level start-up stories from India. All that we can do is morph into HSFC (Human Services for Cheap) model to serve the rich western countries who want to off-load their guilt of wanting modern 'e-slaves' in the post-industrial world but not being able to fund their liabilities.

I liked this JS function one of the JS files in that page, specially the name of the cookie "Gabbar":

  function fun() {
    var new_dte= new Date(2005,1,1);
    setCookie("Gabbar","#!#0",new_dte);
    setCookie("hitsscore",hitsscore+"~",new_dte);
  }

A few people have mentioned this but if your using a web based email service, then simple mark the email as spam. This will cause an Abuse Feedback Report to be sent to citibank, which should cause their server to automatically unsubscribe you from the email stream.

If your sending bulk email, your not going to be getting delivery unless your process these messages from the large web mail providers.

I am actually surprised that they aren't required by law to have either a 1 click unsubscribe or at the very worst, require you to enter your email address into the form and click a button. This is the way that the us CANSPAM act and the australian spam act work.

In India, if you want to use your credit/debit card online you need to enter a pin/password. Hence it is highly unlikely you can do anything with that info. This however is still scary !

To be ever so slightly more fair to Citibank, this is the page after you've already said you have a relationship with them. This is where you choose: http://www.online.citibank.co.in/customerservice/DND.htm. The other option asks for your email and phone number. Still, poorly designed and surprised it's considered to be in compliance. Phone and email inputs should be enough.

This is surprising given that the bank IVR and reps keep saying that the bank will never ask you for your personal information.

This forms opens up when you select existing customers. Upon clicking not existing customers, it asks only email and phone.

I am not surprised most of the banking websites in India, seems like, designed for IE in 90s. There are pop-ups, options after options, acronyms and more acronyms, and did I mention Verified by Visa thing.

Looks like a UI bug, credit card number is mandatory only if you want relationship dropdown value as credit card.

Anything is possible in Indian market.

What did RBI said?

I don't understand the issue, from the banks perspective those are basically your username. It's not like they need to trick you into giving them a number they issued you.

EDIT: The only problem I can think of is that it may encourage users to be loose with their info, and therefore be more susceptible to phishing attacks.