We were impressed with Citibank’s full-page ad in Sunday’s New York Times travel section offering 25,000 miles to take a new American Airlines co-branded credit card. As usual, we looked for a link to the Web-based application and were pleased to find a large, reverse-type URL along the bottom of the ad. Unfortunately, Citi did not follow the usual convention for printed landing-page URLs, creating potential problems for applicants.
Typically, offline advertisements use a special filename after the normal domain name, such as <www.yourbank.com/special>. This allows users to go directly to the landing page explaining the special offer (see landing page below).
Instead, Citibank used the unique server name "miles5" as in: <www.miles5.citicards.com>. There are several problems with this approach. First, it’s long and not easily recalled. But the biggest problem is its non-standard format. Internet users do not expect to see an extra period in the middle of a bank's URL. So many users, myself included, may read this as a unique domain name, <miles5citicards.com>.
Normally, that would be okay. But in this case Citibank neglected to register that domain name. An identity thief could easily have registered that domain, and then taken “applications” for days or weeks before anyone caught on, possibly leaving hundreds of applicants vulnerable to identity theft after entering their personal info, including social security number, in the application.
By mid-day on Monday, almost two days after the ad first appeared in print, the domain was still unregistered. We went ahead and registered it to prove the point, and keep it safe.
Implications
The moral of this story: If you live in a glass house, make sure any transparencies are covered. Register your domain name. Citibank, which has spent millions on its anti-identity theft campaign, left itself and its customers vulnerable for the price of an $8.95 domain name. Make sure you register the domain name of any cute URLs you put out there for marketing campaigns. While you are at it, spend $60 and lock it up for 10 years.
Memo to Citibank’s legal team: We have no commerical interest in the domain and will happily transfer it to your ownership. All we ask is reimbursement of our 9 bucks.
—JB
Today, the Federal Financial Institutions Examination Council (FFIEC) issued a 7-page list of questions and answers about its October 12, 2005, bestseller, Authentication in an Internet Banking Environment. 
The main thing you need to know about the new document is what it does NOT say, that the year-end deadline has been extended (see Timing, Q1, p. 4, reprinted below). However, the answer does appear to provide a bit of wiggle room, saying that banks must "implement risk mitigation activities by year-end 2006." I'm sure many creative interpretations of the precise meaning of that phrase will surface. 
