Once, one of their affiliate's employees offered me a Credit Card for free and said "it had no strings attached" and I don't need to do anything to keep it alive. Though it sounded too good to be true, I bit the bullet and signed up, right on the spot, at their affiliate clothing store. Before I was about to submit my documents, it was then I happened to meet a friend by chance and he told me that I would need to purchase a minimum X amount each year mandatorily through the "free" card, failing which I would be levied drastic charges.
Shocked, I asked the affiliate's employee if it was true and he confirmed the same. I politely declined, got my papers from him, and scored the entire application paper off diagonally so that no sane company would accept it as a valid application.
However, the very next day, I get a call from one of Citibank's employees asking me to submit a photograph so that he could forward the application. I was shocked and I asked him how it was even possible to submit a scored out application. Even though I scored off the application, I hadn't scored off my other copies of proof (Driving license, etc). So the rep had cleverly filled out a fresh form just like I would have and even signed where I should have (!) and forwarded the application to the card processing department. I know this because the rep who called told me that the only thing he needed was a passport size photograph and everything else was pucca.
Shocked, I told him that I don't need the card and asked him to stop bugging me. I got routine calls from the same rep for about 3 days and also continuous text messages asking me to submit just the photograph. Heck, he would have even come to my house (the address was on the proof I submitted), he was THAT desperate.
It was then I decided that I would never ever deal with a shady company like Citibank, ever again.
So, I'm not surprised that they are actually so intrusive to even have you unsubscribe from their site. This bank is full of shit.
From: http://www.business.ftc.gov/documents/bus61-can-spam-act-com...
"You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request"
(My company provides email delivery software and consulting.)
[edit for typo]
Passwords must:
- be 5 to 8 characters in length
- not contain spaces or special characters (e.g. #, &, @)
Poor customers if TD ever gets their password database stolen.
Then again, that seems mild now that I've found out they don't keep auditing logs of the changes their employees make to customers' accounts.
There are also lots of cases of online banking being compromised by really basic attacks (such as a CSRF attack that could be used to transfer money to an account of the attacker's choosing).
Banks aren't actually that secure. They merely spend a lot of time engaging in very expensive hand-wavey security theatre to convince us that they are secure - not to mention using expensive lawyers and unfair libel law (I am in the UK) to shut up security researchers that find problems. The reason that they are so frequently observed acting contrary to best security practices is because they are not actually particularly good at security.
I imagine that passwords are kept in the same database as transactions so I'm not sure the passwords would be the primary concern in the case of a break in.
There's no reason to keep the bad decisions from decades ago as a part of a modern system, even if it relies on the legacy system.
P.S. I am not a Citibank fan or something. Just trying to deal with this sanely.
- Some big vendors (Dell, HP?) don't seem to use unified opt-out lists or they use agencies that don't share unsubscribes
- Unsub pages with complicated unsub process (double-negative questions, button size tricks e.g. 'submit' is small and 'continue' is large)
- Unsub pages requiring input of your email address on a form without the email address pre-populated (so you have to go back and look up which address received the email)
- 2 stage unsub process, so you think you've submitted but it's really a page saying 'are you sure?' in small text with small submit
A single-click / no interaction unsubscribe is the exception now.
They have a small button you can click to Unsubscribe beneath every marketing email. And they pop up a message saying "We'll ask them to stop. In the meantime we'll automatically move everything from this sender/company to junk."
Works really well and it's 1 click.
1) "Screw your choices" spam - despite figuring out the Mensa-challenge-esque puzzle of which checkboxes to check or uncheck, when signing up for a new account the company opts you in to marketing emails anyway.
2) "Blast from the past" - a I used to use years ago has decided to add every single email address they've ever seen to their mailing list, and I'm suddenly seeing emails from them. To me this looks a lot like the desperate throes of a dying company - I believe Yahoo pulled this at some point this year. Amusing variation: My sole contact with one company was a complaint email, which they did not reply to. Two years later they started sending me marketing emails. No, thank you.
When it comes to unsubscribing there's another trick I've seen on the rise, other than the ones you already listed: An unsubscribe process that takes weeks. The page says something like "You will be unsubscribed within 28 days" and you keep getting spam in the meantime. I believe at least some of Yahoo's services do this, too? There are two main variations for this one: companies that do actually remove you after 28 days, and companies that don't (I assume it's just a distraction tactic and they hope you'll forget).
Or the ones that require you to sign in to update your spam preferences.
Ugh.
The problem is that there is a massive trust deficit. The public too is keen to cheat whenever a loophole exists due to simplified procedures. That invites even harsher regulation and the cycle of submitting 10 documents where 1 would suffice continues. There are endless certificates and NOCs (no-objection certificates) required to operate in India: Aadhar citizen number, PAN number, TAN number, Service Tax number, Excise registration, LBT registration, Domicile, 7/12 extracts, 20 year old vouchers for LPG gas cylinders, nationality...and so it goes. Also, there is very little belief about who you are and where you live. So for everything an address proof is required apart from an ID.
Any wonder that there are no ground-level start-up stories from India. All that we can do is morph into HSFC (Human Services for Cheap) model to serve the rich western countries who want to off-load their guilt of wanting modern 'e-slaves' in the post-industrial world but not being able to fund their liabilities.
function fun() {
    var new_dte = new Date(2005, 1, 1);
    setCookie("Gabbar", "#!#0", new_dte);
    setCookie("hitsscore", hitsscore + "~", new_dte);
}

If you're sending bulk email, you're not going to be getting delivery unless you process these messages from the large web mail providers.
I am actually surprised that they aren't required by law to have either a 1 click unsubscribe or at the very worst, require you to enter your email address into the form and click a button. This is the way that the US CAN-SPAM Act and the Australian Spam Act work.
EDIT: The only problem I can think of is that it may encourage users to be loose with their info, and therefore be more susceptible to phishing attacks.
I'm sure some customers would consider themselves sophisticated enough to "know" this is a "real" Citi page, but if they were actually sophisticated they wouldn't touch this with a ten-foot pole.