One of the reasons users behave insecurely is that we send them conflicting messages. We tell them not to click on links in e-mails, but we send them links anyway. We tell them not to download and install software from untrusted sources, but we ask them to install the latest security app to stay safe. And we tell them to make sure the URL in the browser looks legitimate.
Why, then, does Citibank redirect to www.accountonline.com when launching the virtual credit card app from within the www.citibank.com website? Why are they training the user to think this is OK, while at the same time warning them not to fall victim to online scams?
This is just one real-world example of a mistake in security. It's a bug. It's a vulnerability. Call it whatever you will, but it contributes to a culture of confusion for end users, users who are not trained security professionals and just want to use information services safely. Once a bank has taught its customers that a legitimate session can hop to an unfamiliar domain, the advice to "check the URL" loses its force: an unfamiliar domain no longer looks out of place.
We need to send clear and simple messages for security to work well. In this case, the message for Citibank is to keep the user at the www.citibank.com domain throughout the session. Plain and simple security.
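The rule "keep the user on one domain throughout the session" is something a site owner can audit rather than hope for. The following is an added example, not code from the original post and not Citibank's, that walks a captured redirect chain (a start URL plus the sequence of Location header values a browser would follow) and reports every hop that leaves the expected domain. The URLs in the sample chain are constructed for illustration; the allowance for subdomains of the expected domain, and the rule that a downgrade to plain http also counts as leaving the trusted origin, are assumptions of this example, not statements about Citibank's flow.

```python
"""Audit a redirect chain for hops that leave the expected domain.

Hypothetical helper written for this post; the sample chain below is
constructed, not captured from any real site.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page the user starts on, then the Location
# header value returned by each hop in turn (relative values allowed,
# exactly as a browser would resolve them).
START_URL = "https://www.citibank.com/credit-cards/"
SAMPLE_LOCATIONS = [
    "/virtual-card/start",                            # relative redirect, same host
    "https://www.citibank.com/virtual-card/launch",   # absolute, same host
    "https://www.accountonline.com/virtual-card/",    # leaves the expected domain
]


def is_on_domain(url: str, domain: str) -> bool:
    """True if url is an https URL whose host is `domain` or a subdomain of it.

    Uses urlsplit().hostname rather than string matching so that tricks such
    as https://www.citibank.com@evil.example/ (userinfo before the real host)
    or a look-alike registrable name like notcitibank.com are not accepted.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":          # assumption: an http hop is a failure too
        return False
    host = (parts.hostname or "").lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_redirect_chain(start_url: str, locations: list[str], domain: str):
    """Resolve each Location value against the previous URL, as a browser does.

    Returns (visited, off_domain): every URL in the chain in order, and the
    subset of those URLs that are outside `domain`.
    """
    visited = [start_url]
    off_domain = []
    if not is_on_domain(start_url, domain):
        off_domain.append(start_url)
    current = start_url
    for location in locations:
        current = urljoin(current, location)   # relative or absolute Location
        visited.append(current)
        if not is_on_domain(current, domain):
            off_domain.append(current)
    return visited, off_domain


def main() -> None:
    visited, off_domain = audit_redirect_chain(START_URL, SAMPLE_LOCATIONS, "citibank.com")
    for url in visited:
        marker = "OK " if url not in off_domain else "OFF"
        print(f"{marker} {url}")
    if off_domain:
        print(f"{len(off_domain)} hop(s) leave citibank.com; the user is being trained to accept them.")
    else:
        print("Session stays on citibank.com throughout.")


if __name__ == "__main__":
    main()
```

The point of `is_on_domain` is that the check a user is asked to perform in their head ("does this look like the bank?") is exactly the check that is easy to get wrong, which is why the site should not require it mid-session in the first place. Running the audit against a recorded chain from a real flow, or wiring it into a browser-automation test of the login-to-app path, turns the "one domain" message into something the site owner verifies rather than asserts.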