by dec0dedab0de 4560 days ago
I don't understand the issue; from the bank's perspective those are basically your username. It's not like they need to trick you into giving them a number they issued you.

EDIT: The only problem I can think of is that it may encourage users to be loose with their info, and therefore be more susceptible to phishing attacks.

3 comments

The typical customer got to the linked page by clicking a link in an email. After all, the use case is the customer not wanting the damned marketing spam. A financial institution should not be training its customers to enter account details into pages they got emailed to them.

I'm sure some customers would consider themselves sophisticated enough to "know" this is a "real" Citi page, but if they were actually sophisticated they wouldn't touch this with a ten-foot pole.

Sorry, my edit must have come in while you were typing this.

No worries! My typing speed varies. I'd suggest an additional edit, however. "The only problem" is a big enough problem to vitiate any benefit Citi were attempting to provide here. I suspect this page will disappear as soon as the home office sees it.

It will only disappear if someone actually understands the issue. A post that consists of someone linking to a form probably won't educate them. Every interaction with a bank starts with them asking for this type of info. The real issue is them soliciting it via a link in an email, if that is actually what they are doing.

I'm pretty sure that Citibank International have someone on staff (perhaps a secretary? maybe even a VP...) who would immediately see the problem with this page. It's been some time since I banked online with a "big" bank, but do they routinely ask for one's account number in order to get off spam lists?

What if a customer put in the wrong email address, and the person getting the marketing emails doesn't have any account number with the bank?

That might be interesting indeed, but it does bring up another question. Is this form for other forms of communication as well? Such as postal mail? Is it a way for all customers, including those who do not have an online account, to opt out of marketing communications? If it is, how else could they implement something like this?
As someone who gets hit by reverse identity theft[1] regularly, I'm convinced that requiring anything other than "proof that the email address is actually yours" makes you scum. If your only point of contact with a customer is an email address that isn't actually theirs, they aren't getting your communications anyway. And with that, I'm off to call a hospital I've never been to because they don't even have an unsubscribe link or any email point of contact at all.

[1] http://xkcd.com/1279/
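The comment above argues that an unsubscribe flow should require nothing beyond proof that the email address is the visitor's own. The following is an added example of how that can be built (my own illustration, not code from the thread, from Citi, or from any bank): the link in the marketing mail carries an HMAC-signed token binding the address to an issue time, and the landing page verifies that token instead of asking for account numbers. The signing key, the 30-day validity window, the `example.invalid` host and the sample addresses are all constructed for the example.

```python
"""Added example: an unsubscribe link that proves control of the email address
with an HMAC-signed token, so the landing page needs no account details."""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret for the example; load from a secrets store in practice.
SECRET_KEY = b"example-unsubscribe-signing-key"
TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumption: a link stays valid for 30 days
CLOCK_SKEW_SECONDS = 300             # assumption: tolerate 5 minutes of skew
BASE_URL = "https://example.invalid/unsubscribe"  # placeholder host


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_url(email: str, now: Optional[int] = None) -> str:
    """Build the link that goes into the marketing mail: address + issue time, HMAC-signed."""
    issued = int(time.time() if now is None else now)
    payload = f"{email.strip().lower()}|{issued}".encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    token = b64url_encode(payload) + "." + b64url_encode(sig)
    return f"{BASE_URL}?{urlencode({'t': token})}"


def verify_unsubscribe_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the address the token was issued for, or None if the token is
    malformed, forged, from the future, or older than TOKEN_TTL_SECONDS."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; a tampered payload fails here before it is parsed.
    if not hmac.compare_digest(sig, expected):
        return None
    email, sep, issued_text = payload.decode("utf-8").rpartition("|")
    if not sep or not email or not issued_text.isdigit():
        return None
    issued = int(issued_text)
    if issued > now + CLOCK_SKEW_SECONDS or now - issued > TOKEN_TTL_SECONDS:
        return None
    return email


def handle_unsubscribe_click(url: str, suppression_list: set, now: Optional[int] = None) -> Optional[str]:
    """Server side of the landing page: read the token from the query string,
    verify it, and add the proven address to the suppression list. Nothing
    else is asked of the visitor, so the page never trains users to type
    account data into something they reached from an email."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    email = verify_unsubscribe_token(token, now)
    if email is not None:
        suppression_list.add(email)
    return email


def run_demo(now: int = 1_000_000) -> dict:
    """Exercise the happy path, a forged payload reusing a genuine signature, and an expired link."""
    suppressed: set = set()
    good_url = make_unsubscribe_url("Alice@Example.com", now=now)
    real_token = parse_qs(urlparse(good_url).query)["t"][0]
    real_sig = real_token.split(".", 1)[1]
    forged_payload = b64url_encode(f"mallory@example.com|{now}".encode("utf-8"))
    forged_url = f"{BASE_URL}?{urlencode({'t': forged_payload + '.' + real_sig})}"
    return {
        "valid": handle_unsubscribe_click(good_url, suppressed, now=now + 60),
        "forged": handle_unsubscribe_click(forged_url, suppressed, now=now + 60),
        "expired": handle_unsubscribe_click(good_url, suppressed, now=now + TOKEN_TTL_SECONDS + 1),
        "suppressed": sorted(suppressed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The token only proves that whoever clicked received mail sent to that address, which is exactly the property the comment asks for and nothing more; a wrong address in the bank's records simply means the legitimate holder of that mailbox can opt out without knowing anything about the account.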

Your edit is correct, but "the only problem" implies (at least to me) that it's not important, while it's kind of like saying "the only problem with getting shot in the head is that your brain gets smashed into a zillion pieces".