As a strictly paperless bill payer, I regularly access Citibank's Web site. This morning, after the usual sign-in to the Web site, a very disturbing page followed the login screen, instead of the usual "Summary of Accounts" screen. The page was an online form asking for all kinds of personal information including social security, bank card number and my card's PIN number. The domain information of the loaded page matched the usual domain information that Citibank uses, and the page looked like an actual Citibank Web page, down to the lock item found on most safe Web sites with VeriSign security.
The clue for me that this page was suspect was not only the prompting for my PIN number, but a couple of text typos were present as well.
Now, the problem for me isn't so much that this threat occurred. It was obvious that some malware was downloaded onto my laptop that allowed this redirection to happen. A scan of my hard drives using a few of the leading desktop security suites confirmed that. While I wasn't able to pinpoint the exact bit of code that caused this threat, the consensus between the desktop security programs was that my machine had twelve suspect cookies and an adware bot. Once these were all quarantined, Citibank's site loaded as usual without the obnoxious online form.
The problem I have is Citibank's response to this matter. One would think that an exploit such as this, able to be detected by the major consumer desktop security products, would be a known issue by Citibank.
I called their online technical help line. A very polite yet puzzled operator spent an hour verifying if I had a new account, or bank card. I assured the person I did not, and more so, even if I did, why would I be prompted to key in my card's PIN number? This person also placed me on hold for an additional 20 minutes to research the issue I was having. The end result of that research? I would have to hold for second-level support.
I hung the phone up at that point.
Why wouldn't Citibank give their first-tier Help Desk support instructions in determining if one of the oh-so-abundant phishing and security attacks associated with their company name and branding may be affecting a customer? The antivirus software was able to detect this threat and stop it, so this isn't an unknown exploit. In fact, even Citibank's own security FAQs for customers make no mention of this type of threat where a customer may be redirected. They focus on phishing attempts and spoofed sites as a result of phishing. Yet, I had logged onto Citibank's legitimate site and ended up on a page which still looked as if it were a legitimate Citibank URL.
If financial institutions are not going to be vigilant and educate their technical support staff about the most current threats, particularly at the first level -- which is the customer's initial point for advice -- then it is up to us as customers to maintain extreme vigilance.