
"Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?"

I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage.

I have seen this and can give you a few concrete examples:

- Log onto unionbank.com. Mortgage payment is done through "my mortgage portal" which jumps you to unionbank.customercarenet.com.

- Log onto tiaabank.com. You are quickly redirected through the first third party domain which goes by too fast to copy/paste then you are redirected to cibng.ibanking-services.com, where you do your TIAA banking online (!)

USBank bounces you around weirdo domains as well. FWIW, I have never seen Wells Fargo do this.

This is a phishing nightmare and it is right at the crux of high-consequence interactions (your mortgage, your banking) and barely technically literate users.

It is unbelievable that they do this.



> I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage

Actually I think it's slightly different (in my specific example). It looks and feels just like you describe, but I get the impression that it's all the same bank. For some reason the application operates on multiple domains.

My old credit union was the same way. I'd log into `someCU.com` and be forwarded to `secure.CUentry.com` or w/e (I forget the specifics). Both domains were the same CU entity, I imagine, but the pattern we should be telling the "average person" to look for is to always find `foo.com` in the address. If you're not connected to `foo.com` then it's evil. However when sites forward you to likely safe but alternate domains entirely we erode this trust in fixed domain names.

Next time a user clicks on an email to `scamCU.com` and doesn't think anything of it, since `someCU.com` already has multiple domain names.

But yea, you hit the nail on the head with the root problem. It's gross.
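The "look for `foo.com` in the address" rule from the comment above, worked through as an added example (not code from any commenter): the naive substring check beside a registrable-domain check, run over the hostnames quoted in the thread plus one constructed look-alike. The vendor allowlist and the simple two-label domain rule are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample addresses. The first two hostnames are the ones quoted in
# the thread; the third is a constructed look-alike of the kind a phishing
# mail might carry. None of this is a real bank's configuration.
BANK = "unionbank.com"
SAMPLES = [
    "https://www.unionbank.com/accounts",
    "https://unionbank.customercarenet.com/mortgage/pay",   # bank's real third party
    "https://unionbank.com.secure-login.example/verify",    # constructed look-alike
]


def substring_check(url: str, bank_domain: str) -> bool:
    """The advice as users tend to apply it: 'is foo.com somewhere in the address?'"""
    return bank_domain in url.lower()


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host. Assumption: a two-label rule is enough for
    .com hosts; production code should use the Public Suffix List so that
    multi-part suffixes such as .co.uk are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_check(url: str, allowed: frozenset[str]) -> bool:
    """The stricter rule: the registrable domain of the host must be one the
    bank is known to use. A brand name in a subdomain label does not count."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in allowed


def classify(url: str, bank_domain: str, allowed: frozenset[str]) -> tuple[bool, bool]:
    """Return (substring verdict, registrable-domain verdict) for one URL."""
    return substring_check(url, bank_domain), domain_check(url, allowed)


if __name__ == "__main__":
    only_bank = frozenset({BANK})
    # The mitigation side: the bank publishes the vendor domains it hands users to.
    with_vendor = frozenset({BANK, "customercarenet.com"})
    for url in SAMPLES:
        sub, strict = classify(url, BANK, only_bank)
        print(f"{url}\n  substring={sub} strict={strict} "
              f"strict_with_vendor_list={domain_check(url, with_vendor)}")
```

The legitimate vendor hop fails both checks unless the bank tells users which vendor domains are theirs, while the look-alike passes the substring check and fails only the registrable-domain one.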


I think I have it. I just haven’t encountered that with my banks. There may be some requests that cross domains, but none of them drop me on a payment page that looks suspect.



