
My Bank's Security Warning

Talent312

TUG Review Crew: Veteran
TUG Member
Joined
Jul 4, 2007
Messages
17,854
Reaction score
7,713
Resorts Owned
HGVC & GTS
About 3AM on Friday, we were awakened by an automated call from our credit union.
-- I had no doubt it was from the credit union and not a potential scam. --
Someone (not us) tried to use the "forgotten password" feature to access our account online.

I tried to call, but no one answered. Instead, a recording told me to call back during normal business hours. Later that day (after being on hold for 20 minutes), the CSR confirmed the alert and advised us to change our log-in ID. But... we had to come into a branch to do it.

IOW, someone could try to emulate me online, but I can't do anything about it until I come in? "Well, we can close your account," the CSR said. "This is quite common. We deal with it all the time."

My thoughts:
1. If they're sending out security calls 24/7, shouldn't they staff the phone 24/7?
2. Yes, our log-in ID was too simple (even simpler than our TUG ID). Way too easy to guess.
So we changed it to...


geekette

Guest
Joined
Jun 6, 2005
Messages
10,777
Reaction score
5,531
Yeah, what are you actually able to do about it at 3 am? It would certainly be nice to put a lock on things in the middle of the night. A crook doesn't need the debit-side ID to do massive damage using it as a credit card.
 

Panina

TUG Review Crew: Elite
TUG Member
Joined
Jul 13, 2015
Messages
6,928
Reaction score
10,281
Location
Florida
Resorts Owned
Hgvc Anderson, Blue Ride Village Resort
About 3AM on Friday, we were awakened by an automated call from our credit union.

Someone (not us) tried to use the "forgotten password" feature to access our account online. I tried to call the phone # specified in the message, but no one answered. Instead, a recording told me to call back during normal business hours.

Later that day, after being put on hold for 20 minutes, I was advised to change our log-in ID. But... I had to come into a branch to do it. IOW, someone could try to emulate me online, but I can't do anything about it until I pay them a visit? "Well, we could close your account."

My thoughts:
1. If they're making security calls 24/7, they should have someone staff the phone 24/7.
2. They should allow someone to freeze their account w/o closing it (like major CC's do).
3. Our log-in ID was too simple (simpler than our TUG ID), making it too easy to guess.
When you finally got someone, which number did you call? Did you use the number in the message again? Did you give out any personal information? Did you verify that is the credit union's phone number? If not, in the morning call the credit union using either the phone number on your statement or looking it up.

This all could be legit, and if it is, this credit union's procedures are not up to the times.
 

Talent312

TUG Review Crew: Veteran
TUG Member
Joined
Jul 4, 2007
Messages
17,854
Reaction score
7,713
Resorts Owned
HGVC & GTS
When you finally got someone, which number did you call? Did you use the number in the message again? Did you give out any personal information? Did you verify that is the credit union's phone number?

You are so right to think that an "alert" (even on a cell phone) could easily be a scam.
The phone # was the one I had stored in my cell phone as their contact number.

But the first thing I did was go online to verify that: (1) I still could, (2) $$ was still there, and (3) there was in fact a security alert. Those things were true.

When I finally got through to a CSR, she asked for my name and DOB, and then said she couldn't talk to me 'cuz, even though it was a joint account, the SSN which they had (not offered) was not mine. It was my wife's, so I put her on the phone and she went to the branch with me.
-------------------
This credit union's procedures are not up to the times.
When I got a mortgage from them, the lawyer who closed the transaction described their procedures as "antediluvian."
 

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
23,139
Reaction score
9,297
Location
East Coast
Be careful. Trace the telephone number. Do not use a cellphone when calling back.
Called during regular business hours. Called the telephone number on your account. That is listed on your computer. You can find a security telephone number on your account. Your spouse have the security breach. Sign into your desktop computer using Edge. While you are talking to the Security person, you should be asked to create and enter a brand new password. Have one ready for the security officer. Your wife and you will need to change your passwords on the accounts with new security questions and answers.

You will not be asked any other personal information or about your social security information.

Be careful and monitor your accounts.
 

Talent312

TUG Review Crew: Veteran
TUG Member
Joined
Jul 4, 2007
Messages
17,854
Reaction score
7,713
Resorts Owned
HGVC & GTS
Be careful. Trace the telephone number. Do not use a cellphone when calling back.

Thanks for the caution.
Anyone who gets an "alert" should be cautious and not respond blindly to just any phone #.

As I said... The alert came from (and the number I called) was the number that I previously stored for the credit union, and one which I had previously used. Also, they always put a copy of such alerts (like a misspelled password) online in a secure message section, so I went online and verified it was there. Thus, I had no doubt I was dealing with the credit union.

I suggested to the CSR that: (1) they should staff their phone 24/7 to deal with these issues in real time, and (2) give customers the option of freezing accounts (like major CC issuers do). In a message tonight, I asked if they were going to try to trace the source of the attempted hack, or if they could give me the IP address from which it came. No response yet on that.


pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
23,139
Reaction score
9,297
Location
East Coast
Talent312, we had this same security alert with a major mutual fund company some years ago, and those were some of the steps we had to do and follow. Now they have a security code step before we can sign into our account. To everyone, just be careful online.
 

bogey21

TUG Member
Joined
Jun 8, 2005
Messages
9,455
Reaction score
4,665
Location
Fort Worth, Texas
But the first thing I did was go online to verify that: (1) I still could, (2) $$ was still there, and (3) there was in fact a security alert. Those things were true.

I'm surprised you couldn't do something online like change your login ID and/or PW or freeze your account...

George
 

AnnaS

TUG Member
Joined
Apr 26, 2008
Messages
2,240
Reaction score
1,296
Location
NY
In the past we have received phone calls with alerts on our credit card. I always call the number in the back of my credit card and not any number anyone leaves on an answering machine.

They are very quick to want to close the account and we have had to do that at least two times when our card was compromised.

My husband is the primary on our credit card/s. When I call, they need to speak to him first. I feel it's kind of silly since they really have no clue who I am putting on the phone. I end up speaking to them with all the information anyway. He does not deal with any of it/finances, etc. I know there are all sort of scammers out there. Better safe than sorry and they must follow rules.

There were many times when I had to call the bank or Social Security for mom - she did not speak English. I used to tell them she did not speak English but understood a few words. Sometimes they would put someone who spoke Italian on the phone - but she did not always understand them. They spoke the "proper" Italian and fast. After handing me the phone so I could communicate with them, I would ask them, "how do you know I am not putting a gun to her head"?

All these measures are to protect us and them. Unfortunately too many scammers out there.
 

Talent312

TUG Review Crew: Veteran
TUG Member
Joined
Jul 4, 2007
Messages
17,854
Reaction score
7,713
Resorts Owned
HGVC & GTS
Some financial institutions take security seriously by using Captcha and emailed codes.
Even HGVC's log-in is security conscious... like my evil twin would make bogus bookings.
But it would be easier to break into my bank account.

The credit union responded to my investigation query with a canned non-response.
I may take my business elsewhere. I will first ask about their security measures.
 

VacationForever

TUG Review Crew
TUG Member
Joined
Dec 5, 2010
Messages
17,134
Reaction score
12,339
Location
Somewhere Out There
I like how our money manager folks require a recorded line to do any sort of transfers. We see them regularly so we know each other very well. For instance, with RMD distributions or any sort of money transfers out of the investment accounts, we send them instructions in an email on how we want the distribution, tax withholdings if applicable and which account in which to deposit the funds. After everything is confirmed, we then have a scheduled phone call with a client advisor whom we know on a recorded line to confirm all the instructions. One of the fears that everyone should have is to have unauthorized savings withdrawn fraudulently. This additional phone call step protects both the investment house and us.
 

louisianab

TUG Review Crew
TUG Member
Joined
Jun 12, 2014
Messages
399
Reaction score
318
Location
Michigan
Resorts Owned
SVV and Vacation Village at Williamsburg.
I have two credit unions and 1 bank. One of the credit unions has a code word, 2 step authentication and is great. The other does not. Once we pay off our mortgage thru the second, I probably will close everything I have with them. My bank also does 2 step. My IT DH suggests that for anything financial, along with completely different passwords (long nonsensical ones) and usernames.
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
50,983
Reaction score
22,481
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
I would also suggest changing email passwords for the accounts that are tied to that bank/credit union. They may have access to that email account and thus used the password reset hoping that an email would come in to the account that they could use to then gain access to your financial account. Also check to make sure they haven't also turned on some type of forwarding for your email account.

I had this issue with my Yahoo email account. Yahoo has been hacked more times than one can count. If you are using a web based email (like Yahoo, Google, and many others), they can access your email even if you use something like Outlook or Apple Mail app. They used a compromised email and password to access my email and drained a MyPoints account. The redemption emails for Amazon gift cards went to that email account that they had access to. A couple months later I started receiving FAILURE DAEMON emails and learned that they had turned on email forwarding in that account. So every email I was receiving was being forwarded to another email address. For several months! So perhaps if I had decided at one time to do a password reset, chances are that they got that email forwarded to them. To date, I haven't had any loss other than the $50+ in MyPoints that were stolen but it is something you need to check.

Just changing the password on the email doesn't prevent the emails from being forwarded.
 