Alliant Credit Union security?

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
Post Reply
Topic Author
aspiringboglehead
Posts: 104
Joined: Sat Sep 03, 2011 9:28 pm

Alliant Credit Union security?

Post by aspiringboglehead »

My Alliant Credit Union account was apparently hacked today, even though I use two-factor authentication with them, had a strong unique password, and never entered the password except on secure devices. I received an SMS message with a two-factor-authentication code despite not having logged in; when I logged in to check what had happened, the site showed a successful login from an Amazon AWS IP address unconnected to me, and telephone support confirmed that that login was successful and was able to access my account.

No transactions were initiated, and I changed my account number and username. I'm just curious if anyone has had any similar experience with Alliant recently. I'm quite savvy with computer security and have never had an online account hacked before. I've been an Alliant customer for ten years and am concerned that they couldn't explain how the login was permitted even though I use two-factor authentication; it suggests a wider problem.
User avatar
CAsage
Posts: 1929
Joined: Sun Mar 27, 2016 6:25 pm

Re: Alliant Credit Union security?

Post by CAsage »

aspiringboglehead wrote: Sat Nov 30, 2019 2:08 am I changed my account number and username.
Did you mean you changed your account username and password - how can you choose (and I'm asking, not quibbling) to change your account number? Would that not mess up every link to every other account or credit payment you have? Yikes! Bad news if someone did hack that, it's what we all fear.
Salvia Clevelandii "Winifred Gilman" my favorite. YMMV; not a professional advisor.
Topic Author
aspiringboglehead
Posts: 104
Joined: Sat Sep 03, 2011 9:28 pm

Re: Alliant Credit Union security?

Post by aspiringboglehead »

CAsage wrote: Sat Nov 30, 2019 2:12 am Did you mean you changed your account username and password - how can you choose (and I'm asking, not quibbling) to change your account number? Would that not mess up every link to every other account or credit payment you have? Yikes! Bad news if someone did hack that, it's what we all fear.
Yes, at their suggestion I will begin using new checks and update all direct deposits, routine ACH withdrawals, etc. That's a minor inconvenience; it's not unmanageable.

I did tell them "everyone who's ever gotten a check from me has my account number," and their reply was that people I give checks to are probably more reputable than the person who hacked my account. (I'm not sure if that's true, but it seems likely.)
User avatar
CAsage
Posts: 1929
Joined: Sun Mar 27, 2016 6:25 pm

Re: Alliant Credit Union security?

Post by CAsage »

So ... good thing no funds were taken or transactions initiated. So .... what did they get exactly? Scary that someone hacked in, but I'd still be worried about what and why. Honestly, this whole two-factor thing was supposed to make it safe, but now ... if someone steal your cell phone they can confirm everything from there! Scary world.
Salvia Clevelandii "Winifred Gilman" my favorite. YMMV; not a professional advisor.
Lastrun
Posts: 342
Joined: Wed May 03, 2017 6:46 pm

Re: Alliant Credit Union security?

Post by Lastrun »

Have you ever given your credentials to an aggregation site? The reason is I had a similar issue with Capital One just last week but my account there has been closed for about a year. Only thing I could think of is was at one time that account was linked to Personal Capital that I also do not use anymore,
Topic Author
aspiringboglehead
Posts: 104
Joined: Sat Sep 03, 2011 9:28 pm

Re: Alliant Credit Union security?

Post by aspiringboglehead »

Lastrun wrote: Sat Nov 30, 2019 5:19 am Have you ever given your credentials to an aggregation site? The reason is I had a similar issue with Capital One just last week but my account there has been closed for about a year. Only thing I could think of is was at one time that account was linked to Personal Capital that I also do not use anymore,
No! I avoid those like the plague. :)
User avatar
CalculatedRisk
Posts: 223
Joined: Tue Sep 11, 2018 8:04 pm

Re: Alliant Credit Union security?

Post by CalculatedRisk »

aspiringboglehead wrote: Sat Nov 30, 2019 2:08 amit suggests a wider problem.
The wider problem may be that you were phished. If you log in using a fake website, the perpetrators can intercept both your login/password and a session cookie that allows them to avoid requiring 2FA.

Did the 2FA text you got include a link? Did you follow that link or type in the website by yourself?
arf30
Posts: 749
Joined: Sat Dec 28, 2013 11:55 am

Re: Alliant Credit Union security?

Post by arf30 »

I've noticed some sites have fake 2FA - TD Bank for example requires a code when logging in through desktop, but not through the mobile website. It's possible Alliant has a similar loophole and all they needed was your username and password.
Topic Author
aspiringboglehead
Posts: 104
Joined: Sat Sep 03, 2011 9:28 pm

Re: Alliant Credit Union security?

Post by aspiringboglehead »

CalculatedRisk wrote: Sat Nov 30, 2019 1:22 pm The wider problem may be that you were phished. If you log in using a fake website, the perpetrators can intercept both your login/password and a session cookie that allows them to avoid requiring 2FA.

Did the 2FA text you got include a link? Did you follow that link or type in the website by yourself?
The 2FA from Alliant is just a numeric code.

I'm quite confident I wasn't phished.
Post Reply