Credit Union vs. Credit Karma vs. Account Security: FAIL

You know how you’re supposed to not click on email links these days, even when they’re from “trustworthy” sources, because you might be a spear-phishing target? Well, here’s a true story about how our Credit Union handles the situation.

The backstory: I recently signed up for a service that provides an estimate of my credit score, which it does by asking the usual Big Three credit reporting agencies for my records on, presumably, a monthly basis. I’m not happy with that arrangement, but I wanted to see how well it worked and figured I’d cancel after a month or two. Based on these exchanges with their support staff, it’s time to cancel…

After I received the expected email from them, I discovered that the only way to reach the service was through an embedded link. I try to avoid doing that sort of thing, so I went directly to (what I assumed was) their website and tried to log in. That didn’t work, so I fired off a support message…

From me to CreditKarma:

Having signed up for your service through the Hudson Valley Federal Credit Union, it seems that I cannot sign on directly to your site using the email address and password I provided during the HVFCU signup.

That means the only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

Is that correct?

If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

Thanks…

Their reply, which neatly avoids answering the questions:

Sorry for the confusion. Your HVFCU Credit Karma account is different from any account you may have created with http://www.CreditKarma.com. To log into your HVFCU Credit Karma account, you’ll first need to log into your online banking account and then log in through there.

But that’s not how it works:

OK, so I must go through the HVFCU website to reach you. That process seems to require cookies set by the redirection included in the email link, because simply signing on to the HVFCU website and clicking the appropriate link does not redirect to your website unless I have already followed the email link.

So, allow me to ask the key questions again:

The only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

Is that correct?

If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

Please answer those questions, as I need to know how this works.

Thanks…

There’s been no answer after a week, so I think I’ve reached the end of their tech support.

Then I posed much the same question to the Credit Union:

Having recently signed up for the CreditKarma score monitoring service, I’m flabbergasted by the total lack of security awareness.

The only way to access the CreditKarma report is through the link in the monthly email. Clicking that link requires signing in to my HVFCU account, then to the CreditKarma account.

Without clicking on that link, selecting the “Credit Score” menu item in the HVFCU site does nothing.

Without clicking on that link, the CreditKarma.com website does not recognize my email address.

How, exactly, can I distinguish that monthly email from a well-crafted spear phishing attack that will collect the userid and password for both of my accounts?

Is there an alternate procedure for accessing my CreditKarma account that does not require depending on a lengthy link contained in an email message?

Thanks…

Their reply seems slightly more informative, but note that they ignore the “must click the link” evidence I report and also avoid answering the hard questions:

I regret to hear of the difficulties you are experiencing with Credit Karma. If you would like to access the site directly, you should type: https://hvfcu.creditkarma.com.  The https: indicates that the connection will be secured.  “creditkarma.com” lets you know that you are connecting to Credit Karma’s web site.  hvfcu. is the subdomain created by Credit Karma for HVFCU members. Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.  If you chose this option, ensure that all pop up blocker settings are adjusted since you will be required to access a separate web page. Clicking on the link in the monthly emails will direct you to the same place.  We understand that you may not be comfortable clicking on a link or may be using a system or mobile device that doesn’t allow you to view the link, which would make it difficult to determine if a message was legitimate or fraudulent.  In these cases, we recommend that you set a shortcut or favorite for https://hvfcu.creditkarma.com or else sign in to Internet Banking first, then click on the “My Credit Score” link.

So I tried again:

> Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

Indeed, it doesn’t. When I asked them about that, their reply was, shall we say, unhelpful; they really want me to click on the link and didn’t even mention the HVFCU subdomain. I did tell them that I had an HVFCU account, so they weren’t completely ignorant of the situation.

They have not responded to my question about determining whether an email allegedly from them is a phishing attack, either.

> Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.

As I reported, that doesn’t work unless you’ve previously clicked on the email link to set whatever tracking cookies they use. I’ve tried it immediately after clearing cookies and cache: it doesn’t work. Clicking on the link to bounce off their website sets everything up properly and then the HVFCU menu item works.

Try that and see how it works for you. I’d like to know whether it’s a peculiarity of Firefox and Chrome.

> We understand that you may not be comfortable clicking on a link

As the HVFCU page on phishing says: “Links within the email take you to a fake website that usually looks authentic because it uses graphics from the institution’s real website.” So, basically, I must regard all clickable links in all emails as suspect.

Given that the URL is total gibberish, with both the HVFCU and Credit Karma URLs buried within tracking numbers, there’s no possibility of manually extracting and typing the address.

So, as I asked originally, please tell me exactly how I can tell that an email purporting to be from Credit Karma isn’t a very well-done phishing attack?

We both know there’s no way to do so, so why do you and Credit Karma rely on email links for such a vital function? You’re training your customers to click on emailed links, which is a terrible security practice for a bank.

Have you documented the direct sign-on process anywhere your customers can find it? I couldn’t, but maybe I’m not looking in the right place. Why not put those instructions in each email, rather than using clickable links?

Thanks…

Another week has passed, so I suspect they’re not going to answer those questions, either.

Am I the only person who thinks it’s bad practice for a bank to require you to click on emailed links?
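The question the whole exchange circles around is how to tell where an emailed link really points, given that the brand name can appear anywhere in a long tracking URL. The check below is an added example, not code from the post or from HVFCU or Credit Karma: it parses each link and accepts only an exact, https host from an allow-list (here just the hvfcu.creditkarma.com address the credit union named; the allow-list and every sample link are constructed for the example). It also flags the two things that make such links deceptive: the brand name sitting in the path, query or a lookalike domain rather than in the host, and a real-looking URL buried inside a redirector’s query string, which is the “bounce off their website” pattern described above.

```python
"""Added example (not from the post, HVFCU or Credit Karma): decide where an emailed
link actually points before following it. Assumption: the only legitimate host is
hvfcu.creditkarma.com, as named in the credit union's reply; all sample links are
constructed for illustration."""
from urllib.parse import urlparse, parse_qs

TRUSTED_HOSTS = {"hvfcu.creditkarma.com"}   # assumption: the one host the reply named
BRAND = "creditkarma"                        # the name a deceptive link would reuse


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'click.example.net' -> 'example.net'.
    Assumption: no multi-label public suffix (co.uk and the like) is involved."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href: str) -> dict:
    """Return a verdict for one href plus the facts the verdict rests on.

    Verdicts:
      trusted        - https and the host is exactly an allow-listed host
      not-https      - right host, but plain http (credentials would travel in the clear)
      untrusted-host - host is not allow-listed; see 'brand_hint' and 'embedded_urls'
    """
    p = urlparse(href)
    host = p.hostname or ""          # hostname only: scheme, port and userinfo are excluded
    elsewhere = (p.path + "?" + p.query).lower()
    result = {
        "href": href,
        "host": host,
        "domain": registrable_domain(host) if host else "",
        # brand name present outside a trusted host: in the path/query or a lookalike domain
        "brand_hint": BRAND in elsewhere or (BRAND in host and host not in TRUSTED_HOSTS),
        # a full URL carried inside the query string is the redirector pattern
        "embedded_urls": [v for vals in parse_qs(p.query).values() for v in vals
                          if v.startswith(("http://", "https://"))],
    }
    if host in TRUSTED_HOSTS and p.scheme == "https":
        result["verdict"] = "trusted"
    elif host in TRUSTED_HOSTS:
        result["verdict"] = "not-https"
    else:
        result["verdict"] = "untrusted-host"
    return result


SAMPLE_LINKS = [  # all constructed for this example
    "https://hvfcu.creditkarma.com",
    "https://hvfcu.creditkarma.com/login?ref=ABC123",
    "http://hvfcu.creditkarma.com/login",
    "https://creditkarma.com.example.net/hvfcu",
    "https://click.example.net/r/8a7f2c?u=https://hvfcu.creditkarma.com/login&id=991",
]


def audit(links=SAMPLE_LINKS) -> list:
    """Classify every link; returns one result dict per link, in order."""
    return [classify_link(h) for h in links]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['verdict']:15} host={r['host'] or '-':32} {r['href']}")
        if r["brand_hint"]:
            print(f"{'':15} note: brand name appears outside the host (domain is {r['domain'] or '-'})")
        for u in r["embedded_urls"]:
            print(f"{'':15} note: real-looking URL is only a query parameter: {u}")
```

The point of the design is that a string search for “creditkarma.com” is exactly the check a deceptive link is built to pass; only the parsed host, compared whole against a list you typed in yourself (or bookmarked, as the credit union suggests), says anything. Running the block prints the five verdicts: the first two links pass, the http one is flagged, and the last two are rejected with a note explaining why they looked plausible.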

  1. #1 by rkward on 2013-01-08 - 08:26

    Certainly not. I generally try to do the exact same thing and not use links within emails as a double verification that I need to “do something”. You have run into the usual tech support wall. They have most likely paid someone else for a package to do all of this for them and have no idea how it works. Bouncing emails back and forth like this will reduce your life expectancy in a hurry. You might consider calling instead but be prepared for similar answers until you happen on the right person. You might also mention you have a technical background and are not actually having difficulty following instructions (poor or not). Someone once described these situations as “jerks and clerks”!

    • #2 by Ed on 2013-01-08 - 09:26

      You might consider calling instead but be prepared for similar answers

      The advantage of email is that I have a written record of all the transactions, which can sometimes come in handy when we get to the he-said-she-said stage. Bonus: neither of us must pretend to understand the other’s accent.

      Mentioning a tech background, though, would definitely wedge me into the category of “somebody who thinks he knows what he’s doing”…

      Grrr!

  2. #3 by Red County Pete on 2013-01-08 - 22:03

    When we moved up here, we had the opportunity to set up online banking and passed on it. Besides dialup cruftage, we were cautious after having had to deal with [National Unidentified Bank] when some miscreant drained my checking account. (Got the money back after asking awkward questions to the branch manager. Saying loudly “Why don’t you want me to contact the police?” makes for a fast response…) For similar reasons, we use a private mailbox for correspondence, so bank and CU statements are all paper. (There were a rash of problems at our small town Postal Disservice substation. Some sketchy people had full access to the boxes. We were lucky, others not so. The private mailbox place has a reputation to maintain and does so.)

    About the only link I click is for package tracking, and these don’t have useable information to a thief. I hope.

    • #4 by Ed on 2013-01-09 - 08:03

      asking awkward questions

      Y’know, maybe we’d all be better off if someone, anyone, had asked the entire banking industry some awkward questions in recent years. I certainly haven’t seen any good answers to many obvious questions.

      I keep hoping that the hole won’t appear in my end of the transaction…

  3. #5 by Frans on 2013-01-15 - 12:41

    Bank e-mails over here often start with a warning never to trust any links from e-mails leading to login pages, if any links at all.

    • #6 by Ed on 2013-01-15 - 16:20

      They couldn’t do that with a straight face for these emails…

  4. #7 by Kuba Ober on 2013-05-23 - 15:22

    “Am I the only person who thinks it’s bad practice for a bank to require you to click on emailed links?”

    Not only are you not the only one, but I think the practice should be an IMMEDIATE RED FLAG to switch your bank, or at least drop the particular service. Perhaps there is another credit union whose IT people are a bit less clueless?

    • #8 by Ed on 2013-05-23 - 15:45

      another credit union whose IT people are a bit less clueless?

      The whole Credit Karma thing looks like a legalized phishing expedition: you give them permission to mine your credit history in exchange for a free credit score and other shiny trinkets. They turn around and sell your info to car dealers / banks / lenders, all of whom can set their prices based on what they know you can pay.

      Who could pass up an offer like that?

      I’m glad to be rid of them…