15

A loan company said they needed my logins to my account and got a couple closed and also logged into my id.me and got it locked. Do they need my username and password? He said that he needed another because they couldn’t verify my identity.

gerrit
  • 3,213
  • 2
  • 24
  • 44
Addyson Cain
  • 159
  • 1
  • 3
  • 1
    At the very least, you don't verify someone's identity with login information. You do it by providing actual government issued ID. Are you saying the loan company tried so many failed logins to your account that the logins are under security lockout? Also, I don't know why you are using "an". It is spelled "and". – DKNguyen Sep 27 '23 at 18:27
  • 12
    No loan company could ever need your account logins… check that with your bank.

    What does 'an has got a couple closed an also logged into my id.me an got it locked…' mean, please?

    Again, they do not need your username or password.

    Again, what does 'an said he needed another cause that couldn’t verify my identity' mean? It seems to suggest the scammer asked you to change your login details and share the new ones but is that what you meant?

     – Robbie Goodwin Sep 27 '23 at 20:32
  • 10
    There are legit lenders, mortgage brokers etc in Aus that make these requests. The answer is still to say no, and supply actual needed details through a pdf copy of statements. Ts & Cs from EVERY BANK in the world include 'Do not disclose password/PIN (etc) to anyone'. – mcalex Sep 28 '23 at 08:01
  • @Damian Neither of those two services should ever have access to your plain-text password either. They should only have access to a client-side encrypted blob that is useless without information that only the user itself has. – Voo Sep 28 '23 at 11:27
  • 3
    In the US, loan companies make use of credit reporting services like Equifax, Experian, and TransUnion to verify your suitability. They never need direct access to your financial accounts, although they might ask for a copy of a recent statement. – Barmar Sep 28 '23 at 14:26
  • 2
    @Vilx- Unless they're https://en.wikipedia.org/wiki/Plaid_Inc. who financial institutions partner with for some reason in subversion of the very simple and wise advice you're giving. See also https://security.stackexchange.com/questions/186709/bank-asked-for-a-cross-login/187794#187794 – Bryan Krause Sep 28 '23 at 17:48
  • 6
    Venmo asked me for my bank password when I signed up. Like, actual Venmo, not a scam site designed to look like it. They wanted to verify that the account was legitimate. I said no, and they took my account number instead. Took nearly a week to verify (they claimed the password would be instantaneous), but I'm still glad I did it the slow way. It's absolutely bonkers, but "legitimate" organizations are doing this now. And we should work hard to reject it with all the force of a hurricane. – Silvio Mayolo Sep 29 '23 at 03:25
  • @SilvioMayolo That is crazy, really? That is incredibly bad form. Even if it isn't a scam, it's another vector to attack the password that protects your finances. – Jason Goemaat Sep 29 '23 at 03:44
  • 1
    @BryanKrause In case of Plaid, you're not giving your credentials to a person, but rather a system embedded in your financial institution's webpage. Obviously, it opens an impersonation attack vector where scammers create a fake bank webpage with a fake plaid element and voila - perfect phishing scheme. The financial system in the US is such that there's quite a lot of abuse vectors and scamming opportunities, and the ToS would probably shift the blame onto the account holder because "you shared credentials". – littleadv Sep 29 '23 at 04:30
  • 1
    @SilvioMayolo I believe Venmo uses Plaid, the service I mentioned. – Bryan Krause Sep 29 '23 at 05:01
  • 1
    @JasonGoemaat It is crazy. Why would a company choose to expose themselves to this kind of liability. It's really stupid. – JimmyJames Sep 29 '23 at 20:41
  • Does this answer your question? Someone wants my account details and password to transfer money to me – keshlam Oct 01 '23 at 14:58

1 Answers1

102

No. Anyone who asks for your username and password is very likely a scammer. Access to id.me is especially valuable as it would allow the scammer to essentially steal your whole online identity. Make sure you safeguard it and not share it with anyone.

Whatever passwords you already gave them - make sure to change them ASAP while they still haven't taken over those accounts. It may be too late. In any case, contact the fraud departments of these services to inform them that you've been hacked and to have them lock your accounts.

littleadv
  • 172,884
  • 15
  • 295
  • 479
  • 7
    I feel "very likely a scammer" isn't strong enough. There is literally no situation where anyone would legitimately need to ask for the login credentials for any service. – Criggie Sep 29 '23 at 11:16
  • 7
    Today, in "is this a scam"... the answer is the same as always. Yes. – Mindwin Remember Monica Sep 29 '23 at 15:16
  • 4
    @Criggie I see you haven't seen the alleged not-scam that is Plaid. – chrylis -cautiouslyoptimistic- Sep 29 '23 at 20:52
  • Plaid falls in the same category as giving my stock broker direct access to debit from and credit to my bank account. It's not good, but it's not completely illegitimate, and there are mechanisms to enforce accountability and prevent/fix abuse. There really should be better answers, and there are better answers ... but they would gave higher costs than running it through Plaid so folks have resisted implementing them, feeling the customers wouldn't pay enough more to cover those costs. – keshlam Oct 01 '23 at 04:37