Credit Karma will deny logging in via AirVPN

[NoiselessOwl 26]

Greetings, I searched the forum about this and surprised no one bring this up. I am not sure if you are familiar with Credit Karma (creditkarma.com), they are a free credit monitoring for USA citizens.
 

I stumbled an issue when I attempted to log in my Credit Karma account and always get an error “Oops, something went wrong while trying to perform your request. Try again later. We appreciate your feedback”. I never had an issue with logging via AirVPN before, the last time I did it was more than 6 months ago. I assumed it was the addons and the browsers (Firefox and Brave) and they are showing the same results. I contacted their member support via email and reported an issue with it. They responded that they discovered that I am logging in by a different device (not sure why they are seeing it as a different device since it the same device I been using). I suspected it was something to do with AirVPN. I deactivated AirVPN and attempt to log in, it went through just fine. I emailed back to their support and asked them about using VPN to log in my account is causing the issue.
 

They respond “After our security updates, you may not be able to access your Credit Karma account your account using a VPN. Because using VPN blocks the users IP address. Credit Karma requires access to the IP address to help prevent fraudulent access”. So, it is not the unrecognized device, it is the IP address that they detected is different. I tried again and logged in without VPN, then enable VPN while I am on my account. I would assume they would record the new IP address then log out. I relogged and it is blocked with the same errors. I went back in my account again without VPN and found that they have 2FA through SMS only. Yes, I know that using 2FA SMS is a bad security but that is the only option they have. I enabled 2FA and confirmed the code that they texted to me. In their security setting, it said “When you log in from any device that we don't recognize, we'll text you a code to verify that it's really you. This helps ensure that you're the only person who can access your Credit Karma account, even if someone else knows your password”.  Perfect, since it would detect something that they are not familiar with and they would prompt for 2FA with VPN active. You are thinking the same thing, right?
 

*Cue Dwight Schrute’s voice* FALSE! It blocked me from logging in my account even with 2FA enabled. I tried with different AirVPN servers; they still block the attempt to log in. Apparently, they block all attempt of logging in when they detect AirVPN server’s IP address regardless the IP address is changed. It sucks that I can’t log in my account with VPN enabled. My bank (one of the largest banking institutions in USA) saw a different IP address (via AirVPN server) and prompted MFA code and then it went through just fine.
 

Credit Karma will block all attempt to log in when I am using AirVPN, even with 2FA enabled.

EDIT: SHOOT! I forgot to add the server that I used. I don't remember what servers I used before. This first occurred last month, I remember it is Canada servers (I believe Pisces, Telescopium and Titawin. I am usually connected to those server when I use Canada option) I tried again today which I prompted the post. Today, it is Chalawan and Bootes.

Edited ... by NoiselessOwl
Forgot to add the server information

[OpenSourcerer 1359]

12 minutes ago, NoiselessOwl said:

Yes, I know that using 2FA SMS is a bad security but that is the only option they have.

It's better than no 2FA at all. Besides, the effort put into exploiting the weaknesses of SMS verification are less rewarding for catching 2FA codes than mTANs for example. With 2FA you only get access to some accounts. With an mTAN you can "earn" some money instead. Of course, both require the attacker to already have access to an account, so the attention should be turned towards good passwords or, if supported, even better, some black magic like FIDO2.

Which servers show this exactly?

[NoiselessOwl 26]

1 minute ago, giganerd said:

Which servers show this exactly?

I ninja'ed edited my original post to add the server information when I realized I forgot to add the servers name before you replied my post.

Here my edited comment from my original post about the servers that I used in those. "SHOOT! I forgot to add the server that I used. I don't remember what servers I used before. This first occurred last month, I remember it is Canada servers (I believe Pisces, Telescopium and Titawin. I am usually connected to those server when I use Canada option) I tried again today which I prompted the post. Today, it is Chalawan and Bootes."

To be clear, Credit Karma are working fine with AirVPN. It is not blocked at all when browsing their site. It just that it will thwart any attempts to log in after giving my credentials while using VPN. It seem the log-in part is the problem.

[go558a83nk 352]

It's quite normal that a company like  Credit Karma wants to block VPN IPs.  They're trying to protect identity so it would behoove you to show them your real location so that if somebody were to try to hack your account from another location they'd more quickly realize it's not you.

And really, it makes no sense to hide your IP from them when they know everything else about you necessarily. 

[NoiselessOwl 26]

I perfectly understand what they are doing. to be clear, I don't only use VPN for accessing Credit Karma, I use VPN for other things. If I want to access Credit Karma, then I have to turn it off and look around to see what I want to see then turn it back on. It is just inconvenience and disruptive of my daily workflows.

It just that their security is taken to the extreme because my bank and other sensitive sites I used only care that I passed their MFA and then they know it is me. Majority of them are Authy and few here and there is email and SMS. I work from home and this is part of my daily thing to do.

[abercorn 0]

Hello NoiselessOwl. Only to tell you that I had exactly the same problem. I believe the reason behind it is that I opened the Noodle (now Karma) account in a country different than the country I am in now. Basically Karma allows you the entry only from the country you have opened the account.
Yesterday I tried to log-in and I had your same error message. Previously it had worked fine.   
I checked for any DNS leak and WebRTC leak, but apparently everything was all right. Changed the bowser (Chrome, Firefox, Edge and Explorer), but no change.
Today I checked all the servers available and after several trials I finally managed to log in.
I believe that there is a blacklist of servers and that I finally managed to use the one which is not in the list.
I think that protections are becoming more sophisticated and also that in the event of any doubt about the origin of the request, the Karma server does not take risks and refuses the entry.
This is simply my experience and maybe my solution to the problem can help you. I understand very well your frustration of not been able to enter your legitimate account because of a dubious security feature.