Some CIMBClicks users have reported unauthorised transactions from their bank accounts over the weekend, with repeated transactions made to PayPal accounts. CIMB Bank Berhad (“CIMB”) said in an official statement that its system “remains secure and all customers’ transactions continue to be protected.”
CIMB continues to deny any security breach. Over the weekend the bank added Google’s reCAPTCHA service to the login page of its online banking portal, and it also extended the supported password length from eight characters to up to 20. Did CIMB encounter breach attempts before this and therefore put reCAPTCHA in place as a countermeasure against bots and possible brute-force attacks?
Here’s CIMB’s official statement:
CIMB Bank Berhad (“CIMB” or “the Bank”) would like to address recent social media news on the alleged insecurity of its online banking portal, CIMBClicks.
Please take note that our CIMBClicks system remains secure and all customers’ transactions continue to be protected.
The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its CIMBClicks transactions.
Apart from ensuring that the system is now able to accommodate passwords longer than eight (8) characters and up to 20 characters, we have also added the reCaptcha security measure on CIMBClicks to ensure the user is not a bot.
Statement from CIMB
CIMBClicks user Qazreen Qazz first reported multiple unauthorised transactions made via his CIMB debit card to a PayPal account last Friday, 14 December 2018. He said that there were a total of 28 transactions amounting to close to MYR5,000, all made via a single PayPal account. What’s interesting is that he has never registered for a PayPal account.
He subsequently contacted PayPal Malaysia over the phone, and PayPal took action to block any floating transactions.
Following that, PayPal said it would refund the full amount, but that this would take around 10-17 working days. PayPal advises that if you file a dispute with PayPal, there is no need to file another dispute with CIMB.
All this while I’ve watched it happen to others… well… now it’s on me, isn’t it… #CIMB… it got me… floored… 4k-plus gone…
Qazreen Qazz wasn’t the only one who fell victim to the online theft. Amiratul Farhana Azizan reported on Facebook that her account was cleared out yesterday. She received seven consecutive SMSes informing her of online transactions made via a PayPal account. Noticing something amiss, she called the bank to block her account immediately.
According to her, she could log in to her account using a wrong password.
Truly clueless… this CIMB Clicks, you all… be careful, whoever is getting paid tomorrow or the day after… when you go to log in, look…
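The article does not establish why a wrong password was accepted, and the example below makes no claim about the cause. It is an added illustration, not CIMB’s code: it models one generic way a password check can accept a “wrong” password (silently truncating the input to a fixed length before hashing it) next to a verifier that hashes the full input and enforces the 8-to-20-character bounds quoted in the bank’s statement. The sample passwords and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed illustration of a generic password-handling flaw, not CIMB's code.
MIN_LEN, MAX_LEN = 8, 20   # length bounds quoted in the bank's statement
ITERATIONS = 100_000       # assumed PBKDF2 work factor for the demo


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the full password string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- assumed flawed verifier: input is cut to 8 characters before hashing ---
def enroll_truncating(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password[:8], salt)   # everything after the 8th char is dropped


def verify_truncating(password: str, salt: bytes, digest: bytes) -> bool:
    # Any password sharing the first 8 characters verifies: the "wrong password works" symptom.
    return hmac.compare_digest(_kdf(password[:8], salt), digest)


# --- hardened verifier: enforce the length policy, never reshape the input ---
def enroll(password: str) -> tuple[bytes, bytes]:
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Out-of-range input is rejected outright rather than silently trimmed.
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    return hmac.compare_digest(_kdf(password, salt), digest)


def demo() -> dict:
    """Enrol a constructed 17-char password and test a near-miss against both verifiers."""
    real = "Kuala-Lumpur-2018"      # constructed sample password
    wrong = "Kuala-Lumpur-XXXX"     # differs only after the 8th character
    s1, d1 = enroll_truncating(real)
    s2, d2 = enroll(real)
    return {
        "truncating_accepts_wrong": verify_truncating(wrong, s1, d1),  # True: the flaw
        "hardened_accepts_wrong": verify(wrong, s2, d2),              # False
        "hardened_accepts_real": verify(real, s2, d2),                # True
    }


if __name__ == "__main__":
    print(demo())
```

The practical check for a defender is the one `demo()` performs: enrol a password longer than the old limit, then attempt a login with a variant that differs only past that limit. If the variant is accepted, the verifier is discarding part of the credential, and raising the advertised maximum length does nothing until the truncation itself is removed.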
Mohamad Nazri also reported on Facebook that he lost close to MYR1,500 from his CIMB account in under 20 minutes. He subsequently called the bank to block his CIMBClicks account and his debit/credit cards, and lodged a police report.
Scam Alert!!! My CMIB* Bank account (Debit Card to be precise) has been unknowingly hacked, and as a…
SoyaCincau discovered a tweet by ZDNet security reporter Catalin Cimpanu alleging that a hacker may have illegally obtained a stash of CIMB customer account details. It is unverified whether this is related to the current CIMBClicks issue.
XMPP spam message:
Hacker looking for a cash-out partner to target CIMB Bank (Malaysian bank).
I'll presume he just bought a large stash of card numbers and he needs to monetize them. pic.twitter.com/b0aDatdpbV
— Catalin Cimpanu (@campuscodi) December 11, 2018
Related or not, monetary losses are real. I’ve had several friends reporting unauthorised transactions made from their accounts.
If you’ve been a victim, contact your bank immediately and, as a precaution, change your password to a strong one (a mix of letters, numbers and special characters).
You can contact CIMB at 03-62047788 or by email at [email protected]