Some CIMBClicks users have reported unauthorised transactions from their bank accounts over the weekend, with repeated transactions made to PayPal accounts. CIMB Bank Berhad (“CIMB”) said in an official statement that its system “remains secure and all customers’ transactions continue to be protected.”
CIMB continues to deny any security breach. The bank implemented Google’s reCAPTCHA service on its online banking portal’s login page over the weekend. It also implemented support for longer passwords, from eight characters to up to 20 characters. Did CIMB encounter breach attempts before this and therefore put reCAPTCHA in place as a countermeasure against bots and possible brute-force attacks?
Here’s CIMB’s official statement:
CIMB Bank Berhad (“CIMB” or “the Bank”) would like to address recent social media news on the alleged insecurity of its online banking portal, CIMBClicks.
Please take note that our CIMBClicks system remains secure and all customers’ transactions continue to be protected.
The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its CIMBClicks transactions.
Apart from ensuring that the system is now able to accommodate passwords longer than eight (8) characters and up to 20 characters, we have also added the reCaptcha security measure on CIMBClicks to ensure the user is not a bot.
Statement from CIMB
CIMBClicks user Qazreen Qazz first reported multiple unauthorised transactions made via his CIMB debit card to a PayPal account last Friday, 14 December 2018. He said that there were a total of 28 transactions amounting to close to MYR5,000 made via a single PayPal account. What’s interesting is that he has never registered for a PayPal account before.
He subsequently contacted PayPal Malaysia over the phone and PayPal took action to block any floating transactions.
Following that, PayPal said they will be refunding the full amount but it will take around 10-17 working days. PayPal advises that if you file a dispute with PayPal, there is no need to file another dispute with CIMB.
Qazreen Qazz wasn’t the only one who fell victim to the online theft. Amiratul Farhana Azizan reported on Facebook that her account was cleared out yesterday. She received seven consecutive SMSes informing her of online transactions made via a PayPal account. Noticing something amiss, she called the bank to block her account immediately.
According to her, she could log in to her account using a wrong password.
Mohamad Nazri, over Facebook, also reported losses of close to MYR1,500 from his CIMB account, in under 20 minutes. He subsequently called the bank to block his CIMBClicks account and debit/credit cards, and made a police report.
SoyaCincau discovered a tweet by ZDNet security reporter, Catalin Cimpanu, which alleged that a hacker may have illegally obtained a stash of CIMB customer account details. It is unverified if this is related to the current CIMBClicks issue.
Related or not, monetary losses are real. I’ve had several friends reporting unauthorised transactions made from their accounts.
If you’ve been a victim, contact your bank immediately and as a precautionary measure, change your password to a secure password (letters, numbers and special characters).
You can contact CIMB at 03-62047788 or email at firstname.lastname@example.org.