Chat CIMB kena hack?
|
|
 Dec 17 2018, 02:32 PM
|
 
Senior Member
9,795 posts Joined: Jun 2008 From: Rubber Duck Pond  
|
QUOTE(rooney723 @ Dec 17 2018, 02:31 PM) but i checked the code the logic says it will accept the password if its more than 8 characters and if the password is less than 8 characters it will take the first 8 chars, or am i wrong? There's the checking for special characters as well. |
|
|
|
|
|
Dec 17 2018, 02:32 PM
|
Senior Member
2,048 posts Joined: Oct 2004
|
QUOTE(Bonchi @ Dec 17 2018, 02:20 PM) All banks in SG uses a hardware security token... except Citi and Standard chartered that uses mobile app token if im not mistaken. Citi does use the RSA token. Mobile token was introduced recently and both are valid to be used in parallel. |
|
|
Dec 17 2018, 02:32 PM
|
Junior Member
136 posts Joined: Jan 2012
|
QUOTE(timo1003 @ Dec 17 2018, 02:30 PM) Not sure if anyone has shared this in this thread, here's your response from CIMB hek eleh.. nak cover le tew CIMB denies its online banking system was hacked, assures all is secure Malaysian bank CIMB denies security breach after customers say accounts compromised o wai |
|
|
Dec 17 2018, 02:33 PM
|
Senior Member
5,363 posts Joined: Apr 2005 From: กรุงเทพมหานคร BKK 
|
QUOTE(Duckies @ Dec 17 2018, 02:26 PM) Coded at the client side aka website there which by right should be at server side only. Absolute garbage security |
|
|
Dec 17 2018, 02:34 PM
|
Junior Member
291 posts Joined: Sep 2007
|
QUOTE(timo1003 @ Dec 17 2018, 02:30 PM) Not sure if anyone has shared this in this thread, here's your response from CIMB Someone already shared.but i put in front page anyway. CIMB denies its online banking system was hacked, assures all is secure Malaysian bank CIMB denies security breach after customers say accounts compromised |
|
|
Dec 17 2018, 02:36 PM
|
Junior Member
652 posts Joined: Jun 2017
|
QUOTE(vamfire @ Dec 17 2018, 02:24 PM) Dem, I sudah kena... I have transferred all of my funds to another bank once the breech was known.I received SMS on 12/12 that my CIMB Debit Card which I never used to make online purchases at all was charged RM34.48 @ Shopbop.com??? WTH! I straight away called CIMB to block my account immediately & then proceed to replaced the debit card as per CS advice... But that amount still 'earmarked' last I checked my CIMB account balance Is it a good time to go berserk & wire out all my moneh to other accounts maybe? Personal suggestion : it would be better for you to do same. |
|
|
|
|
|
Dec 17 2018, 02:36 PM
|
Senior Member
6,017 posts Joined: Sep 2011
|
QUOTE(peja5081 @ Dec 17 2018, 02:34 PM) Someone already shared.but i put in front page anyway. got this ald? This post has been edited by hightechgadgets8: Dec 17 2018, 02:37 PM Attached File(s) 
181217_Public_FAQ_on_Clicks__Version_Final___1_.pdf ( 229.54k )
Number of downloads: 28 |
|
|
Dec 17 2018, 02:36 PM
Show posts by this member only | IPv6 | Post
#1008
|
Junior Member
273 posts Joined: Feb 2008
|
https://www.cimbclicks.com.my/pdf/201812-Cl...-Public-FAQ.pdf
sorry on mobile .. boleh tolong screenshot and upload |
|
|
Dec 17 2018, 02:36 PM
|
|
Senior Member
9,795 posts Joined: Jun 2008 From: Rubber Duck Pond
|
QUOTE(teehk_tee @ Dec 17 2018, 02:33 PM) Absolute garbage security Intern do mia work ke. Or India aneh do mia work. Where got verification done at client side there geh. Now whole world sees the dumb logic/code. |
|
|
Dec 17 2018, 02:37 PM
|
Junior Member
285 posts Joined: Mar 2010
|
QUOTE(rooney723 @ Dec 17 2018, 02:31 PM) but i checked the code the logic says it will accept the password if its more than 8 characters and if the password is less than 8 characters it will take the first 8 chars, or am i wrong? if got special characters and >= 8 characters, it will pass to server as it iselse it will chop off after 8 characters. topkek betul. that's why your password + any characters behind still can pass |
|
|
Dec 17 2018, 02:37 PM
|
Senior Member
1,107 posts Joined: Jul 2007 From: 192.0.0.1
|
QUOTE(powerlinkers @ Dec 17 2018, 02:36 PM) I have transferred all of my funds to another bank once the breech was known. Transfer first. Think laterPersonal suggestion : it would be better for you to do same. |
|
|
Dec 17 2018, 02:38 PM
|
|
Junior Member
596 posts Joined: Dec 2010
|
QUOTE(Duckies @ Dec 17 2018, 02:32 PM) There's the checking for special characters as well. yup i noe, then that means even the logic of the code is wrong? suppose if the legacy server side only accept max 8 characters then the client side is only suppose to accept 8 chars n below n substring the pass wif > 8 chars |
|
|
Dec 17 2018, 02:38 PM
|
Junior Member
386 posts Joined: Jan 2006 From: between 0 and 1
|
QUOTE(BillySteel @ Dec 17 2018, 02:29 PM) Recaptcha v3 eliminates the need for ticking the box, actually, recaptcha is very important related to server request. It eliminates bots from brute forcing their way to obtain your password from rainbow tables (hash of known passwords --- currently there are about 1billion combinations from all the leaked passwords available publicly). There are other methods too but on the front end this is probably one of the most cost-efficient methods to deal with this. This is bank. BNM doesn't allow your system to send data to 3rd party. If its not bank, this is acceptable. event letsencrypt cert is a bad idea to use. unless cimb can wack bnm regulator and say allow it lol.I was pretty surprised when people were saying it was hacked, recaptcha has been a standard for years in more developed application development. |
|
|
|
|
|
Dec 17 2018, 02:39 PM
|
Senior Member
1,407 posts Joined: Jan 2003 From: /k
|
QUOTE(ntd.nicholas @ Dec 17 2018, 10:26 AM) Change Password: Seems like even with the correct CIMB Clicks ID and password, it still shows fuck, this is true story yo. i just did itInvalid User ID or Password [CLK00619] Update: Guys, to change password: 1. CIMB Clicks ID: <Your existing ID> 2. CIMB Clicks Password: <If your existing password length is > 8, then key in your password until the length of 8> Example, old password is: mypasswod (length of 9 characters). In order to change password successfully, just key in mypasswo This is ridiculous but its true. |
|
|
Dec 17 2018, 02:39 PM
|
|
Newbie
1 posts Joined: Dec 2016
|
QUOTE(scorptim @ Dec 17 2018, 01:59 PM) India IT guys are only good at coding, not at logic. Yes simply blame it on the foreigners. I'm sure there is a mix of both Malaysians and foreigners in their IT team.You give them broad or vague instructions they gonna use the simplest shittiest code to get the job done coz they won’t bother to think “what else might be needed”. If you have a good PM or account manager that can communicate to them exactly what specifications are needed, they can do it. Just don’t expect them to think or figure out anything for you. Project manager mana? Tester only tests based on test scripts provided by the project team and 99% of the time test scripts from project team is BS. CAPTCHA is one of the easiest “security measure” to bypass and this is a billion dollar bank we’re talking about. |
|
|
Dec 17 2018, 02:40 PM
|
|
Senior Member
9,795 posts Joined: Jun 2008 From: Rubber Duck Pond
|
QUOTE(OldSchoolJoke @ Dec 17 2018, 02:37 PM) if got special characters and >= 8 characters, it will pass to server as it is else it will chop off after 8 characters. topkek betul. that's why your password + any characters behind still can pass QUOTE(rooney723 @ Dec 17 2018, 02:38 PM) yup i noe, then that means even the logic of the code is wrong? suppose if the legacy server side only accept max 8 characters then the client side is only suppose to accept 8 chars n below n substring the pass wif > 8 chars Refer to OldSchoolJoke.Because they need to cater for old password format which is without special characters. And also because they need to cater for new password with special characters. Thus this retarded logic. This post has been edited by Duckies: Dec 17 2018, 02:44 PM |
|
|
Dec 17 2018, 02:41 PM
|
|
Junior Member
291 posts Joined: Sep 2007
|
QUOTE(macyhouse @ Dec 17 2018, 02:36 PM) https://www.cimbclicks.com.my/pdf/201812-Cl...-Public-FAQ.pdf Thanks..i put in front pagesorry on mobile .. boleh tolong screenshot and upload |
|
|
Dec 17 2018, 02:42 PM
|
Senior Member
1,116 posts Joined: Dec 2009
|
QUOTE(macyhouse @ Dec 17 2018, 02:36 PM) https://www.cimbclicks.com.my/pdf/201812-Cl...-Public-FAQ.pdf sorry on mobile .. boleh tolong screenshot and upload    |
|
|
Dec 17 2018, 02:42 PM
|
All Stars
10,475 posts Joined: Jan 2003 From: Sarawak
|
QUOTE(OldSchoolJoke @ Dec 17 2018, 02:37 PM) if got special characters and >= 8 characters, it will pass to server as it is topkek system managed by sysadmin with no linux knowledge else it will chop off after 8 characters. topkek betul. that's why your password + any characters behind still can pass  |
|
|
Dec 17 2018, 02:43 PM
|
|
Junior Member
596 posts Joined: Dec 2010
|
QUOTE(Duckies @ Dec 17 2018, 02:40 PM) Refer to OldSchoolJoke. ahh ic, got it got it, before dis i thought their backend can only accept 8 chars MAX regardless of special chars n the logic doesnt make sense to meBecause they need to cater for old password format which is without special characters. Because they need to cater for new password with special characters. Thus this retarded logic. |
| Change to: |  0.0183sec
 1.15
 6 queries
 GZIP Disabled
Time is now: 10th December 2025 - 07:24 AM |
Quote