
Chat: Did CIMB get hacked?

billylks
post Dec 17 2018, 02:43 PM

Getting Started
**
Junior Member
180 posts

Joined: May 2010


QUOTE(Quantum Geist @ Dec 17 2018, 01:41 PM)
actually it checks if there are special characters and 8 characters or more;

if this is true use the new method

if this is false take just the first 8 characters and use the old method
*
From what I see, they have a flag in every account to mark that you are using the new password.

if (flag == yes) {
    // using new password hash
    // supports more than 8 chars
} else {
    // just take the first 8 letters
    // use old password hash
}

Before comparing the hash for old password, they have no choice but to get the first 8 chars only since the front end doesn't know whether it is a new password or old password.

The algo above is okay actually, just that hackers know they can test using brute force until 8 chars so their test is faster

Now, about PayPal link to CIMB account, that is another issue due to TAC implementation (lack of).

BTW ayam not the hacker.

Duckies
post Dec 17 2018, 02:44 PM

Rubber Ducky
*******
Senior Member
9,796 posts

Joined: Jun 2008
From: Rubber Duck Pond


QUOTE(rooney723 @ Dec 17 2018, 02:43 PM)
ahh ic, got it got it, before dis i thought their backend can only accept 8 chars MAX regardless of special chars n the logic doesn't make sense to me
*
Example: if your password is 123456789 without special characters, the stupid logic will take the first 8 characters and log you in. That is why any characters after the first 12345678 do not matter.

Example: if your password is 123456789!@, then the system still logs you in because it has special characters, so the length can be up to 20 as long as it has special characters.
BillySteel
post Dec 17 2018, 02:47 PM

On my way
****
Senior Member
661 posts

Joined: Jul 2008
From: Yankee Territory


QUOTE(PleaseEnterYourName @ Dec 17 2018, 03:38 PM)
This is a bank. BNM doesn't allow your system to send data to a 3rd party. If it's not a bank, this is acceptable. Even a letsencrypt cert is a bad idea to use. unless cimb can wack bnm regulator and say allow it lol.
*
Not sure what BNM rules are, but not sending data to 3rd parties is no longer an option because you do not know which services are sharing data with remote servers. In most cases regulators won't be able to prove there is 3rd party data sharing of any sort unless a thorough audit is performed. Even then it is very hard to determine this, as it is a major pain point in the security industry.

How recaptcha works:

"Instead of depending upon the traditional distorted word test, Google’s “reCaptcha” examines cues every user unwittingly provides: IP addresses and cookies provide evidence that the user is the same friendly human Google remembers from elsewhere on the Web. And Shet says even the tiny movements a user’s mouse makes as it hovers and approaches a checkbox can help reveal an automated bot"
Mr. Najib Razak
post Dec 17 2018, 02:47 PM

Casual
***
Junior Member
321 posts

Joined: Jun 2016
QUOTE(feiraron @ Dec 17 2018, 11:20 AM)
I think this has become a bit of a convoluted mess:

Lets summarize a bit

1) CIMBClicks used to only allow 8 characters in password

2) Knowing that only allowing 8 characters in password is dumb, CIMB increased it to allow for longer until 20 characters this month

3) This is where i think the bug happens: those who have not changed their password after the change in (2) can login with extra characters

4) those who then change their password can no longer login with extra characters <---- PROOF that it is not an intended feature

5) Brute Force attack may or may not be related, but timing is interesting. We know got brute force because that's what the recaptcha is for.

6) Some are questioning whether extra characters at the end is a security compromise if the attacker would need to know the original password anyway (hence the brute force). BUT read about buffer overflow attacks and you would know that it is a point of vulnerability in a system that is supposed to be watertight because it safeguards money. They may or may not be using this vulnerability, nobody knows

7) Those who are attacked (due to weak password/ using the same password as leaked in a previous database leak -im looking at you jobstreet-) somehow got their debit card linked to an unknown paypal, and it will then be used to pay somebody (may or may not be third party and unrelated)
*
Thanks for the summary

axn992
post Dec 17 2018, 02:48 PM

On my way
****
Senior Member
676 posts

Joined: Jan 2008


I noticed there’s also lots of console.log()
Inline debugging eh....
rooney723
post Dec 17 2018, 02:48 PM

On my way
****
Junior Member
596 posts

Joined: Dec 2010
QUOTE(Duckies @ Dec 17 2018, 02:44 PM)
Example if your password is 123456789 without special characters, the stupid logic will take the first 8 characters and log you in. That is why any characters after the first 12345678 does not matter.

Example if your password is 123456789!@, then the system still logs you in because it has special characters, so the length can be up to 20 as long as it has special characters.
*
yup, that means their backend got 2 types of verification, 1 for legacy 8 chars pass and the other for newer pass wif special chars, they should reject pass >8 chars n no special chars instead of substring doh.gif
macyhouse
post Dec 17 2018, 02:49 PM

Getting Started
**
Junior Member
273 posts

Joined: Feb 2008
Point in question .. does cimb logout or block people after 3 attempts?

Because their website clearly states that they do
memphiz_zero88
post Dec 17 2018, 02:50 PM

My stars has gone. T_T
Group Icon
Staff
2,255 posts

Joined: Jul 2008
From: meditating at Mt Emei
QUOTE(macyhouse @ Dec 17 2018, 02:49 PM)
Point in question .. does cimb logout or block people after 3 attempts?

Because their website clearly states that they do
*
i don't think anyone wanna risk their account just to test that sweat.gif
Duckies
post Dec 17 2018, 02:50 PM

Rubber Ducky
*******
Senior Member
9,796 posts

Joined: Jun 2008
From: Rubber Duck Pond


QUOTE(rooney723 @ Dec 17 2018, 02:48 PM)
yup, that means their backend got 2 types of verification, 1 for legacy 8 chars pass and the other for newer pass wif special chars, they should reject pass >8 chars n no special chars instead of substring doh.gif
*
Yep doh.gif
PhakFuhZai
post Dec 17 2018, 02:54 PM

harimau putih
******
Senior Member
1,587 posts

Joined: Apr 2011
QUOTE(OldSchoolJoke @ Dec 17 2018, 01:01 PM)
if i read correctly,

if password following the new format (have special characters and more or equal to 8 characters) then password will be as it is

else if old password format (8 characters), it will only take the first 8 characters. any characters after that don't matter.. they get chopped
*
dun understand

if password is >= 8 chars, then the first condition won't be satisfied

if password is <8 chars, then it only checks up to the 8th character

no conflicts what
thefryingfox
post Dec 17 2018, 02:54 PM

Lonely Maharajah
*******
Senior Member
5,165 posts

Joined: Feb 2005
QUOTE(aziratul @ Dec 17 2018, 02:32 PM)
pfft.. they just want to cover it up, that's all

o wai
*
actually that's the truth... they are not hacked..... but they are being attacked. due. to. vulnerability

hack is diff from vulnerability
axn992
post Dec 17 2018, 02:55 PM

On my way
****
Senior Member
676 posts

Joined: Jan 2008


QUOTE(rooney723 @ Dec 17 2018, 02:48 PM)
yup, that means their backend got 2 types of verification, 1 for legacy 8 chars pass and the other for newer pass wif special chars, they should reject pass >8 chars n no special chars instead of substring doh.gif
*
Or the backend should reject passwords <8 with no special chars. Only accept password lengths of 8 or more with special chars. They can force all users to change it and they can delete the legacy code.
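
The substring rule described in this thread (send the password whole only when it has a special character and at least eight characters, otherwise cut it to eight) next to the fix the posters suggest (a per-account flag, and rejecting instead of truncating), as an added Python model that is not code from CIMB or from anyone in the thread; the account records, the sha256 stand-in for the real hash and the function names are all constructed for the demonstration.

```python
"""Added example, not from the thread or from CIMB: models the two
verification paths the posters describe and the stricter alternative.
Every account value below is constructed for the demonstration."""
import hashlib
import hmac
import string

SPECIALS = set(string.punctuation)


def _h(pw: str) -> str:
    # Stand-in hash; a real system would use a salted, slow KDF (bcrypt, argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def legacy_style_verify(stored_hash: str, supplied: str) -> bool:
    """Rule as described in the thread: a password with a special character
    and >= 8 chars is hashed whole; anything else is cut to its first 8
    chars first.  Consequence: any suffix on an unmigrated 8-char password
    is silently ignored."""
    if len(supplied) >= 8 and any(c in SPECIALS for c in supplied):
        candidate = supplied
    else:
        candidate = supplied[:8]
    return hmac.compare_digest(_h(candidate), stored_hash)


def strict_verify(account: dict, supplied: str) -> bool:
    """Hardened variant suggested in the thread: the per-account flag picks
    the path, the input is never truncated, and an unmigrated account only
    matches when the input is exactly the legacy length (reject, not substring)."""
    if account["new_password"]:
        return hmac.compare_digest(_h(supplied), account["hash"])
    if len(supplied) != 8:
        return False
    return hmac.compare_digest(_h(supplied), account["hash"])


# Constructed accounts: one unmigrated 8-char password, one migrated password.
LEGACY = {"new_password": False, "hash": _h("12345678")}
MIGRATED = {"new_password": True, "hash": _h("12345678!@")}

if __name__ == "__main__":
    print("legacy rule, 9 chars:", legacy_style_verify(LEGACY["hash"], "123456789"))
    print("strict rule, 9 chars:", strict_verify(LEGACY, "123456789"))
```

Running it shows the legacy rule accepting "123456789" against a stored "12345678" while the strict rule rejects it and still accepts the exact legacy and migrated passwords.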
christ14
post Dec 17 2018, 02:57 PM

Regular
******
Senior Member
1,567 posts

Joined: Jul 2011
From: Grand Ol' Lady


dayumn son.....

don't play-play with our money weh
PhakFuhZai
post Dec 17 2018, 03:01 PM

harimau putih
******
Senior Member
1,587 posts

Joined: Apr 2011
QUOTE(OldSchoolJoke @ Dec 17 2018, 02:37 PM)
if got special characters and >= 8 characters, it will pass to server as it is
else it will chop off after 8 characters.

topkek, really. that's why your password + any characters behind still can pass
*
oh fuck

really fucked up sweat.gif
brkli
post Dec 17 2018, 03:01 PM

On my way
****
Junior Member
592 posts

Joined: Oct 2018
QUOTE(Mummy Shark @ Dec 17 2018, 02:58 PM)
I was against calling CAPTCHA a "speed bump".

as you said, it is entrenched way to quickly determine humans vs bots.
if implemented properly, though not foolproof, it does filter the "less-educated" bots. for "educated" bots, CAPTCHA is not a "speed bump", can solve in fractions of nanoseconds.
*
can you share an example of how to solve recaptcha (google no captcha recaptcha) in nanoseconds? for research/education purposes, i am in the IT field. Thanks.

This post has been edited by brkli: Dec 17 2018, 03:03 PM
unknown_2
post Dec 17 2018, 03:03 PM

On my way
****
Junior Member
572 posts

Joined: Mar 2012


QUOTE(Mummy Shark @ Dec 17 2018, 03:00 PM)
people are taking a shortcut by blaming cimb, which has its own fault.

it's paypal that people should be burning, for allowing the fraud to happen. they should support 3D Secure, but they chose not to.
*
not implementing a try limit to stop brute force attacks is their fault.
brkli
post Dec 17 2018, 03:03 PM

On my way
****
Junior Member
592 posts

Joined: Oct 2018
QUOTE(Mummy Shark @ Dec 17 2018, 03:03 PM)
not my line of work.
you google computer vision and image recognition.
*
ooo.. :okay:

This post has been edited by brkli: Dec 17 2018, 03:06 PM
PhakFuhZai
post Dec 17 2018, 03:03 PM

harimau putih
******
Senior Member
1,587 posts

Joined: Apr 2011
QUOTE(axn992 @ Dec 17 2018, 02:55 PM)
Or the backend should reject passwords <8 with no special chars. Only accept password lengths of 8 or more with special chars. They can force all users to change it and they can delete the legacy code.
*
or another way, just implement a cut-off date to mandate all users to change to the new password format lah

via SMS, email, site take over

after the deadline, user will have to change their password

what's so hard, it's just the user password and not the legacy Account No.

it's CIMB that wishes to skimp on the budget to spread the news around

Moshpit94
post Dec 17 2018, 03:04 PM

Casual
***
Junior Member
371 posts

Joined: Feb 2011
From: Earth
QUOTE(PhakFuhZai @ Dec 17 2018, 02:54 PM)
dun understand

if password more >= 8 char, then the first condition wont satisfy

if password is <8 char, then it only check up to 8th character

no conflicts what
*
In the userprofile table, there will be a column named 'NewPassword?' as a boolean.


When logging in, the web app requests the user's information from the DB (ie. Moshpit94), gets back newpassword = false/true, and from there uses that value to authenticate with the new method or the legacy method.


Protected Sub btnclick_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnclick.Click
    Dim username As String = usernamebox.Text
    Dim password As String = passwordbox.Text

    Try
        If username <> String.Empty Then
            ' per-account flag that marks whether this user has migrated to the new password format
            Dim newpass As Boolean = getuserinfo(username).newpassword

            If newpass Then
                ' exec new authentication method (full-length password)
            Else
                ' exec old authentication method (legacy 8-character password)
            End If
        Else
            lblerror.Text = "Username field cannot be empty"
        End If
    Catch ex As Exception
        lblerror.Text = "Login failed"
    End Try
End Sub

scorptim
post Dec 17 2018, 03:04 PM

Enthusiast
*****
Senior Member
700 posts

Joined: Nov 2009
QUOTE(Mummy Shark @ Dec 17 2018, 03:00 PM)
people are taking a shortcut by blaming cimb, which has its own fault.

it's paypal that people should be burning, for allowing the fraud to happen. they should support 3D Secure, but they chose not to.
*
You’re missing the point here. Obviously there’s a breach on CIMB's end, otherwise this PayPal fraud would have happened to every other bank. It’s mainly affecting CIMB cards, which means there’s a leak from CIMB. You don’t just get to wash your hands and blame it on PayPal. How dafuq did the fraudsters get the CIMB card info to begin with?
