lol what?

I think there's 2 different issue but both seems to "happened" at the same time...

A) cimb card & CVV data breach
this related to the news of hacker managed to get card data and looking for partner to monetize..so they use card data to perform direct card transactions on PayPal merchants (direct transactions doesn't require PayPal account to be created nor require CimbClicks login) - PayPal call this DCC transactions (non PayPal account transactions made to PayPal merchants)..noticed the transactions were made to "digital wallet" merchants like gambling, game etc where they can store certain value before monetizing it later..


B) cimb password issue
panic customers affected by "A" login to CimbClicks to check their account. Some managed to login, some stuck due to new password policy..due to too much traffic surge, cimb thought it's abuse/hack so introduced captcha..at the same time, some users noticed they can login even with wrong password which reveals cimb security flaw

This post has been edited by penew: Dec 18 2018, 02:24 PM

Ya. They protek bank bankrupt.
Duit hilang is to bank..
Need find pulis report cimb steal money.

Cimb educating people on the edge markets, about scam transactions......

http://www.theedgemarkets.com/article/fast...ctions-—-cimb

Irony nya

Or they aldy found out something not right with the password system ?

Lol saw this on FB

Is this even normal ?

no, the code snippet does not prove anything on how they store the password. it only shows thier 'lazy' development to do not want to change backend API, so they convert/translate those inputs (for this case password) as front end.

I would say dont just believe everything you read online.

With this hot issue now, many web admins and bloggers would take advantage to increase their page traffic eventhough they know nuts anout IT.

I believe they key in old password + random characters.

This is known issue already

yes, initial pw is >8 characters, and I can login as usual everytime. nvr try to purposely key in wrong pw to testing. for me, since everything is safe for me, just change new pw only la, not need kpkb so much. of coz i wont say this if im the victim of this loophole.

So u pindah ke tak?

since this tread people so intreasted on the login process. you can just open developer tools -> console. you can learn abit there...

This post has been edited by brkli: Dec 18 2018, 02:38 PM


Attached thumbnail(s)

tak, change new pw, limit transaction limit only.

its been some time i no login. huhuh. later check balance @ atm.

no sms notification so far.

This post has been edited by budi1413: Dec 18 2018, 02:42 PM

still not fix their coding?
i tried mine cant be exploit through this loophole.

convenience come at a price in first place. In this case, it's security.

Also, i'm sure that they can do something to improve it if they wanted to.

Instant transfer to bank rakyat disabled. other bank interbank transfer still work at the moment

This post has been edited by heinlein: Dec 18 2018, 03:30 PM

No one can use your inactivate debit or credit card....

You can ask your family to check thier bank account if you are worried.

FYI, police stated no one reported lost their money
https://www.lowyat.net/2018/175119/pdrm-cci...ort-not-yet-in/

we all know report police no use

hashed/salted or not i no idea.

good question you asked.
but probably, with old format of password, CIMB also only takes in 8 character.

e.g:
you create account with password abc1234567890,
before inserting into database, it only takes in abc12345 and hash/salt it.

this is to my assumption only. i got no idea how they work on the password.
if it stored as plain text then .