Well, that is because they got the information from CIMB official statement.

there's been a few shares earlier on...

likely your password was still using the old policy which is only 8 chars. try this:
* when changing password, just use the first 8 chars of old password as your old password
* use complex password for the new password

dang thats works

thanks mate

4KlsgiwwRkmXzUzejwCufy4HMQO5bN7LERoNwzCBX5o7AqULFX7VOg8oOQmthXOpqvrfVdc5C4UMKJpwDMQHHFTqoso1LF5NivnC

no worries. helping where i can.

i know it's scary for many.. myself included.

Wow, your case is different. May I know if you use CIMB app for mobile phone OR just CIMB clicks website? Did the transaction ask any SMS tag?

Only use cimbclick website. Got sms but check no deduction so thought is scammer's prank to cause panic. Who knows really money gone after 2 days. Only found out after lowyat news say possible cimb hacked. I no day day open cimbclick check my acc balance habit.

Similar deduction thing happened to me early this year but with MOLPAY, not sure how it was charged to my debit card. I went to CIMB, changed my card and disabled Debit as a precautionary measures. Thankfully, CIMB reimbursed my money

They did mention did nothing wrong @ cimb clicks
other all wrong did not mention too.

if cimb not wrong then how come only cimb kena

is there other bank kena same attack?

See how they putar..unauthorized transaction not related with cimb click - which is correct.but not mention unauthorized transaction of stolen data..they said unauthorized transaction is still low and under control

This post has been edited by peja5081: Dec 19 2018, 10:09 AM

With the benefit of the nasilemakTech rebuttal, they say the truncation to 8 chars is not an issue at all because ALL old passwords are 8chars long anyway.

IF that's true, yeah it's a non issue. But why need slice with substring(0, 8) ??

BUT I asked here and some people said that their old passwords were longer than 8 chars. In which case, logic says that CIMB must have the passwords stored As Is somewhere in their system

So which is it? Were old passwords pre 18Nov exactly 8 chars OR minimum 8 chars (ie longer also got) ??

PS: those who kena unauthorised transactions should flood nasilemak tech with proof / police reports etc (where's the batu api smiley )

PPS: just saw the latest version of se7en's article ... everything I talked about is there

This post has been edited by okuribito: Dec 19 2018, 12:20 PM

once facebook saw from maybank debit card by paypal also,
but then only 1 not sure some people try to gain attraction or what la.
Cimb mean nothing wrong in CIMB@Clicks
but other part of CIMB all gone wrong.

this one easily cracked. what u need is

♋︎●︎●︎ ⍓︎□︎◆︎❒︎ ♌︎♋︎⬧︎♏︎ ♋︎❒︎♏︎ ♌︎♏︎●︎□︎■︎♑︎ ⧫︎□︎ ◆︎⬧︎

haha further evidence that mainstream media not reliable, it's crystal clear that cimb has weaknesses that been exploited

lol no wonder najib brother jump out of ship,he already knew this shit gonna happened

https://www.thestar.com.my/business/busines...zak-steps-down/

Want to see if BNM take action or not.

From what I understand, there were 3 steps to this

1. Passwords were allowed to be 8 or more characters
2. Rules changed, passwords allowed MAX 8 characters
3. Rules changed again, passwords allowed 8-20 characters

So if you had a password in (1) that was longer than 8 chars, it was truncated. Maybe the passwords were stored encrypted instead of hashed, so was possible to work out the original password and truncate it for (2).

They likely need to slice it because the backend does not know if this is a new/old password format. By right, backend should not care about such things. The fact that they slice says nothing about whether the passwords were stored as hashes or not.

Lets say your very old password was:

"lowyatisthebest"

Then CIMB stupidly changed their rules that passwords must only be 8 characters long, so your password now is:

"lowyatis"

They can hash this value, and since they hash it they will always need the 8 character version of your password to compare with the DB. They don't have to store it as plaintext. Its very unlikely that they are storing passwords in plaintext, wouldn't be able to pass any form of certification/audit if that were the case.

but all online transaction must use TAC rite?

NLT has amended the two articles in question and added a note in the first paragraph for clarity.

https://nasilemaktech.com/cimb-did-nothing-...al-explanation/
https://nasilemaktech.com/debunking-mainstr...never-happened/