can confirm.. once change pw is ok.

but this dent in trust, i cannot accept.

https://www.nst.com.my/news/crime-courts/20...-back-data-lost

Guys rhe issues is not about the password.

The real issue is that our bank information has been leaked , they do not use cimbclicks to hack your money but just through your card info link to paypal.

I have 10 ringgit in my account omg

Wadapak. I already reset my password B4 I sleep. Now.j login. It ask me to reset again????

Anyone facing same issue?

twitter posted 12 december, now 17 december, aumm

Yes. I think need to change my password

I already said, cimb have its fault.

but paypal allowed this to happen. I have 3 other banks in my paypal and they are also treated the same as cimb cards.

that's why I said direct your anger to the correct parties in this thread, not elsewhere.

U want their stock to crumble?admit mistake or fix silently like nothing happen.
Anyway,this is wakeup call for bank to safeguard their user data.

From some analysis it seems
- hacker create a paypal account n link it to the victim cimb debit card
- it seems it only effected cimb debit card
- paypal transfer/payment does not require sms/otp for debit card linkage
- so hacker should be able to find a loophole or hacking the cimb part that they able to obtain the latest debit card transaction
- to link a debit card in paypal, paypal will debit/credit a small amount of money to the debit card with a 4 pin code for activation
- the hacker requires this 4 pin code to add the debit card into the paypal account
- so highly likely they able to find a loophole to get this latest transaction statement with the attached information as pin code
- and this loophole seems to happen for cimb only, as from the reported case

fixing the cimb webpage with a recaptcha wont solve the prob imo, it's a loophole y paypal can be linked to cimb debit card to begin with!

aint all the atm card they issued already a debit card nowadays?

Ermmmm. They spoof js var for timestamp and server side never validates and keep track of requests? So that's how they brute force?

Stateless server side request processing? If true, I really don't know what to say....

why they need the PIN?

it could be compared to a hash of the pin

where else would they store? the ATMs report back to their server

How is this abnormal, you ask? It scares even more that nobody else in our office managed to identify the problem. I’ve been in a lengthy discussion with the good guys at Nasi Lemak Tech and here’s what we have to say about it.

You see, your PIN (Personal Identification Number) is YOUR personal identifier which even the banks are NOT supposed to know.

    When you get your ATM card, you slot the card into the card reader and you set your temporary PIN which you are requested to change it again later at the ATM.
    When you registered e-banking for the first time, you have to pay a visit to the bank, insert your card, validate the PIN and then a temporary PIN is issued for your usage.
    When you do a VISA transaction using wave, you can just tap the card and get done with it, but if you want to use the PIN, you MUST insert the card into the terminal first, before entering the PIN.

As you can see, you can never eliminate the need to have your card physically before using your PIN. This is because, the PIN is stored in the card. When it is needed, the server sends an encrypted string to the machine, requesting the PIN to unlock the secure container. Once the PIN is entered, the validation happens on the machine level itself where it checks against the stored PIN on the card (of course, encrypted). When everything matches, the transaction details are carried with a verified payload back to the servers. This is how the process is supposed to work.

I guess Pokde doesnt know about EMV specification. This is nothing new.

Well, the lowyat article explains things more clearly... But I'm still blur on the credit card and Paypal side.

1. CIMB customers' credit card information and CVV2 could have been compromised in the lost tape or some other way.

2. With this, couldn't the hackers just use this CC information to link up to Paypal and use this directly to steal money?

3. Whilst I understand the hacking attempts to go into CIMB Clicks portal, how does it help them to do no. 2? They could have done so directly, in the first place.

4. Any attempt to transfer will be negated by the need of TAC.

5. Unless the hacking into CIMB clicks is done directly without any information on the customer CC in the first place. After hacking, they obtain the CC details from CIMB Clicks and then proceed to link it to Paypal?