Ok, I see now.

The password issue is due to some customers with weak passwords such as an all numerical password getting compromised. What I still don't get then is that CIMB didn't implement the 'three strikes and you're out' system? I mean this is done for ATM cards. Why not for their online banking? 

when linking debit/credit card, paypal will impose a min amount to ur acc together with 4 pin code. You either receive it from sms or online banking statement. The linking will only succeed once you key in the 4 pin sent by paypal. After that, paypal will refund the min amount imposed earlier. Failure to do so wont link your card to paypal. After a certain duration, PayPal will still refund the amount imposed even if card linking failed. My cards were linked without sms or transaction details from cimb.

Just sharing, about the debate on truncate overflow password (Any characters over the given limit will not take into account).

As far as I know, it's pretty common in Malaysia bank, i can confirm Maybank and Public Bank implement this way too. (At least for me since my password pretty long, missing few last characters still able to login).

I guess his head going to roll after this incident

of coz CIMB going to deny this happened

billions of institutional money will be gone if they admit this case happening

u want them to take action? go organise protest kat hq dia, biar viral kao2

just read sin chew daily , they put this cimb thing as "fake news" section lol 

Nasi lemak tech says cimb did nothing wrong:
NLT

The current updated FAQ from CIMB suggests that special characters were allowed in the past, just not mandatory.
The JS implementation also allows for special characters to be submitted if it was less than 8 characters.

The first article was taking the assumptions of how the old system used to work.
The second article reflects a more accurate situation due to the currently given evidence.

So far we cannot find good evidence that special characters were not allowed during the 8 character era. Everything else points to it being allowed back then.
Regarding the 8 characters thing you mentioned earlier, in the past, the characters were fixed to 8 characters maximum and minimum.
There was never > 8 characters in the past because it does not exist due to the old password policy being fixed at 8 characters.
The JS logic representing the old policy is the one that is saying "less than 8" as a criterion.



All that said, the conclusion is that security was never compromised or hacked due to the new mechanisms for CIMB Clicks as some articles are suggesting in their clickbait headlines