Update from cimb
https://www.thestar.com.my/news/nation/2018...-all-is-secure/

Update from lowyat.com
https://www.lowyat.net/2018/175102/what-cim...you-but-should/


CIMB Clicks ‘kena hacked’ concern: Here are 4 things you need to know
Cimb Faq about recaptcha:
https://www.cimbclicks.com.my/pdf/201812-Cl...-Public-FAQ.pdf
Hack story
https://m.facebook.com/story.php?story_fbid...100000746122106

https://m.facebook.com/story.php?story_fbid...100000339018919

People lost money .someone hack and use to transfer through paypal






https://pokde.net/news/cimb-clicks-facing-m...security-flaws/
Update:cimb use recaptha to slow hacking process
Update from pokde. Basically u can login with wrong password
Update source:
https://www.soyacincau.com/2018/12/17/was-c...-clicks-hacked/
Quote for the lol
This post has been edited by peja5081: Dec 17 2018, 07:58 PM

something is definitely wrong with the cimb clicks login page. we are investigating.

Oh shit!

Pls do keep us updated se7en.

Thanks.

tried it, app no recaptcha image.. but i tried on chrome pc, and chrome ipong, got that recaptcha image.. changed my password, never login again

PSA: move out all of your $$$

using safari on iphone. got recaptcha too

the web site one captcha, damn wtf is cimb doing?

Is this only happens on android phones?

My iphone never got show this recaptcha thing.

can confirm those recaptcha shows up on chrome desktop, didnt even proceed to put in user id

Oh shit,,I login via the app yesterday, it prompted the captcha "click all the images containing traffic lights". So I did, should I be worried? Bank account still same balance.

Incomprehensible

Looking at the page network traffic it's all going to either cimb server or google (for captcha most probably)

But I don't dare login with a real id

This post has been edited by juzmafia: Dec 16 2018, 10:42 PM

better change password or withdraw ur money just to be safe

Good fitnah attempt for unwanted purchase that cannot get refund.

Gonna use this reason as purchases haven’t arrive.

Ohwaiii

i justt checkked aaaatt tthe cimb wbsitet fater ii read tthiis threaad. yes, theres a recappcha tthing doown on bottom rightt.

Tried on mobile site, has that recaptcha thingy

Crap, but how to change password? The captcha logo is still on cimbclicks website, later login change password also no use because website is still hacked. Tomolo I go withdraw all my balance then, thanks.

OP dude the link you post got nothing to do with the capthcha thing, not even a mention there??

looks to me like their debit card is registered and linked with paypal and some sort of exploit there

can we get a quick rundown of what supposed to be done?

and how not to be targeted

Good point, TS pls explain.

So what is the problem with the captchcha thing?

Then got card numbers leak?

reCaptcha is already quite a common thing, lah.

https://m.facebook.com/story.php?story_fbid...100000339018919
Original post..that one i post is feedback from other case.but similar

ok, ran through their page, apart from the recaptcha, nothing else to worry about.

and for the record, using recaptcha on a bank login page is plain dumb.

Recently a exploit involving Paypal payment gateway was shown in some videos.

Either their data is compromised by their own carelessness on website or data breach at seller side like the Starwood issue.

But many water fish just blame it on banks and make malicious fitnahs.

This shows the general public lack of common sense to determine the reliability of the information and knowledge of the basic issue.

#donedakwah

Ok.maybe nothing to do we recaptcha.but many report unauthorized usage from paypal

one more thing is for the app...if u put your password and any numbers or letters after it....you would still be able to login...i've tried myself

plus the weird placement of recaptcha is kinda throwing people off

really? someone is so fired

Yup. Also, CIMB limiting their password to only 8 characters, it's plain dumb.

Other countries already using 2FA for banking transaction, but Malaysian banks still use Mobile Number authentication. Just a ticking timebomb considering how easy it is to hijack a number..

Called the call centre. They say the recaptcha is a recent enhancement and that it's indeed the original CIMBClicks page. Also checked about the phone number +603 6204 7788 which they say is legit.

Number is legit but alot number spoofer using this number

the person must have had link his bank info to paypal and had his paypal info hacked or something. you dont need tac if you are paying using paypal

But seems only C*** is always being affected? I dun see other banks kena that much.

most likely leak card info

but how do they get around the registration of card into paypal is another story, as far as i know, paypal charge you with a code number in the description, and you can only get that code via your statement. after input the code only can link.

its not that you can input any text after your pass, most people didnt realize this but before this cimb only can input 8 character as password, really dumb but i think since this month only they allow for more characters as password. made me scratched my head a bit when it happen, last2 i just input first 8 character then walla. all this while i thought it was capturing my full password even during regeistration

This post has been edited by feiraron: Dec 16 2018, 11:01 PM

Instead of recaptcha, they should follow what UK banks doing. 2FA. But problem is that could be too complicated for users to set up the first time. Recaptcha is to identify bots. What about real humans? I don't think recaptcha is relevant for a banking website.

I'm using HSBC UK's 2FA. Really powerful. But is a pain to set up for the first time.

This post has been edited by jimmyktp: Dec 16 2018, 11:00 PM

Yeah I know was worried when I heard about that. Quickly hung up the phone...

CIMB increased the character count above 8 recently. But yes, it was mind boggling that they capped it at 8 before.

Blame other people because of their own stupidity

Yup, my friend shared a post on FB...gotta try myself and it works. Immediately change password

goddamn huh so real onot? seems real nation world wide

how easy to hijack a number? that we should take precaution of

I've just got off the line with cimb customer service who has told me that the recaptcha has been instituted by cimb.

Thanks for the info! I got frustrated because of this. Gonna change my password now..

ive read through the comments asking same question whether they had ever link before. they answer they had never used paypal

Yeah agreed , all my emails and socials apps are safely secured with 2FA , its kinda annoying that the local banks dont take initiative for 2 Factor Authentication and Yubiki

If that's the case better withdraw all money to be safe lol

It's kinda stupid to initiate something without prior notification to the users

Gaya Malaysia

Dun dare even open

It is super easy.

Coupled with installing Cerberus app on an unsuspecting phone, I can even read or send sms from my computer/phone

Note: Cerberus is a legitimate app but could be easily misused.



Let's take this as a scenario:

1. You went overseas for holiday bringing your phone with you. Someone knew you are not in the country.

2. Scammer goes to police station and make a report saying lost IC (pretending as you).

3. Using the police report, goes to make a temporary IC.

4. Using temp IC and police report, makes a report with telco to get them reissued a replacement sim card.

5. You realised your phone cannot use while you were in overseas. You didn't bother because you think you will sort it out when u come home.

6. Scammer can get banks to reissue a new CC, or if they already have your username and password, you GG because now any new sms from banks to you will be sent to the replacement sim card which is being held by the scammer.

7. See how powerful if someone gets your Phone Number?? A chain is only as strong as the weakest link. The phone number is the weakest link!

*Happened to my friend's dad* A big foreign bank in Malaysia who is famous with issuing CCs wanted to sue my friend's dad* The suit was thrown out eventually.

This post has been edited by jimmyktp: Dec 16 2018, 11:15 PM

Lack of resources, too expensive and not enough professional IT security experts could be the limiting factors.

Also, too high-end security features, Malaysians might not know how to appreciate. LOL.

oh my duit

Login without password as long as username is valid?
Oh my.....what a screwup.

Luckily my username might be a bit too long......cause last time cimb didn't allow long password,so I made my username longer.

the app got cache features maybe.

It's this, not the normal reCaptcha
https://developers.google.com/recaptcha/docs/invisible
https://wptavern.com/google-launches-invisible-recaptcha

This post has been edited by DeniseLau: Dec 16 2018, 11:25 PM

Bank so stupid no check thumbprint?

I'm not sure with this, perhaps there could be other ways to bypass this. Perhaps a replacement credit card sent straight to the home address? It is easy getting CC replaced without going to the bank.

Nowadays you don't need to go to banks to get things done.

I kena also..but it was due to wrong password which I swear is correct. Dem..now I dun dare open to check the balance.

Now they force you to add in special character in their password. Lagi menyusahkan.

Really half pass six implementations. Instead of making life hard for 1 time, they make life hard everytime someone login!

Their app and website really lack user-friendliness. I remember I send in CC enquiry via their website compose message box, the stupid bank officer have the cheek to ask for a reply reason. Problem is, there isn't a reply button! KNS.. I had to compose a new message again.

This post has been edited by jimmyktp: Dec 16 2018, 11:34 PM

Omg shit... they dont check finger print when making a new IC ka?

this recaptcha shit is fucking stupid, can they not disable this on their site?

That one I not sure, but it happened in 2005. Last time you need to hold your temporary paper IC for a month and wait for your MyKad. Now you can get it on the day itself.

But what I wanted to stress here is, Phone Number is not a secure method especially for banks.

This post has been edited by jimmyktp: Dec 16 2018, 11:37 PM

I wanted to collect my replacement card from a designated branch but was told the bank does not allow that anymore and it MUST be couriered to me.

so what's the fuss now, because they publish this captcha thing without prior notice to us? Or were they legitimately hacked, that's why added this captcha thing? Or they dont have answer why got this captcha thing appearing for some users?

zzzzz

So cimb stock turun?
BBBBBBBB UUUUUUUU

Tried app login. Put in correct username and correct image and correct password. Immediately prompt alert ask me go to their website to change password. De fuck? I just successfully login last week.

If you not at home then GG lah.. If the postman/courier man hardworking, they will take it back. If not, they just drop into your house letterbox, even easier for the scammer to climb over your fence and collect the letter for u.. HAHA

Aik? se7en keeps on changing the frontpage title.

so reCAPTCHA not an issue?

We got so many aunties and uncles that can't even comprehend on how to login properly. 2FA will just make them think they're living in a different planet. Although I really want 2FA also, I can understand how it feels for the bankers to actually teach uncles and aunties about how to setup and actually use it.

sorry about that, the more we dig, the more shit we are getting. for now, all i can say is this is going to be VERY bad.

Anyone can verify if I check balance using android CIMB apps with fingerprint will have issues or not?

i can safely say now, they abruptly implemented the recaptcha, to avoid further damage.

Most probably no, the captcha reports back to genuine google servers

i find it a bit odd that they introduce the recaptcha, at around the same time they introduce duitnow. i wonder if duitnow has caused some security issues.

So.....I presume it is pointless for us to change cimb password right now?

Soon Lowyat.net expose this issue,
will forum lowyat.net kena media diu like last time tho

wouldn't say its pointless, but you probably need to keep changing it till they fix it up.

My suggestion, use an online random password generator, to get a really complex password.

Been getting the same past few weeks, called their rep and all I got was "you probably put in the wrong password" response. I checked my account and there was no out of the ordinary transactions, changed the password to something I never used before. cimb is not my main account so I didn't think too much about it.

That's why I dont use CIMB.
Always have so many issue.

My company use cimb bank, but every month gaji masuk, i straightly transfer to maybank or rhb

long password is much harder to crack than a complex, but short password

SOS

so better to transfer all my cimb moneh to other bank account for the time being..?

They should learn from Maybank. Maybank has the best mobile apps for now.

PBB is shit. CIMB is shit.

so after 5 page, apa conclusion ? safe or not safe?

My iPhone safari browser also kena this captcha thing
Is it safe?

PBB online banking for dekstop version is not for human use one.

So shit

ok masuk lowyat.net headline

https://www.lowyat.net/2018/175051/cimb-cli...er-the-weekend/

No shit!? What the fuck is this?

Happen when I tried to change my password

Best part is the courier guy knows it's a credit card.

In theory the courier needs signed acknowledgement by recipient.

However recently I had an issue with the bank where they claimed I had signed acknowledgement of a redemption item although I've not received it. Only resolved when I told them I will file a police report for forgery against the courier n aiding & abetting a crime against the bank.

Ya man. PBB app lagi teruk. Maybank app and website is the best. CIMB website is second but their app is shit. PBB is the worst among all.

just login and transfer ur money to other acc. i saw 2 fb friends post their card got unauthorized usage on paypal.

I tried Cimb mobile app android
No recaptcha

Wonderful. It will be so complex that I won't be able to remember it.

Last month my CIMB account kena lock 4 times because someone did an unsuccessful login attempt.

I think CIMB security really mess up. Mcb

This post has been edited by audi90: Dec 17 2018, 12:02 AM

See above, read 2nd link.