TLDR: if your password is a simple password, change to complex password (UPPER CASE + lower case + NUMBER + special character) then your login is safe

Implementing reCaptcha is their way of saying their system sucks so bad that they need to implement such a low level protection to keep bots away. A proper firewall would stop bots dead in their tracks. A lock out mechanism for wrong passwords would protect accounts. You're a billion ringgit bank for gods sake. Is this the best you can do?

they can siphon out money that wasnt there right?

like making me go into 1 million credit debt

4chan introduced capcha a few years ago, but CIMB doing it now? For what though? 4chan I understand to cut spam, but CIMB is bank login, if a bot tries different variations to log into a single account, transactions will be suspended, and you need to unblock the account for security reasons at branch or something kan?

So which stupid shit in CIMB decided to introduce capcha?

The comic makes the assumption that the hacker still tries to brute force via character / symbol though. What happens if this simple word password usage takes off, and the hacker switches to brute forcing via dictionary words?

You see, your PIN (Personal Identification Number) is YOUR personal identifier which even the banks are NOT supposed to know.

When you get your ATM card, you slot the card into the card reader and you set your temporary PIN which you are requested to change it again later at the ATM.
When you registered e-banking for the first time, you have to pay a visit to the bank, insert your card, validate the PIN and then a temporary PIN is issued for your usage.
When you do a VISA transaction using wave, you can just tap the card and get done with it, but if you want to use the PIN, you MUST insert the card into the terminal first, before entering the PIN.
As you can see, you can never eliminate the need to have your card physically before using your PIN. This is because, the PIN is stored in the card. When it is needed, the server sends an encrypted string to the machine, requesting the PIN to unlock the secure container. Once the PIN is entered, the validation happens on the machine level itself where it checks against the stored PIN on the card (of course, encrypted). When everything matches, the transaction details are carried with a verified payload back to the servers. This is how the process is supposed to work.



However, in the case of CIMB password reset, there is no physical card contact. We submit the PIN and suddenly the validation happens. This means that CIMB is storing our PIN numbers on their servers and this is something very seriously worrying.

I got a feeling they didn’t do this because they fear customer service will be smashed with calls/queries.
Looks like CTO’s or management decision.

since it's festive season la supposed to be lagi havoc.. GG cimb..

But over the weekend, seems like nothing happen..

Does CIMB finally rectifies the wrong-password-able-to-login thingy?

Does unauthorized payment still being made thru debit card/paypal?

Does the TAC thing still happening?

I don't really do FB, so sudah lamaaa tak log in FB..