Unfortunately, might not.
If hacker already snapshot your account info especially credit card/debit card number.
They can link your card number to paypal and take money from there.

Read more especially screenshot from people @ https://www.soyacincau.com/2018/12/17/was-c...-clicks-hacked/

i had been hating cimb for a long time because they forced user to limit password for 8 chars..  After so many years since the existence of online banking, they made that changes only recently...

Read someone posted that those TAC protocols aren't that secure and easily bypassed.

damn... cant even transfer all my moolah to maybank now.... dont dare login cek my account now hahaha

paypal mana support TAC bang.

tak percaya?

give me your card number.

I can't remember if it even ask for the CVV digit.

but as already demonstrated by the criminals, CVV or not, ....

after verified you will have a higher spending limit. I still can use my card without verification in paypal.

the one that didn't support transaction validation (malaysians call it TAC via mobile number) is paypal.

even if CIMB is to be faulted for "releasing" card numbers to criminals, Paypal as platform provider is also guilty for not supporting mastercard and visa initiative to validate transactions.

this cannot happen if paypal implements support for transaction validation.
https://en.m.wikipedia.org/wiki/3-D_Secure

also like the guy above said, alipay also didnt ask for TAC. i bought alot of stuff from taobao never once ask for TAC.

this is just not some paypal or hack issue...its an internal security flaw.... In CIMB there is a 2nd page after entering your username, where you need to confirm a "secureword" before you can proceed to the password page. I entered my email id once by mistake and i got logged into some other guy's secureword page.. So i just closed the site.

So lets not just blame someone outside. the security systems were rotten to start with, even a small kid could hack into their websites

if i read correctly,

if password following the new format (have special characters and more or equal to 8 characters) then password will be as it is

else if old password format (8 characters), it will only take first 8 characters. any characters behind don't care..kena chopped

if got special characters and >= 8 characters, it will pass to server as it is
else it will chop off after 8 characters.

topkek betul. that's why your password + any characters behind still can pass

Or backend should reject passwords <8 with no special chars. Only except password length of 8 or more with special chars. They can force all users to change it and they can delete legacy code.

its not about conflict, it about the .substring(0, 8) part.

means if it doesn't satisfy the first condition, it will only take the first 8 characters of the password

e.g:

your password is 123456789
since it doesn't satisfy the first condition, it will take first 8 characters which is 12345678

logically, 123456789 is not the same as 12345678. even if you plainly compare it is not the same.
so those who want to attack the site, just need to guess for 8 characters which lessen the time to guess a correct password

what they should do (IMO) is just send the password to server as it is instead of plainly showing to the world the checking.

that's why I said direct your anger to the correct parties in this thread, not elsewhere.