Yup. Also, CIMB limiting their password to only 8 characters, it's plain dumb.

Other countries already using 2FA for banking transaction, but Malaysian banks still use Mobile Number authentication. Just a ticking timebomb considering how easy it is to hijack a number..

Instead of recaptcha, they should follow what UK banks doing. 2FA. But problem is that could be too complicated for users to set up the first time. Recaptcha is to identify bots. What about real humans? I don't think recaptcha is relevant for a banking website.

I'm using HSBC UK's 2FA. Really powerful. But is a pain to set up for the first time.

This post has been edited by jimmyktp: Dec 16 2018, 11:00 PM

Thanks for the info! I got frustrated because of this. Gonna change my password now..

It is super easy.

Coupled with installing Cerberus app on an unsuspecting phone, I can even read or send sms from my computer/phone

Note: Cerberus is a legitimate app but could be easily misused.



Let's take this as a scenario:

1. You went overseas for holiday bringing your phone with you. Someone knew you are not in the country.

2. Scammer goes to police station and make a report saying lost IC (pretending as you).

3. Using the police report, goes to make a temporary IC.

4. Using temp IC and police report, makes a report with telco to get them reissued a replacement sim card.

5. You realised your phone cannot use while you were in overseas. You didn't bother because you think you will sort it out when u come home.

6. Scammer can get banks to reissue a new CC, or if they already have your username and password, you GG because now any new sms from banks to you will be sent to the replacement sim card which is being held by the scammer.

7. See how powerful if someone gets your Phone Number?? A chain is only as strong as the weakest link. The phone number is the weakest link!

*Happened to my friend's dad* A big foreign bank in Malaysia who is famous with issuing CCs wanted to sue my friend's dad* The suit was thrown out eventually.

This post has been edited by jimmyktp: Dec 16 2018, 11:15 PM

Lack of resources, too expensive and not enough professional IT security experts could be the limiting factors.

Also, too high-end security features, Malaysians might not know how to appreciate. LOL.

I'm not sure with this, perhaps there could be other ways to bypass this. Perhaps a replacement credit card sent straight to the home address? It is easy getting CC replaced without going to the bank.

Nowadays you don't need to go to banks to get things done.

Now they force you to add in special character in their password. Lagi menyusahkan.

Really half pass six implementations. Instead of making life hard for 1 time, they make life hard everytime someone login!

Their app and website really lack user-friendliness. I remember I send in CC enquiry via their website compose message box, the stupid bank officer have the cheek to ask for a reply reason. Problem is, there isn't a reply button! KNS.. I had to compose a new message again.

This post has been edited by jimmyktp: Dec 16 2018, 11:34 PM

That one I not sure, but it happened in 2005. Last time you need to hold your temporary paper IC for a month and wait for your MyKad. Now you can get it on the day itself.

But what I wanted to stress here is, Phone Number is not a secure method especially for banks.

This post has been edited by jimmyktp: Dec 16 2018, 11:37 PM

If you not at home then GG lah.. If the postman/courier man hardworking, they will take it back. If not, they just drop into your house letterbox, even easier for the scammer to climb over your fence and collect the letter for u.. HAHA

if Bank come and chase you for a Rm70k debt, your mind already can't think straight. Coupled with the hassle of runaround, having to take leave off work, shit credit profile. All these just because of phone number authentication.

Haha, more complex than MFA. It's already 2018. Gone are the days of complex passwords. Besides, the website doesn't support Google Password which makes your life even harder. online banking should make life easier, not harder

Wow.

The method I explained was the modus operandi in 2004. Seems like the loophole is even easier now. Seriously, I started despising sms based authentication in 2015 when I arrived in UK to realise banks such as HSBC uses 2FA + Secureword. Just wow. Setting up initially is a pain and confusion, but once you done first time set up, everything is secured and easy. Consumers have to be smart. Say no to SMS authentication especially when it comes to banking..

That is a fucking idiot move. I was complaining about this in earlier post. I didn't even know they SECRETLY allowed more than 8 characters now. But they forcing you to put special character now! Makes life even harder logging in from phone

This post has been edited by jimmyktp: Dec 17 2018, 01:36 AM

Rookie web and app developer.

Don't bother following America. Their security are shit anyways. Look at their card payments fraud. Still using magnetic lol

SMS TAC is not secure and can be exploited

Eh, sure or not.. don't think it is that weak... I tried on my acc, doesn't work.

Haha, this time they will charge u RM16 as annual fee.. or maybe RM32. Fido keys are too expensive for implementation unless users buy themselves. But Banks cannot discriminate..