CIMB denies security breach after clients complain of hacking

In a statement, CIMB assured its customers that its website remains secure and all transactions are protected.

Malaysia's second-largest bank CIMB yesterday denied that it suffered a security breach after several customers complained on social media at the weekend that their accounts had been hacked.

In a statement, the bank assured its customers that the site remains secure, and that all transactions are protected.

"The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its CIMB Clicks (online portal) transactions.

"Apart from ensuring that the system is now able to accommodate passwords longer than eight characters and up to 20 characters, we have also added the reCaptcha security measure on CIMB Clicks to ensure the user is not a bot," it said yesterday.

The statement came after Mr Vijandren Ramadass, founder of tech portal Lowyat.net, posted about the alleged breach on Sunday.

"Something strange is happening with CIMB Clicks, and judging by their rather abrupt implementation of a reCaptcha code on their login page today, there are reasons to be concerned," he said.

Google reCaptcha is a free service from Google that helps protect websites from spam and abuse. It also acts as a tool to tell humans and bots apart.

"We are not publishing details for now as it might lead to more abuse. We recommend changing your password to something complex using an online password generator until this massive security flaw is patched," Mr Vijandren added.

Some of the bank's customers have alleged that their debit cards were charged to PayPal though they have never subscribed to the latter's services.

A Facebook user by the name of Anastasia Rubina Rubin made a public posting at 2.20pm on Sunday about how her bank account was hacked.

"My CIMB bank account (has) been unknowingly hacked, and I lost RM1,723.18 (S$567) with nine transactions from PayPal," she wrote, adding that it all happened in just one hour and that she has never had any PayPal account. Her post was shared at least 239 times.

Another customer, Mr Qazreen Qazz, advised the public to immediately block their debit cards or contact PayPal should an unauthorised transaction take place.

"Before this, I only saw other people (become) victims to such fraud. Well now, it happened to me... RM4,000 lost just like that... Please be careful with online transactions... Call the bank immediately if you have been hit," he said, adding that there were 28 unauthorised transactions made via his debit card to PayPal.

CIMB is Asean's fifth-largest bank with branches in Singapore, Thailand and Indonesia. At press time, no statement had been issued by the regulatory authorities in Malaysia on the matter.

A version of this article appeared in the print edition of The Straits Times on December 18, 2018, with the headline 'CIMB denies security breach after clients complain of hacking'.