Thursday, December 20, 2018

Problem with CIMB, but NO admission of it



Based on the news published on the Lowyat forum, CIMB might have a serious security issue. There were three major issues: the CIMB Clicks password issue, the sudden implementation of the reCaptcha code, and finally the CIMB Debit Card fraudulent transaction issue.

The CIMB Clicks password issue, which is covered in depth here, should not have happened in the first place. Enforcing a mandatory password change under the updated password policy would have easily solved the problem. CIMB has yet to do that.

If this whole incident had only been about the weak CIMB Clicks password implementation, then it would not have blown up to where it is now. The fact that people were losing money at the same time was what made customers sit up and take notice.

And the CIMB Debit Card issue is the more serious of the two. At the end of the updated FAQ CIMB released on the 17th of December, they included a quick mention of the Debit Card/PayPal issue.


You would think that something this serious would deserve its own press release and investigation, but instead it was quietly added to an FAQ on their site. Even then, all they are saying is “Yes, these two issues are separate issues, but OTP on PayPal is not the problem, the fraudulent transactions are within ‘normal levels’, and affected customers should raise the matter through ‘official channels’ to get a refund.”

Nothing about this is ‘normal’

Fraudulent card transactions are always going to happen. There are a variety of reasons and means that fraudsters and carders are able to acquire card details of customers. Sometimes, eCommerce sites involved in a data breach might leak this information out. Sometimes users might be tricked into sharing their card details on phishing sites. And there is also even the occasional time when physical cards are stolen from legitimate owners.

But the case to be made here is this: there are just too many fraudulent transactions happening over the last week, and almost all of them are tied to one particular card, the CIMB-issued Debit MasterCard. These debit cards are issued to all account holders because they double up as an ATM card. The modus operandi of the transactions is also very similar: overseas transactions via PayPal involving small amounts under RM100 per transaction. More often than not, these transactions happen quickly over a short period of time and often involve multiple transactions.
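The transaction pattern described above (small overseas PayPal charges under RM100, several in quick succession on one debit card) is the kind of thing a bank's fraud team can catch with a simple velocity rule. The block below is an added example, not code from the original post or from CIMB; the sample transactions, the 10-minute window and the three-hit threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): card, timestamp, merchant, merchant country, amount in RM.
SAMPLE_TXNS = [
    ("card-A", "2018-12-15 02:01:10", "PAYPAL *SHOP1", "US", 49.90),
    ("card-A", "2018-12-15 02:03:42", "PAYPAL *SHOP2", "US", 75.00),
    ("card-A", "2018-12-15 02:06:05", "PAYPAL *SHOP3", "GB", 30.50),
    ("card-B", "2018-12-15 09:30:00", "TESCO KL", "MY", 120.00),
    ("card-B", "2018-12-15 18:45:00", "PAYPAL *BOOKS", "US", 60.00),
    ("card-C", "2018-12-15 11:00:00", "PAYPAL *X", "US", 20.00),
    ("card-C", "2018-12-15 16:00:00", "PAYPAL *Y", "US", 20.00),
    ("card-C", "2018-12-15 21:00:00", "PAYPAL *Z", "US", 20.00),
]

HOME_COUNTRY = "MY"
AMOUNT_LIMIT = 100.0             # "small amounts under RM100", as the post describes
WINDOW = timedelta(minutes=10)   # assumed burst window
MIN_HITS = 3                     # assumed number of matching charges to raise an alert


def is_suspicious(merchant, country, amount):
    """True for an overseas PayPal charge below the amount limit."""
    return (merchant.upper().startswith("PAYPAL")
            and country != HOME_COUNTRY
            and amount < AMOUNT_LIMIT)


def flag_burst_cards(txns, window=WINDOW, min_hits=MIN_HITS):
    """Return {card: [timestamps]} for cards with >= min_hits suspicious charges inside one window."""
    by_card = defaultdict(list)
    for card, ts, merchant, country, amount in txns:
        if is_suspicious(merchant, country, amount):
            by_card[card].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for card, times in by_card.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[card] = times[start:end + 1]
                break
    return flagged


if __name__ == "__main__":
    for card, times in flag_burst_cards(SAMPLE_TXNS).items():
        print(card, [t.strftime("%H:%M:%S") for t in times])
```

Only card-A is flagged: card-C has three matching charges but spread over hours, and card-B's single PayPal charge is not a burst. A rule like this is for triage, since a genuine run of small overseas purchases would trigger it too.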




These are a small collection (sample) of screenshots taken from the comments section of a single post on the CIMB Malaysia FB page. Click [here] for the original post with more screenshots, or go to CIMB Malaysia’s Facebook page to view more.

All these users are facing the same issue of unauthorized transactions on their CIMB Debit Card. Some of these customers have never even used their Debit Cards for online transactions. The victims are also scattered all over the country, ruling out the possibility that this affected only customers from a single branch.

The question that needs to be asked here is how did so many CIMB Debit Card numbers fall into the wrong hands. Even if the transactions were done through PayPal, the fraudsters would still need complete card details, inclusive of card number, security code, expiry date, customer name as well as their billing address on PayPal.

Since no police report is needed for a normal credit card fraud case, of course there is no report of money lost! And the transactions need to go through PayPal, so there is another stage of "protection" (where PayPal holds the money before anyone can withdraw it).

This information is not available on CIMB Clicks, and as far as we know, even CIMB’s own credit card customers are not affected. It is exclusively limited to CIMB’s Debit MasterCard holders, a card that is automatically issued to each and every CIMB account holder as an ATM card. And while credit card fraud involves a credit line that the bank offers you, debit card fraud directly impacts the cold hard cash already in your account.

But still CIMB will not admit there is a problem on their side.

A Chinese version can be viewed via this [ link ]
