CIMB ‘kena hacked’: CIMB says it’s normal to login with extra characters added to password

After CIMB had issued a statement assuring that CIMB Clicks and other systems are secure, the bank has just released an FAQ to address the additional security concerns. This morning, they had confirmed that reCAPTCHA was added as an additional measure to enhance security. 

Yesterday evening, there were a number of social media postings that claimed that CIMB Clicks had allowed access for “wrong” passwords. The reality is that access was only granted when a correct password was used for the first 8 characters followed by any additional characters. (E.g. If the password was abcd1234, you can access with abcd12345678.)   

In the FAQ, CIMB has clarified that this is completely normal and it is due to the way the Clicks Password Rule was designed. According to CIMB, this only affects passwords set before 18th November 2018. If you’ve changed your password recently, you can’t login with additional characters added to the actual password. Below is the FAQ on the password issue. 

CIMB had also mentioned that any news related to online security of CIMB Clicks is untrue and they insisted that their platform remains safe and all transactions are protected. According to CIMB, they have an IT security team that monitors any suspicious activities on CIMB Clicks. For customers that suspected their account has been compromised, they are urged to call their contact centre at 03-6204 7788 or by email at cru@cimb.com.

CIMB has not responded to our queries on unauthorised debit card transactions and this tweet by ZDNet’s security reporter. You can read the full FAQ here.