Malaysian bank CIMB denies security breach after customers say accounts compromised

In a statement, CIMB assured its customers that its website remains secure and all transactions are protected. PHOTO: ST FILE

KUALA LUMPUR - Malaysia's second largest bank CIMB on Monday (Dec 17) denied that it suffered a security breach after several customers complained on social media over the weekend that their accounts had been hacked.

In a statement, the bank assured its customers that the site remains secure and all transactions are protected.

"The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its (online portal) CIMB Clicks transactions.

"Apart from ensuring that the system is now able to accommodate passwords longer than eight characters and up to 20 characters, we have also added the reCaptcha security measure on CIMB Clicks to ensure the user is not a bot," it said on Monday.

The statement came hours after Mr Vijandren Ramadass, the founder of tech portal Lowyat.net, made a posting about the alleged breach on Sunday.

"Something strange is happening with CIMB Clicks, and judging by their rather abrupt implementation of a reCaptcha code on their login page today, there are reasons to be concerned," he said.

Google reCaptcha is a free service from Google that helps protect websites from spam and abuse. It also acts as a tool to tell humans and bots apart.

"We are not publishing details for now, as it might lead to more abuse. We recommend changing your password to something complex using an online password generator until this massive security flaw is patched," Mr Vijandren added.

Some of the bank's customers have alleged that their debit cards were charged to PayPal though they have never subscribed to the latter's services.

A Facebook user by the name of Anastasia Rubina Rubin made a public posting at 2.20pm on Sunday about how her bank account was hacked.

"My CIMB bank account (has) been unknowingly hacked and I lost RM1,723.18 (S$565) with nine transactions from PayPal," she wrote, adding that it all happened in just one hour and that she has never had any PayPal account.

Her post was shared at least 239 times.

Another bank customer, Mr Qazreen Qazz, advised the public to immediately block their debit cards or contact PayPal should an unauthorised transaction take place.

"Before this, I only saw other people (become) victims to such fraud. Well now, it happened to me... RM4,000 lost just like that... Please be careful with online transactions, if possible, don't use it. Call the bank immediately if you've been hit," he said, adding that there were 28 unauthorised transactions made via his debit card to PayPal.

Some Facebook users noted that the breach could be due to a "buffer overflow" attack.

CIMB is Asean's fifth largest bank with branches in Singapore, Thailand and Indonesia.

At press time, no statement had been issued by the authorities except CIMB.

Join ST's Telegram channel and get the latest breaking news delivered to you.