Saturday 27 Apr 2024

This article first appeared in The Edge Financial Daily on December 18, 2018

KUALA LUMPUR: CIMB Bank Bhd yesterday said the security of its online banking portal, CIMB Clicks, has been enhanced with the introduction of reCAPTCHA as part of its ongoing efforts to safeguard customers from any potential security threats.

“This is just a preventive measure to strengthen our online security. The introduction of reCAPTCHA is part of the bank’s ongoing efforts to increase the security of CIMB Clicks and safeguard our customers from any potential security threats. There is nothing to be worried about. We can assure you that CIMB Clicks and your banking transactions remain safe,” CIMB said in a statement yesterday.

But the abrupt introduction of the new security measure over the weekend has sparked a spate of speculation on social media that its online banking security had been breached.

A source close to the bank told The Edge Financial Daily that over 900 accounts of its customers were affected in a recent hacking incident. These involved customers with “very simple passwords”, who inadvertently disclosed to the hackers — who have been monitoring their online banking activities — their one-time-transaction passwords when contacted.

CIMB has refuted these allegations. “We would like to confirm that the news related to the online security of CIMB Clicks is untrue. Our platform remains safe and all customer transactions continue to be protected,” it stated in a frequently-asked-question (FAQ) fact sheet in response to questions from The Edge Financial Daily.

It also addressed the frustrations expressed by several CIMB Clicks users regarding unauthorised transactions on PayPal or debit cards, saying these are “separate from CIMB Clicks”, though it did not elaborate on the root cause of these issues. It only said the number of unauthorised transactions on its debit cards remained at “normal levels”. “Our continuous monitoring suggests that everything is as per normal levels. Customers who notice any irregularity in their statements should raise the matter through any of our official channels. If there is any irregularity for non-3D transactions, subject to a verification process the transaction amount will be credited back into the customer’s account within 14 days,” it said.

Meanwhile, CIMB explained that reCAPTCHA is a service from Google that helps protect websites from spam and abuse. Once a customer has validated it successfully, they can proceed to log in to CIMB Clicks. Apart from the reCAPTCHA, the bank also said it has ensured that its system is now able to accommodate passwords longer than eight characters and up to 20 characters. As to why CIMB Clicks users can still log in to their accounts despite adding a few invalid characters (more than eight characters) after their password, CIMB said this is because of the way the Clicks Password Rule is designed.

It explained that for passwords set before Nov 18, the password length must be eight characters and the system only looks at the exact number of characters of a password to validate login and ignores the rest. “For passwords set on/after Nov 18, 2018, the password length must be between eight and 20 characters. The system does not allow the customer to log in when they key in any additional characters,” CIMB said.

Apart from CIMB, there was speculation that the online security of a handful of accounts under Public Bank Bhd and Affin Bank Bhd has been compromised as well.

However, in an email response to The Edge Financial Daily, Public Bank managing director and chief executive officer Tan Sri Tay Ah Lek denied this. “No, it is not true. Our banking customers’ accounts are not affected at all. The processing of our customer transactions is intact. Our banking IT system is safeguarded with stringent security control measures and we are always vigilant in protecting our customers’ accounts,” he said.

Similarly, Affin Bank said none of its customers’ data have been exposed to hacking activities. “Cybersecurity protection is our utmost priority. Affin Bank systems remain secured and all customers’ transactions are protected with full end-to-end security defences in place, with round-the-clock security surveillance and preventions.

“The implementation of Fraud Management System is used to monitor high-risk transactions. Stronger two-factor authentication via AffinSecure is also another of our initiatives to ensure peace of mind for our customers in protecting their banking needs and interests, as well as to combat cybersecurity crimes,” it added.

CIMB’s share price fell by nine sen or 1.55% to RM5.71 yesterday, giving it a market capitalisation of RM54.61 billion. Public Bank’s share price declined 52 sen or 2.1% to RM24.22, valuing it at RM94.03 billion, while Affin’s closed unchanged at RM2.35, with a market cap of RM4.57 billion.
