Late on Sunday night, when we first published our news that CIMB might have a serious security issue, we decided to refrain from publishing any details on what we had discovered. There were three major issues that came to our attention that night, the CIMB Clicks password issue, the sudden implementation of the reCaptcha code, and finally the CIMB Debit Card fraudulent transaction issues.
While we initially suspected these three issue to be inter-related to each other, we soon came to the realization that it was not the case. The CIMB Clicks password issue, which we covered in depth here – should not have happened in the first place. Enforcing a mandatory password change to the updated password policies would have easily solved the problem. CIMB has yet to do that.
If this whole incident was only in relation to the weak CIMB Clicks password implementation, then it would not have blown up to where it is now. The fact that people were loosing money at the same time was what made customers sit up and take notice.
But as we have mentioned earlier, and quickly discovered on Sunday night, these two incidences were in no way related. And the CIMB Debit Card issue is the more serious of the two. At the end of the updated FAQ CIMB released on the 17th of December, they included a quick mention of the Debit Card/Paypal issue.
You would think that something this serious would deserve its own press release and investigation, but instead it was quietly added into a FAQ on their site. Even then, all they are saying is “Yes, these two issues are separate issues, but OTP on PayPal is not our problem, and that the fraudulent transactions are within ‘normal levels’ and affected customers should raise the matter through ‘official channels’ to get a refund.”
Nothing about this is ‘normal’
Fraudulent card transactions are always going to happen. There are a variety of reasons and means that fraudsters and carders are able to acquire card details of customers. Sometimes, eCommerce sites involved in a data breach might leak this information out. Sometimes users might be tricked into sharing their card details on phishing sites. And there is also even the occasional time when physical cards are stolen from legitimate owners.
But the case to be made here is this, there is just too many fraudulent transactions happening over the last week, and it is almost all tied down to one particular card – the CIMB issued Debit MasterCards. These debit cards are issues to all account holders as it doubles up as an ATM card. The modus-operandi of the transactions are also very similar – overseas transactions via Paypal involving small amounts under RM100 per trasaction. More often then not, these transactions happen quickly over a short period of time and often involve multiple transactions.
The above are a small collection of screenshots taken from the comments section of a single post on CIMB Malaysia’s Facebook page, highlighting users who are facing issue with unauthorized transactions with their CIMB Debit Card. Some of these customers have never even used their Debit Cards for online transactions. The victims are also scattered all over the country ruling out the possibility that this affected only customers from a single branch.
The question that needs to be asked here is how did so many CIMB Debit Card numbers fall into the wrong hands. Even if the transactions were done through PayPal, the fraudsters would still need complete card details, inclusive of card number, security code, expiry date, customer name as well as their billing address.
This information is not available on CIMB Clicks, and as far as we know, even CIMB’s own credit card customers are not affected. It is only exclusively limited to CIMB’s Debit MasterCard holders – a card that is automatically issued to each and every CIMB account holder as an ATM card. And while Credit Card fraud involves a credit line that the bank offers you, Debit Card fraud directly impacts the cold hard cash already in your account.
Wake up CIMB. The first step to overcoming a problem is to admit there is a problem.