A series of security concerns about the CIMB Clicks platform went viral over the weekend, which has led to CIMB denying that its platform was compromised. But if you have a CIMB Clicks account, you should change your passwords immediately.
Sometime last weekend, CIMB implemented the reCAPTCHA anti-spam service on its CIMB Clicks portal, causing plenty of concern among users. reCAPTCHA is a Google service that protects websites from spam and abuse. It appears the bank was protecting itself from some sort of brute force attack, which may have been triggered by another feature the bank implemented recently.
Before this, CIMB Clicks required users to set a password of at most 8 characters – a legacy restriction that makes brute force attacks by hackers easy (some say it takes less than five minutes if the password is simple enough). The bank removed this limit two months ago, but the change somehow introduced further security vulnerabilities, such as being able to log in with the wrong password entered or with extra characters appended after the first 8 characters.
The reCAPTCHA implementation may have been a way to stop or delay the brute force attacks, but it appears some users have already had their accounts compromised. In response to queries from users, CIMB’s social media team encouraged users to change their passwords immediately. However, its statement to the media this morning was less urgent:
"CIMB Bank Berhad (“CIMB” or “the Bank”) would like to address recent social media news on the alleged insecurity of its online banking portal, CIMBClicks. Please take note that our CIMBClicks system remains secure and all customers' transactions continue to be protected.
The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its CIMBClicks transactions.
Apart from ensuring that the system is now able to accommodate passwords longer than eight characters and up to 20 characters, we have also added the reCaptcha security measure on CIMBClicks to ensure the user is not a bot."
This is in contrast to the FAQ it has published on CIMB Clicks, which was far more descriptive and attempts to assure customers that its platform is secure. (Update: CIMB has released an updated FAQ that expands the "Password Related" section to include the table above)
How to change your CIMB Clicks password?
Regardless of the media statement, if you haven’t already done so, you should change your CIMB Clicks password immediately. This is the most important step to safeguard your account. To do so, you’ll need to log in to your CIMB Clicks account via a desktop browser – the option does not appear on mobile browsers or in the app. Click on the Settings icon (the one that looks like a gear) at the bottom left corner, and you’ll find the option to change your password.
From there you’ll need to enter your current password as well as the new one, before receiving a TAC code to confirm the change. Note that the new password must be a minimum of 8 characters and contain a special character (such as "!", "?" etc.), at least one capital letter, and at least one number. Multiple users have confirmed that after this password change, they are no longer affected by the 8-character password issue.
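The "extra characters after the first 8" symptom described earlier, and the new-password rules listed above, are easier to reason about in code. The following is an added illustration, not CIMB's code: it assumes the legacy symptom is explained by the server comparing only the first eight characters (the article reports only the symptom, not the cause), and it uses PBKDF2 with a constructed salt purely as a stand-in for whatever password storage the bank actually uses.

```python
import hashlib
import hmac
import re

LEGACY_MAX_LEN = 8  # the old CIMB Clicks password limit described in the article


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the full password (constructed stand-in for real storage)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def legacy_verify(candidate: str, stored_hash: bytes, salt: bytes) -> bool:
    """Models the assumed legacy behaviour: only the first 8 characters are
    compared, so a login with extra characters appended to a correct 8-character
    password is accepted. (Assumed cause; the article only reports the symptom.)"""
    return hmac.compare_digest(hash_password(candidate[:LEGACY_MAX_LEN], salt), stored_hash)


def fixed_verify(candidate: str, stored_hash: bytes, salt: bytes) -> bool:
    """Hardened check: the whole submitted password is hashed and compared,
    so trailing characters make the login fail as it should."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


# The new-password rules the article lists: 8+ characters, a special
# character, at least one capital letter and at least one number.
POLICY = {
    "min_length": re.compile(r".{8,}"),
    "special": re.compile(r"[^A-Za-z0-9]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
}


def meets_policy(password: str) -> bool:
    """True only when every rule in POLICY is satisfied."""
    return all(rx.search(password) for rx in POLICY.values())


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    stored = hash_password("hunter22", salt)  # an old-style 8-character password
    print("legacy accepts 'hunter22extra':", legacy_verify("hunter22extra", stored, salt))
    print("fixed accepts 'hunter22extra': ", fixed_verify("hunter22extra", stored, salt))
    print("'Clicks!2019abc' meets policy:  ", meets_policy("Clicks!2019abc"))
```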
(Further reading: Amanz, Lowyat.NET, Soyacincau)