CIMB Bank Bhd has debunked rumours that there is a security flaw in its online banking portal related to the password input.
"We would like to confirm that the news related to the online security of CIMB Clicks is untrue. Our platform remains safe and all customer transactions continue to be protected," CIMB said in a reply to The Star.
This is in response to social media posts claiming that users were able to login to their CIMB Clicks account despite adding a few invalid characters beyond the correct first eight characters of their password.
"You (users) are experiencing this due to the way the Clicks Password Rule is designed. We can assure you that CIMB Clicks and your banking transactions remain safe," it says, adding that the system only looks at the exact number of characters of the password to validate login and ignores the rest.
The bank elaborates that for passwords set before Nov 18, the password length must be exactly eight characters with no requirements on special characters.
This means the Clicks Password Rule only allows users to login if their eight-character password is correct, and ignores any additional characters typed beyond the correct eight.
CIMB encouraged users to change their passwords to avoid any concerns regarding login.
It explained that passwords set on or after Nov 18 must be between eight to 20 characters and utilise a combination of letters, numbers, and special characters. The system will not allow the customer to login when they key in any additional characters.
A test by The Star confirmed that changing passwords stops users from logging in unless they key in the exact password.
To change passwords, users can login and go to their account settings.
They will be required to enter their old password and a unique six-digit TAC (Transaction Authorisation Code) that is sent to their phone, in order to change the password.
A cybersecurity trainer, who chose to remain anonymous, raised concerns that a Password Rule should only accept the exact number of characters and that allowing users to login with additional characters pointed to a data input validation issue.
They added that such an issue could expose users to risks, while in terms of the general public, they might be exposed to threats due to lack of password hygiene awareness.
However, cybersecurity company LGMS director Fong Choong Fook says the extra characters allowance is a feature not a bug, and has been used by other banks before.
"It can be used under duress. Say someone is watching you while you key in your password, you can key in long strings of text and still be able to login," he says, pointing out that the user still needs a valid password to login.
He cautioned netizens not to be misled by viral news, and to always get feedback from official sources.
Over the weekend, purported issues with CIMB's online banking portal went viral after social media users claimed that funds from their online banking accounts had been transferred out to online payment site PayPal.
Users had also alleged that their passwords were vulnerable to hacking.
On the same weekend, CIMB introduced additional measures to enhance the security of its CIMB Clicks transactions including accommodating passwords longer than eight characters and up to 20 characters, and adding the reCaptcha security measure to ensure the user is not a bot.
Did you find this article insightful?