CIMB Clicks Reportedly Suffers Data Breach
CIMB’s online banking system may have suffered a severe data breach over the weekend. The CIMB Clicks mobile app implemented a reCAPTCHA system without warning on Sunday 16 December 2018, prompting concerned parties to investigate what was going on.
Consumer technology site Lowyat.NET then reported that CIMB Clicks was experiencing technical issues, and that users should be prepared to change their passwords as a security precaution. Later, a video appeared on demonstrating the vulnerability. Essentially, there seems to be an error that allows malicious hackers to gain access to CIMB customer accounts.
Multiple users on social media have been reporting money from their CIMB accounts being moved out through PayPal. However, the extent of the issue is unknown.
As it stands, the reCAPTCHA verification was implemented to prevent brute-force attacks, which is believed to be a mitigation effort from the bank.
Another consumer technology site, Soyacincau, also noted that there is an account on the Dark Web already soliciting CIMB account information. It’s unknown if this has anything to do with the breach, and it is impossible to tell without gaining access to the data.
CIMB issued a statement saying that the new reCAPTCHA system was meant to increase security, and that all user accounts are still secure.
“The bank would like to inform that it had, over the weekend, introduced a few additional measures to enhance the security of its CIMBClicks transactions.
“Apart from ensuring that the system is now able to accommodate passwords longer than eight characters and up to 20 characters, we have also added the reCaptcha security measure on CIMBClicks to ensure the user is not a bot.”