For purposes of clarity: this article discusses the issue of the CIMB Clicks password and login system exclusively. The separate issue of problems with CIMB debit transactions is indeed concerning and should be investigated by CIMB.

As of yesterday, there have been numerous reports claiming that CIMB Clicks was hacked and customers’ accounts were compromised. The explanations offered ranged from a “secret exploit” to a “buffer overflow”. To clear things up (short version): there was no compromise of CIMB Clicks yesterday, today, or at any point so far. So what led the public and other media outlets to believe that such a security breach had happened?

One prominent term that has been used wrongly by both the public and the media is “buffer overflow”, which is simply not what happened. What they were actually describing is the behaviour of the CIMB Clicks login accepting a string in which the user’s real password is followed by extra characters, i.e. the real password “mixed in” with junk in a single string still logs you in.

CIMB has recently implemented a password policy change. Let’s look at the difference:

As we can see here, old-policy passwords did not support or contain special characters. Alongside the new password policy, CIMB Clicks added a password validation step on the client side. Pay attention to the lines of code highlighted in the green box below. For those playing along, the script is served at https://www.cimbclicks.com.my/clicks/js/dist/rccp.compressed.min.js
Archived version here: http://archive.fo/p02I0

As we can see here, what the client-side code does is determine whether the password you typed is an old-policy or a new-policy password. If it is judged to be an old-policy password, it is truncated to its first 8 characters before being submitted. The test it uses is whether the password contains a special character: old-policy passwords never had any, so a password without one is treated as old-policy and cut to 8 characters, while a password with one is sent as typed.
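As an added illustration (written for this article, not taken from rccp.compressed.min.js or any other CIMB code), the following JavaScript models the client-side behaviour just described and shows why appending characters to a correct old-policy password still produces a match. The exact character set the real script treats as “special” is not stated above, so the model assumes anything outside ASCII letters and digits; the sample values are constructed and are not real credentials.

```javascript
// Model of the client-side normalisation described in the article.
// NOT the code from rccp.compressed.min.js; written for illustration only.
// Assumption: a "special character" is anything that is not an ASCII
// letter or digit (the article does not define the exact set used).
const OLD_POLICY_MAX_LEN = 8;

function hasSpecialChar(password) {
  return /[^A-Za-z0-9]/.test(password);
}

// Old-policy password (no special characters): keep only the first 8
// characters before submission. New-policy password: submitted as typed.
function normalisePassword(password) {
  if (hasSpecialChar(password)) {
    return password;
  }
  return password.slice(0, OLD_POLICY_MAX_LEN);
}

// Does the string the user typed reach the server as the same value as
// the real password? This is what made "extra characters still log in"
// look like an exploit to observers.
function loginStringMatches(realPassword, typed) {
  return normalisePassword(realPassword) === normalisePassword(typed);
}

// Number of characters that actually get checked for a given password.
function effectiveLength(password) {
  return normalisePassword(password).length;
}

// Constructed sample values (not real credentials).
const demo = [
  ["Password1234", "Password1234XYZ"],   // old-policy: both collapse to "Password"
  ["Password1234", "Passwor"],           // too short: does not match
  ["P@ssword1234", "P@ssword1234XYZ"],   // new-policy: special char, no truncation
];

for (const [real, typed] of demo) {
  console.log(
    JSON.stringify(typed), "->", JSON.stringify(normalisePassword(typed)),
    "| effective length:", effectiveLength(real),
    "| matches:", loginStringMatches(real, typed)
  );
}
```

Run it with `node` to see that “Password1234XYZ” is sent as “Password” and therefore matches an account whose old-policy password was “Password1234”, while the same trick against a new-policy password containing “@” fails because nothing is truncated.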

One plausible explanation for doing it this way is to reduce processing load on their servers by offloading this validation and truncation to the client. It does not mean the login system was breached: an attacker still has to supply the correct password, or at least its correct first 8 characters. It does mean, however, that for accounts still on an old-policy password only those 8 characters count, so any characters beyond them add no protection, and appending characters to a correct password still logs you in, which is exactly the behaviour people were reporting.

So here, we can conclude that this is far from any definition of a “buffer overflow”. A buffer overflow is a memory-safety bug in which a program writes more data into a fixed-size buffer than it can hold, spilling into adjacent memory; attackers exploit this to corrupt data or hijack the program’s control flow. A client-side string truncation involves nothing of the sort. One can study how buffer overflows actually work in more depth with the help of this video:

It is safe to say that, login-wise, CIMB Clicks was never compromised. No, it is not a “buffer overflow” or a “secret exploit”. With reCAPTCHA added to the login process together with the new password policy, the login system is now more resistant to attacks such as online brute force, since automated guessing is slowed down (though reCAPTCHA does not add back the characters that truncation discards from old-policy passwords).

What CIMB should probably have done is add one more password policy rule: do not accept a new password that contains your old password within it. Requiring everyone to change their password would be a good idea too.

Trying to see CIMB’s perspective, the reason they did not enforce a mandatory password change might be that this was only a routine upgrade to increase security. If they were responding to a password leak, then a mandatory password change would make more sense.

Remember, always verify the address you are on and make sure the site’s TLS (SSL) certificate is valid! Never share your TAC number with anyone, including CIMB, CIMB staff members, or callers! CIMB will never ask for your TAC number or account password over the phone, SMS or WhatsApp.