CIMB’s dark weekend

• Plagued on social media by allegations of multiple security issues over Dec 15/16
• Declares online system ‘remains secure and all customers' transactions continue to be protected’

THE news of potential security vulnerabilities in CIMB that were highlighted two weekends ago (Dec 15-16) were in fact several separate potential security issues highlighted on social media. This barrage was the probable catalyst for moderators of local online forum Lowyat.NET sending out a tweet on Dec 17  stating that "Serious security flaws in @CIMBMalaysia might have led to accounts being hacked" and requesting that the CIMB security team contact them for details.

The most prominent issues were reports of unauthorised payments to Paypal charged to their CIMB debit cards, with at least four examples highlighted in social media. Fortunately, the affected users received SMS's informing them of the transactions, but some could not block payments in time, resulting in losses of thousands of ringgit in some instances.

Until now, CIMB maintains that these unauthorised payments are unrelated to other issues identified over that weekend and despite the increased coverage, they say that "everything is as per normal levels".

CIMB were contacted by Digital News Asia but were unable to respond in time for this article.

Allegations, hypotheses and hackers looking for partners

The publicity of these apparent breaches led users on LowYat.net forum to speculate on why it may have happened. Some linked the attacks to the appearance of a new security feature on the CIMB Clicks website, with one user commenting “better change password or withdraw ur money just to be safe”(sic).

The suspicion was that the new reCAPTCHA authentication mechanism introduced to the CIMB Clicks website was somehow related to the illegitimate PayPal payments. According to LowYat.net, the introduction of the reCAPTCHA system had been preceded by the CIMB Clicks platform being "completely inaccessible" for most of Saturday, Dec 15, with no formal announcement beforehand of the changes to be made.

Further investigation by others uncovered unusual and unexpected behaviour in the CIMB Clicks log in page, where users were allowed to log in, despite entering incorrect passwords. In particular, passwords which were appended by extra random characters were allowed entry into the system (even though these longer passwords are technically incorrect).

This bizarre behaviour then led at least one website to identify it as a "buffer exploit" in the CIMB online banking website. The term refers to a genuine method to bypass security by feeding an input string which is longer than expected, and can allow an attacker unauthorised access.

News also broke out that a ZDNet reporter who covers security stories revealed earlier in the week that he had seen messages from an XMPP server asking, “Hacker looking for a cash-out partner to target CIMB Bank”.

It is understood that "cash-out" refers to the process of making unauthorised withdrawals from bank accounts whose security details have been compromised (e.g. debit cards whose numbers have been revealed), and it is not uncommon for attackers to ask for help from third-parties to do this.

Throughout that weekend however, there was no indication that CIMB had reacted to these allegations.

CIMB responds: “Please do not be worried”

After Lowyat.NET sent out their tweet reaching out to CIMB, the bank released a media statement highlighting that "CIMBClicks system remains secure and all customers' transactions continue to be protected", despite apparently being in direct contradiction with the reports of users who lost money in unauthorised payments to PayPal.

CIMB then released an FAQ related to these issues. The FAQ explained that the new reCAPTCHA security was indeed implemented by CIMB. "Please do not be worried," it read.

The FAQ also clarifies that the ability to log into the system despite adding extra characters to the password is "due the way the Clicks Password Rule is designed" (sic). However, passwords set after Nov 18 do not suffer from this behaviour.

It also explains that "Our system will only allow you to perform financial transactions with a valid TAC."

The earlier FAQ made no mention of the PayPal transactions. However, in the latest version, CIMB clarified that the unauthorised transactions in PayPal "are matters separate from CIMB Clicks" and that "many international websites such as Facebook or PayPal do not require an OTP". (It is unclear if there have been any unauthorised transactions involving Facebook.)

The FAQ also states that if there has been any irregularity for transactions that do not require an OTP, the transaction "will be credited back into the customer's account within 14 days".

The FAQ also maintains that there has not been an increase in unauthorised transactions on debit cards and that "everything is as per normal levels". The FAQ did not state how many unauthorised transactions constitute "normal levels", nor did it comment on requests made by possible attackers on the XMPP servers for "Bank Out" earlier in the week.