While we initially suspected these three issues to be related to each other, we soon realized that this was not the case. The CIMB Clicks password issue, which we covered in depth here, should not have happened in the first place. Enforcing a mandatory password change to the updated password policies would have easily solved the problem. CIMB has yet to do that. If this whole incident were only about the weak CIMB Clicks password implementation, it would not have blown up to where it is now. The fact that people were losing money at the same time was what made customers sit up and take notice.
Nothing about this is ‘normal’
Fraudulent card transactions are always going to happen. There are a variety of reasons and means by which fraudsters and carders are able to acquire customers' card details. Sometimes, eCommerce sites involved in a data breach might leak this information. Sometimes users might be tricked into sharing their card details on phishing sites. And occasionally physical cards are stolen from their legitimate owners.
But the case to be made here is this: there are just too many fraudulent transactions happening over the last week, and almost all of them are tied to one particular card – the CIMB-issued Debit MasterCard. These debit cards are issued to all account holders, as they double as ATM cards. The modus operandi of the transactions is also very similar – overseas transactions via PayPal involving small amounts under RM100 per transaction. More often than not, these transactions happen quickly over a short period of time and often involve multiple transactions.
The above are a small collection of screenshots taken from the comments section of a single post on CIMB Malaysia’s Facebook page, highlighting users who are facing issues with unauthorized transactions on their CIMB Debit Card. Some of these customers have never even used their Debit Cards for online transactions. The victims are also scattered all over the country, ruling out the possibility that this affected only customers from a single branch.
The question that needs to be asked here is how so many CIMB Debit Card numbers fell into the wrong hands. Even if the transactions were done through PayPal, the fraudsters would still need complete card details, inclusive of card number, security code, expiry date, customer name as well as their billing address. This information is not available on CIMB Clicks, and as far as we know, even CIMB’s own credit card customers are not affected. It is limited exclusively to CIMB’s Debit MasterCard holders – a card that is automatically issued to each and every CIMB account holder as an ATM card. And while Credit Card fraud involves a credit line that the bank offers you, Debit Card fraud directly impacts the cold hard cash already in your account.
Wake up CIMB. The first step to overcoming a problem is to admit there is a problem.