[Owasp-Malaysia] How To Verify Call SMS From CimbClicks or Banks

Harisfazillah Jamel linuxmalaysia at gmail.com
Sun Jan 2 00:49:47 EST 2011


While I was logged in to CIMB Clicks, a notice popped up with the following content:

To provide the best service to all our CIMB Clicks customers, whilst
remaining ahead of the game, it’s imperative that we make CIMB Clicks
a safer internet banking alternative. We shall be introducing CIMB
Clicks Transaction Protection sometime in January 2011 to reduce the
risk of fraud through a non-invasive user experience.

As a user, based on the risk level, you may be asked for some
additional information before completing a transaction; either through
CIMB Clicks or by our Call Center agents with the purpose of ensuring
that you’re actually the person who’s conducting the transaction.
However if we find the risk level far too high, there will be cases
whereby your transaction gets rejected (currently this feature is only
applicable to Western Union transfers).

On the right are the scenarios that you may encounter whilst transacting :


My opinion: with this approach, it can still be manipulated.

1) SMS can be cloned, or customers do not know the real SMS numbers.

2) A call can be made from any phone number. How can we verify it is from CIMB?

How can we verify?

Google has a way of verifying by sending an SMS or voice call soon
after we click the verify button.

In the end, customers need to be informed and briefed.
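As an added example (not CIMB's or Google's code, and not part of the original post), the following Python sketches the user-initiated approach the post alludes to: a one-time code is issued only after the logged-in customer clicks "verify", it is derived from the payee and amount so a cloned or captured SMS cannot approve a different transfer, it expires quickly and is single use, and the SMS repeats the transaction details so the customer can check them. The class name, the server key, the two-minute window, the SMS wording and the injectable clock are all assumptions; the truncation step follows RFC 4226.

```python
import hashlib
import hmac
import secrets
import time

# Assumed validity window for an issued code (seconds). Short enough that a
# captured or cloned SMS is useless by the time an attacker can act on it.
TTL_SECONDS = 120


class TransactionOtp:
    """One-time codes bound to a transaction and to the user's own action.

    Added example, not CIMB's or Google's implementation. Three properties
    address the concerns raised in the post:
      * the code is only issued after the logged-in user presses 'verify',
        so an unexpected SMS or call is by definition not from the bank;
      * the code is derived from the payee and amount, so a code captured
        for one transfer cannot approve a different one;
      * the message repeats the transaction details, so the customer can
        check the SMS against what they are about to approve.
    """

    def __init__(self, server_key, now=time.time):
        self._key = server_key      # server-side HMAC key (assumed)
        self._now = now             # injectable clock, for testing
        self._pending = {}          # challenge_id -> (fingerprint, issued_at, used)

    @staticmethod
    def _fingerprint(user, payee, amount_cents):
        return "%s|%s|%d" % (user, payee, amount_cents)

    def _derive(self, challenge_id, fingerprint, issued_at):
        """HMAC over challenge + transaction, truncated to 6 digits as in RFC 4226."""
        msg = ("%s|%s|%d" % (challenge_id, fingerprint, issued_at)).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return "%06d" % (value % 1_000_000)

    def request_code(self, user, payee, amount_cents):
        """Called when the logged-in user clicks 'verify'.

        Returns (challenge_id, code, sms_text). In a real deployment the code
        goes only to the registered phone; the web session keeps the challenge_id.
        """
        challenge_id = secrets.token_hex(8)
        issued_at = int(self._now())
        fingerprint = self._fingerprint(user, payee, amount_cents)
        code = self._derive(challenge_id, fingerprint, issued_at)
        self._pending[challenge_id] = (fingerprint, issued_at, False)
        sms_text = (
            "Code %s approves a transfer of RM%.2f to %s. Valid for %d minutes. "
            "We will never ask you for this code by phone."
            % (code, amount_cents / 100, payee, TTL_SECONDS // 60)
        )
        return challenge_id, code, sms_text

    def verify(self, challenge_id, user, payee, amount_cents, submitted_code):
        """Accept the code once, within the window, for exactly these details."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False
        stored_fp, issued_at, used = entry
        if used or self._now() - issued_at > TTL_SECONDS:
            self._pending.pop(challenge_id, None)
            return False
        # Recompute from the details being approved *now*: if the payee or
        # amount was swapped after the SMS went out, the code will not match.
        expected = self._derive(
            challenge_id, self._fingerprint(user, payee, amount_cents), issued_at)
        if not hmac.compare_digest(expected.encode(), str(submitted_code).encode()):
            return False
        self._pending[challenge_id] = (stored_fp, issued_at, True)  # single use
        return True
```

The spoofed-call problem in the post is handled by policy rather than code: the bank's message states that no one will ask for the code by phone, and a code that arrives without the customer having clicked "verify" should be treated as an attack. The constant-time comparison and single-use marking stop guessing and replay of a code that was intercepted.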
