diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
index 6b80029..c6103d1 100644
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -39,6 +39,9 @@ async function login(req, res) {
 }
 const userCheck = await authService.findUserByCustomerNo(customerNo);
+ if (!userCheck) {
+ return res.status(404).json({ error: 'customer not found' });
+ }
 if (loginType.toUpperCase() === 'IB') {
 // check DB locked flag
@@ -52,9 +55,13 @@ async function login(req, res) {
 }
 // --- Step 2: Check migration status
- const isMigratedUser = await authService.isMigratedUser(customerNo);
- if (isMigratedUser)
+ const migratedPassword = `${userCheck.customer_no}@KCCB`;
+ const isMigratedUser = userCheck.password === migratedPassword;
+ if (isMigratedUser) {
+ if (password !== migratedPassword)
+ return res.status(401).json({ error: 'Invalid credentials.' });
 return res.status(401).json({ error: 'MIGRATED_USER_HAS_NO_PASSWORD' });
+ }
 // --- Step 3: Validate credentials ---
 const user = await authService.validateUser(customerNo, password);
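Review bot: The new `!userCheck` branch answers 404 with `customer not found`, while the credential failure in the later hunk answers 401 with `Invalid credentials.`, so the login endpoint now tells an unauthenticated caller which customer numbers exist. The null guard is needed, since `userCheck.customer_no` is dereferenced further down, but it can return the same response as a failed password check: `return res.status(401).json({ error: 'Invalid credentials.' });`. Any rate limiting that would bound enumeration is not visible in this hunk. The body of `login` starts and ends outside the hunk.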
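Review bot: The migration check compares `userCheck.password` to `${userCheck.customer_no}@KCCB`, a value anyone who knows the customer number can derive, and the equality test only works if that column holds the sentinel in plaintext for these accounts. Matching it is therefore not evidence of identity. The `MIGRATED_USER_HAS_NO_PASSWORD` response should not unlock a password-set flow without an independent factor; that flow is outside this hunk. Guesses rejected by `password !== migratedPassword` also return before `authService.validateUser`, so any failure counting done there would presumably be skipped. I would store migration state as a dedicated flag on the user record rather than a magic password, and until then add above the comparison `// NOTE: sentinel is derivable from customer_no; matching it is not authentication`. The inner `if` should also get braces to match the surrounding block.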