Two-Factor Authentication

inSight

02 Jun 2005

Earlier this week the HKMA and the Hong Kong Association of Banks (HKAB) announced the introduction of two-factor authentication for high-risk retail Internet banking transactions.

Readers may have recently received letters from their banks inviting them to apply for two-factor authentication for conducting high-risk retail Internet banking transactions. The introduction of this security measure is an important milestone in Internet banking, and will, we hope, address the growing challenge of Internet banking fraud.

In June 2003 we received the first report of a fake bank website targeting members of the public in Hong Kong. This was followed shortly by reports about phishing emails, which contained embedded hyperlinks to connect bank customers to fake bank websites. These early cases were not difficult to deal with because the fake login webpage did not carry a security padlock or digital certificate. Our efforts therefore, and those of the banks, focused on educating customers to pay attention to these important security features.

Later on, new fraud techniques emerged. For example, it became possible to fake even the security padlock and digital certificate information on websites. There were also reports about Trojan software, which was planted surreptitiously in a victim's personal computer (PC) to capture his or her keystrokes and then transmit them covertly to the fraudster. So our education programme shifted to stressing the importance of installing anti-virus software and personal firewalls to protect bank customers' PCs against these attacks.

As the frauds became more sophisticated, we recognised that mere reliance on authentication of the login ID and password and consumer education were no longer sufficient. A general consensus was reached by the banking industry in June 2004 that two-factor authentication would be the appropriate solution. It was no easy task to find two-factor authentication methods that would be tamper-proof and fail-safe, given the ability of criminals to find ever new ways of exploiting the authentication system. Nevertheless, the banking industry in Hong Kong has identified three types of two-factor authentication solutions believed to be effective and simple to use. They are

  • non-duplicable digital certificate – an electronic identification certificate that helps establish a customer’s identity online and is stored in a secure device such as a Hong Kong Smart ID card or an electronic security key
  • token-based one-time password – a one-time password generated by a security device or token. Each password is used once and expires within a short period of time
  • SMS-based one-time password – a Short Message Service-based one-time password generated by the bank and sent to a customer’s mobile phone for additional identity authentication, for example to confirm a high-risk transaction.
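The second and third items above rely on two properties of a one-time password: it expires after a short period, and the bank accepts it only once. The following Python code is an added illustration, not taken from this article or from any Hong Kong bank's system; it implements the generic HMAC-based one-time password scheme (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238), which is assumed here as a representative token design rather than a description of the devices the banks issued. The seed, the timestamp and the one-step clock-skew allowance are constructed values for the demonstration.

```python
"""Token-style one-time password: generation, short expiry, single use.

Added example, not code from the HKMA/HKAB article. Implements the generic
HOTP/TOTP scheme (RFC 4226 / RFC 6238), assumed here as a representative
token design; it does not describe any particular bank's security device.
"""
import hashlib
import hmac
import struct

# Constructed sample seed shared between the customer's token and the bank.
# Real seeds are provisioned secretly, one per customer.
SAMPLE_SEED = b"constructed-demo-seed-0123"

STEP_SECONDS = 30   # each password is valid for one 30-second time step
DIGITS = 6          # length of the displayed password


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a fixed number of decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the epoch,
    so the password changes every `step` seconds."""
    return hotp(seed, now // step)


class OtpVerifier:
    """Bank-side check. A password is accepted only if it matches a counter
    inside a small window around the current time step, and a counter that
    has already been consumed is never accepted again (single use)."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.seed = seed
        self.step = step
        self.skew_steps = skew_steps          # tolerated token/server clock drift
        self.last_accepted_counter = -1       # highest counter already used

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed, or older than a consumed one: replay
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through accept, replay and expiry with a constructed clock."""
    verifier = OtpVerifier(SAMPLE_SEED)
    t0 = 1_117_670_400  # constructed timestamp, a multiple of STEP_SECONDS
    code = totp(SAMPLE_SEED, t0)
    first = verifier.verify(code, t0)                      # fresh code: accepted
    replay = verifier.verify(code, t0 + 5)                 # same code again: rejected
    t_late = t0 + 5 * STEP_SECONDS                         # several steps later
    expired = verifier.verify(code, t_late)                # old code: rejected
    later = verifier.verify(totp(SAMPLE_SEED, t_late), t_late)  # new code: accepted
    return {"first": first, "replay": replay, "expired": expired, "later": later}


if __name__ == "__main__":
    print(demo())
```

An SMS-based one-time password differs only in how the value reaches the customer: the bank generates a random code and sends it by SMS instead of the token computing it from a shared seed, but the server-side rule is the same, a short expiry and acceptance of each code exactly once. The verifier above also compares codes in constant time and advances `last_accepted_counter` so that a captured password cannot be reused within its validity window.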

More information on two-factor authentication may be found in a leaflet and on an interactive programme available at the websites of the HKMA (www.hkma.gov.hk) and HKAB (www.hkab.org.hk), and at the HKMA Information Centre, and from individual banks.

We understand that a number of bank regulators throughout the world are currently reviewing the implications of Internet banking frauds and consulting banks about the adoption of two-factor authentication for Internet banking. We are proud that Hong Kong is one of the first places to introduce this security feature. It should help ensure that Internet banking in our city can continue to be carried out in a safe and sound environment.

 

Joseph Yam

2 June 2005

Related Information:

Internet Banking: Two-factor Authentication

Last revision date : 02 June 2005