Contact Us
Search Print
Font Size
A A A
FacebookInstagramLinkedinWechatXYoutube
Select Category
Show All Options
Modification Time
Done
Done
Done
a
Done
News and Media
Press ReleasesR & M ColumnVideos
SpeechesForthcoming Events
inSightPhoto Gallery
Smart Consumers
Overview
e-Banking
Personal Digital KeysInternet BankingATMs
Payment and Transfer
Faster Payment System (FPS)e-Payment and Transfere-Wallets and Prepaid CardsCredit Cards
Loans
Personal CreditMortgagesPremium Financing
General Banking Services
Account Opening and MaintenanceAutopay ServicesInvestment ServicesDeposits
Beware of Fraudsters!
Don't Lend/Sell Your Account
Notes and Coins
2018 Series Hong Kong BanknotesCoin Cart Schedule
Retirement Planning
Practical Information
Barrier-free Bank Branches and ATMsHotlines of Banks & Stored Value Facility LicenseesComplaintsRegisters and ListsPublic Education VideosPublic Education EventsFAQs
Information in Other Languages
Data, Publications and Research
Data & Statistics
Daily Monetary StatisticsMonthly Statistical BulletinEconomic & Financial Data for Hong KongCMU Bond Price Bulletin
Legislative Council Issues
Publications
Annual ReportSustainability ReportHalf-Yearly Monetary & Financial Stability ReportQuarterly Bulletin
Guide to Hong Kong Monetary, Banking and Financial Terms
Research
Research MemorandumsExternal PublicationsHong Kong Institute for Monetary and Financial ResearchOther Research Papers
HKMA's Open Application Programming Interface (API)
Regulatory Resources
Registers and Lists
Register of AIs & LROsRegister of Securities Staff of AIsRegister of SVF LicenseesList of AI-related Trustees
Authorization, Licensing, Designation and Approval
Regulatory Guides
By Subject (Current)Supervisory Policy ManualGuidelinesCircularsGuide to AuthorizationCode of PracticeExplanatory NotePractice NoteAdditional Guidance
Consultations
OpenClosed
Key Functions
Money
Linked Exchange Rate SystemLiquidity FacilitiesHong Kong Currency
Reserves Management
HistoryExchange Fund's Statutory Purposes and Investment ObjectivesInvestment ManagementInvestment PerformanceRisk ManagementResponsible InvestmentExchange Fund Statistics and Publications
Banking
Banking Regulatory and Supervisory RegimeBanking Legislation, Policies and Standards ImplementationBanking Conduct and EnforcementAnti-Money Laundering and Counter-Financing of TerrorismResolution RegimeSmart BankingRegulatory GuidesRegtech Knowledge HubHKMA – BIS Joint ConferenceGreen and Sustainable Banking ConferenceGreen Fintech Competition
International Financial Centre
Hong Kong as an International Financial CentreFintechBond Market DevelopmentFinancial Market InfrastructureStored Value Facilities and Retail Payment SystemsStablecoin IssuersSoft InfrastructureInternational & Regional Financial Co-operationCentre for Green and Sustainable FinanceHKMA Infrastructure Financing Facilitation OfficeCross-boundary Wealth Management Connect Scheme in the Guangdong-Hong Kong-Macao Greater Bay AreaGlobal Financial Leaders' Investment SummitHKMA – BIS High-Level ConferenceHong Kong Green Week – Finance Stream
About Us
The HKMA
Governance StructureAdvisory CommitteesThe Chief Executive's CommitteeOrganisation ChartInternal AuditSustainable HKMA
Tender Invitations
The HKMA Information Centre
Exhibition AreaLibraryGeneral InformationGuided ToursSouvenirs
Related Organisations and Links
HKMA-related Organisations and LinksHKSAR Government & Related OrganisationsCentral BanksMultilateral OrganisationsOthers
Join Us
Why the HKMA?What We Do?Current VacanciesOpportunities for Students and Graduates to Join the HKMA
News and Media
Smart Consumers
Data, Publications and Research
Regulatory Resources
Key Functions
About Us

Are Cookies Bad for You

inSight

15 Oct 2010

Are Cookies Bad for You

Have you ever noticed that when you re-visit certain websites which you have browsed before, the website "remembers" you and shows you the web pages in the same setting (e.g. language, font size, audio volume level) as your last visit to enable you to browse the website more efficiently? This is likely due to the use of "cookies". Cookie is a technical jargon for a file containing certain data stored in a user's computer by a website. The web server sends a cookie to the user's web browser which in turn stores the cookie at the user's computer. The web browser then returns the cookie to the server the next time the user visits the same website. In other words, cookies allow a website to store information on a user's computer and later retrieve it. With the use of cookies, a website knows, for example, whether a user is new to the website or an existing user.

Although cookies provide capabilities that make the internet much easier to navigate and provide a better user experience, some people have indicated concerns that the information collected using cookies might give rise to data privacy issues. We believe that if used properly, cookies can be helpful in providing convenience and better user experience to internet users.

We have reviewed the retail banks' internet banking services and found no cause for concern about their use of cookies in such services. There are currently 21 retail banks in Hong Kong which offer personal internet banking services. All of them make use of cookies in the provision of such services. The main purpose for using cookies is to enable a bank's web server to maintain dialogue with a customer's web browser throughout the session after the customer has logged in his/her internet banking account (commonly referred to as "session management"). In this context, a cookie contains a unique identifier assigned by the bank to the customer upon his/her login and stored in the customer's computer for the bank's server to identify the customer throughout the session. Without the use of this unique identifier, the customer might need to provide login credentials (i.e. user ID and password) repeatedly on navigation to each new web page of the website. The use of cookies for such purpose is actually a common and relatively effective means of session management in the world of internet browsing.

Some banks also make use of cookies for tracking internet banking web usage statistics within their website (e.g. number of visitors to the bank's internet banking website) to generate aggregated web usage data for internal analyses by the banks concerned. Furthermore, certain banks use cookies for storing personal preferences of customers (e.g. preferred language for the website, or to allow a customer to select whether his/her user ID (but not password) will be memorised on the internet banking login page to facilitate subsequent logins), and to determine whether certain internet banking services should be provided to a customer (e.g. whether he/she has enrolled in such services).

What is most important from our perspective is that cookies were used by the banks only for purposes related to the provision of internet banking services to their customers and the data stored in cookies is not transferred to third parties for purposes or activities that are not related to the provision of internet banking services. In performing all the functions above, internet banking password or personal data (such as customer full name, HKID card number, e-mail address, phone number or contact address) which might enable a third party to identify or contact the customer is NOT stored in or captured by cookies. As such, it appears that the use of cookies by the retail banks for personal internet banking purpose does not give rise to or have implications on data privacy issues or concerns.

Some customers may ask why it is necessary to use cookies and whether there could be ways of providing internet banking services without having to store a cookie in their computers. We understand that there are indeed alternative ways of managing logged-in sessions in the internet browsing process, but those arrangements either would be very inconvenient for customers (such as providing user credentials including passwords every step of the way) or could have other security concerns (such as embedding the unique session identifier into the address link of a web page1). By comparison, the use of cookies stored in the users' computers is a relatively simple, effective and commonly used way of achieving session management purposes in the internet environment. Furthermore, as mentioned above, the retail banks offering personal internet banking services do not use cookies to store or capture the personal data of customers and the cookies are only used for the purpose of providing internet banking services to their customers. As such, we believe the current usage of cookies by the retail banks is an appropriate tool for managing the internet banking service channel.

Let me also take this opportunity to remind the public to stay vigilant to potential security issues when using internet banking services including fraudulent bank websites, phishing e-mails and other threats (e.g. Trojan horse attack). As we have mentioned previously, bank customers should never access their accounts through hyperlinks embedded in e-mails, suspicious pop-up windows or other doubtful channels. Customers using internet banking should connect to their bank website through typing the website address in the address bar of the browser or by bookmarking the genuine website and using that for access. Customers should also change their passwords periodically and not use simple passwords. Further information and advice on internet banking safety may be found on the HKMA website and on the websites of most banks.

Bank customers are also strongly advised to make use of the two-factor authentication provided by banks for the internet banking services. In particular, one of the important security measures is that banks are required to notify their customers immediately via an effective means (e.g. SMS message) after completing an online high-risk transaction (e.g. transferring fund to an unregistered third-party account) with the transaction details. Bank customers should make full use of such a service, verify the transaction details and notify their bank immediately if they discover any suspected unauthorised transactions. So long as both banks and their customers have taken appropriate security precautions, internet banking services are safe to use.

Hong Kong does have a generally safe internet banking environment. But we appreciate that the technological landscape relating to the provision of internet services is ever changing and fraudsters will become smarter over time. The HKMA will continue to monitor the development and trend of internet banking services and to review and, if necessary, strengthen the relevant controls where appropriate.

Meena Datwani
Executive Director (Banking Conduct)
15 October 2010

1 That is, by embedding the unique session identifier into the Uniform Resource Locator (URL) (the "address" of a web page in the internet) of a web page (e.g. http://www.example.com/abc/pgm?session_id=123)

Latest inSight
View All View All
Last revision date : 15 October 2010