Internet Banking

  • Smart Tips on Using Internet Banking Services
    • Login Passwords

      Set a password that is difficult to guess and different from the ones for other services. The login password should be changed regularly and should never be stored on computers or mobile phones, or placed in plain sight. Keep the security token (if any) provided by your bank in a safe place.

    • Computers and Mobile Phones

      Protect your computer and mobile phone which are used for logging into your Internet banking. Avoid using public computers or public Wi-Fi to access Internet banking services.

    • Bank Websites and Apps

      Internet banking should be accessed by entering the bank’s website address directly, or using a bookmark or an Internet banking mobile application (App). Never access your bank website or provide your personal information (including your password) through any hyperlinks or attachments embedded in emails or from websites.

    • Login Process

      Beware of any unusual login screen or process (e.g. a suspicious pop-up window or a request for providing additional personal information) and check whether anyone is trying to peek at your password. Log out immediately after use.

    • Messages from Banks

      Check your bank’s SMS messages and other messages in a timely manner and verify your transaction records. Inform your bank immediately in case of any suspicious situations, regardless of the amount. Banks will not ask for any sensitive personal information (including passwords) through phone calls or emails.

  • Smart Tips on Protection of Your Computers and Mobile Phones
    • Passwords

      Set difficult-to-guess passwords for your computer and mobile phone. Activate the auto-lock function.

    • Secure Systems and Software

      Use the latest versions of your operating system, Internet banking App and browser. Do not jailbreak or root your mobile phone or tablet.

    • Beware of Computer Viruses

      Install security software and update it promptly. Do not download or open doubtful files, browse suspicious websites, or click on hyperlinks and attachments from questionable sources (e.g. emails, instant messaging, SMS messages, QR codes). Download and upgrade your Apps from official App stores or reliable sources only.

    • Network Functions

      Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use. Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection settings.

    Reference: The Government’s Cyber Security Information Portal

  • Smart Tips on Internet Share Trading

    Banks have introduced two-factor authentication security controls to further strengthen the security of Internet share trading. To prevent fraudsters from getting into the share trading accounts, customers should use two-factor authentication and seek to understand the related operations, so that they would have peace of mind when trading shares.

    The following are additional safety tips on Internet share trading:

    • Two-factor Authentication

      Customers should use two-factor authentication, seek to understand the related operations, and protect the devices of two-factor authentication (e.g. security tokens or mobile phones).

    • Messages on Share Trading

      Check your bank’s notifications and other messages on share trading in a timely manner. 

  • What is Two-factor Authentication?
    • Stronger Security

      Two-factor authentication protects you from Internet banking fraud. Take a few seconds to read how you can benefit from this new technology and enjoy far more secure online banking services. It is simple and straightforward. Contact your bank for more information about two-factor authentication.

      Two-factor authentication is required if you wish to conduct high-risk Internet banking transactions.

    • The Need for More than Just a User ID and Password

      Cases have been reported of user IDs and passwords being stolen by fraudsters through phishing emails, fraudulent websites and malware. This shows the need to use additional tools to increase the security of Internet banking.

      Different banks may offer different types of two-factor authentication methods to customers. Two-factor authentication uses a combination of two different factors for verifying a user's identity. Below is one of the common examples:

      Three common types of two-factor authentication currently being adopted by banks are:

      • Security Token-based One-time Password (OTP)

        An OTP generated by a security device/token. Each OTP is used only once and expires within a short period of time.

        • How it Works - You press the button on the security device/token to obtain an OTP, which is used as the additional identity authentication, e.g. to confirm a high-risk transaction.

        User types in token-based OTP to confirm high-risk transactions

      • SMS-based One-time Password (OTP)

        An SMS-based OTP generated by the bank and sent to your mobile phone for additional identity authentication. Each SMS OTP is used only once and expires within a short period of time.

        • How it Works - When you initiate a high-risk transaction, you will receive an SMS OTP on your mobile phone. You then type in the OTP to confirm the transaction.

        User types in SMS OTP to confirm high-risk transactions

      • Digital Certificate

        An electronic identification certificate that helps establish your identity online. It can be stored in a smart card (e.g. the Hong Kong Smart ID card) or an electronic key (e.g. USB key).

        • How it Works - You insert the smart card or key into a smart card reader or a USB port of a PC during the authentication process.

        User inserts Hong Kong Smart ID card into a smart card reader and types in digital certificate password to confirm high-risk transactions

    • Remember
      • Safeguard your devices for two-factor authentication (e.g. smart card, security token or mobile phone).
      • Follow the security tips given by your bank.
    • Biometric Authentication

      Apart from the above-mentioned authentication factors used for two-factor authentication, which are “Something You Know” and “Something You Have”, more banks have implemented or planned to implement biometric authentication. Customers may make use of their unique biological characteristics, such as fingerprints and voice, as a means for authentication. This factor of “Something You Are” can be used jointly with one of the aforementioned factors as another way of two-factor authentication.

    • Benefits of Using Two-factor Authentication
      • Much more Secure - fraudsters cannot steal 'something you have' in your physical possession (such as a mobile phone) over the Internet.
      • Protection for High-risk Transactions - all high-risk Internet banking transactions (such as fund transfers to non-designated accounts) are protected by an additional authentication factor which is physically held by you only.
      • Convenient and Easy to Use - online security can be enhanced substantially by taking a few simple and straightforward steps.
  • Smart Tips on Services Provided by Third Party Companies

    The advancement of technology has brought about different types of digital financial services in the market. They include some mobile applications or websites operated by third party service providers (e.g. fintech companies), which enable bank customers to consolidate their financial information in different bank accounts. Before opting for these services, the public should take note of the following:

    • Partnership of Third Party Service Providers with Banks
      • Some of the third party service providers have partnered with banks. With banks making available their internal systems and information, these service providers integrate the systems and services between banks and other industries (e.g. online retailing) to provide diversified services.
      • On the other hand, some of the third party service providers may not have any partnership with banks. They may request customers to provide their e-banking login details (e.g. user name and password) and may save such information. The services provided by them are not banking services, and they are not subject to the HKMA’s supervision.
    • Terms and Conditions of Relevant Services
      • Even if these third party service providers have partnered with banks, you should still understand the purpose of collecting your personal data and how they handle, use, hold and erase customers’ personal data. You should also understand the terms and conditions of the relevant services thoroughly, for instance, the liability for loss in the event of any financial loss incurred as a result of data leakage or unauthorised transactions conducted through a customer’s account, and the related settlement arrangement.
      • If the third party service providers do not have any partnership with banks, the issue of who should bear the liability for loss could be very complicated in the event of any financial loss incurred as a result of data leakage or unauthorised transactions conducted through a customer’s account. Therefore, the public are reminded to clearly understand the terms and conditions of the relevant services, especially the liability for loss and settlement arrangement.
Education Videos
Security Tips on Using Internet Banking
Security Tips on Using Mobile Banking
Education Drama Series (in Cantonese)
Publicity Materials
Leaflet - Protect Your Money with Two-factor Authentication
Issued by the Hong Kong Association of Banks and endorsed by the Consumer Council, the HKMA and the Hong Kong Police Force
Last revision date: 14 January 2020