Set a password that is difficult to guess and different from the ones you use for other services. Change the login password regularly, and never store it on computers or mobile phones or leave it in plain sight. Keep the security token (if any) provided by your bank in a safe place.
Protect your computer and mobile phone which are used for logging into your Internet banking. Avoid using public computers or public Wi-Fi to access Internet banking services.
Internet banking should be accessed by entering the bank’s website address directly, or using a bookmark or an Internet banking mobile application (App). Never access your bank website or provide your personal information (including your password) through any hyperlinks or attachments embedded in emails or from websites.
Beware of any unusual login screen or process (e.g. a suspicious pop-up window or a request for providing additional personal information) and whether anyone is trying to peek at your password. Log out immediately after use.
Check your bank’s SMS messages and other messages in a timely manner and verify your transaction records. Inform your bank immediately in case of any suspicious situations, regardless of the amount. Banks will not ask for any sensitive personal information (including passwords) through phone calls or emails.
Set difficult-to-guess passwords for your computer and mobile phone. Activate the auto-lock function.
Use the latest versions of the operating system, Internet banking App and browser. Do not jailbreak or root your mobile phone or tablet.
Install security software and update it promptly. Do not download or open doubtful files, browse suspicious websites, or click on hyperlinks or open attachments from questionable sources (e.g. emails, instant messaging, SMS messages, QR codes). Download and upgrade your Apps from official App stores or reliable sources only.
Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use. Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection settings.
Reference: The Government’s Cyber Security Information Portal (http://www.cybersecurity.hk)
Banks have introduced two-factor authentication security controls to further strengthen the security of Internet share trading. To prevent fraudsters from getting into share trading accounts, customers should use two-factor authentication and seek to understand the related operations, so that they can have peace of mind when trading shares.
The following are additional safety tips on Internet share trading:
Customers should use two-factor authentication, seek to understand the related operations, and protect the devices of two-factor authentication (e.g. security tokens or mobile phones).
Check your bank’s notifications and other messages on share trading in a timely manner.
Two-factor authentication protects you from Internet banking fraud. Take a few seconds to read how you can benefit from this new technology and enjoy far more secure online banking services. It is simple and straightforward. Contact your bank for more information about two-factor authentication.
Two-factor authentication is required if you wish to conduct high-risk Internet banking transactions.
Cases have been reported of user IDs and passwords being stolen by fraudsters through phishing emails, fraudulent websites and malware. This shows the need to use additional tools to increase the security of Internet banking.
Different banks may offer different types of two-factor authentication methods to customers. Two-factor authentication uses a combination of two different factors for verifying a user's identity. Below is one of the common examples:
Three common types of two-factor authentication currently being adopted by banks are:
An OTP generated by a security device/token. Each OTP is used only once and expires within a short period of time.
User types in token-based OTP to confirm high-risk transactions
An SMS-based OTP generated by the bank and sent to your mobile phone for additional identity authentication. Each SMS OTP is used only once and expires within a short period of time.
User types in SMS OTP to confirm high-risk transactions
An electronic identification certificate that helps establish your identity online. It can be stored in a smart card (e.g. the Hong Kong Smart ID card) or an electronic key (e.g. USB key).
User inserts Hong Kong Smart ID card into a smart card reader and types in digital certificate password to confirm high-risk transactions
Apart from the above-mentioned authentication factors used for two-factor authentication, namely “Something You Know” and “Something You Have”, more banks have implemented or planned to implement biometric authentication. Customers may make use of their unique biological characteristics, such as fingerprints and voice, as a means of authentication. This factor of “Something You Are” can be used jointly with one of the aforementioned factors as another way of two-factor authentication.
The advancement of technology has brought about different types of digital financial services in the market. They include some mobile applications or websites operated by third party service providers (e.g. fintech companies), which enable bank customers to consolidate their financial information in different bank accounts. Before opting for these services, the public should take note of the following: