I was using Internet banking services at home the other day and could not help marvelling at how far banks in Hong Kong, and across the world, have gone to make life easier for their customers. Millions of people and thousands of companies are now benefiting from the convenience of being able to control their finances and investment at any time, anywhere. Simple statistics show the rapidly growing acceptance of Internet banking in Hong Kong over the past years. At the end of 2003, there were around 2.2 million personal Internet banking accounts (38% higher than at the end of 2002) and 67,000 business Internet banking accounts (116% higher than at the end of 2002). On average, about 4.8 million transactions were processed through personal Internet banking every month during 2003 (an increase of 38% compared with 2002) while 737,000 transactions were processed through business Internet banking every month last year: more than five times the figure in 2002.

As a technology-based platform, Internet banking comes with certain challenges in terms of management of technology risks, as shown by a small yet disturbing number of Internet banking fraud cases reported overseas. Some of those cases come in the form of fake websites seeking to lure bank customers into divulging confidential personal information. Other cases may involve Trojan software and other highly infectious computer viruses and worms. In simple terms, Trojan software is a code planted in a personal computer by a fraudster in order to access the personal information of the computer user. The code may be planted when an unsuspecting user clicks on hyperlinks embedded in e-mails or browses an infected website with pop-up advertisements. Once planted in a computer, the Trojan software may be activated when the user accesses certain websites: it can then capture keystrokes of the infected computer, which could in turn lead to leakage of sensitive personal information such as user IDs and passwords.

The general public in Hong Kong is to be congratulated on having been vigilant to the security issues arising through greater use of Internet banking. In fact, some people have been very observant and have reported to the HKMA suspicious websites or e-mails: this has been of great help to our monitoring of the situation. I am also glad to say that - so far - no retail Internet banking customer in Hong Kong is known to have fallen victim to Internet banking fraud. A few simple tips may help ensure that this continues to be the case.

First, bank customers should never access their Internet banking accounts through hyperlinks embedded in e-mails, suspicious pop-up windows, or Internet search engines.

Secondly, customers should be wary of opening unexpected e-mails with attachments, and should think twice before visiting suspicious websites. They should instead access their bank accounts by typing the website addresses at the address bar of the browser, or by bookmarking the genuine website and using that function to access their accounts.

Thirdly, as a matter of good practice, customers should install personal firewall software and anti-virus software, and should regularly download the latest updates available. This software will help ward off attempts by fraudsters to plant harmful viruses or worms in personal computers.

The Police, the banking industry and the HKMA have, since 2003, been co-operating on a multi-channel consumer education programme to promote awareness of Internet banking security in Hong Kong. A revised educational leaflet was issued in May 2004, and a new series of TV episodes and radio segments on this subject will be produced later this year. The HKMA also issued a circular in June 2004 to inform banks of our expectations on the implementation of two-factor authentication for high-risk retail Internet banking transactions within the next year. Given that passwords are commonly used as the basic factor of authentication, we recommend that banks adopt a second factor, which cannot be easily stolen by fraudsters, for customer authentication. Examples of second-factor authentication include digital certificates, one-time passwords generated by a security device and SMS-based one-time passwords. In addition, high-risk retail Internet banking transactions should at least include unregistered third-party fund transfers and payments, and change requests concerning customers' sensitive information (for example a correspondence address).

Greater convenience nearly always brings with it some form of additional risk. As in any other activity, it is in all of our interests to make sure that the safety precautions we take to manage the additional risks involved in Internet banking become a matter of habit. With the joint efforts of the banking sector, bank customers, the Police and the HKMA, I am sure we can preserve a safe and sound environment for the further development of Internet banking in Hong Kong.

Joseph Yam

15 July 2004

Related Information:

• Consumer Information: Internet Banking

Related Circular:

• Strengthening Security Controls for Internet Banking Services, 23 June 2004

Click here for previous articles in this column.

Send your comments

Document in Word format