
Following is a question by the Hon Sin Chung-kai and a written reply by the Secretary for Financial Services and the Treasury, Mr Frederick Ma, in the Legislative Council today (October 15):
Question:
The Hong Kong Monetary Authority (HKMA) issued a press release last month to alert the public to a suspected Internet fraud involving a website with the domain name similar to that of a bank's former subsidiary. Moreover, it has been reported that in recent months there have been cases of swindlers impersonating staff of licensed banks and sending out e-mails with the intent of obtaining bank account particulars of the e-mail recipients so as to defraud them. In this connection, will the Government inform this Council:
(a) of the current number of authorized institutions under the Banking Ordinance which adopt e-Certs (e.g. server certificates or other technologies) for consumers to verify the authenticity of their websites;
(b) whether it has formulated any measures or guidelines requiring the attachment of e-Certs to the websites of all the authorized institutions (including licensed banks or virtual banks providing services to their clients through Internet or other electronic forms) and to the electronic messages (such as e-mails and mobile short messages) sent out by the institutions, to facilitate the verification of the authenticity of the websites and the identity of the senders of electronic messages; and
(c) whether it has drawn up plans to educate consumers to guard against Internet fraud or deception; if so, of the details?
Reply:
Madam President,
(a) All of the 35 authorized institutions (AIs) that are offering e-banking services have installed digital certificates on their e-banking servers to allow customers to verify the authenticity of the e-banking websites.
(b) The Hong Kong Monetary Authority (HKMA) issued a guidance note "Management of Security Risks in Electronic Banking Services" to all AIs in July 2000. The guidance note requires AIs to implement appropriate measures (e.g. digital certificates) for the customers to verify the identity and genuineness of AIs' websites for accessing e-banking services. The guidance note, however, does not mandate the use of digital certificates for authenticating electronic messages due to certain technical limitations such as:
(i) digital certificates cannot be used to verify the source of an SMS message, according to the HongkongPost; and
(ii) popular web e-mail services including Yahoo and Hotmail do not generally provide functions for their users to verify e-mails authenticated by digital certificates.
A more pragmatic approach is recommended in the HKMA's circular "Overseas Fraud Cases involving Fake E-mails or Websites" and a related press release issued in May 2003 (which was re-issued in August 2003). The circular proposes that AIs take the following measures:
(i) ensuring that their e-banking customers are made aware that the institution or its agents/business partners will never ask for customers' sensitive account information (such as PIN numbers or passwords) by e-mail;
(ii) advising their e-banking customers of ways to ensure that they are communicating with the official site, e.g. by checking the digital certificate of the e-banking site. Customers should be asked not to access the institution's e-banking website through hyperlinks embedded in e-mails; and
(iii) searching the internet regularly to see if there are other websites with domain names which could be mistaken for that of the institution or websites which have established hyperlinks to the institution's site. If the intent of these websites is doubtful, the institution should consider disputing the use of those similar domain names or seeking the assistance of the Police or the HKMA.
(c) The HKMA, the Police and the Hong Kong Association of Banks (HKAB) have co-operated to launch a multi-channel consumer education programme to promote awareness of e-banking security precautions among the general public. This programme includes:
(i) an educational leaflet (please see the Annex) - the leaflet is now available to the public at over 10 types of outlets (e.g. banks, public libraries, district offices, and secondary schools) and 10 websites (e.g. the HKAB, the HKMA, the Police, ESDlife, and educational portals). The leaflet is issued by the HKAB and endorsed by the HKMA, the Police and the Consumer Council;
(ii) TV episode - TVB Jade Channel has shown a short TV episode on e-banking security at 7:00pm on 21 September 2003;
(iii) radio segments - Commercial Radio 1 has started broadcasting 4 radio segments on e-banking security on 6 October 2003. Each segment is to play 3 times a day for an entire week; and
(iv) Police's TV programme - TV programme Police Magazine (in Chinese), Police Report (in English), the Road Show programme for public buses and China-Hong Kong Shuttle Buses have been broadcasting 6 TV episodes on e-banking security since July and will run until December 2003.
Ends/Wednesday, October 15, 2003
Issued at HKT 15:40



