First published: 31st July 2009
The Hong Kong Monetary Authority (HKMA) has issued a circular requiring banks to step up security controls for their internet banking services after recent online fraud cases. Between April and June, eight banks discovered attempts to steal login credentials of customers.
Hong Kong banks already have a number of controls in place to prevent online fraud, including tokens providing one-time passwords for two-factor authentication, but the attacks are using trojan keyloggers to capture the login credentials, including the one-time passwords. The stolen credentials are used to make unauthorised fund transfers.
One of the security measures is that banks are required to notify their customers immediately via an SMS message after completing an online high-risk transaction, such as transferring funds to an unregistered third-party account. Customers are advised to check such notifications carefully, and notify their bank if there is a problem.
Roy Ko Wai-tak, manager of the Hong Kong Computer Emergency Response Team Co-ordination Centre (HKCERT), said that the onus was on online banking customers to protect their accounts: "The banks have already adopted security measures like two-factor authentication. The key issue now is whether the customers' computers are clear [of malware] ... if they've been infected, it's like they are leaving their front doors unlocked."
Yui Kee Chief Consultant Allan Dyer commented, "You should only operate your online bank account from a computer you really trust: probably your personal laptop or home computer, running only the software you approve. Online banking without anti-virus software is like lending your chequebook to Mr. A. Thief."