e-Banking Security Guidelines

1.1 PIN Recommendations

  • Change your PIN once you have received the token
  • Avoid a PIN based on your user ID, birth year or any personal information
  • Keep the PIN confidential and do not divulge it to anyone
  • The PIN must be memorized and not recorded anywhere
  • The PIN should be changed regularly
  • The same PIN should not be used for different websites, applications or services, particularly when they relate to different entities.


1.2 Token Recommendations

  • Allowing anyone to keep, use or tamper with your One-Time Password (“OTP”) security token is not recommended
  • Revealing the OTP generated by your security token to anyone is not recommended
  • Divulging the serial number of your security token to anyone is not recommended


1.3 Web Browser Security Recommendations

  • The browser option for storing or retaining username and password should not be activated
  • The authenticity of the financial institution's website should be checked by comparing the URL and the financial institution's name in its digital certificate or by observing the indicators provided by an extended validation certificate.
  • Check that the financial institution's website address changes from http:// (a non-secured website) to https:// (a secured website). A security icon that looks like a lock or key appears when authentication and encryption are expected. This is to ensure the site you go to is protected.

1.4 Other Recommendations

  • Your bank account balance and transactions should be checked frequently and any discrepancy should be reported

2.1 Security Tools

  • Install anti-virus, anti-spyware and firewall software on your personal computers, particularly when they are linked via broadband connections, digital subscriber lines or cable modems
  • Update the anti-virus and firewall products with security patches or newer versions on a regular basis


2.2 Data

  • Remove file and printer sharing on your computers, especially when they have internet access via cable modems, broadband connections or similar set-ups
  • Make regular backups of critical data
  • Consider the use of encryption technology to protect highly sensitive data


2.3 Email

  • Delete junk or chain emails
  • Do not open email attachments from strangers


2.4 Access

  • Log off the online session and turn off the computer when not in use
  • Do not use a computer or a device which cannot be trusted
  • Do not use public or internet café computers to access online banking or perform financial transactions


2.5 Vigilance

  • Do not install software or run programs of unknown origin
  • Do not disclose personal, financial or credit card information to little-known or suspect websites

3.1 HKMA Article about Trojan Horse Attack on Internet Banking Services

Recently, a number of suspected Trojan Horse fraud cases, chiefly relating to business or corporate internet banking services, were detected in Hong Kong. In this connection, the HKMA issued an inSight article (see the hyperlink and attachment below) on 24 Apr 2013 to remind users that it is very important to vigilantly protect their computers to safeguard against Internet banking fraud. Please refer to the article to learn about security best practices.

InSight Article on Trojan Horse Attack on Internet Banking Services