Regulation: HKMA issues circular on internet banking security
The Hong Kong Monetary Authority has responded to recent sophisticated attacks on bank accounts with a circular requiring authorised institutions to improve their IT security.
In a statement issued after close of business today, HKMA is quoted as saying "Given the increasingly sophisticated fraudulent techniques, there is a need for AIs to step up their security measures to combat Internet banking frauds. One of the important security measures is that AIs are required to notify their customers immediately via an SMS message or other effective means after completing an online high-risk transaction (e.g. transferring fund to an unregistered third-party account) with the transaction details."
The important word in that statement is "required."
Some registration criteria for Hong Kong internet banking have proved so tortuous that some customers have simply given up trying to use it. The MD of one company we spoke to said "we have tried to register for internet banking on a number of occasions, even going so far as to go to the bank itself to try to do it. But their processes required us to log on remotely using a key number that was usually out of date by the time it reached us. So, two years after opening the account, we still have no internet banking."
HKMA wants to make sure that customers are aware of what is happening: "We would strongly encourage bank customers to make full use of such a service, verify the transaction details and notify their bank immediately if they discover any suspected unauthorised transactions. We believe that so long as both bank customers and banks have taken appropriate security precautions, Internet banking services with adoption of two factor authentication are safe to use," said an HKMA spokesman.
The HKMA notes that the recent fraud technique is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs that capture the customer's Internet banking login credentials (including the one-time passwords used for two-factor authentication) during the login process. The fraudsters then used the hijacked credentials to conduct high-risk Internet banking transactions, such as fund transfers to an unregistered third-party account.
Of course, the Trojan horse program does not originate at the bank. It arrives on users' machines through drive-by downloads of malicious software from dubious websites, through HTML e-mail (which is why many companies permit only text-only e-mail) and via carelessly used USB memory sticks.
All of these have been known to infect machines in recent weeks, and as a result banks are already on alert.
Two-factor controls combine a username and password with a second code: either randomly selected characters and numbers from a passphrase known to the user, or one-time codes generated by a portable device held by the user.
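The gap the circular addresses is that the one-time code is checked only at login, so a session established with a captured code can then submit transfers without any further challenge. The following is an added illustration (not code from the HKMA or from any bank): a toy server in which a used one-time code cannot be accepted a second time, but a transfer to an unregistered payee still goes through on the trusted session, which is exactly why the circular requires an immediate notification carrying the transaction details. The shared secret, password and payee names are constructed demo values.

```python
import hmac, hashlib, struct
from dataclasses import dataclass, field

# Constructed demo data; not from the HKMA circular or any real bank.
SECRET = b"demo-shared-secret-for-illustration"
STEP = 30  # TOTP time-step in seconds (RFC 6238)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 one-time code for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Bank:
    """Hypothetical server-side state for one customer."""
    password: str
    registered_payees: set
    used_counters: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def login(self, password: str, otp: str, now: float) -> bool:
        """Second factor is checked only here; each code is accepted once."""
        if not hmac.compare_digest(password, self.password):
            return False
        counter = int(now // STEP)
        for c in (counter - 1, counter, counter + 1):  # tolerate small clock skew
            if c not in self.used_counters and hmac.compare_digest(totp(SECRET, c), otp):
                self.used_counters.add(c)  # burn the code so a later replay fails
                return True
        return False

    def transfer(self, payee: str, amount: float) -> dict:
        """No re-authentication: the session is trusted after login.
        A transfer to an unregistered payee is the circular's high-risk case,
        so it triggers the immediate customer notification the circular requires."""
        high_risk = payee not in self.registered_payees
        if high_risk:
            self.notifications.append(
                f"Transfer of HKD {amount:.2f} to unregistered payee {payee}. "
                "If you did not make this transfer, contact the bank immediately.")
        return {"payee": payee, "amount": amount, "high_risk": high_risk}

def demo(now: float = 1_700_000_000.0) -> dict:
    bank = Bank(password="correct horse", registered_payees={"ACME-Ltd"})
    otp = totp(SECRET, int(now // STEP))
    first = bank.login("correct horse", otp, now)
    replay = bank.login("correct horse", otp, now)  # same code, same window: rejected
    tx = bank.transfer("new-account-123", 50_000)   # high-risk: notification sent
    return {"first": first, "replay": replay, "tx": tx, "notices": len(bank.notifications)}
```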
The problem is not new to banks: authenticating the user is a recognised problem in relation to money laundering and Hong Kong recently suffered a case where dozens of accounts were opened by individuals who then handed the control of the accounts to criminal gangs.