
Secure Use of Electronic Banking Services
George Chou
Hong Kong Monetary Authority
Dec 2013

Agenda
- Recent Development of Internet Banking in Hong Kong
- Regulatory Requirements on Internet Banking
- Supervisory Approach
- Public Education by the HKMA
- Security Tips for Internet Banking Users

Recent Development of Internet Banking in Hong Kong

Recent Development of Internet Banking in Hong Kong
* As of June 2013


Recent Development of Internet Banking in Hong Kong
Growth of Internet Banking Accounts
[Chart: Number of Internet Banking Accounts; series PIB (million) and BIB]

Recent Development of Internet Banking in Hong Kong
High mobile service subscription penetration rate in Hong Kong
– 233.2% as of July 2013 (around 2.3 mobile service subscriptions per person)
(Source: Office of the Communications Authority (OFCA) in HK – Key Communications Statistics)
[Chart: Mobile service subscription versus population of HK (%)]

Recent Development of Internet Banking in Hong Kong
Mobile Banking in Hong Kong (as of June 2013)
- Personal Mobile Banking: 16 banks, 7,600,000 accounts
- Business Mobile Banking: 10 banks, 590,000 accounts

Recent Development of Internet Banking in Hong Kong
NFC Mobile Payment
- Contactless payment in point-of-sale terminals
- Currently offered by a number of banks in Hong Kong
- Other possible functions
  - E-coupons
  - Transaction history enquiry

Recent Development of Internet Banking in Hong Kong
Electronic Bill Presentment and Payment (e-bill) system

Regulatory Requirements on Internet Banking

Regulatory Requirements on Internet Banking
- HKMA aims to create a safe and sound environment for electronic banking development in Hong Kong without standing in the way of progress
- Independent assessment before launch of new Internet banking service or major enhancement to the existing Internet banking service

Regulatory Requirements on Internet Banking
Two-factor authentication for high-risk transactions
- Unregistered third party fund transfer
- Online registration of third party account for fund transfer
- Bill payment to high-risk merchant categories (e.g. credit cards, telebet service)
- Increase of Internet banking daily transaction limit
- Online change of sensitive personal information

Regulatory Requirements on Internet Banking
Two-factor authentication
- Why do we need two-factor authentication?
  - User ID and password alone are no longer sufficient – cases reported where user IDs and passwords were stolen through phishing, fake website, virus, Trojan, etc.
- What is two-factor authentication?

Regulatory Requirements on Internet Banking
Major types of two-factor authentication
- Digital Certificate
- Security Token-based OTP
- SMS-based OTP
- Security Token

Regulatory Requirements on Internet Banking
Controls over fund transfers
- Default transaction limit – set the default transaction limit to zero when a new Internet banking account is first activated
- Increase of transaction limit – customers can increase the transaction limit through secure channels (e.g. at branches or by post)
- Reset transaction limits for inactive customers – reset the transaction limit to zero if such a facility has not been used for a prolonged period (e.g. 1 year)

Regulatory Requirements on Internet Banking
Protection of one-time password (OTP) and customer alerts
- Validity of OTP – shorten the expiration of OTP (e.g. within 100 seconds) used for authenticating online high-risk transactions
- SMS OTP message – prominently display transaction details (e.g. type of transaction, partial payee account number and transaction amount) before the OTP within the SMS OTP message
- SMS notification – include transaction details in the SMS message notifying customers of the execution of high-risk transactions
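The OTP controls above, sketched as an added example that is not part of the original slides: an OTP valid for 100 seconds, usable once, delivered in an SMS that states the transaction details before the code. The names (OtpService, session ids, message wording) are assumptions, and tying the OTP to a digest of the transaction is an added design choice that goes beyond the slide.

```python
import hashlib
import hmac
import secrets
import time

OTP_VALIDITY_SECONDS = 100  # validity window from the slide's example


def mask_account(account: str) -> str:
    """Partial payee account number: keep only the last four digits."""
    return "*" * (len(account) - 4) + account[-4:]


def _txn_digest(txn: dict) -> bytes:
    # Canonical form of the details the customer is asked to confirm.
    canon = f"{txn['type']}|{txn['payee']}|{txn['amount']}"
    return hashlib.sha256(canon.encode()).digest()


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session id -> (otp, expiry, transaction digest)

    def issue(self, session_id: str, txn: dict) -> str:
        """Create an OTP for one transaction and return the SMS text."""
        otp = f"{secrets.randbelow(10**6):06d}"
        expiry = self._clock() + OTP_VALIDITY_SECONDS
        self._pending[session_id] = (otp, expiry, _txn_digest(txn))
        # Transaction details come first, the OTP last.
        return (f"{txn['type']} to {mask_account(txn['payee'])}, "
                f"{txn['amount']}. OTP: {otp}")

    def verify(self, session_id: str, txn: dict, otp: str) -> bool:
        """Accept the OTP once, in time, and only for the transaction it was issued for."""
        record = self._pending.pop(session_id, None)  # any attempt consumes the OTP
        if record is None:
            return False
        expected, expiry, digest = record
        if self._clock() > expiry:
            return False
        if not hmac.compare_digest(digest, _txn_digest(txn)):
            return False  # payee, amount or type changed after the SMS was sent
        return hmac.compare_digest(expected.encode(), otp.encode())


if __name__ == "__main__":
    # Constructed sample transaction, not real account data.
    sample = {"type": "Fund transfer", "payee": "012345678901", "amount": "HKD 5,000.00"}
    print(OtpService().issue("session-1", sample))
```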

Supervisory Approach

Supervisory Approach
- International co-operation
- Independent compliance assessment
- Continuous monitoring and examinations
- Awareness & training
- Policies & guidance
- Foundation

Public Education by the HKMA

Public Education by the HKMA
- Press release on fake bank websites / phishing emails
- InSight articles on emerging threats
- Online learning on the HKMA website
- Cooperation campaign with the Police, OGCIO and HKCERT
- Radio broadcast

Security Tips for Internet Banking Users

Security Tips for Internet Banking Users
- Apply security patches for your OS and applications regularly
- Install anti-virus, anti-spyware and personal firewall with up-to-date definitions applied
- NEVER access your Internet banking website from a public computer (e.g. in a cyber cafe)
- Always log off after using Internet banking service

Security Tips for Internet Banking Users
Mobile security
- Lock your mobile device when not in use
- Install mobile security software if available
- Install the official mobile banking app from reputable sources (e.g. Apple App Store or Google Play)
- Do NOT access banking services with jailbroken / rooted devices
- Avoid accessing banking services through public Wi-Fi network

Security Tips for Internet Banking Users
Do NOT access bank websites through hyperlinks embedded in
- e-mails
- internet search engines
- suspicious pop-up windows
Banks in Hong Kong will
- NOT send e-mails to customers with embedded links to the transactional websites
- NEVER ask customers for sensitive information (e.g. logon passwords or one-time passwords)

Security Tips for Internet Banking Users
Beware of unusual log-on process and notify your bank if you encounter
- Unusual pop-up screen
- Abnormally slow computer response
- Unexpected steps or information required for log-on

Recent Development of Internet Banking in Hong Kong
Growth of Internet Banking Accounts

Period      PIB (million)   BIB
End 2005    3.3             162
End 2006    3.8             234
End 2007    4.9             307
End 2008    5.7             401
End 2009    6.2             477
End 2010    7.0             573
End 2011    7.7             658
End 2012    8.4             765
Mid 2013    8.5             798

Number of Internet Banking