HSBC tightens e-wallet app security after PayMe breach allowed access to 20 accounts holding HK$100,000
- Two-step verification and text message notification added to process
HSBC has responded to an email scam in which 20 accounts were illegally accessed through its PayMe system by adding extra layers of security to the e-wallet app.
On Friday, Hong Kong’s biggest bank said users who wanted to change their personal identification number on the app would now have to follow a two-step process, while any changes in personal information would be verified via text message.
PayMe, one of the most popular e-wallet apps in the city, with a million users since its inception last year, had about 20 accounts illegally accessed last month involving HK$100,000 (US$12,770).
At the time, a police source told the Post the verification procedure on the app was too simple, and that hackers had sent out fake emails asking victims to submit their passwords to initiate an update to their accounts.
Greg Chapman, who heads the bank’s e-wallet operations in the city, said the fresh measures were designed to help ensure a secure and reliable payment service.
The changes mean users will undergo a two-step verification process and will be asked to reset their passwords. In the future, when a PIN is changed, the user will receive a text message and an email notification.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation and a frequent user of PayMe, welcomed the moves.
“It is appropriate and safer now,” he said. “Notifications are very important whenever any personal data is changed in the app.”
Improving the security surrounding online fund transfer services has been a high priority in Hong Kong.
In October, about HK$400,000 was stolen from customers using the new e-payment system, which prompted the Hong Kong Monetary Authority to suspend the automatic transfer of funds services at one stage. PayMe has yet to join the system.
Another example came last week when Marriott International revealed 500 million customers who had made bookings at its hotels since 2014 were likely to have had their personal data stolen, one of the biggest hacks ever.
Data security expert Michael Gazeley said the personal data from about 5.6 billion accounts worldwide had been posted or shared on the dark web – the unseen portion of the internet that cannot be accessed through traditional search engines – and the number was growing.
Gazeley, also managing director of cybersecurity service provider Network Box Corporation, said consumers should take steps to protect their personal data.
“For example, separate your online accounts with different email addresses, different passwords, and even register yourself with different user names,” he said. “Write down some simple questions on a piece of paper to remind yourself of the different information you used online.”