bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

sponsorType

urlAlias

moreOnThisArticles

commentCount

authorLocations

authors

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Christy Leung

Simone McCarthy

Simple verification procedures for HSBC e-payment app PayMe allowed hackers to carry out unauthorised transactions after luring victims into disclosing their email passwords using phishing scams, a police source said on Friday.
Cybersecurity experts have called on the bank to introduce two-factor authentication, which requires users to provide an additional piece of information besides a password.
HSBC said on Thursday night that about 20 accounts with the e-wallet system had been accessed without authorisation, and transactions carried out involving HK$100,000 (US$12,770).
The breach had been reported to police and the Hong Kong Monetary Authority, the bank said.
A veteran policeman with knowledge of the incident said hackers posing as an email service provider had sent out phishing emails asking victims to submit their passwords to initiate an update to their accounts.

“That’s how the victims’ email accounts were hacked. But the scammers then looked for PayMe notifications in their emails, and if they saw one, would send a message to the app requesting a password change,” the source said.
“The hackers could then control their victims’ PayMe accounts. PayMe has no security issue as such, but the verification process is way too easy.”
Chester Soong, director of the Internet Society Hong Kong, said two-factor authentication should be adopted, which requires information other than a password, such as a thumbprint, face scan, ID card number or passcode sent to a phone.
“When a user wants to change something as critical as the login information, then stronger authentication should be in place,” he said.
Email accounts hacked, leading to ‘unauthorised transactions’, Hong Kong’s biggest bank HSBC says
“Two-factor authentication is always better ... A lot of banks and online services use SMS verification, because typically the real user has their phone on them most of the time.”
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, agreed.
There were a variety of ways email accounts could be compromised and then used to request password changes for affiliated services, Fong said.
A one-time verification code sent to a user’s mobile phone was a crucial way to ensure passwords were not reset without an account holder’s knowledge, he added.
Data security expert Michael Gazeley said customers needed to be vigilant about their personal information and not use the same password across multiple platforms. But ultimately it fell to companies to secure the data, he added, and breaches were becoming commonplace.
“Institutions have to wake up and take responsibility. They can’t keep writing more and more powerful disclaimers,” said Gazeley, the managing director of cybersecurity service provider Network Box Corporation.
HSBC on Friday said PayMe itself was secure and had “not suffered any breaches”.
“We have taken immediate action to block this threat and have contacted the affected customers, who will be compensated for the unauthorised transactions,” the bank said in a statement.
Last month the Monetary Authority said there had been 10 suspected cases of fraud involving a new e-payment system it recently rolled out.
The authority said HK$400,000 had been stolen from customers on the platform, which allows for instant transfer of funds between banks and e-wallet operators.
PayMe, launched in Hong Kong last year, was not affected, as it had yet to join the system.
Additional reporting by Naomi Ng


Philippine police thwart Roblox-linked school shooting plot by 7 teens

Frenzy over AI agent OpenClaw shows the lobster has escaped the pot

Fix, don’t fire ‘digital employee’ OpenClaw over security risks: Paul Chan

Inside OpenClaw mania in China, as security fears surge alongside enthusiasm for AI agent

Cybersecurity

HSBC e-payment app PayMe under fire over ‘way too easy’ user ID verification after unauthorised transactions

PayMe is a peer-to-peer payment service launched by HSBC. Photo: Handout

epa07129030 A general view made with a zoom effect of the Hong Kong and Shanghai Banking Corporation (HSBC) headquarters in Central District, Hong Kong, China, 29 October 2019. HSBC has posted a 28 per cent growth in quarterly profit, exceeding market expectations. Pre-tax profit came in at 5.9 billion USD in the third quarter, up from 4.6 billion USD in the same period last year. Revenue growth climbed 6 per cent to just under 13.8 billion USD during the period, whilst operating costs fell nearly 7 per cent to just under 8 billion USD. EPA-EFE/ALEX HOFFORD

News

Hong Kong

Law and Crime

Cybersecurity experts call on bank to require more than just a password after criminals gain access by first breaking into email accounts


Cybersecurity experts call on bank to require more than just a password after criminals gain access by first breaking into email accounts.


HSBC

HSBC e-payment app PayMe under fire over ‘way too easy’ user ID verification after unauthorised transactions

.css-1mniedq{color:inherit;font-weight:inherit;font-size:inherit;font-family:inherit;line-height:inherit;}Cybersecurity experts call on bank to require more than just a password after criminals gain access by first breaking into email accounts

Cybersecurity experts call on bank to require more than just a password after criminals gain access by first breaking into email accounts