HSBC issues security update on e-payment app PayMe, removing function to change user phone numbers

  • Expert says this is ‘interim solution’ to wider system flaw that should require two-step verification for any account changes
  • Update comes after some 20 client accounts were compromised and illegal transactions made
PUBLISHED : Sunday, 11 November, 2018, 4:25pm
UPDATED : Sunday, 11 November, 2018, 11:45pm

Banking giant HSBC on Saturday issued a security update to its e-wallet app which eliminated an option for users to change the associated telephone number, two days after it was revealed that about 20 client accounts were compromised in a phishing incident.

HSBC announced the breach in its PayMe system on Thursday, with illegal transactions totalling around HK$100,000 (US$12,770).

Before Saturday’s update, users had an option to change their phone numbers while logging in, which would enable them to bypass entering a pin and instead use their email address. When PayMe was prompted to allow a phone number change, a link was then emailed to users, which opened a channel that would also allow a password change.

Email accounts hacked, leading to ‘unauthorised transactions’, HSBC says

This weakness in the system could enable fraudsters with users’ email credentials to gain control of PayMe accounts, said Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation.

“Once your email has been compromised, [hackers] click on the link and change the PayMe account password,” Fong said.

Once your email has been compromised, [hackers] click on the link and change the PayMe account password
Francis Fong, Information Technology Federation

In the cases reported on Thursday, it was suspected that the email accounts of users were first compromised by phishing methods, where scammers posed as email service providers and sent messages prompting a change in email account passwords.

They then infiltrated the accounts and looked for PayMe notifications in the emails, opening channels into password changes for the app. It is not clear at present if they had used the loophole caused by the function allowing phone number changes.

Fong called the removal of the phone number option “an interim solution”.

Implementing a two-step verification to change a password, email or phone number would be a standard security measure to prevent such unauthorised access, he said.

App users noticed the change in function on Saturday. An HSBC spokesman only confirmed a “security update” was implemented for PayMe, but did not provide more details on features that were enhanced or plans for future security measures.

Phishing attacks are a significant security concern in Hong Kong, including spear-phishing, where attackers use an individual’s information available online to personalise messages, making them seem more believable. The Hong Kong Monetary Authority has published 10 warnings of fraudulent websites associated with banks and six warnings about phishing emails since the start of October.

PayMe app under fire over ‘way too easy’ user ID verification

In such cases, users need to remain vigilant against providing their personal details to unverified sources. Other important security protections include avoiding using the same password across different platforms, or storing passwords and other credentials in easily accessible places, according to experts.

On the hacking of financial accounts in general, Chester Soong, director of the Internet Society Hong Kong, said humans were the weakest link in cybersecurity as, even with secure mechanisms in place, users tend to simply come up with password configurations that were easy to guess, or store these in readily accessible places.

For applications that prioritise convenience, such as e-wallets, adding additional security layers could be cumbersome for customers, but this might be inevitable as risks increase and more user data becomes available online, he added.