Security Tips

Security measures for the use of User ID and PIN of Internet Banking/Mobile Banking

Ensure nobody is watching you while inputting your User ID and PIN or any other sensitive personal information.
Do NOT keep any written record of the User ID and PIN near the computer.
Keep your User ID and PIN private and NEVER disclose to anyone else including our staff and police.
Do NOT allow others to use your User ID and PIN.
Use different User ID and PIN for online services of different banks and credit card companies. Do NOT use the same User ID and PIN for other websites.
Check your last login record every time you use Internet Banking/Mobile Banking Services.
Customers are reminded to stay vigilant to anything abnormal when using the Internet Banking services (e.g. unusual pop-up screens, unusually slow browser response, multiple requests for password input, incorrect website address etc.).
Please change your PIN regularly to minimize the risk.
Always contact us at Customer Service Hotline 3199 9188 immediately if you lose your User ID or PIN, or suspect your Internet Banking/Mobile Banking account is stolen.
Check SMS messages and other messages from the Bank in a timely manner and verify your transaction records. Inform the Bank immediately in case of any suspicious situations. If there are any changes to your contact information, please notify the bank promptly to update your details for receiving important notifications.
If you suspect a website, SMS or email that is not owned or sent by the Bank, leave it immediately and do not follow the instructions or click and open the hyperlinks, attachments or QR codes it provides.
The Bank will not contact customers by SMS or e-mail to request customers to provide or validate personal and transactional information such as User ID and PIN, account number, credit card number and SMS or email one-time password.
Access your account in a safe environment and avoid letting other people to see your screen as you enter confidential information.
Turn on security feature in your mobile phone to prevent others from accessing and using the device when you are not around.
Setup password for your mobile devices, to prevent unauthorized people stealing your personal data when your mobile devices is lost.
Use strong User ID and PIN. A good, strong User ID and PIN should meet all of these criteria:
- Easy for you to remember, but difficult for others to guess,
  - The length of the PIN must be EIGHT and required to use a combination of letters and numeric characters
  - Use THREE or more different characters, e.g. b2a22aa2
  - Do not use the same character for SIX times or more, e.g. 1111ab11
  - Do not use SIX or more consecutive characters (in alphabetical or reverse alphabetical order), e.g. a123456t, fedcba11
  - Do not use your User ID as your PIN
  - Do not use a word found in the dictionary
  - Do not use a User ID and PIN that is hard to memorize so that you have to written it down
  - Do not use easy accessible number or data such as your birthday, ID number or personal telephone number as your User ID or PIN

Protect your computer

Do not install unlicensed software, which may contain bugs or viruses.
Install anti-virus and anti-spyware software and update the software regularly to ensure you have the latest protection.
Install a personal firewall to help your prevent unauthorized access and update the firewall regularly to ensure you are covered with the latest protection. For details, please contact your software vendor.
Install security updates and patches to your operating systems or browser when they are made available. They are designed to provide you with protection from known possible security problems.
Ensure the file sharing feature is disabled in your operating system while online, particularly if you are linked to the Internet through a cable, DSL modem, or network router.

Security Measures for the use of Internet Banking

To ensure your protection, always exit Internet Banking/Mobile Banking by using "logout" button.
Regularly check your account balances and statements. If any discrepancies or suspicious transactions found, report to us without delay.
Do not conduct Internet Banking/Mobile Banking transaction using personal computers, which are available for public access (e.g. Cyber Cafe).
Do NOT use a common computer in public area (e.g. Cyber Cafe) to login Internet Banking services.
Only access the reliable wifi network.
Do NOT click any hyperlink in email which is link to the Internet Banking services.
To prevent leakage of your login details, please make sure no one is watching you when you are entering the login details.
Please check the previous record of login and logout time when using Internet Banking services.
Please install and update the latest fire wall and anti-virus software regularly.
Never leave the Internet Banking/Mobile Banking Services unattended after logging in.
Ensure the "File & Print sharing" is disabled while online, especially if you are connecting Internet through broadband connection.
Review your online transaction limits regularly and make necessary adjustments to manage risk.
You can decrease your daily transaction limit of Internet Banking/Mobile Banking Services to reduce the loss as a result of your User ID and PIN being stolen.
You may verify the security certificate of our website by clicking the 'Lock' icon at the browser's address bar, which a server certificate issued by DigiCert will appear and the details validity of the certificate will be shown.
Please report to us without delay when you detect any unusual transactions or observations like suspicious pop-up screens, abnormal Internet banking login steps etc.
You are strongly advised to do prompt checking of all relevant notifications and accounts statements/advice from the Bank and any information about the date and time of the last login to Internet banking (e.g.as shown in the notifications or upon login to Internet banking).
Your account service will be suspended after 12 months of not logging on Internet / Mobile Banking.

Internet

If you suspect a website that is not owned by the Bank, leave it immediately and do not follow the instructions it provides.
Logout the service, close the browser and clear browser cache after a banking session.
Do not leave your relevant devices (e.g. personal computer, mobile phone or palm) unattended in the middle of a session.
Do not browse other website by opening a new session, while you are using Internet Banking/Mobile Banking Services.
Do not use "Auto Complete" function provided by browsers or other software to remember your User ID and PIN.
You should also check if the domain name is one of the following
www.ocbc.com.hk
ebanking.ocbc.com.hk
m.ocbcwhhk.com
Do not access to the Bank's website through internet search engines or suspicious pop-up windows.
Please always connect to a bank website by typing the authentic website address into the browser or by bookmarking the genuine website for subsequent access.
Use encryption to protect your wireless network.

Types of Threats when using Internet

Fraudulent or spoof websites
Where customers are asked to input their personal information, mistaking it to be the bank's genuine website.
Phishing
Normally a spam email containing a hyperlink to a log-on page, which requests online banking passwords. The page appears to be an official website but is actually a spoof website.
Trojan software
A malicious code attached or embedded in software that is planted in a customer's PC by a fraudster to access the customer's personal information. A form of Trojan is "key-logger" which monitor and record the keystrokes when a person types on the keyboard(e.g. User ID and PIN). This information can be passed back to an unauthorized person.
Spyware
Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
Identity threat
Fraudsters open bank accounts remotely by luring customers into conducting selfies and liveness tests, so to apply for unauthorised loan applications under the customers' name. The common pretexts include claiming to play a "face swapper / selfie game", or to assist the customer to apply for a job, insurance policy, or travel membership, all of which involve collecting identity and other personal information of the customers.

Protect your personal information including HKID and biometrics to avoid the information being used for unauthorized transactions.

Website's identity authentications

We have introduced the latest security measures, EV SSL Certificate (Extended Validation SSL Certificate), for website's identity verification. If you are accessing Internet Banking Services:

Before logging in, please ensure the Bank's name "OCBC Bank (Hong Kong) Limited" is shown on the top left corner of the login page and the name is shown on the address bar when accessing through some of the browsers e.g. IE and Chrome.
Click the Bank's name on the address bar (for IE) or the lock icon (for Chrome/ Edge) to see the certificate's information.
You are under secure protection if the URL address starting with "https://" or show the 'Lock' icon at the browser's address bar after log in Internet Banking.

High-risk Online Transaction

Although you are protected by our Two-Factor Authentication while you initiate a high-risk transactions (for example, Non-registered Third Party Account Transfer (include OCBC Bank and Other Bank Account Transfer, Telegraphic Transfer, CHATS and HK-Macau Instant Remittance), Bill payment to designated merchants and Overseas ATM Cash Withdrawal Setting), the following security tips are highly recommended:

Ensure nobody is watching you while inputting your Security Key No and do not disclose your Security Key No. to anyone including our bank staff (it is not necessary for the Bank's employee to know the Security Key No.)
An SMS will be sent to your mobile phone after a high-risk transaction done. Please check carefully the details in the SMS must be the same as the transaction you have just completed.
Security Key No. SMS will only be sent to customer's pre-registered mobile phone number and not be forwarded to other mobile number even if customer has subscribed "SMS Forwarding Service" provided by telecommunications service providers in Hong Kong.
Please inform the bank staff to stop the service temporary at once if you have lost your mobile phone.
If you have changed your mobile phone no., please inform the bank to update.
Before you finish the high-risk online transaction, do not leave your eBanking devices (e.g. personal computer, mobile phone or palm) unattended in the middle of a session.
Automatically reduce transaction limit. Transaction limit for "Non-registered Third Party Account Transfer" (including OCBC Bank and Other Bank Account Transfer, Telegraphic Transfer, CHATS and HK-Macau Instant Remittance) will be reset to Zero automatically if no such fund transfer was conducted for more than 12 months. To reset the limit, please go to "Daily Limit Maintenance" on Internet Banking (Security Device is required) or submit a Personal eBanking Service - Alteration Request Form to any of our branches.

Security Device

Please follow the guidelines below to protect your Security Device:

Keep your Security Device in a safe and secured place all the time.
Store your Security Device in a dry and cool environment. Leaving your Security Device in extremely high or low temperatures or water may cause problems with the Security Device.
Do not open your Security Device or remove the battery or circuit board. Request for replacement if your Security Device is running out of battery.
Never leave your Security Device unattended or exposed with the One-Time Security Code displayed
Do not lend your Security Device to others.
Do not reveal your Security Device serial number or One-Time Security Code to anyone.
Refer to FAQ - Security Device for more details.

Security Measures for the use of Mobile Banking

Please download our bank apps from official App Store or Google Play by searching "OCBC Bank".
Do NOT save or store your login name, PIN or PIN of the Soft Token in mobile device.
Please set a hard-to-guess password and enable auto-lock for your mobile device, and enable remote wiping to protect data.
To avoid logging into Mobile Banking in a crowded area (e.g. train compartment).
Prevent sharing with others the use of Mobile Banking on your mobile device.
When you have adopted device binding, biometric authentication or Soft Token, your mobile device will serve as important elements for login or transaction authentication. To reduce the associated risks related to unauthorized activities or transactions, please safeguard your personal belongings, keep your mobile device, PIN and sensitive information properly and do not allow anyone else to use your authentication factors.
Prevent accessing the public Wi-Fi when you are using Mobile Banking.
Turn off wireless communication technologies (eg. Wi-Fi, Bluetooth, NFC) when they are not in use. If using Wi-Fi, please connect to a trusted and encrypted network and remove any unnecessary connection settings.
Do NOT use any jailbroken or rooted mobile device to login Mobile Banking, which may contain security loopholes.
Please install and update the latest anti-virus and anti-spyware software in mobile device regularly.
Please logout the Mobile Banking properly after using it.
Avoid clicking on suspicious links or downloading unknown apps.
Please logout the Mobile Banking services when you are using other apps.
Please properly install and update other mobile apps and operating system of mobile platforms. Avoid installing and updating any suspicious mobile apps or operating system of mobile platforms from unknown sources.
Carefully review permissions before installing any apps and do not download any apps from unofficial source (i.e. side-loaded apps). To protect your banking login credentials from potential fraudsters exploiting side-loaded apps, please disable unnecessary or excessive device permissions (e.g. accessibility permissions) of those apps or remove them from your device. If your Android device contains side-loaded apps with excessive permissions (e.g. accessibility permissions or full control), you will be alerted while opening "OCBC Bank" mobile app.
In order to enhance the security of your banking transactions and protect you from potential malware scams, the screen capture and recording feature on Android devices for “OCBC Hong Kong” mobile app has been disabled.
Stay informed about malware scams and check for security alerts from your bank.

Security measures for the use of Telematic Code and PIN of Telematic Banking

Ensure nobody is watching you while inputting your Telematic Code and PIN.
Keep Telematic Code and PIN private and NEVER disclose to anyone else including our staff and police.
Do Not allow others to use your Telematic Code and PIN.
Do Not use the same PIN of the Telematic Banking Services of other bank.
Always contact us at Customer Service Hotline 3199 9188 immediately if you lose your PIN, or suspect your Telematic Banking account is stolen.
Use strong PIN. A good, strong PIN should meet all of these criteria:
- Easy for you to remember, but difficult for others to guess,
  - The length of the PIN must be in EIGHT numeric characters
  - Use THREE or more different characters, e.g. 12522552
  - Do not use the same character for FIVE times or more, e.g. 11115721
  - Do not use FIVE or more consecutive characters (in alphabetical or reverse alphabetical order), e.g. 81234596, 98765753
  - Do not use your Telematic Code as your PIN
  - Do not use a PIN that is hard to memorize so that you have to written it down
  - Do not use easy accessible number or data such as your birthday, ID number or personal telephone number as your PIN

Security measures for the use of ATM Card and PIN

Destroy the PIN mailer after memorizing the PIN.
Do Not write down the PIN and never keep any written record of the PIN with your ATM card.
Change your PIN at any JETCO ATM regularly.
Avoid using easily accessible number such as personal data including your birthday, ID number or personal telephone number etc.
Do Not disclose your PIN to any person including any joint account holder, the police and the bank staff. The Bank will never ask for your PIN by any means such as email, SMS, phone, etc.
Do Not send your PIN via email / SMS and never use the same PIN to access other services.
Always stay alert when using ATMs. Cover the keypad with your hand with entering the PIN, and reject any assistance from strangers.
Do Not allow others to use your ATM card and PIN.
Be careful of any suspicious device on or near ATM and card reader slot before using ATM (e.g. pinhole camera, card reader, etc.).
Stop the transaction and report to the Bank immediately if you observe the PIN panel has been removed or loosened.
Remember to take back your ATM card after using ATM or POS terminal.
Count the banknotes immediately after cash withdrawal. Do not take the banknotes or ATM card left at an ATM dispenser by another person. The banknotes or ATM card will be automatically returned to the ATM.
Check account activity regularly to spot unusual transactions.
Immediately inform the Bank in case of any actual or suspected unauthorized use of your ATM card and/or PIN, or your ATM card is stolen or lost.
To comply with the latest regulatory requirement of The Hong Kong Monetary Authority to strengthen the security controls for ATM services, with effect from 1 March 2013, the overseas ATM cash withdrawal (including cash advances) service of all ATM cards and credit cards will be pre-set as "deactivated". Customers are required to activate Overseas ATM Cash Withdrawal Service for their ATM cards and credit cards before using overseas ATM to withdraw cash (including cash advances). No activation is required for cash withdrawal via JETCO ATMs in Macau and China.
Please put your ATM/credit cards that are used for authenticating customer identity at self-service terminals in safekeeping.
For lost / stolen card*, please call our ATM Card and Credit Card 24-hour Report Lost Hotline immediately on (852) 3199 9000 (Hong Kong) or (853) 2838 8144 (Macau).

*Remark: The Cardholder is fully liable for all amounts that we debit to the ATM Card Account whether due to the unauthorized use or misuse of an ATM Card or PIN or through a lost or stolen ATM Card, before we receive notification of the loss, theft, unauthorized use, misuse and/or disclosure of a ATM Card or PIN. However, if (a) the Cardholder has not acted fraudulently or negligently in safeguarding the ATM Card or PIN and has acted honestly, in good faith and with due care and (b) has informed us as soon as reasonably practicable upon discovery that his ATM Card or PIN has been lost, stolen, used without authorization, misused by or disclosed to a third party, then the Cardholder's maximum liability for unauthorized transactions is HK$500.

Two-factor Authentication

Two-Factor Authentication (2FA) is now mandatary for Internet Banking Investment Services besides high-risk transactions (e.g. funds transfers to non-registered payee).
Please make sure you have updated mobile number & email record with us.
No our employee will ever ask you for your password or OTP (One-Time-Password). If you receive a call or email from someone claiming to be our employee, government official or even a member of law enforcement and they ask you for your password, ignore the call and contact us at Customer Service Hotline 3199 9188 immediately.
Refer to Two-factor Authentication for Internet Investment Services for more details.

Email

The Bank will not ask for sensitive account and personal information such as User IDs and passwords via e-mails.
The Bank will not send e-mails with embedded hyperlinks (including those presented as QR code) to transactional websites to the customer for requesting enter or confirming any personal information and password.
Do not open Email attachment from unknown, suspicious or unreliable sources and delete it immediately.
Be aware of scam Emails which may pretend to be sent from your trusted business partners and friends, however they were designed to trap you into downloading a virus or visiting a fraudulent website and disclosing your sensitive information including your User ID and PIN.
Do not send your User ID and PIN or other sensitive personal or financial information via Email. We always use encrypted sites that are secure to receive the information.

Security measures provided by the external parties

Click here to learn more about digital security tips published by the Hong Kong Monetary Authority.
Click here to learn more about the latest cyber security and technology crime published by the Hong Kong Police.
Click here to learn more about the cyber security information provided by the Office of the Government Chief Information Officer.
By clicking the above links, you are now leaving the OCBC Bank (Hong Kong) Limited website and entering a third party site. All the information you provide will be subject to confidentiality and security terms of the applicable third party site. OCBC Bank (Hong Kong) Limited does not take responsibility for information you provide at such third party sites.

Keep the Bank updated of your contact information