Security Tips - ICBC (Asia)

Security Tips
How well is my information being protected with your Internet Banking Service?
  • The system is equipped with network security features, including TLS (Transport Layer Security) with end-to-end encryption and firewall protection. Your input is encrypted end-to-end within your browser before it is sent to our bank through the SSL channel, to ensure every transaction is safe.
  • Our bank currently accepts the password token as the two-factor authentication device for Internet Banking. The password token uses new-generation dynamic password technology for authentication, to ensure security when you perform transactions in Internet Banking.
  • Identification by User ID and password, with an enforced change of password upon the first login.
  • The Internet Banking Service will be suspended if the login password has been entered incorrectly 3 consecutive times in the same day.

For your maximum protection, we would like to remind you to take the following precautionary measures to prevent fraudulent use or unauthorized disclosure of your password.
  • Install up-to-date virus protection software and a personal firewall, and keep the virus definitions/signatures up to date, to ensure you have adequate protection for your personal computers.
  • Do not install software or open email attachments from unknown sources.
  • Do not access the Bank's website through hyperlinks embedded in e-mails.
  • Verify the validity of the digital certificate of the Internet Banking server.
  • Change your initial password when you first access Internet Banking Service.
  • Change your password periodically.
  • Keep your password confidential at all times. Do not disclose your password to any other person, including the Bank's employees.
  • Do not write down or record the password in any form recognizable as a password.
  • Do not send the password via e-mail.
  • Do not use your identity card number, telephone number, birthday or a recognizable part of your name as your password.
  • Do not use the same user name and password for your Internet bank accounts and for access to other services (for example, for connection to the internet or accessing other web sites).
  • Use a combination of numbers and letters, in upper and lower case, for your password if possible.
  • Log out of the Internet Banking Service and clear the browser cache after you have completed your banking activities. You should not leave a session unattended at any time.
  • Ensure the personal computer/mobile device is not left unattended while the service is in use.
  • Ensure proper physical access controls for your personal computer and Internet connections. Do not access the Internet Banking service from public personal computers (e.g. cyber cafes).
  • You should provide a valid mobile phone number and contact numbers for notification purposes, and notify the Bank promptly if any of these numbers change.
  • Regularly review and follow the security tips published by the Hong Kong Association of Banks, the Consumer Council, the Hong Kong Police Force, the Hong Kong Monetary Authority, the Securities and Futures Commission or the Information Technology Services Department.
  • For security's sake, you should protect your password token and its password, and make sure the computer on which you log on to Internet Banking is reliable. You should update your antivirus software periodically. Do not open unsolicited procedures, links, and e-mails, and keep the password safe after use.

Please review our security tips and add the following security controls to mitigate the risk of a Trojan horse affecting your PC:

  • Customers should not download files from any unknown websites.
  • Customers should not open emails or attachments from unknown senders.
  • Customers should never access internet services such as internet banking through hyperlinks embedded in emails, internet search engines, suspicious pop-up windows or any other doubtful channels. (Customers should connect to a bank website by typing the authentic website address in the address bar of the browser, or by bookmarking the genuine website and using that bookmark for subsequent access.)
  • Customers should validate the identity and genuineness of our e-banking website before use.

For IE (Internet Explorer) users, please press F11 to validate the identity and genuineness of our e-banking website before use. The steps are as follows:

  • Press F11 while visiting the ICBC (Asia) internet banking webpage. (If there is a "closed" lock showing at the top of your browser, it is TLS-enabled.)
  • After pressing F11, you can find a small icon of a lock or a key in the top right corner of your browser. A *certificate window will be displayed showing the owner of the web page you are currently browsing; you can then verify whether the current web page belongs to ICBC (Asia).

*Note: The following details are displayed in the certificate window so that customers can verify the trustworthiness of the website.
- the website name which is certified (issued to): myebankasia.icbc.com.cn
- the certifier of the website (issued by): Symantec Class 3 EV SSL SGC CA - G2
- the valid date: to check whether the website is within the valid date
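
The same three checks (issued to, issued by, validity period) can be scripted. The following is an added example, not code from the Bank; it works on the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`, uses the expected values listed in the note above and in question 8 below, and the sample certificate and its dates are constructed for illustration.

```python
import socket
import ssl

# Expected values as listed on this page.
EXPECTED_HOST = "myebankasia.icbc.com.cn"
EXPECTED_ISSUER_CN = "Symantec Class 3 EV SSL SGC CA - G2"

# Constructed sample in getpeercert() format (dates are illustrative only).
SAMPLE_GOOD = {
    "subject": ((("organizationName", "Constructed Sample Org"),),
                (("commonName", EXPECTED_HOST),)),
    "issuer": ((("countryName", "US"),),
               (("commonName", EXPECTED_ISSUER_CN),)),
    "subjectAltName": (("DNS", EXPECTED_HOST),),
    "notBefore": "May  9 00:00:00 2016 GMT",
    "notAfter": "May 10 23:59:59 2018 GMT",
}


def _rdn_value(name, key):
    """Return the first value for `key` in a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern, host):
    """Exact match, or a single left-most '*' label covering one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_certificate(cert, host, issuer_cn, now):
    """Return a list of problems; an empty list means all three checks passed."""
    problems = []
    # "Issued to": prefer subjectAltName DNS entries, fall back to the CN.
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = sans or [_rdn_value(cert.get("subject", ()), "commonName") or ""]
    if not any(_host_matches(n, host) for n in names):
        problems.append("issued-to mismatch: %s" % ", ".join(names))
    # "Issued by": compare the issuer common name with the published one.
    actual = _rdn_value(cert.get("issuer", ()), "commonName")
    if actual != issuer_cn:
        problems.append("issuer mismatch: %s" % actual)
    # Validity period: `now` is seconds since the epoch (UTC).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("outside validity period")
    return problems


def fetch_certificate(host, port=443, timeout=10):
    """Fetch the server certificate; the default context already rejects
    untrusted chains and hostname mismatches before returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")
    print(check_certificate(SAMPLE_GOOD, EXPECTED_HOST, EXPECTED_ISSUER_CN, now))
```
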


For other browsers such as Safari, the verification steps are the same as above, but you do not need to press F11 to access the top bar while visiting the online banking webpage.

If you suspect there are unauthorized transactions in your account, immediately contact our Bank via the Customer Service Hotline on (852) 218 95588 or any of our branches.


Important:
To minimize the risk of your router being hacked through its default password, please change the password immediately.



More on Security Questions -- Your Roles and Responsibilities
  1. How should I take care of my password?
    A: You should note the following points in taking care of your password:
    - Do not disclose your password or account number to anyone.
    - Do not allow anybody else to use your password.
    - Do not write down or record the password without disguise.
    - Do not use your Hong Kong Identity Card number, telephone number or date of birth etc. as your password.
    - Use a password that is difficult to guess.
    - Change your password regularly. The password can be from 8 to 12 alphanumeric characters long.
  2. May I save my User ID and password so that I do not need to enter them every time I login?
    A: To ensure every transaction is safe, the User ID and password cannot be saved.
  3. May I save my User ID and password so that I do not need to enter them every time I login?
    A: To ensure every transaction is safe, the User ID and password cannot be saved.
  4. What is data encryption?
    A: Encryption refers to the scrambling of data to protect its security. The encryption and decryption functions are based on complex mathematical theories.
  5. Why do we need end-to-end encryption in addition to TLS?
    A: TLS treats transaction data and the password in the same way, while end-to-end encryption can handle the password in a different way so that your password enjoys the highest protection. End-to-end encryption enables the encryption of information at its origin and decryption at its intended destination without any intermediate decryption.
  6. How can I know that my browser is TLS-enabled?
    A: If there is a "closed" lock at the bottom of your browser, it is TLS-enabled. You may verify the connection encryption status by selecting "File" on the menu bar and then "Properties".
  7. How to enable TLS in my browser?
    A: Generally speaking, you can enable TLS 1.0, TLS 1.1 and TLS 1.2 in the security settings of your internet browser. For example, in Microsoft Internet Explorer 8.0, you can follow the procedure below:
    1. Select "Tools" from the Menu bar
    2. Select "Internet Options"
    3. Click on the "Advanced" tab
    4. Choose "Security" and enable TLS 1.0, TLS 1.1 and TLS 1.2.
    5. Click "OK"
  8. How can I make sure that the web pages of the Internet Banking I am currently browsing really come from your Bank?
    A: When you reach the login page that requires you to enter your ICBC (Asia) Internet Banking Account Number, User ID where applicable and Password, for security purposes you can click the small icon of a lock or a key at the bottom of your browser. A certificate window will be displayed telling you the owner of the web page you are currently browsing; you can then verify whether the current web page belongs to ICBC (Asia).
    - the website name which is certified (issued to): myebankasia.icbc.com.cn
    - the certifier of the website (issued by): Symantec Class 3 EV SSL SGC CA - G2
    - the valid date: to check whether the website is within the valid date
  9. What should I be aware of while using the Internet Banking Service?
    A: To protect your interests while using our service, you are strongly recommended not to use the "Back"/"Reload" buttons, or to minimize, maximize or resize the browser. If you do, our security module might disconnect the session.
  10. How do I secure my personal computer if I have a static internet connection?
    A: You are recommended to install the most up-to-date anti-virus software and to update its virus signatures regularly. For maximum protection, we also advise you to install personal firewall software to protect your personal computers against intrusion via the Internet. You are recommended to consult reputable information security professionals and software vendors to select the most suitable security protection software.

    Note that different security software products might have different strengths and weaknesses in different protection scenarios. You are reminded to stay alert to security vulnerabilities and exposures and to patch your software promptly.
  11. What should I do if I suspect there are unauthorized transactions in my account?
    A: Immediately contact our Bank via the Customer Service Hotline on (852) 218 95588 or any of our branches.
Important

If you suspect any unauthorized use of your Internet Banking account or any abnormal transactions in the account, you should contact us at once. Our bank will never ask you for your password or send you emails requesting that information.
Our bank will never ask for any sensitive personal information such as bank account details, login ID, login password and one-time passwords or credit card number through phone calls, emails or SMS messages.
If you receive such a request, contact us immediately. Call our Customer Service Hotline (852) 218 95588; or click here to send your enquiry.



Email / Instant Message
  • Use a strong password for your email service;
  • Use two-factor authentication as far as possible to secure your email account;
  • Monitor and review login activity;
  • Do not download files from unknown sources or open emails or attachments from unknown senders. Delete emails from unknown senders immediately after receipt. Such emails should also be deleted from the "Trash Bin" of your mailbox;
  • Scan attached executable files before you open or execute them;
  • Disable scripting features in email applications to prevent auto-execution of unknown files;
  • Be vigilant about suspicious emails or websites that ask you to provide your login credentials;
  • Use different email addresses for different accounts. For example, avoid using the same email address for banking and gaming services. Also use different passwords for different online services;
  • Do not use public Wi-Fi to access sensitive services. Using a telecommunication network is more secure;
  • Do not click any hyperlink embedded in an unknown email / instant message.

When an email claiming to originate from us looks suspicious to you, e.g. if it says you have won a prize draw or there is an offer for you to make some easy money without any action on your part, contact the HKMA hotline on 2878 8196 or the police hotline on 2860 5012-3, call our Customer Service Hotline (852) 218 95588, click here to send your enquiry, or contact any of our branches in person.



Online attack

Fraudulent emails, Advance fee or '419 Fraud'
This involves unsolicited letters and e-mail messages offering the recipient a generous reward for helping to move large sums of money, usually in US dollars. These funds are said to be anything from corporate profits/accumulated bribes/unspent government funds to unclaimed money belonging to a deceased person.

Alternatively, the email sender claims to be a member of bank staff and invites the recipient to pretend to be the next-of-kin of a deceased client who has left a huge sum in an unclaimed fixed deposit. Upon receiving a favourable reply, the fraudster asks the recipient to pay a fee in advance for preparing the documents needed to claim the estate. In the end, the email recipient is cheated and cannot reach the sender again.

The fraudsters are after banking details. The transactions typically require the recipient of the letter or e-mail message to pay something like a fee/tax/bribe to complete the deal - this is the Advance fee. However, any fees paid will be lost.


Lottery fraud
This involves letters or e-mail messages which advise the recipient that they have won a prize in a lottery. To obtain the funds they are asked to respond to the letter or e-mail message. A request will then be made for the recipient to provide his/her bank account details to allow for funds to be transferred. The recipient may also be asked to pay a handling/processing fee. If paid, this fee will be lost. Also, any details given will probably be used to commit further fraud.


Virus hoax e-mail
Many e-mail warnings about viruses are hoaxes, designed purely to cause concern and disrupt businesses. Such warnings may be genuine, so don't take them lightly, but always check the story out by visiting an antivirus site such as McAfee, Sophos or Symantec before taking any action or forwarding them to friends and colleagues.


Beware of Email Scam "Verify Suspicious E-mails Uncover Online Swindlers"
In cases of email scam, the fraudsters hacked into the victim's email account and checked the victim's business correspondence with business partners. They then sent an email to the victim from an email account the same as or similar to that of his business partner, claimed that the payment bank account had been changed, and requested the victim to deposit the payment for goods into the fraudster's designated bank account. The Police appeal that if you receive any suspicious emails, you should confirm the identity of the purported business partner or the authenticity of the request by telephone before remittance, so as to avoid being deceived.


Man-In-The-Browser Attack
Please be highly aware of a recent online threat known as a Man-In-The-Browser (MITB) attack, where an attacker takes control of a customer's connection and transmits counterfeit screens to the customer in an attempt to capture and manipulate customer data.

  • A frequent MITB attack scenario involves the attacker taking control over a customer's login session. The attacker transmits screens similar to the online banking screens requesting the customer to wait while their details are being verified. During this, the attacker would initiate a request for adding payee or updating personal information while the customer's account is being compromised. An SMS containing a One-Time Password (OTP) is sent to the customer's mobile phone as part of the process. More counterfeit screens are transmitted to the customer to prompt the customer to key in the OTP in order for the attacker to proceed with payee addition and/or personal information update.
  • Please do not proceed if you notice an unusual screen or message during your online banking login session.
  • Do not act on an SMS containing an OTP that you have not requested, and review your existing payee list for any unauthorized additions.

Detecting and Reporting Abnormal Activities / Suspected Frauds / Frauds
  • Check your account balance and statement regularly, and contact us immediately should you encounter any abnormal transaction. (Don't ignore any unusual activity even if it is a minor one.)
  • Check your personal profile regularly to avoid loss caused by unauthorized usage of your personal information.
  • Notify us of any change of your contact information immediately, so that we can contact you in case an abnormal online transaction is found.

If you suspect any online transaction, you should immediately submit the information (your last logon time; printouts of account information from Internet Banking; emails; or screen captures (such as images) relating to the activities or suspected frauds) to us via the following channels:
Call our Customer Service Hotline (852) 218 95588; or click here to send your enquiry; or contact any of our branches in person.



More Security Information

To learn more about Internet Banking security, please refer to the video below provided by the HKMA:
https://www.hkma.gov.hk/eng/smart-consumers/personal-digital-keys/

(1) Two-factor Authentication to Strengthen Security

The Two-factor authentication uses a combination of 2 different factors for verifying a user's identity:


Advantage of Two-factor Authentication:
Your transaction is highly protected because the fraudsters cannot steal your physically possessed tools (such as your mobile phone) over the Internet. All of the high-risk Internet Banking transactions, such as fund transfers to non-designated accounts, are protected by this additional authentication tool physically held by yourself. By just a few simple steps, you can enjoy this enhanced security level of online transactions.



(2) Security Tips

After you have finished all online transactions, you must remember to click "Logout" to exit from the Internet Banking system to avoid any information leaking. Please safeguard your password token and mobile phone because they are important tools for two-factor authentication. Do not access Internet Banking through hyperlinks embedded in e-mails. The Internet Banking Service will be suspended if the login password has been entered incorrectly 3 consecutive times in the same day. You may try to log in again the next day. If you are still unable to log in to Internet Banking, your service may be suspended. Please call 218 95588 or visit a branch for assistance.



(3) Note of using Java Plugin

We recommend that customers take the following actions if they use Java to log in to our Internet Banking.

  • Download and install, from the official Oracle website, the latest Java patch announced on 15 January 2013 or thereafter, which should fix the problem that Oracle officially announced on 13 January 2013.
  • Open the related Java software only before using the Internet Banking Service.
  • Enter our official website directly: www.icbcasia.com (do not use a link in your bookmarks), then log in to Internet Banking from the ICBC (Asia) website.
  • Customers can refer to question 8 in "More on Security Questions -- Your Roles and Responsibilities" in the e-banking Security Tips to check whether the website being browsed is provided by ICBC (Asia).
  • Log in and use Internet Banking normally; do not visit other unknown websites that use Java at the same time.
  • Log out of Internet Banking normally.
  • Customers who are worried about Java on their computer can disable Java after logging out of Internet Banking and enable it again the next time they log in.

(4) Review of Registered Third Party Accounts

Before you register for fund transfer any third-party account(s) in a high-risk category (e.g. money service operators or agents that provide services or products that can easily be converted to money, such as remittance agents, money changers, jewellery companies, casinos, finance/loan related services such as stock agents, and credit card merchants), please consider carefully and read the Bank's online security tips. Please be aware of the potential risk of registering third-party accounts of some institutions, which may be used for retrieving funds or transferring funds to another non-designated beneficiary.

More on Mobile Banking Security Tips
  1. How to increase the security level when using Mobile Banking Service?
    A: Customers are reminded to be vigilant about any fraudulent websites or Mobile Banking apps related to ICBC (Asia). It is always prudent to access the official Mobile Banking websites through the official address "m.icbcaisa.com" / "//mobilehk.icbc.com.cn", or through the official Mobile Banking app downloaded from official application stores.
    - Do not store your password in the browser, and disable the “AutoComplete” feature to prevent any third party from accessing your login credentials via the browser.
    - Install the latest anti-virus and anti-spyware software on your mobile devices (smartphones or tablets) and update it regularly. Do not use any ‘jailbroken’ or ‘rooted’ mobile devices, which may have security loopholes, to log on to Mobile Banking.
    - Make sure you are using compatible versions of the operating systems of your mobile devices. Remember to install the latest security software and update it regularly, and make sure your mobile device software, operating system and anti-virus software are up to date. Enable the auto-update feature to obtain and install security patches regularly from trusted sources. If you find an application suspicious, do not download, install or log in to it, and stop using it immediately.
    - Avoid accessing Mobile Banking via public Wi-Fi (wireless networks) or Wi-Fi without a password. Choose a reliable Telecom Service Provider.
    - Disable any wireless networking functions (e.g. Wi-Fi, Bluetooth, NFC) when not in use.
    - Please verify your last login and logout records every time you use mobile banking service. You should also check your account balance and transaction records regularly. If there are any suspicious transactions, please contact us immediately.
    - After receiving the PIN notification letter, please memorize the PIN and destroy the notification letter immediately. To enhance the security level, we suggest you change the PIN when you use it for the first time. Do not use your identity card number, telephone number, date of birth, driving license number, or easy-to-guess numbers or words as your password, and avoid selecting a password that you have used for accessing other web services.
    - Do not disclose your Mobile Banking user name and password (including one-time passwords) to anyone (including bank staff and the police). You should also avoid disclosing your personal information, such as your identity card number and date of birth, to anyone.
    - Do not store your mobile banking account name and password on your mobile phone.
    - Do not write the password on any of the devices used for accessing Mobile Banking or on anything nearby. You should memorize the password instead.
    - Do not allow anyone else to use your mobile banking or password. Set a passcode for your mobile device that is difficult to guess and activate the auto-lock function.
    - Avoid using Mobile Banking in crowded areas, and take care when entering your password on certain handsets: the characters may be enlarged and clearly displayed, which could let people nearby see your sensitive information.
    - Check your surroundings before performing any banking transactions, and make sure that no one sees your Mobile Banking password.
    - For security purposes, change your Mobile Banking password regularly via our Internet Banking Services.
    - For security reasons, you cannot log on with the same "Internet Banking Account Number / Defined User Name" through three channels (e.g. WAP / iPhone App / Android App) simultaneously.
  2. What should I do if I lose my password or mobile handset?
    A: If you lose your Mobile Banking password/mobile handset, or suspect that your password or security device is used by an unauthorized party, or find any unauthorized transaction(s) associated with your account, please contact your Telecom Service Provider and contact us immediately.
  3. Is there any cost for using the Mobile Banking Application?
    A: We do not charge for using the Mobile Banking App. However, you are responsible for the charges incurred from your mobile network operator when you access or download the Application.
  4. Is two-factor authentication available on Mobile Banking? What is the advantage?
    A: The Two-factor authentication uses a combination of 2 different factors for verifying a user's identity:
    Advantage of Two-factor Authentication:
    Your transaction is highly secured because the fraudsters cannot steal your physically possessed tools (such as your Password Token) over the Internet. All of the high-risk Mobile Banking transactions, such as fund transfers to non-designated accounts, are protected by this additional authentication tool physically held by yourself. By just a few simple steps, you can enjoy this enhanced security level of online transactions.
