Lately, the industry has become focused on reducing the friction associated with payments, but perhaps we’ve forgotten why we asked so many questions – HSBC discovered the answer; it’s to keep the criminals out:
“Simple verification procedures for HSBC e-payment app PayMe allowed hackers to carry out unauthorised transactions after luring victims into disclosing their email passwords using phishing scams, a police source said on Friday.
Cybersecurity experts have called on the bank to introduce two-factor authentication, which requires users to provide an additional piece of information besides a password.
HSBC said on Thursday night that about 20 accounts with the e-wallet system had been accessed without authorisation, and transactions carried out involving HK$100,000 (US$12,770).
The breach had been reported to police and the Hong Kong Monetary Authority, the bank said.
A veteran policeman with knowledge of the incident said hackers posing as an email service provider had sent out phishing emails asking victims to submit their passwords to initiate an update to their accounts.
“That’s how the victims’ email accounts were hacked. But the scammers then looked for PayMe notifications in their emails, and if they saw one, would send a message to the app requesting a password change,” the source said.
“The hackers could then control their victims’ PayMe accounts. PayMe has no security issue as such, but the verification process is way too easy.”
Chester Soong, director of the Internet Society Hong Kong, said two-factor authentication should be adopted, which requires information other than a password, such as a thumbprint, face scan, ID card number or passcode sent to a phone.”
In this case a quick biometric challenge issued to the users smartphone would have prevented the fraudsters transfer of funds while still making the payment easy for smartphone users. For millennials and the wealthy, banks that fail to adopt the biometric solutions available on modern smartphones are beginning to come across as simply obstinate. Consumers use biometrics to open the phone and to make card payments via the wallet, they now expect bank apps to similarly adopt that simple and secure method. In the case of HSBC it could have saved them from some really terrible publicity.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group