Security Information

This webpage sets out the security information of the electronic banking ("e-banking") services offered by Bank of China (Hong Kong) Limited ("BOCHK") and BOC Credit Card (International) Limited ("BOC Credit Card") (each named as "the Company", "we"). E-banking services refer to banking services delivered over the internet, wireless network, ATMs, telephone network or other electronic network, terminals or devices, including but not limited to the Company’s Internet Banking, Mobile Banking, Mobile Application (Mobile App), WeChat official account, Phone Banking, Automated Banking and online services of BOC Credit Card.

Latest / Important Security Information

Protect your Personal Digital Keys. Beware of Fraudulent Links!

Your Internet Banking account login details and personal information, including Internet Banking login credentials such as Internet Banking number, usernames, login passwords and one-time passwords (OTPs), are as important in the digital world as the keys to your home, and should be properly safeguarded.

  • Before inputting an OTP as the transaction authorization for any online transaction (including credit card transactions), you should verify the details of the transaction request carefully, such as merchant name, transaction type, amount and currency, to confirm that they refer to the intended transaction. If you have any enquiry, please contact us immediately.
  • We will never ask for any sensitive personal information such as bank account details, credit card number/security code, Internet Banking user name, login passwords and OTPs through phone calls, emails or SMS messages. Please contact us immediately if you receive such a request. If you receive any suspicious SMS or email messages with embedded hyperlinks purporting to be from the Company and requesting you to input any personal information, you should be vigilant and think twice. In case of doubt, please contact the Company Customer Service Hotline at (852) 3988 2388.
  • The Company will not send SMS or email messages with embedded hyperlinks, QR codes or attachments directing customers to the Company’s website or mobile applications to carry out transactions. Nor will the Company ask you to provide any sensitive personal information, including bank account details, credit card number/security code, Internet Banking user name, login passwords and OTPs, via hyperlinks, or contact you via telephone voice messages.
  • To safeguard your online banking security, you should access Internet Banking through the Company’s official website. Please do not log in to Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiry, please contact us immediately.
  • Do not download any mobile applications from unreliable sources. You should download BOCHK Mobile Banking and BoC Pay mobile application from official application stores or BOCHK official website.
  • Before making payment by Mobile Phone No., E-mail Address, Faster Payment Identifier (FPS ID) or QR code, you should verify the details of payment request carefully, including the payee name. If you have any doubt, please confirm with the payee in advance.
  • You should ensure that the devices you use to access e-banking services are not infected by viruses or accessed without authorisation by malicious, corruptive or destructive programs that could retrieve, use or change your password, Biometric Authentication (e.g. fingerprint, Face ID) or personal information.
  • Please be reminded to stay vigilant to anything abnormal when logging in to Internet Banking. In case of doubt, do not follow the instructions of the suspicious web page or input any data. You are advised to close the window and contact us immediately.
  • You should notify us of any change of your mobile phone number or email address without delay. You will remain responsible for any unauthorised use of the e-banking services by others before we receive your notification.
  • You should be aware of your obligations in relation to security for e-banking services and follow the relevant security measures specified from time to time by us for the protection of customers. You may bear the risk of suffering or incurring any loss if you do not take the security measures that we recommend.

 

Please refer to the following hyperlinks for Hong Kong Monetary Authority anti-deception information:
https://www.youtube.com/watch?v=qnj4HSGG0Vs (30-second version)
https://www.youtube.com/watch?v=EH3i6u6fD8g (Full version)

 

Online Security Tips and Information

What Have We Done to Protect You

  • We have adopted 128-bit or above Transport Layer Security ("TLS") encryption to ensure the security of your data during transmission and prevent any unauthorised access to your data by third parties.
  • Our web servers are protected by firewall systems to prevent any unauthorised access to our system.
  • Your login attempts are recorded systematically. In the event of several consecutive login attempts with an incorrect password, the related Internet Banking Services will be suspended immediately.
  • Our Internet Banking Services will be automatically disconnected after remaining inactive (i.e. no operational instructions have been received) over a period of time to prevent unauthorised transactions.
  • Our Internet Banking Services provide personal customers with a “Mobile Token” or “Security Device” as a two-factor authentication tool, while corporate customers are offered a “Mobile Token”, “Security Device” or an e-Certificate as the two-factor authentication tool. This advanced security measure has been adopted to further verify your identity before the “Designated Transactions” or “Designated Investment Transactions”* can be conducted via the Internet Banking Services. For details, please refer to “Two-factor Authentication Tools”.
  • During each login to Corporate Internet Banking using an e-Certificate by corporate customers, our system will verify the identity of the user based on the information of the “e-Certificate”. To apply for an “e-Certificate”, please contact your account opening branch. To learn more about its usage, please refer to the Certification Practice Statement of Digi-Sign Certification Services Limited at www.dg-sign.com.

Security Certificate

We use an Extended Validation ("EV") SSL Certificate to allow you to verify the authenticity of our websites by checking the address bar of your browser. You can also check the certificate details, including the issuer, the validity date and other information, by clicking the "security lock" icon at the login page of our Internet Banking Services. Please note that the layouts may be different for different browser versions. For details on the EV SSL Certificate, please refer to the website of DigiCert, the issuer of the certificate.

Template:

BOCHK
Domain name issued to: "www.bochk100.com", "its.bochk.com", "cib.bochk.com" or "igtb.bochk.com"
Issued by: DigiCert SHA2 Extended Validation Server CA

 

The system will run a specified Java applet programme on your personal computer when "e-Certificate" is used as an authentication tool by Corporate Internet Banking customers. For the sake of online security, most Internet browsers will create a pop-up window showing the "e-Certificate" signing authority and related authentication information for you to verify the programme.

If you are a corporate customer, you are requested to check the following information before logging in to Corporate Internet Banking:

1. Distributed by: "Bank of China (Hong Kong) Limited"

2. Publisher authenticity verified by: "Thawte Consulting cc"

3. Security certificate has not expired and is still valid

Recommended browsers for minimum security requirements

To ensure customer data security, please install any of the browser versions we recommend to log in to Internet Banking.

Personal Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Microsoft Edge (Version 94 or above)
Mozilla Firefox (Version 91.2 or above)
Apple Safari (Version 14 or above)
Google Chrome (Version 95 or above)


iGTB NET
Microsoft Internet Explorer (Version 11 or above)
Microsoft Edge (Version 44 or above)
Mozilla Firefox (Version 62 or above)
Apple Safari (Version 12 or above)
Google Chrome (Version 70 or above)


Corporate Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Mozilla Firefox (Version 78.4 or above)

Information Security Tips

  1. Beware of fraudulent websites
    You should be vigilant of any fraudulent websites which seek to pass off as our websites. Unless you are certain that you are connected to our websites, particulars of your Internet Banking should not be provided.

     

  2. Fraudulent emails
    Please beware that viruses, Trojan software and hacker programmes can be distributed via emails. Viruses such as "worms" can even reproduce and deliver infected emails to the recipients in your address book. Hence, you should not open any unknown or suspicious emails. Instead, you should delete them immediately. Please do not log in to Internet Banking through hyperlinks or QR Codes embedded in any emails or SMS. You should also perform virus scanning before opening any attachment. In addition, you should take extra care, as fraudsters perpetrate frauds using emails.

    Please do not rely solely on email correspondences for any remittance transaction. You should use other channels (e.g. telephone, fax, etc.) to confirm the transaction and the beneficiary details before completing the remittance.

    Example 1 of fraudulent emails: Commercial email scam

    A fraudster hacked into the email correspondence between a foreign buyer and its service provider over a few months. After getting to know the details of their transaction, the fraudster sent out fictitious emails from an email address very similar to that of the service provider, requesting the foreign buyer to make a remittance to a fraudulent account.

    Example 2 of fraudulent emails: Fraudulent claims of estate

    A fraudster claimed in an email to be a member of bank staff, inviting the recipient of the email to pretend to be the next-of-kin of a deceased client who had left a huge sum of unclaimed fixed deposit. Upon receiving a favourable reply, the fraudster requested the recipient to pay a fee in advance for preparing the necessary documents in order to claim that estate. In the end, the email recipient was deceived.

     

  3. Man in the Browser Attack
    Suspected Trojan Horse cases have been reported by a few corporate customers when they used Corporate Internet Banking. During the login process, a fake webpage was displayed requesting the customers to input their login names and passwords, as well as the one-time “Transaction Confirmation Code” generated by their Security Device.

    Please beware that the Internet Banking login process does not require you to input the one-time “Transaction Confirmation Code”. (Please refer to the following login page.)

     


    You should install firewall and anti-virus software in your personal computer and keep them up-to-date. You should also avoid visiting or downloading software from suspicious websites, and be wary of opening attachments in emails from unfamiliar sources.

  4. Common Signs of Phishing Emails and SMS
    The “Phishing” fraudsters often send out emails or SMS purportedly from our bank in order to trick you into providing account details, passwords, personal information or credit card numbers. To stay vigilant, some common signs of phishing emails and SMS are listed below.
    • Grammatical mistakes, typos or misspellings are found in the content.
    • The name of the sender shown in emails and SMS may be exactly the same as our name.
    • It usually appears as an important notification from our bank or a request for personal information to verify your account details, such as a notification of a huge fund transfer or of the activation of a new security function, requiring the customer to click a hyperlink or open an attachment.
    • An embedded hyperlink or attachment is normally found in the email. The hyperlink looks like a genuine website address of our bank, but it refers to another website address when you hover the mouse over it.

     

    You should access Internet Banking through the Company’s official website. Please do not log in to Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiry, please contact us immediately.

    Bank Website
    Bank of China (Hong Kong) https://www.bochk.com



    Personal Internet Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

     

    Corporate Internet Banking "2FA Login" process (Not applicable to “e-Certificate” users)
    Please input Corporate Internet Banking number/login name, user ID and verification code, then press "2FA Login"

    In the "2FA Login" page, please input Corporate Internet Banking password and “Security Code” generated by the Security Device

     

    You can select "Basic Login" for account enquiry


    iGTB NET "2FA Login" process* (Not applicable to “e-Certificate” users)
    Please input iGTB number/login name, user ID, password, verification code and then press "2FA Login"

    In the "2FA Login" page, please input “Security Code” generated by the Security Device/Mobile Token

    You can select "Basic Login" for account enquiry


    Personal Mobile Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in to Mobile Banking.

     

    iGTB MOBILE login
    Please input iGTB No./login name, user ID, password and verification code, then press “Basic Login” or “2FA Login”.


    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in to iGTB MOBILE.

  5. Your password and personal information should be well protected
    • Upon receipt of your password mailer, please change the password via Internet Banking immediately and destroy the password mailer.
    • Please memorise your password. Do not record your password in any way without covering it.
    • Do not use easy-to-guess characters as your password (e.g. name, date of birth, HKID/passport number, etc.) and avoid selecting the same password you have used for accessing other web services.
    • Please keep your password safe. Do not disclose your Internet Banking username and password to anyone. You should also avoid disclosing your personal information to anyone (e.g. HKID/passport number and copy, date of birth, etc.), and you should not upload or capture your personal information using any third-party website or mobile app not authorised by us, or any electronic devices of other people.
    • Please change your password regularly.
    • You should be careful about sharing information on social networking platforms. Please prevent the disclosure of personal information (e.g. full name, email address, date of birth, correspondence address or phone number, etc.).
    • You are responsible for taking reasonable steps to keep secure and secret any devices (e.g. personal computers, Security Devices, “e-Certificates” and identity documents), secret codes (e.g. Internet Banking password, passcode and phone banking password), or Biometric Authentication (e.g. fingerprint and Face ID) used for accessing Internet Banking and activating mobile payment app.
    • Do not forward your One-Time Password (OTP) or push notifications to anyone.
    • You will be responsible for all instructions given by using your devices, secret codes, or “Biometric Authentication” to log in to Internet Banking.
    • If you suspect that your password or two-factor authentication tools have been used by an unauthorised party, or find any unauthorised transactions associated with your account, please contact us immediately.
    • The one-time “Transaction Confirmation Code” generated by the Security Device or Mobile Token is only required for "designated transactions". We will not request you to input any number to your Security Device or Mobile Token to obtain “Login/Security Code”. In case of doubt, please do not follow the instructions of the suspicious web page or input any data. Please terminate the operation of Internet Banking and contact us immediately.
    • You can choose to log in to Internet Banking with Security Device or Mobile Token to enhance security.

  7. Protect your personal computer
    • Please download and install updates and patches for your operating systems and browsers regularly.
    • Please install firewall systems on your personal computer.
    • Please install anti-virus software on your personal computer. Update the virus definition file and perform virus scanning regularly.
    • Please set a passcode for locking devices that is difficult to guess and activate the auto-lock function.
    • Do not download or install programmes from unreliable sources or open suspicious files, emails or SMS. This helps protect your personal data against hackers' programmes or viruses.
    • If you access Internet Banking via wireless network, please check your network security settings to ensure the network is safe and reliable.

  8. Take precautionary measures while you are using Internet Banking
    • Do not save or keep your password in a browser, and disable the "Auto-Complete" feature to prevent any third party from unauthorised access to your login information via the browser.
    • Do not access Internet Banking through a shared computer or public wireless network.
    • Only pre-set and access reliable wireless networks for internet connection.
    • You should access Internet Banking through the Company’s official website. Please do not log in to Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiry, please contact us immediately.
    • You are advised to close all other internet browsers before accessing Internet Banking. Do not open other suspicious internet browsers or visit any other websites while you are using Internet Banking.
    • Make sure no one can see your username and password when you log in to Internet Banking.
    • Please check your last login and logout records every time you use Internet Banking. Always pay attention to our SMS and email notifications and check your banking transactions regularly for any unauthorised transactions or irregularities. If you discover anything suspicious, please contact us immediately.
    • Click the "logout" button to exit from the system after you have finished all your online transactions. Please always clear the cache and history in your browser after using our online service.
    • If you have adopted secure media to store the “e-Certificates” as the two-factor authentication tools, please remove them from your computer and place them safely after completing your online transactions.
    • Do not leave your computer unattended before logging out of Internet Banking.
    • If you act fraudulently or with gross negligence such as failing to properly safeguard your devices, secret codes or “Biometric Authentication” for accessing Internet Banking, you will be responsible for any direct loss suffered by you as a result of unauthorised transactions conducted through your account.
    • You will be liable for all losses if you have acted fraudulently. You may also be held liable for all losses if you have acted with gross negligence (this may include cases where you knowingly allow the use by others of your devices, secret codes or Biometric Authentication) or have failed to inform us as soon as reasonably practicable after you find or believe that your devices, secret codes or Biometric Authentication for accessing Internet Banking have been compromised, lost or stolen, or that unauthorised transactions have been conducted over your accounts. This may apply if you fail to follow the safeguards set out above if such failure has caused the losses.
       
  9. Points to Note for Corporate Internet Banking customers
    • Dual authorisation for financial transactions: To enhance security, you are advised to set up dual authorisation for financial transactions to be conducted via Corporate Internet Banking.
    • Accounts Activities Monitoring: You may set up incoming/outgoing fund notification to your mobile phone, email, inbox or app notification to keep track of any activities with your accounts.
    • Regular Backups: A good backup strategy is essential for data security. You should always classify your data into different levels of importance. If your data contains sensitive information, you should encrypt the data.
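
The hyperlink sign listed under "Common Signs of Phishing Emails and SMS" above (link text that looks like the bank's address while the link leads to another address) can be checked mechanically by a mail filter or help-desk tool. The following Python is an added example, not code from BOCHK: the host allowlist is assembled from the addresses named on this page, treating it as complete is an assumption, and the sample message is constructed with reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named on this page (official website and certificate domain names).
# Treating them as the full allowlist is an assumption of this example.
OFFICIAL_HOSTS = frozenset({
    "www.bochk.com", "www.bochk100.com",
    "its.bochk.com", "cib.bochk.com", "igtb.bochk.com",
})
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def target_host(href):
    """Host the browser would connect to, or None if the link is not http(s)."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix, so text placed before "@" is ignored.
    return parts.hostname.rstrip(".").lower()


def mentions_official(text):
    """True if the text contains one of the official host names exactly."""
    return any(h.lower() in OFFICIAL_HOSTS for h in HOST_RE.findall(text))


def check_links(html):
    """Return one finding per link that does not lead to an official host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = target_host(href)
        if host in OFFICIAL_HOSTS:
            continue
        netloc = urlsplit(href.strip()).netloc if host else ""
        if host is None:
            reason = "non-http-link"
        elif "@" in netloc and mentions_official(netloc.rsplit("@", 1)[0]):
            reason = "official-name-in-userinfo"
        elif mentions_official(text):
            reason = "text-href-mismatch"      # the sign described on this page
        elif "bochk" in host:
            reason = "lookalike-host"
        else:
            reason = "unofficial-host"
        findings.append({"href": href, "text": text, "host": host, "reason": reason})
    return findings


# Constructed sample message; all non-bank hosts use reserved example domains.
SAMPLE_EMAIL = """
<p>Dear customer, a new security function must be activated.</p>
<a href="https://www.bochk.com/">Bank home page</a>
<a href="http://portal.example.net/login">https://www.bochk.com/login</a>
<a href="https://www.bochk.com@verify.example.org/otp">Activate now</a>
<a href="https://www.bochk.com.account-check.example/">Confirm details</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(f'{finding["reason"]:<28} {finding["host"]}  (text: {finding["text"]!r})')
```

The check compares the host the browser would actually contact with the allowlist, so it fails closed: any bank host not on the list is reported and needs to be added deliberately.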

e-Cheque/e-Cashier's Order (e-CO)

  • e-Cheque/e-CO is issued with Two Factor Authentication and digitally protected by Public Key Infrastructure (“PKI”) technology to ensure integrity and confidentiality.
  • Customers should be alert to unauthorised usage of e-Cheque/e-CO services. After using e-Cheque/e-CO, please check the transaction details in the notification (email or SMS).
  • Every e-Cheque/e-CO displays the Issuer details:
    Bank: Bank of China (Hong Kong)
    Prepared by: Bank of China (Hong Kong) Limited

  • e-Cheque/e-CO is transmitted through email. Do not open any suspicious email, to avoid your computer being infected by viruses, and do not log in to Internet Banking via hyperlinks or QR Codes embedded in any email or SMS. Before opening any attachment in an email, please use anti-virus software to scan the attachment.

Remarks:

Designated transactions:

  • Registration of third-party accounts
  • Issuing e-cheque(s)/e-cashier's order(s)
  • Payment of bills
  • Increase transaction limit
  • Other high-risk transactions

 

Designated investment transactions:

  • HK Securities / Securities Margin, A Shares Securities / Securities Margin, US Securities

    • Trading
    • Monthly Stocks Savings Plan
    • eIPO – Subscription / Financing

  • Debt Securities / Certificates of Deposit

    • IPO
    • Buy / Sell

  • Funds

    • Subscribe
    • Redeem / Switch
    • Monthly Funds Savings Plan

  • Precious Metal/FX Margin

    • Market Order
    • Good-Till-Date Order (include Trading/Delete)

  • Precious Metal Passbook

    • Trading

  • Structured Investments

    • Application

  • Currency Linked Investments

    • Open Dual Currency Investment
    • Open Option Linked Investment
    • Squaring Contract

  • Equity Linked Investments

    • Subscribe

Security tips for Mobile Banking and WeChat official account

Security tips for Mobile Banking

How to download Personal Mobile Banking Apps?

  • Personal Mobile Banking provides various banking and securities services. You can:
    • BOCHK - search “BOCHK > More > e-Banking Service > BOCHK Mobile Application” to download the Apps;
    • Search "BOCHK中銀香港" (Bank of China (Hong Kong)) for free download of the Apps through the online App stores (Google Play, App Store and Huawei AppGallery).
    • If an App offered for download looks suspicious, please do not log in, and stop the download immediately.
  • Ensure the search wording is correct, to avoid downloading any counterfeit Apps that carry a phishing program / Trojan to steal login information.
  • Do not reproduce and install any suspicious Apps on your mobile devices.
  • If there is any abnormal operation, e.g. suspicious pop-up pages or a delayed login, please stop the operation immediately.

 

Is Mobile Banking secure?

  • The Company's website is protected with strong encryption (128-bit SSL). Access is protected by personalised user name and password. The system is protected from duplicate access, i.e. customers cannot log in to the system at the same time using different mobile devices. The session will be automatically disconnected after remaining inactive over a period of time to prevent unauthorised transactions.


How can I access and log in to Mobile Banking?

  • To ensure secure transactions, please download BOCHK Mobile Application from official application stores or BOCHK website, to log in to Mobile Banking.

 

Have you obtained any security certification for your Mobile Banking? 

  • We have obtained the certificate issued by VeriSign, "Bank of China (Hong Kong) Ltd" for our Mobile Banking. 


What should I be aware of when using Mobile Banking? 

  • Do not save or keep your password in a browser, and disable the "Auto-Complete" feature to prevent any third party from unauthorised access to your login information via the browser.
  • Avoid logging in to Mobile Banking via a wireless network (i.e. Wi-Fi) that is public or has no password set. We advise using an encrypted and reliable mobile internet connection.
  • Activate the auto-lock function of your mobile devices, avoid logging in to Mobile Banking in a crowded area, and be careful when inputting your password on certain mobile devices: the password characters may be enlarged and clearly displayed, which could indirectly disclose your login information to other people.
  • Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) or Payment Apps not in use. Choose encrypted networks when using Wi-Fi and disable Wi-Fi auto-connection settings.
  • Avoid using other people's mobile devices to log in to Mobile Banking, and avoid sharing your mobile devices with others.
  • It is recommended to set up a firewall and install anti-virus software / a mobile security App on your mobile devices and update them regularly. You can visit the HKCERT website for reference: https://www.hkcert.org/mobile-security-tools, to select the appropriate Apps.
  • To protect your online transactions, when you use the Bank's Mobile App we will check whether your mobile device is jailbroken or rooted and whether it runs a recommended operating system meeting the minimum security requirements. You may not be allowed to access Mobile Banking via such devices. Please pay attention to the reminder.
  • Please check your last login and logout records every time you use our Mobile Banking. You should also check your account balance and transaction records regularly. If there are suspicious transactions, please contact us immediately.
  • You should ensure proper protection of your password and personal information, and you are accountable for this:
  • Please download and install the latest version of the Bank's Mobile App, other Mobile Apps, operating systems and browsers regularly from the official App stores (Google Play and App Store) or our website. Do not install Mobile Apps from untrusted sources. If there is any suspicious App, please do not download it, and stop the operation immediately.
  • You should use all reasonable care to keep your mobile devices secure. If you find that your mobile devices have been lost or stolen or that any unauthorised transactions have occurred, you should contact us immediately.


What should I be aware of when using Biometric Authentication service?

  • Upon the successful registration of the “Biometric Authentication” service on your mobile devices, any fingerprint or Face ID that is stored on your mobile device can be used for the purpose of the “Biometric Authentication” service. You must ensure that only your fingerprint or Face ID is stored on your mobile devices, and ensure the security of the security codes as well as the passwords or codes that you can use to store your fingerprint or Face ID and register the “Biometric Authentication” service on your mobile devices.
  • For security reasons, do not use jailbroken or rooted mobile devices.
  • You can cancel the “Biometric Authentication” service by disabling the option of "Enable Biometric Authentication Login and Use Mobile Token" via "Setting > Mobile Token Setting" after logging in to Mobile Banking, or by contacting our customer service hotline or visiting any of our branches to "suspend mobile token". Please note that after you cancel the “Biometric Authentication” service, your fingerprint or Face ID will continue to be stored on your designated mobile devices. You may consider deleting the data at your own discretion.
  • If your fingerprint or Face ID record of your designated mobile devices has been changed or the “Biometric Authentication” service has not been used for a specified period of time (which shall be defined by the Bank from time to time), your “Biometric Authentication” service will be suspended. You are required to re-register or re-activate the “Biometric Authentication” service.
  • You must not use “Biometric Authentication” if you have reasonable belief that other people may have biometric credentials identical or very similar to yours. For instance, you must not use facial recognition for authentication purposes if you have identical twin or triplet siblings.
  • You must not use “Biometric Authentication” if your relevant biometric credentials are or will be undergoing rapid development or change. For instance, you must not use facial recognition for authentication purposes if you are an adolescent with facial features undergoing rapid development.

What if there is an incoming call or weak signal when I am placing an instruction? How can I ensure the instruction has been submitted?

  • If your instruction has been successfully submitted and executed, a transaction reference number will be displayed on the webpage of Mobile Banking. You can also check the last ten transaction records as to whether the instruction has been successfully submitted and executed.
     

Do I need to close the web browser after logging out of Mobile Banking?

  • You are advised to close the web browser after logging out and delete the temporarily saved and past historical records on a regular basis.

Security tips for WeChat official account

In order to ensure the services and information are provided by our company, please refer to the following registered WeChat ID when searching for the WeChat official accounts. Please do not disclose your personal and account information to any unauthorised WeChat account(s). Should you have any queries, please contact the company’s staff immediately.

The company has registered the following WeChat ID:

Bank Name: Bank of China (Hong Kong) Limited “BOCHK”
WeChat ID:
  • BOCHK_Banking
  • BOCHK_CC
  • BOCHKresearch
  • BOCHK_SEA

Points to note when using WeChat official account

  • When performing account binding, you are required to set up an 8-digit “WeChat password”, of which three or more consecutive numbers and “12345678” are not accepted. You should take the necessary prudent measures to safeguard your password. Please do not disclose your password to anyone (including the company’s staff).
  • Please do not access WeChat official account via hyperlinks or QR Codes embedded in any emails or SMS.
  • Please do not input personal sensitive information into the WeChat dialogue box. The company will not ask users to provide account number, password and personal information via the WeChat dialogue box.
  • For more details of account binding, please input "Account Binding Service Directory" into the WeChat dialogue box for enquiry.
  • For enquiry, security issues report and unbinding account request, please call: BOCHK Personal Customer Service Hotline +852 3988 2388.
  • To ensure customer data security, the recommended operating systems and browsers are as follows:
    • iOS 14 or above (Default browser), WeChat 6.3.18 or above
    • Android 8.1 or above (Default browser), WeChat 6.3.18 or above
  • Please download and install updates and patches for your Apps, operating systems and browsers regularly.

ATM

Security Tips for ATM Card

Protecting your ATM card and PIN

  • Please keep your BOC ATM Card in a safe place, destroy the original printed copy of the PIN and memorise your PIN and change it regularly.
  • Do not write down or record the PIN without disguising it.
  • Please avoid writing down the PIN on the BOC ATM Card or on anything usually kept with or near it.
  • For security reasons, you are advised not to use your identity card number, date of birth, telephone number, commonly used combinations of numbers (e.g. 123456) or other easy-to-guess numbers as your PIN. You are also advised not to use the same PIN to access other services, including internet banking or other websites.
  • Please do not allow anyone else to use your BOC ATM Card or PIN.
  • Please note that the police and bank staff will never ask you for the PIN. Do not disclose your PIN to anyone under any circumstances.
  • Before using an ATM, please check whether the keypad cover is abnormal (has been removed or installed with imaging facility) and whether there are any suspicious devices near the card slot and keypad. If you notice anything suspicious, please notify the related bank immediately.
  • Please cover the keypad with your hand when entering your PIN at ATM or Point-of-Sale devices and make sure no one is looking over your shoulder or standing next to you.
  • The Bank will send you security messages by either text messaging or other form of alert under certain circumstances. Please check them once received.
  • You should promptly report any known or suspected loss, theft, disclosure or unauthorised use of your BOC ATM Card and/or PIN to our “Online Chat” in Internet Banking or Mobile Banking or by calling our 24-hour BOC ATM Card Service Hotline at (852) 2691 2323.

Exercise Care at ATM Withdrawals

  • Please avoid being distracted when withdrawing cash so as not to leave banknotes and your BOC ATM Card at an ATM unattended or uncollected. Print a receipt for record and count the banknotes immediately after each cash withdrawal.
  • Do not remove from an ATM dispenser any uncollected banknotes left behind by a previous user. The banknotes will be automatically retrieved by the machine after a designated period of time.
  • You can use your BOC ATM Card to exchange and withdraw RMB or foreign currencies from the registered HKD account via BOCHK’s designated ATMs.

Warm Tips

  • On receipt of your new BOC ATM Card, please sign on the back of the card with a fast ink ballpoint pen.
  • Do not place your BOC ATM Card near any magnetic objects, such as mobile phone, magnetic button of a handbag or any device with a magnetic or electronic sensor.
  • Once your new card is activated or beyond the 30th day from its issuance date, your old card (if any) will automatically become void; please cut it across the embossed card number and the chip before disposal.
  • Should you have to return your card to the bank, please cut your card through the chip and the embossed card number beforehand.

Safe Use of Overseas ATMs

  • Using your BOC ATM Card to withdraw cash from an overseas ATM on the “UnionPay” network will incur a handling fee; details of the fee can be found in “General Banking Service Charges”. Please visit the “UnionPay” website www.unionpayintl.com/hk/ to find out more about overseas ATM locations and whether the ATM network(s) in your intended overseas destination can provide the cash withdrawal service you require.
  • The overseas ATM daily withdrawal limit of each BOC ATM Card is preset at ‘zero’ HKD to improve its security. You must therefore activate the ATM cash withdrawal function in advance and before you leave Hong Kong by setting the daily withdrawal limit and the validity period through the relevant designated channels to enable you to enjoy cash withdrawal service outside Hong Kong. Designated channels are:
    • Internet Banking
    • Mobile Banking
    • Bank ATMs
    • 24-hour BOC ATM Card Service Hotline (852) 2691 2323

Please visit Note of Overseas ATM Cash Withdrawals Limit Setting for details.



The normal card slot of an ATM

An unusual card reader installed at the card slot

 

Two Factor Authentication

Two-factor Authentication Tools 

To enhance the online security level, the Company provides customers with a comprehensive range of two-factor authentication tools to safeguard the designated transactions and designated investment transactions* performed by customers via Internet/Mobile Banking. 

Types of Two-factor Authentication Tools:

“Mobile Token”

“Mobile Token” is a built-in function of BOCHK Mobile Banking. Once the “Mobile Token” is activated, you will be spared the hassle of carrying a separate physical “Security Device” to truly enjoy convenient and secure banking.

Upon activating the “Mobile Token” on a compatible mobile device, you can confirm designated Mobile Banking transactions or designated investment transactions* via the preset passcode or using “Biometric Authentication”. In addition, you can also confirm designated Internet Banking transactions or designated investment transactions* by generating a one-time “Security Code”/“Transaction Confirmation Code” via the “Mobile Token”.

Features:

  • More convenient: Free from the hassle of carrying a separate physical "Security Device"
  • Simpler: Confirm various transactions, such as third-party fund transfer, investment transactions, and more
  • More secure: Use “Biometric Authentication” (Fingerprint/Face ID) or preset passcode to enable the Mobile Token

 

Biometric Authentication

You can register “Biometric Authentication” (e.g. Fingerprint, Face ID) on your mobile device for the following services when you activate the “Mobile Token”:

  • Log in to Mobile Banking
  • Enable the “Mobile Token” to confirm designated Mobile Banking transactions or designated investment transactions*
  • Enable the “Mobile Token” to generate a one-time “Security Code”/“Transaction Confirmation Code” to confirm designated Internet Banking transactions or designated investment transactions*

 

Activating the Mobile Token

Personal Customers:

1. Select “Mobile Token” icon on the homepage of BOCHK Mobile Banking
2. Select “Activate”
3. Log in to Mobile Banking
4. Register “Biometric Authentication” (Option to register later)
5. Set up “Mobile Token” Passcode
6. Follow the instructions on the page. You will then receive a “One-Time Password” (OTP) on the mobile phone number registered with the Bank; input the OTP to complete the activation

 

Corporate Customers:

1. Select “Mobile Token” icon on the homepage
2. Log in to Mobile Banking
3. Select “Activate”
4. Register “Biometric Authentication” (Option to register later)
5. Set up “Mobile Token” Passcode
6. Input “Security Device” one-time “Security Code”
7. You will receive an “SMS One-Time Password” (OTP) on the mobile phone number registered with the Bank; input the OTP to complete the activation

 

Operating system requirements and compatible mobile device:

Operating System:

  • iOS, Personal Customers: iPhone 5s or later models with iOS 14 or above
  • iOS, Corporate Customers: iPhone 5s or later models with iOS 12.2 or above
  • Android, Personal Customers: Android 8.1 or above
  • Android, Corporate Customers: Android 8.0 or above

Biometric Authentication:

  • iOS: Fingerprint (iPhone 5s or later models); Face ID (iPhone X or later models)
  • Android: Fingerprint (Depending on the availability of fingerprint recognition function of the mobile device)

 

Download Mobile Banking:

Please download BOCHK Mobile Banking now to activate the "Mobile Token"


New BOCHK Mobile Banking understands you better with its chic design and easy-to-use features.

Android users
(If unable to access Google Play)

Version: 7.0.38
Updated on: 16 April 2023

Points to Note for “Mobile Token”:

  • For security reasons, customers can only activate “Mobile Token” on one mobile device.
  • For personal customers, upon successful activation of “Mobile Token”, the “Security Device” (if any) will be suspended. To reactivate the “Security Device”, customers are required to suspend the “Mobile Token” on their mobile device.
  • Corporate customers can hold both “Mobile Token” and “Security Device” at the same time.
  • Please keep your mobile device that has activated “Mobile Token” function in a safe and secure place. In case of loss or damage, please suspend the “Mobile Token” and contact us immediately.

Remarks:

  • Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Android, Google Play, and the Google Play logo are the registered trademarks of Google Inc. Huawei AppGallery is provided by Huawei Services (Hong Kong) Co., Limited. HUAWEI EXPLORE IT ON AppGallery and the HUAWEI EXPLORE IT ON AppGallery logo are the registered trademarks of Huawei Technologies Co., Limited.

 

“Security Device”

Personal customers (except BOC Credit Card) can visit any of our branches to apply for “Security Device”. Primary Users of corporate customers can apply by submitting application form to any of our branches, or apply for Delegated Users through Corporate Internet Banking. "Security Device" with audio capability is also provided for the convenience of the visually impaired using Internet/Mobile Banking.

 

Points to Note for “Security Device”:

  • Upon receipt of the "Security Device", please log into the Internet Banking immediately and follow the instructions to activate the "Security Device".
  • Please keep your "Security Device" in a safe and secure place. Do not allow anyone to use your "Security Device" or leave it unattended. In case of loss or damage, please contact us immediately.

 

“e-Certificate”

Corporate customers can apply for “e-Certificate” as the two-factor authentication tool by submitting the application form to any of our branches. Upon completion of application, “e-Certificate” will be mailed to the registered correspondence address of the customers.

Below are reminders for keeping your “e-Certificate” safe:

1. DO NOT disclose the passphrase to anyone (including BOCHK staff).

2. Change the passphrase of “e-Certificate” periodically.

3. Have a designated person/party keep the “e-Certificate” in a safe place to prevent unauthorized use of the device(s).

4. Have different persons/parties keep the “e-Certificate” and the passphrase.

5. Ensure the “e-Certificate” is completely unplugged/unloaded from your file transmission system after connection and keep it in a safe place. DO NOT leave the “e-Certificate” unattended.

6. Keep the system connected with the terminal (e.g. iGTB CONNECT terminal) in a safe and secure place to prevent unauthorized use.

7. If the “e-Certificate” is lost or you suspect any unauthorized use, please contact us immediately.

 

“One-Time Password”

Personal customers can receive a one-time password message through the customers’ registered mobile phone number to conduct designated investment transactions*.

 

Remarks:

Designated transactions:

  • Registration of third-party accounts
  • Issuing e-cheque(s)/e-cashier's order(s)
  • Payment of bills
  • Increase transaction limit
  • Other high-risk transactions

 

Designated investment transactions:

  • HK Securities / Securities Margin, A Shares Securities / Securities Margin, US Securities

    • Trading
    • Monthly Stocks Savings Plan
    • eIPO – Subscription / Financing

  • Debt Securities / Certificates of Deposit

    • IPO
    • Buy / Sell

  • Funds

    • Subscribe
    • Redeem / Switch
    • Monthly Funds Savings Plan

  • Precious Metal/FX Margin

    • Market Order
    • Good-Till-Date Order (include Trading/Delete)

  • Precious Metal Passbook

    • Trading

  • Structured Investment

    • Application

  • Currency Linked Investments

    • Open Dual Currency Investment
    • Open Option Linked Investment
    • Squaring Contract

  • Equity Linked Investments

    • Subscribe

Contact Us

BOCHK Enquiry Hotlines and Website

  • 24-hour ATM Hotline at (852) 2691 2323
  • BOCHK Internet Banking Hotline at (852) 3988 2388
  • CBS Online Hotline at (852) 3988 2288
  • iGTB NET Hotline at (852) 3988 1333
  • BOCHK Financial Institutions Online Hotline at (852) 3988 2288
  • More Enquiry Hotlines
  • Website www.bochk.com

BOC Credit Card Hotline and Website

FAQ

What is 128-bit SSL encryption?

Our Internet Services have adopted 128-bit SSL encryption, one of the online security standards for commercial application. All data transmitted via the Internet Services are protected by this technology to ensure data security.

 

What precautions should I take when I set up my password?

  • Do not use your date of birth, HKID / passport number, telephone number or any combinations of your English name as your password.
  • Do not use 3 or more consecutive identical letters or digits, e.g. "333", "bbb", etc.
  • Do not use sequential letters or digits, e.g. "123", "abc", etc.
  • Do not use your user name / login ID as your password.
  • Don't use adjacent keys on the keyboard like "qwertyui".

     

How often should I change my password?

You are advised to change your password regularly. If you have not changed your password over a certain period of time, our system will remind you automatically.

 

How can I protect my personal information?

You may be asked to provide personal information (such as your HKID / passport number and date of birth) as additional identity verification when you use the internet banking service. Be vigilant and do not casually disclose your personal information to anyone. You should also keep documents (such as letters and bank statements) which carry your personal information in a proper and secured manner.

 

Why should I update my operating systems and browsers regularly?

Regularly downloading and installing the updates and "patches" provided by software vendors helps to fix security problems in operating systems and web browsers. This helps to protect your computer from virus attacks and unauthorised access by hackers.

 

How can I set up the security settings of Wireless LAN?

  • Do not place the Access Point (“AP”) too close to doors and windows, to avoid data being captured and decrypted by any third party.
  • Take appropriate security measures to protect the Wireless LAN. Do not disclose the security setting of your wireless network to any third party.

     

What precautionary measures should I take when using the internet?

  • Encrypt your data if you have to keep your personal information in an electronic storage medium to prevent unauthorised access or use by third parties.
  • Do not save or keep your password in your browser and disable the "Auto-Complete" setting to prevent third parties from accessing your information via the browser.
  • Disable the "File and Printer Sharing" function of the Windows system and set up proper access permissions of your computer to prevent unauthorised access to your data by third parties via the network.
  • Do not download or install illegal or unknown software, to prevent infection by computer viruses or Trojan programmes. Remember to scan for viruses before opening any files from external sources.

     

 Where can I obtain more information on precautionary measures for e-Banking services?

 

Security tips for BoC Pay

How to download the BoC Pay mobile app?

BoC Pay is a one-stop local and cross-border payment mobile app, which can be downloaded from:

  • Official App Stores (Google Play Store, Apple App Store and HUAWEI AppGallery): search for "BoC Pay".
  • BOCHK website: Home > More > e-Banking Service > BoC Pay.

Smart tips:

  • Do not download any counterfeit mobile apps, to prevent your mobile devices from being infected by phishing programmes or Trojans and to prevent fraudsters from stealing your information.
  • Do not copy, install or open any mobile apps from unknown sources on your mobile devices. Do not open any suspicious files, emails, SMS, instant messaging or QR codes to prevent hacking programmes or computer viruses from stealing your information.
  • If you find any suspicious apps, do not download them, and stop the operation immediately.
  • If you find any abnormalities, such as unusual screens or slow login response, please stop the operation immediately.

 

Is the BoC Pay service secure?

Account and transaction security is our prime concern. We have comprehensive security control measures to protect you, which include but are not limited to:

  • We adopt internationally-recognised encryption technology to ensure the information security.
  • Log in is always required before using the account services or performing transactions.
  • To ensure your account safety, you can only log in to and use BoC Pay on one mobile device at the same time.
  • Payment passcode or biometric authentication is used to authenticate transactions in BoC Pay.
  • To prevent unauthorised transactions, the QR code generated with the "QR Code Payment" function will be refreshed automatically within a specified period of time.
  • Upon the completion of transactions, you will receive transaction notifications from BoC Pay.

 

What should I be aware of when using BoC Pay?

Transaction Security

  • "QR Code Payment" function should only be used at merchants who support UnionPay QR codes. Never capture the QR code and any information shown on the "QR Code Payment" page, and never send or disclose the information to others.
  • When performing online transactions (including credit card transactions), carefully check the details such as the name of the merchant / recipient, transaction type, payment method (e.g. mobile number, email address, FPS ID, account number or the QR code used to request payment), transaction amount, currency, etc. to ensure the transaction is correct. If you have any doubts, please do not authenticate the transaction with payment passcode, biometric authentication or SMS one-time passwords.
  • Please check your account balance and transaction records regularly. If you find any suspicious transactions, please contact us immediately.

 

Network / Mobile Device Security

  • Avoid connecting your mobile devices to any public or unencrypted wireless network (i.e. Wi-Fi). Use an encrypted and reliable mobile network to log in and use BoC Pay.
  • Disable wireless network functions (e.g. Wi-Fi, Bluetooth and NFC) and payment apps when they are not in use. Always use an encrypted wireless network and turn off the Wi-Fi auto-connection settings.
  • Do not use others' mobile devices to log in to BoC Pay, and never share your mobile devices with others.
  • Install and regularly update firewall and anti-virus software / mobile security apps in your mobile devices. You can visit the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) website for details: https://www.hkcert.org/en/resources/security-tools, and select appropriate apps.
  • To protect your online transactions, we will check your mobile devices when you are using BOCHK apps. If your mobile devices are jailbroken or rooted, or use operating systems which do not meet the minimum security requirements, you will not be able to use BoC Pay. Please pay attention to the corresponding reminders or stay tuned to our "What's New" notices.
  • You must take all reasonable and prudent measures to keep your mobile devices and SIM card secure. If you find your mobile devices have been lost or stolen, or any unauthorised transactions, please contact us immediately.

 

Personal Information Security

  • Protect your passwords, personal information, bank account and credit card information, and take responsibility for them:
    • Please memorise your passwords. Do not record or write down passwords in an undisguised manner.
    • Do not use easy-to-guess characters as your passwords (e.g. name, date of birth, HKID / passport number, etc.). Avoid using the same passwords you have used for other web services.
    • Please safeguard your information. Do not disclose your passwords, Internet Banking login information and any personal information (e.g. HKID / passport number and copy, date of birth, etc.) to anyone.
    • Do not visit any websites or use any mobile apps that are not verified by BOCHK. Do not upload or take photos of your personal information using others' mobile devices.
    • Please change your passwords regularly.
    • If you suspect that your passwords have been stolen or you find any unauthorised transactions, please contact us immediately.
  • Take all reasonable and prudent measures to securely and properly keep your passwords (including but not limited to BoC Pay payment passcode, Internet Banking password, ATM PIN and one-time passwords), which are used for binding accounts / credit cards in BoC Pay.

Smart tips:

  • Please download and install the latest version of the BoC Pay mobile app, other mobile apps, operating systems and browsers regularly from the official App Stores (Google Play Store, Apple App Store and HUAWEI AppGallery) or BOCHK website. Do not install any software / mobile apps from unknown sources. If you find any suspicious mobile apps, do not download them, and stop the operation immediately.

 

What should I be aware of when using the biometric authentication function?

BoC Pay uses biometric authentication technology to verify your identity for transaction authentications with the biometric credentials specified by us, including fingerprint and Face ID. The availability of biometric authentication is subject to the brand, model and operating system version of your mobile devices. When using the biometric authentication function, you have to pay attention to the following:

  • Upon successful enabling of the "Biometric Authentication" function, all fingerprint(s) or Face ID stored in your mobile devices can be used for the "Biometric Authentication" function. You must ensure that only your fingerprint(s) or Face ID is stored in your mobile devices. You must also ensure the security of the passwords that are used to store the fingerprint(s) or Face ID in your mobile devices and the payment passcode that is used to enable the "Biometric Authentication" function.
  • For security reasons, do not use jailbroken or rooted mobile devices.
  • You can disable the "Biometric Authentication" function at BoC Pay Menu > "Settings" > "Payment Settings" > "Touch ID" or "Face ID" (depending on your mobile devices). Follow the instructions to disable the "Biometric Authentication" function.
  • We do not store your biometric credentials. The biometric credentials you registered in your mobile devices will continue to be stored in the devices even after you have disabled the "Biometric Authentication" function in BoC Pay. You can consider deleting the biometric credentials at your own discretion.
  • Do not use "Biometric Authentication" if you believe that other people may have identical or very similar biometric credential(s) to your own, or your biometric credential(s) can be easily compromised. For instance, do not use Face ID for authentication purposes if you have an identical twin or triplet sibling.
  • Do not use "Biometric Authentication" if your biometric credential(s) will be undergoing rapid development or change. For instance, do not use Face ID for authentication purpose if you are an adolescent with facial features undergoing rapid development.

 

What should I do if I find suspicious transactions?

If you find any suspicious credit card transactions, you should immediately call the BOC Card Customer Service Hotline on (852) 2853 8828. For suspicious Smart Account or Payment Account transactions, you should immediately call the BOCHK Personal Customer Service Hotline on (852) 3988 2388.

 

Where can I obtain more information on precautionary measures for mobile applications?

  • Hong Kong Monetary Authority
    Internet Banking - https://www.hkma.gov.hk/eng/smart-consumers/internet-banking/
  • Hong Kong Police
    Introduction to Technology Crime and Prevention Tips - https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/index.html
  • HKSAR Government
    The InfoSec Web Site - https://www.infosec.gov.hk/en/