Online Security Tips and Information

What Have We Done to Protect You

  • We have adopted Transport Layer Security ("TLS") encryption to ensure the security of your data during transmission and prevent any unauthorised access to your data by third parties.
  • Our web servers are protected by firewall systems to prevent any unauthorised access to our system.
  • Your login attempts are recorded systematically. In the event of several consecutive login attempts with an incorrect password, the related Internet Banking Services will be suspended immediately.
  • Our Internet Banking Services will be automatically disconnected after remaining inactive (i.e. no operational instructions have been received) over a period of time to prevent unauthorised transactions.
  • Our Internet Banking Services provide personal customers with “Mobile Token” or “Security Device” as a two-factor authentication tool, while corporate customers are offered a “Mobile Token”, “Security Device” or an e-Certificate as the two-factor authentication tool. This advanced security measure has been adopted to further verify your identity before the “Designated Transactions” or “Designated Investment Transactions”* can be conducted via the Internet Banking Services. For details, please refer to “Two-factor Authentication Tools”.
  • During each login to Corporate Internet Banking using e-Certificate by corporate customers, our system will verify the identity of the user based on the information of the “e-Certificate”. To apply for an “e-Certificate”, please contact your account opening branch. To learn more about its usage, please refer to the Certification Practice Statement of Digi-Sign Certification Services Limited at www.dg-sign.com.

Security Certificate

We use an Extended Validation ("EV") SSL Certificate to allow you to verify the authenticity of our websites by checking the address bar of your browser. You can also check the certificate details, including the issuer, the validity date of the certificate and other information, by clicking the "security lock" icon at the login page of our Internet Banking Services. Please note that the layouts may be different for different browser versions. For details on the EV SSL Certificate, please refer to the website of DigiCert, the issuer of the certificate.

Template:

BOCHK
Domain name issued to: "www.bochk100.com", "its.bochk.com", "cib.bochk.com" or "igtb.bochk.com"
Issued by: DigiCert SHA2 Extended Validation Server CA

 

The system will run a specified Java applet programme on your personal computer when "e-Certificate" is used as an authentication tool by Corporate Internet Banking customers. For the sake of online security, most of the Internet browsers will create a pop-up window showing the "e-Certificate" signing authority and related authentication information for you to verify the programme.

If you are corporate customers, you are requested to check the following information before logging into Corporate Internet Banking:

1. Distributed by: "Bank of China (Hong Kong) Limited"

2. Publisher authenticity verified by: "Thawte Consulting cc"

3. Security certificate has not expired and is still valid

Recommended browsers for minimum security requirements

To ensure customer data security, please install any of the browser versions we recommend to log in Internet Banking.

Personal Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Microsoft Edge (Version 94 or above)
Mozilla Firefox (Version 91.2 or above)
Apple Safari (Version 14 or above)
Google Chrome (Version 95 or above)


iGTB NET
Microsoft Internet Explorer (Version 11 or above)
Microsoft Edge (Version 44 or above)
Mozilla Firefox (Version 62 or above)
Apple Safari (Version 12 or above)
Google Chrome (Version 70 or above)


Corporate Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Mozilla Firefox (Version 78.4 or above)

Information Security Tips

  1. Beware of fraudulent websites
    You should be vigilant of any fraudulent websites which seek to pass off as our websites. When conducting transactions through electronic channels, you are advised to access your Internet Banking or Mobile Banking accounts by typing the website address of BOCHK (www.bochk.com) directly into the browser address bar, or through the BOCHK Mobile Application downloaded from official App stores or reliable sources. Unless you are certain that you are connected to our websites, particulars of your Internet Banking should not be provided.

     

  2. Fraudulent emails/ SMS
    Please beware that viruses, Trojan software and hacker programmes can be distributed via emails. Viruses such as "worms" can even reproduce and deliver infected emails to the recipients in your address book. Hence, you should not open any unknown or suspicious emails. Instead, you should delete them immediately. Please do not log in Internet Banking and provide your payment card (including credit and BOC cards) credentials through hyperlinks or QR Codes embedded in any emails or SMS. You should also perform virus scanning before opening any attachment. In addition, you should take extra care as fraudsters will perpetrate frauds using emails/ SMS.

    Please do not rely solely on email correspondences for any remittance transaction. You should use other channels (e.g. telephone, fax, etc.) to confirm the transaction and the beneficiary details before completing the remittance.

    Example 1: Commercial email scam

    A fraudster hacked into the email correspondence between a foreign buyer and its service provider over a few months. After getting to know the details of their transaction, the fraudster sent out fictitious emails from an email address very similar to that of the service provider, requesting the foreign buyer to make a remittance to a fraudulent account.

    Example 2: Fraudulent claims of estate email

    A fraudster claimed to be a bank staff member in an email, inviting the recipient of the email to pretend to be the next-of-kin of a deceased client who had left a huge sum of unclaimed fixed deposit. Upon receiving a favourable reply, the fraudster requested the recipient to pay a fee in advance for preparing the necessary documents in order to claim that estate. In the end, the email recipient was deceived.

    Example 3: Fraudulent claims of refund email

    A fraudster claimed to be a staff member of a public service organisation or bank in an email, informing the recipient of a refund and inviting the recipient to click the hyperlink attached. The recipient was requested to provide personal information on a scam website, including Internet or Mobile Banking login information, and then the recipient’s funds might be transferred via Internet/Mobile Banking.

    Example 4: Payment card phishing emails / SMS

    Fraudsters recently sent out phishing emails or SMS messages embedded with fraudulent website hyperlinks which purported to be from Online Shopping Platform / Reward Scheme Platform / Postal Service / Courier Services / Government Departments / Banks for verification, reward redemption, refund, fee payment or information update. These phishing emails or SMS messages made different false claims, such as that customers’ information in the platform should be updated to continue the services, or that customers’ parcels could not be delivered and thus personal information should be updated or an extra fee is required, or that a customer’s account was overcharged or an automatic payment failed and thus credit card information should be provided for immediate handling, etc., and lured customers to click on the embedded hyperlinks in the messages and enter personal and payment card information.

     

  3. Man in the Browser Attack
    Suspected Trojan horse cases have been reported by a few corporate customers when they used Corporate Internet Banking. During the login process, a fake webpage was displayed requesting the customers to input their login names and passwords, as well as the one-time “Transaction Confirmation Code” generated by their Security Device.

    Please beware that the Internet Banking login process does not require you to input the one-time “Transaction Confirmation Code” (please refer to the following login page).

     


    You should install firewall and anti-virus software in your personal computer and keep them up-to-date. You should also avoid visiting or downloading software from suspicious websites, and be wary of opening attachments in emails from unfamiliar sources.

  4. Common Signs of Phishing Emails and SMS
    The “Phishing” fraudsters often send out emails or SMS purportedly from our bank/ Online Shopping Platform / Reward Scheme Platform / Postal Service / Courier Services / Government Departments / Banks in order to trick you into providing account details, passwords, personal information or payment card numbers. To stay vigilant, some common signs of phishing emails and SMS are listed below.
    • Grammatical mistakes, typos or misspellings are found in the content.
    • The hyperlinks in these fake emails / SMS messages and the fraudulent websites appear under different domain names, or with slight variations from the official website addresses made by adding a similar combination of letters, numbers or symbols.
    • Senders’ names appearing in the fake SMS messages may be the same as those of genuine merchants, so the fake SMS messages are displayed together with previous SMS messages received from the genuine merchants.
    • The message usually appears as an important notification or a request for personal information to verify your account details, such as a notification of a huge amount of fund transfer or of a new security function activation, which requires the customer to click a hyperlink or open an attachment.
    • An embedded hyperlink or attachment is normally found in a fake email. The hyperlink looks like the genuine website address of the genuine merchant, but it points to another website address when you hover the mouse over it.

     

    You should access Internet Banking through the Company’s official website. Please do not log in Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiry, please contact us immediately.

    Bank Website
    Bank of China (Hong Kong) https://www.bochk.com



    Personal Internet Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

     

    Corporate Internet Banking "2FA Login" process (Not applicable to “e-Certificate” users)
    Please input Corporate Internet Banking number/login name, user ID and verification code, then press "2FA Login"

    In the "2FA Login" page, please input Corporate Internet Banking password and “Security Code” generated by the Security Device

     

    You can select "Basic Login" for account enquiry


    iGTB NET "2FA Login" process* (Not applicable to “e-Certificate” users)
    Please input iGTB number/login name, user ID, password, verification code and then press "2FA Login"

    In the "2FA Login" page, please input “Security Code” generated by the Security Device/Mobile Token

    You can select "Basic Login" for account enquiry


    Personal Mobile Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in Mobile Banking.

     

    iGTB MOBILE login
    Please input iGTB No./login name, user ID, password and verification code, then press “Basic Login” or “2FA Login”.


    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in iGTB MOBILE.

  5. Your password and personal information should be well protected
    • Upon receipt of your password mailer, please change the password via Internet Banking immediately and destroy the password mailer.
    • Please memorise your password. Do not record your password in any way without covering it.
    • Do not use easy-to-guess characters as your password (e.g. name, date of birth, HKID/passport number, etc.) and avoid selecting the same password you have used for accessing other web services.
    • Please keep your password properly. Do not disclose your Internet Banking username and password to anyone. You should also avoid disclosing your personal information to anyone (e.g. HKID/passport number and copy, date of birth, etc.). You should also not upload or capture your personal information using any third-party website or mobile app not authorised by us or any electronic devices of other people.
    • Please change your password regularly.
    • You should be careful about sharing information on social networking platforms. Please prevent the disclosure of personal information (e.g. full name, email address, date of birth, correspondence address or phone number, etc.).
    • You should be responsible for taking reasonable steps to securely and secretly keep any devices (e.g. personal computers, Security Devices, “e-Certificates” and identity documents), secret codes (e.g. Internet Banking password, passcode and phone banking password), or Biometric Authentication (e.g. fingerprint and Face ID) used for accessing Internet Banking and activating mobile payment app.
    • Do not forward your One-Time Password (OTP) and push notification to anyone.
    • You will be responsible for all instructions given by using your devices, secret codes, or “Biometric Authentication” to log in Internet Banking.
    • If you suspect that your password or two-factor authentication tools have been used by an unauthorised party, or find any unauthorised transactions associated with your account, please contact us immediately.
    • The one-time “Transaction Confirmation Code” generated by the Security Device or Mobile Token is only required for "designated transactions". We will not request you to input any number to your Security Device or Mobile Token to obtain “Login/Security Code”. In case of doubt, please do not follow the instructions of the suspicious web page or input any data. Please terminate the operation of Internet Banking immediately and contact us immediately.
    • You can choose to log in Internet Banking with Security Device or Mobile Token to enhance security.
  6.  

  7. Protect your personal computer
    • Please download and install updates and patches for your operating systems and browsers regularly.
    • Please install firewall systems on your personal computer.
    • Please install anti-virus software on your personal computer. Update the virus definition file and perform virus scanning regularly.
    • Please set a passcode for locking devices that is difficult to guess and activate the auto-lock function.
    • Do not download or install programmes from unreliable sources or open suspicious files, emails or SMS. This helps protect your personal data against hackers' programmes or viruses.
    • If you access Internet Banking via wireless network, please check your network security settings to ensure the network is safe and reliable.

  8. Take precautionary measures while you are using Internet Banking
    • Do not save or keep your password in a browser, and disable the "Auto-Complete" feature to prevent any third party from unauthorised access to your login information via the browser.
    • Do not access Internet Banking through a shared computer or public wireless network.
    • Only pre-set and access reliable wireless networks for internet connection.
    • You should access Internet Banking through the Company’s official website. Please do not log in Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiry, please contact us immediately.
    • We suggest closing all other internet browsers before accessing Internet Banking. Do not open other suspicious internet browsers or visit any other websites while you are using Internet Banking.
    • Make sure no one can see your username and password when you log in Internet Banking.
    • Please check your last login and logout records every time you use Internet Banking. Always be aware of our SMS and email notifications and check your banking transactions regularly for any unauthorised transactions or irregularities. If you discover anything suspicious, please contact us immediately.
    • Click the "logout" button to exit from the system after you have finished all your online transactions. Please always clear the cache and history in your browser after using our online service.
    • If you have adopted secure media to store the “e-Certificates” as the two-factor authentication tools, please remove them from your computer and place them safely after completing your online transactions.
    • Do not leave your computer unattended before logging out of Internet Banking.
    • To learn more about other online security measures, please click here.
    • If you act fraudulently or with gross negligence such as failing to properly safeguard your devices, secret codes or “Biometric Authentication” for accessing Internet Banking, you will be responsible for any direct loss suffered by you as a result of unauthorised transactions conducted through your account.
    • You will be liable for all losses if you have acted fraudulently. You may also be held liable for all losses if you have acted with gross negligence (this may include cases where you knowingly allow the use by others of your devices, secret codes or Biometric Authentication) or have failed to inform us as soon as reasonably practicable after you find or believe that your devices, secret codes or Biometric Authentication for accessing Internet Banking have been compromised, lost or stolen, or that unauthorised transactions have been conducted over your accounts. This may apply if you fail to follow the safeguards set out above if such failure has caused the losses.
       
  9. Points to Note for Corporate Internet Banking customers
    • Dual authorisation for financial transactions: To enhance security, you are advised to set up dual authorisation for financial transactions to be conducted via Corporate Internet Banking.
    • Accounts Activities Monitoring: You may set up incoming/outgoing fund notification to your mobile phone, email, inbox or app notification to keep track of any activities with your accounts.
    • Regular Backups: A good backup strategy is essential for data security. You should always classify your data into different levels of importance. If your data contains sensitive information, you should encrypt the data.

e-Cheque/e-Cashier's Order (e-CO)

  • e-Cheque/e-CO is issued with Two Factor Authentication and digitally protected by Public Key Infrastructure (“PKI”) technology to ensure integrity and confidentiality.
  • Customers should be alert to unauthorised usage of e-Cheque/e-CO services. After using the e-Cheque/e-CO, please check the transaction details in the notification (email or SMS).
  • Every e-Cheque/e-CO displays the Issuer details:
    Bank: Bank of China (Hong Kong)
    Prepared by: Bank of China (Hong Kong) Limited

  • e-Cheque/e-CO is transmitted through email. Do not open any suspicious email, to avoid your computer being infected by a virus, and do not log in Internet Banking via hyperlinks or QR Codes embedded in any email or SMS. Before opening any attachment in an email, please use anti-virus software to scan the attachment.

Remarks:

Designated transactions:

  • Registration of third-party accounts
  • Issuing e-cheque(s)/e-cashier's order(s)
  • Payment of bills
  • Increase transaction limit
  • Other high-risk transactions

 

Designated investment transactions:

  • HK Securities / Securities Margin, A Shares Securities / Securities Margin, US Securities

    • Trading
    • Monthly Stocks Savings Plan
    • eIPO – Subscription / Financing

  • Debt Securities / Certificates of Deposit

    • IPO
    • Buy / Sell

  • Funds

    • Subscribe
    • Redeem / Switch
    • Monthly Funds Savings Plan

  • Precious Metal/FX Margin

    • Market Order
    • Good-Till-Date Order (include Trading/Delete)

  • Precious Metal Passbook

    • Trading

  • Structured Investments

    • Application

  • Currency Linked Investments

    • Open Dual Currency Investment
    • Open Option Linked Investment
    • Squaring Contract

  • Equity Linked Investments

    • Subscribe