Online Security Tips and Information

What Have We Done to Protect You

  • We use 128-bit or above Transport Layer Security ("TLS") encryption to protect your data during transmission and to prevent unauthorised access to it by third parties.
  • Our web servers are protected by firewall systems to prevent any unauthorised access to our system.
  • Your login attempts are recorded systematically. In the event of several consecutive login attempts with an incorrect password, the related Internet Banking Services will be suspended immediately.
  • Our Internet Banking Services will be automatically disconnected after remaining inactive (i.e. no operational instructions have been received) over a period of time to prevent unauthorised transactions.
  • Our Internet Banking Services (except Po Sang) provide personal customers with a “Mobile Token” or “Security Device” as a two-factor authentication tool, while corporate customers are offered a “Security Device” or an e-Certificate as the two-factor authentication tool. This advanced security measure has been adopted to further verify your identity before the “Designated Transactions” or “Designated Investment Transactions”* can be conducted via the Internet Banking Services. For details, please refer to “Two-factor Authentication Tools”.
  • During each login to Corporate Internet Banking using an e-Certificate by corporate customers, our system will verify the identity of the user based on the information in the “e-Certificate”. To apply for an “e-Certificate”, please contact your account opening branch. To learn more about its usage, please refer to the Certification Practice Statement of Digi-Sign Certification Services Limited at www.dg-sign.com.

Security Certificate

We use an Extended Validation ("EV") SSL Certificate so that you can verify the authenticity of our websites by checking the address bar of your browser. In Microsoft Internet Explorer Version 7 or above, the address bar is shown in green, which is one of the security features of EV SSL. In Microsoft Internet Explorer, you can also check the certificate details, including the validity date of the certificate and the following information, by clicking the "security lock" icon on the login page of our Internet Banking Services. Please note that the layout may differ between browser versions. For details on the EV SSL Certificate, please refer to the website of Verisign, the issuer of the certificate.

BOCHK
Domain name issued to: www.bochk100.com
Issued by: DigiCert SHA2 Extended Validation Server CA

BOCHK and Chiyu
Domain name issued to: its.bochk.com
Issued by: DigiCert SHA2 Extended Validation Server CA

Domain name issued to: cib.bochk.com
Issued by: DigiCert SHA2 Extended Validation Server CA

Domain name issued to: igtb.bochk.com
Issued by: DigiCert SHA2 Extended Validation Server CA

Domain name issued to: m.bochk.com
Issued by: DigiCert SHA2 Extended Validation Server CA

Po Sang
Domain name issued to: trading.posangonline.com
Issued by: DigiCert EV RSA CA G2

The system will run a specified Java applet programme on your personal computer when an "e-Certificate" is used as an authentication tool by Corporate Internet Banking customers. For the sake of online security, most Internet browsers will create a pop-up window showing the "e-Certificate" signing authority and related authentication information for you to verify the programme.

If you are a corporate customer, you are requested to check the following information before logging into Corporate Internet Banking:

  1. Distributed by: "Bank of China (Hong Kong) Limited"
  2. Publisher authenticity verified by: "Thawte Consulting cc"
  3. Security certificate has not expired and is still valid
     

Recommended browsers for minimum security requirements

To ensure customer data security, please install any of the browser versions we recommend to log in to Internet Banking.

Personal Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Mozilla Firefox (Version 78.4 or above)
Apple Safari (Version 8 or above)
Google Chrome (Version 86 or above)


iGTB NET
Microsoft Internet Explorer (Version 11 or above)
Microsoft Edge (Version 44 or above)
Mozilla Firefox (Version 62 or above)
Apple Safari (Version 12 or above)
Google Chrome (Version 70 or above)


Corporate Internet Banking
Microsoft Internet Explorer (Version 11 or above)
Mozilla Firefox (Version 78.4 or above)

Information Security Tips

  1. Beware of fraudulent websites
    You should be vigilant against any fraudulent websites which seek to pass themselves off as our websites. Unless you are certain that you are connected to our websites, you should not provide the particulars of your Internet Banking.

     

  2. Fraudulent emails
    Please beware that viruses, Trojan software and hacker programmes can be distributed via emails. Viruses such as "worms" can even reproduce and deliver infected emails to the recipients in your address book. Hence, you should not open any unknown or suspicious emails. Instead, you should delete them immediately. Please do not log in to Internet Banking through hyperlinks or QR codes embedded in any emails or SMS. You should also perform virus scanning before opening any attachment. In addition, you should take extra care, as fraudsters will perpetrate frauds using emails.

    Please do not rely solely on email correspondences for any remittance transaction. You should use other channels (e.g. telephone, fax, etc.) to confirm the transaction and the beneficiary details before completing the remittance.

    Example 1 of fraudulent emails: Commercial email scam

    A fraudster hacked into the email correspondence between a foreign buyer and its service provider over a few months. After getting to know the details of their transaction, the fraudster sent out fictitious emails from an email address very similar to that of the service provider, requesting the foreign buyer to make a remittance to a fraudulent account.

    Example 2 of fraudulent emails: Fraudulent claims of estate

    A fraudster claimed to be a bank staff member in an email, inviting the recipient of the email to pretend to be the next-of-kin of a deceased client who had left a huge sum of unclaimed fixed deposit. Upon receiving a favourable reply, the fraudster requested the recipient to pay a fee in advance for preparing the necessary documents in order to claim that estate. In the end, the email recipient was deceived.

     

  3. Man in the Browser Attack
    Suspected Trojan Horse cases have been reported by a few corporate customers when they used Corporate Internet Banking. During the login process, a fake webpage was displayed requesting the customers to input their login names and passwords, as well as the one-time “Transaction Confirmation Code” generated by their Security Device.

    Please beware that the Internet Banking login process does not require you to input the one-time “Transaction Confirmation Code”. (Please refer to the following login page)

     


    You should install firewall and anti-virus software on your personal computer and keep them up-to-date. You should also avoid visiting or downloading software from suspicious websites, and be wary of opening attachments in emails from unfamiliar sources.

  4. Common Signs of Phishing Emails and SMS
    “Phishing” fraudsters often send out emails or SMS purportedly from our bank in order to trick you into providing account details, passwords, personal information or credit card numbers. To help you stay vigilant, some common signs of phishing emails and SMS are listed below.
    • Grammatical mistakes, typos or misspellings are found in the content.
    • The name of the sender shown in emails and SMS may be exactly the same as our name.
    • It usually appears as an important notification from our bank or a request for personal information to verify your account details, such as a notification of a huge fund transfer or of a new security function activation, for which the customer is required to click a hyperlink or open an attachment.
    • An embedded hyperlink or attachment is normally found in the email. The hyperlink looks like a genuine website address of our bank, but it refers to another website address when you hover the mouse over it.

    You should access Internet Banking through the Company’s official website. Please do not log in to Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiries, please contact us immediately.

    Bank | Website
    Bank of China (Hong Kong) | https://www.bochk.com
    Chiyu Banking Corporation Limited | https://www.chiyubank.com



    Personal Internet Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

     

    Corporate Internet Banking "2FA Login" process (Not applicable to “e-Certificate” users)
    Please input Corporate Internet Banking number/login name, user ID and verification code, then press "2FA Login"


    In the "2FA Login" page, please input Corporate Internet Banking password and “Security Code” generated by the Security Device

    You can select "Basic Login" for account enquiry


    iGTB NET "2FA Login" process* (Not applicable to “e-Certificate” users)
    Please input iGTB number/login name, user ID, password, verification code and then press "2FA Login"

    In the "2FA Login" page, please input “Security Code” generated by the Security Device/Mobile Token

    You can select "Basic Login" for account enquiry


    Personal Mobile Banking login
    Please input Internet Banking number/username, password and verification code, then press “Login”

    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in to Mobile Banking.

     

    iGTB MOBILE login
    Please input iGTB No./login name, user ID, password and verification code, then press “Basic Login” or “2FA Login”.

    You may choose to enable “Biometric Authentication” (e.g. fingerprint, Face ID) with Mobile Token to log in to iGTB MOBILE.

  5. Your password and personal information should be well protected
    • Upon receipt of your password mailer, please change the password via Internet Banking immediately and destroy the password mailer.
    • Please memorise your password. Do not record your password in any way without covering it.
    • Do not use easy-to-guess characters as your password (e.g. name, date of birth, HKID/passport number, etc.) and avoid selecting the same password you have used for accessing other web services.
    • Please keep your password safe. Do not disclose your Internet Banking username and password to anyone. You should also avoid disclosing your personal information to anyone (e.g. HKID/passport number and date of birth, etc.).
    • Please change your password regularly.
    • You should be careful about sharing information on social networking platforms. Please avoid disclosing personal information (e.g. full name, email address, date of birth, correspondence address or phone number, etc.).
    • You should be responsible for taking reasonable steps to keep secure and secret any devices (e.g. personal computers, Security Devices and “e-Certificates”), secret codes (e.g. Internet Banking password, passcode and phone banking password), or Biometric Authentication (e.g. fingerprint and Face ID) used for accessing Internet Banking and activating the mobile payment app.
    • Do not forward your One-Time Password (OTP) and push notifications to anyone.
    • You will be responsible for all instructions given by using your devices, secret codes, or “Biometric Authentication” to log in to Internet Banking.
    • If you suspect that your password or two-factor authentication tools have been used by an unauthorised party, or find any unauthorised transactions associated with your account, please contact us immediately.
    • The one-time “Transaction Confirmation Code” generated by the Security Device or Mobile Token is only required for "designated transactions". We will not request you to input any number to your Security Device or Mobile Token to obtain “Login/Security Code”. In case of doubt, please do not follow the instructions of the suspicious web page or input any data. Please terminate the operation of Internet Banking and contact us immediately.
    • You can choose to log in to Internet Banking with Security Device or Mobile Token to enhance security.
  7. Protect your personal computer
    • Please download and install updates and patches for your operating systems and browsers regularly.
    • Please install firewall systems on your personal computer.
    • Please install anti-virus software on your personal computer. Update the virus definition file and perform virus scanning regularly.
    • Please set a passcode for locking devices that is difficult to guess and activate the auto-lock function.
    • Do not download or install programmes from unreliable sources or open suspicious files, emails or SMS. This helps protect your personal data against hackers' programmes or viruses.
    • If you access Internet Banking via wireless network, please check your network security settings to ensure the network is safe and reliable.

  8. Take precautionary measures while you are using Internet Banking
    • Do not access Internet Banking through a shared computer or public wireless network.
    • Only pre-set and access reliable wireless networks for internet connection.
    • You should access Internet Banking through the Company’s official website. Please do not log in to Internet Banking through hyperlinks in any email, SMS, QR code, search engine, social networking platform or any third-party website or mobile app not authorised by us. For enquiries, please contact us immediately.
    • You are advised to close all other internet browsers before accessing Internet Banking. Do not open other suspicious internet browsers or visit any other websites while you are using Internet Banking.
    • Make sure no one can see your username and password when you log in to Internet Banking.
    • Please check your last login and logout records every time you use Internet Banking. Always be aware of our SMS and email notifications and check your banking transactions regularly for any unauthorised transactions or irregularities. If you discover anything suspicious, please contact us immediately.
    • Click the "logout" button to exit from the system after you have finished all your online transactions. Please always clear the cache and history in your browser after using our online service.
    • If you have adopted secure media to store the “e-Certificates” as the two-factor authentication tools, please remove them from your computer and place them safely after completing your online transactions.
    • Do not leave your computer unattended before logging out of Internet Banking.
    • To learn more about other online security measures, please click here.
    • If you act fraudulently or with gross negligence such as failing to properly safeguard your devices, secret codes or “Biometric Authentication” for accessing Internet Banking, you will be responsible for any direct loss suffered by you as a result of unauthorised transactions conducted through your account.
    • You will be liable for all losses if you have acted fraudulently. You may also be held liable for all losses if you have acted with gross negligence (this may include cases where you knowingly allow the use by others of your devices, secret codes or Biometric Authentication) or have failed to inform us as soon as reasonably practicable after you find or believe that your devices, secret codes or Biometric Authentication for accessing Internet Banking have been compromised, lost or stolen, or that unauthorised transactions have been conducted over your accounts. This may apply if you fail to follow the safeguards set out above if such failure has caused the losses.
       
  9. Points to Note for Corporate Internet Banking customers
    • Dual authorisation for financial transactions: To enhance security, you are advised to set up dual authorisation for financial transactions to be conducted via Corporate Internet Banking.
    • Accounts Activities Monitoring: You may set up incoming/outgoing fund notification to your mobile phone, email, inbox or app notification to keep track of any activities with your accounts.
    • Regular Backups: A good backup strategy is essential for data security. You should always classify your data into different levels of importance. If your data contains sensitive information, you should encrypt the data.
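
The last sign listed under "Common Signs of Phishing Emails and SMS" (a hyperlink that shows a genuine-looking address but points elsewhere) can be checked mechanically. The following is an added example, not code from the bank: it flags links in an HTML message whose visible text names one of the official websites listed above while the real target host is different. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Official sites as listed on this page.
OFFICIAL_DOMAINS = ("bochk.com", "chiyubank.com")
# Hostname-looking tokens inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def is_official(host, official=OFFICIAL_DOMAINS):
    """True if host is an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return links whose text names an official site but whose target is elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = [m.group(1) for m in HOST_RE.finditer(text)]
        target = urlsplit(href).hostname  # None for hrefs without a host
        if any(is_official(h) for h in shown) and not is_official(target):
            findings.append({"shown": text, "target_host": target})
    return findings

# Constructed sample message body (not a real email).
SAMPLE = """
<p>Dear customer, a new security function must be activated.</p>
<a href="https://www.bochk.com.login-verify.example/auth">https://www.bochk.com</a>
<a href="https://its.bochk.com/login">https://its.bochk.com</a>
<a href="http://203.0.113.7/bochk">www.chiyubank.com</a>
"""
```

Running `find_deceptive_links(SAMPLE)` reports the first and third links and leaves the genuine `its.bochk.com` link alone; note that a host which merely begins with an official name is not treated as official.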

e-Cheque/e-Cashier's Order (e-CO)

  • e-Cheque/e-CO is issued with Two Factor Authentication and digitally protected by Public Key Infrastructure (“PKI”) technology to ensure integrity and confidentiality.
  • Customers should be alert to unauthorised usage of e-Cheque/e-CO services. After using the e-Cheque/e-CO, please check the transaction details in the notification (email or SMS).
  • Every e-Cheque/e-CO displays the Issuer details:
    Bank | Prepared by
    Bank of China (Hong Kong) | Bank Of China (Hong Kong) Limited
    Chiyu Banking Corporation Ltd. | Chiyu Banking Corporation Ltd.

  • e-Cheque/e-CO is transmitted through email. Do not open any suspicious email, to avoid your computer being infected by viruses, and do not log in to Internet Banking via hyperlinks or QR codes embedded in any email or SMS. Before opening any attachment in an email, please use anti-virus software to scan the attachment.

Remarks:

Designated transactions:

  • Registration of third-party accounts
  • Issuing e-cheque(s)/e-cashier's order(s)
  • Payment of bills
  • Increase transaction limit
  • Other high-risk transactions

 

Designated investment transactions:

  • Securities / Securities Margin in different markets

    • Trading
    • Monthly Stocks Savings Plan
    • eIPO – Subscription / Financing

  • Debt Securities / Certificates of Deposit

    • IPO
    • Buy / Sell

  • Funds

    • Subscribe
    • Redeem / Switch
    • Monthly Funds Savings Plan

  • Precious Metal/FX Margin

    • Market Order
    • Good-Till-Date Order (include Trading/Delete)

  • Precious Metal Passbook

    • Trading

  • Structured Investments

    • Application

  • Investment Deposit

    • Application

  • Currency Linked Investments

    • Open Dual Currency Investment
    • Open Option Linked Investment
    • Squaring Contract