Security tips for BoC Pay

How to download the BoC Pay mobile app?

BoC Pay is a one-stop local and cross-border payment mobile app, which can be downloaded from:

  • Official App stores (Google Play, App Store and HUAWEI AppGallery): search for "BoC Pay".
  • BOCHK website: Home > More > e-Banking Service > BoC Pay.

Smart tips:

  • Do not download any counterfeit mobile apps, to prevent your mobile devices from being infected by phishing programmes or Trojans and to prevent fraudsters from stealing your information.
  • Do not copy, install or open any mobile apps from unknown sources on your mobile devices. Do not open any suspicious files, emails, SMS, instant messaging or QR codes to prevent hacking programmes or computer viruses from stealing your information.
  • Only download and install mobile applications provided by trusted and verified developers from official application stores.
  • If you find any suspicious apps, do not download them, and stop the operation immediately.
  • If you find any abnormalities, such as unusual screens or slow login response, please stop the operation immediately.
  • Evaluate the permissions requested by mobile applications carefully before installation. If suspicious permissions are requested, do not install the mobile application.
  • Maintain proper configuration of mobile devices and do not allow installation of mobile applications from unknown sources.

 

Is the BoC Pay service secure?

Account and transaction security is our prime concern. We have comprehensive security control measures to protect you, which include but are not limited to:

  • We adopt internationally-recognised encryption technology to ensure information security.
  • Login is always required before using the account services or performing transactions.
  • To ensure your account safety, you can only log in to and use BoC Pay on one mobile device at the same time.
  • Payment passcode or biometric authentication is used to authenticate transactions in BoC Pay.
  • To prevent unauthorised transactions, the QR code generated with the "QR Code Payment" function will be refreshed automatically within a specified period of time.
  • Upon the completion of transactions, you will receive transaction notifications from BoC Pay.

 

What should I be aware of when using BoC Pay?

Transaction Security

  • The "QR Code Payment" function should only be used at merchants who support UnionPay QR codes. Never capture the QR code or any information shown on the "QR Code Payment" page, and never send or disclose the information to others.
  • When performing online transactions (including credit card transactions), carefully check the details such as the name of the merchant / recipient, transaction type, payment method (e.g. mobile number, email address, FPS ID, account number or the QR code used to request payment), transaction amount, currency, etc. to ensure the transaction is correct. Do not enter your OTP recklessly. If you have any doubts, please do not authenticate the transaction with payment passcode, biometric authentication or SMS one-time passwords.
  • Please check your account balance and transaction records regularly. If you find any suspicious or unauthorised transactions, please contact us immediately.

 

Network / Mobile Device Security

  • Avoid logging in to BoC Pay via a wireless network (i.e. Wi-Fi) that is public or not password-protected. We advise using an encrypted and reliable mobile internet connection.
  • Activate the auto-lock function of your mobile devices. Avoid logging in to BoC Pay in a crowded area, and be careful when inputting your password on mobile devices, as this might indirectly disclose your login information to other people.
  • Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) or Payment Apps not in use. Choose encrypted networks when using Wi-Fi and disable Wi-Fi auto-connection settings.
  • Avoid using other people's mobile devices to log in to BoC Pay, and avoid sharing your mobile devices with others.
  • It is recommended to set up a firewall and install anti-virus software / a mobile security app on your mobile devices, and to update them regularly. You can visit the HKCERT website for reference when selecting appropriate apps: https://www.hkcert.org/mobile-security-tools
  • You should ensure that the devices you use to access BoC Pay services are not infected by viruses or accessed without authorisation by malicious, corruptive or destructive programs for the retrieval, use and change of your password, Biometric Authentication (e.g. fingerprint, Face ID) or personal information.
  • To protect your online transactions, when you use the Bank's Mobile App we will check whether your mobile devices are jailbroken or rooted and whether they run the recommended operating systems that meet the minimum security requirements. You may not be allowed to access BoC Pay via devices that are jailbroken or rooted or that do not meet these requirements. Please pay attention to the corresponding reminders or stay tuned to our "What's New" notices.
  • Do not click on links from suspicious SMS messages, emails, attachments, websites, social media pages/posts or unknown sources. In case of doubt, please stop the operation and do not input any data. Please close the window and delete the mobile applications.
  • Please check your last login and logout records every time you use BoC Pay. If there are suspicious transactions, please contact us immediately.
  • You must take all reasonable and prudent measures to keep your mobile devices and SIM card secure. If you find that your mobile devices have been lost or stolen or that any unauthorised transactions have occurred, you should contact us immediately.

 

Personal Information Security

  • Protect your passwords, personal information, bank account and credit card information, and take responsibility for them:
    • Please memorise your passwords. Do not record them in any form without concealing them.
    • Do not use easy-to-guess characters as your passwords (e.g. date of birth, HKID / passport number, etc.). Avoid using the same passwords you have used for other accounts, in particular those for handling private and sensitive data.
    • Please safeguard your information. Do not disclose your passwords, One-Time Password (OTP) and login information to anyone. You should also avoid disclosing your personal information to anyone (e.g. HKID/passport number and copy, date of birth, etc.).
    • We will never ask for any sensitive personal information such as bank account details, credit card number/security code, Internet Banking user name, login passwords, payment passcode and OTPs through phone calls, emails or SMS messages. Please contact us immediately if you receive such a request. If you receive any suspicious SMS or email messages with embedded hyperlinks purporting to be from the Company and requesting you to input any personal information, you should be vigilant and think twice. In case of doubt, please contact the Company’s Customer Service Hotline at (852) 3988 2388.
    • The Company will not send SMS or email messages with embedded hyperlinks, QR codes or attachments directing customers to the Company’s website or mobile applications to carry out transactions. Nor will the Company ask you to provide any sensitive personal information, including bank account details, credit card number/security code, Internet Banking user name, login passwords, payment passcode and OTPs, via hyperlinks, or contact you via telephone voice messages.
    • Do not visit any website or use any mobile app that is not verified by BOCHK. You should not upload or capture your personal information using any third-party website or mobile app not authorised by us, or using other people's electronic devices.
    • Please change your passwords regularly.
    • You should check the security tips provided by BOCHK from time to time. If you find or believe that your passwords or devices linked with the bank have been leaked, lost or stolen, or that any unauthorised transactions have occurred, you should contact us immediately.
  • Take all reasonable and prudent measures to securely and properly keep your passwords (including but not limited to BoC Pay payment passcode, Internet Banking password, ATM PIN and one-time passwords), which are used for binding accounts / credit cards in BoC Pay.
  • You should notify us of any change of your mobile phone number or email address without delay. You remain responsible for any unauthorised use of the BoC Pay services by others before we receive your notification.
  • You should be aware of your obligations in relation to security for BoC Pay and follow the relevant security measures that we specify from time to time for the protection of customers. You may bear the risk of suffering or incurring any loss if you do not take the security measures that we recommend.

Smart tips:

  • Please regularly download and install the latest versions of the BoC Pay Mobile App, other Mobile Apps, operating systems and browsers from the official App stores (Google Play, App Store and HUAWEI AppGallery) or our website. Do not install any software / mobile apps from untrusted sources. If you find any suspicious app, do not download it, and stop the operation immediately.

 

What should I be aware of when using the biometric authentication function?

BoC Pay uses biometric authentication technology to verify your identity for transaction authentications with the biometric credentials specified by us, including fingerprint and Face ID. The availability of biometric authentication is subject to the brand, model and operating system version of your mobile devices. When using the biometric authentication function, you have to pay attention to the following:

  • Upon successful enabling of the "Biometric Authentication" function, all fingerprint(s) or Face ID stored in your mobile devices can be used for the "Biometric Authentication" function. You must ensure that only your fingerprint(s) or Face ID is stored in your mobile devices. You must also ensure the security of the passwords that are used to store the fingerprint(s) or Face ID in your mobile devices and the payment passcode that is used to enable the "Biometric Authentication" function.
  • For security reasons, do not use jailbroken or rooted mobile devices.
  • You can disable the "Biometric Authentication" function at BoC Pay Menu > "Settings" > "Payment Settings" > "Touch ID" or "Face ID" (depending on your mobile devices). Follow the instructions to disable the "Biometric Authentication" function.
  • We do not store your biometric credentials. The biometric credentials you registered in your mobile devices will continue to be stored in the devices even after you have disabled the "Biometric Authentication" function in BoC Pay. You can consider deleting the biometric credentials at your own discretion.
  • Do not use "Biometric Authentication" if you believe that other people may have identical or very similar biometric credential(s) to your own, or that your biometric credential(s) can be easily compromised. For instance, do not use Face ID for authentication purposes if you have an identical twin or triplet sibling.
  • Do not use "Biometric Authentication" if your biometric credential(s) will be undergoing rapid development or change. For instance, do not use Face ID for authentication purposes if you are an adolescent with facial features undergoing rapid development.

 

What should I do if I find suspicious transactions?

If you find any suspicious credit card transactions, you should immediately call the BOC Card Customer Service Hotline on (852) 2853 8828. For suspicious Smart Account or Payment Account transactions, you should immediately call the BOCHK Personal Customer Service Hotline on (852) 3988 2388.

 

Where can I obtain more information on precautionary measures for mobile applications?

  • Hong Kong Monetary Authority
    Personal Digital Keys - https://www.hkma.gov.hk/eng/smart-consumers/personal-digital-keys/
    Internet Banking - https://www.hkma.gov.hk/eng/smart-consumers/internet-banking/
  • The Hong Kong Association of Banks
    "Internet Banking – Keeping your money safe". Please contact us for copies of this leaflet.
  • Hong Kong Police
    Cyber Security and Technology Crime - https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/index.html
  • HKSAR Government
    The InfoSec Web Site - https://www.infosec.gov.hk/en/