The Chief Executive
All Authorized Institutions issuing payment cards
Dear Sir/Madam,
Binding payment cards for contactless mobile payments
We are writing to require authorized institutions (AIs) to strengthen security controls over the binding of payment cards to contactless mobile payment services (e.g. Apple Pay, Google Pay and Samsung Pay).
The Hong Kong Monetary Authority (HKMA) has observed an increase in the number of fraud cases involving the binding of payment cards to new mobile payment services. In the first quarter of 2023, the HKMA received over 60 complaints from cardholders about unauthorized transactions being conducted over their cards after they were bound to new payment services.
While the tactics used by the fraudsters varied from case to case, the typical modus operandi of such frauds involved sending phishing emails or SMS to lure the cardholders into divulging their payment card information and, most importantly, the one-time passwords issued by the card-issuing banks for binding the payment cards to the new mobile payment services. Even though the card-issuing banks issued alerts to the cardholders to notify them of the binding of their payment cards with new payment services, these alerts were sometimes overlooked or not responded to immediately. As a result, the fraudsters were able to carry out unauthorized transactions over the accounts of the cardholders.
In the light of the latest developments and having discussed the matter with the industry, the HKMA considers that there is a need for card-issuing AIs to strengthen security controls over the binding of payment cards to new mobile payment services. Specifically, card-issuing AIs are required to conduct additional authentication (on top of the input of correct card data and the one-time password) to confirm that the cardholders have indeed given the instructions to bind their cards with new payment services. Examples of such authentication measures include:
(a) Obtaining additional confirmation from cardholders before the binding takes effect through 2-way SMS, in-App confirmation, call back or other effective means;
(b) Requiring the cardholders to perform additional authentication (through measures similar to paragraph (a) above) before the first mobile payment transaction is conducted through the newly bound payment services; and
(c) Requiring the cardholders to activate the newly bound payment services after performing a two-factor authentication in the internet or mobile banking applications of the banks.
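One way an issuer could encode these controls as a binding state machine, added here as an illustration and not taken from the HKMA letter or any bank's system: correct card data plus the OTP only creates a pending binding, a separate confirmation channel (measures (a) and (c)) is needed before it takes effect, and the first payment on the new token needs step-up authentication (measure (b)). All names (BindingService, token_ref, the channel labels) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Out-of-band channels the letter lists for confirming a binding (measures (a) and (c)).
CONFIRMATION_CHANNELS = {"two_way_sms", "in_app", "call_back", "banking_app_2fa"}

class BindingState(Enum):
    PENDING = "pending"        # card data and OTP verified; no separate confirmation yet
    CONFIRMED = "confirmed"    # cardholder confirmed through a second channel
    REJECTED = "rejected"      # cardholder denied the binding (or confirmation failed)

@dataclass
class CardBinding:
    token_ref: str                       # hypothetical issuer-side token reference
    state: BindingState = BindingState.PENDING
    first_txn_authenticated: bool = False

class BindingService:
    """Issuer-side model: correct card data plus OTP only creates a PENDING binding;
    payments are declined until the cardholder confirms out of band, and the first
    payment additionally needs step-up authentication."""

    def __init__(self):
        self.bindings: dict[str, CardBinding] = {}

    def request_binding(self, token_ref: str, card_data_ok: bool, otp_ok: bool):
        # Card data + OTP are what phishing captures: necessary, but not sufficient.
        if not (card_data_ok and otp_ok):
            return None
        binding = CardBinding(token_ref)
        self.bindings[token_ref] = binding
        return binding

    def confirm_binding(self, token_ref: str, channel: str, cardholder_approved: bool):
        binding = self.bindings[token_ref]
        if channel not in CONFIRMATION_CHANNELS:
            raise ValueError(f"unsupported confirmation channel: {channel}")
        binding.state = BindingState.CONFIRMED if cardholder_approved else BindingState.REJECTED
        return binding.state

    def authorize(self, token_ref: str, step_up_ok: bool = False) -> str:
        binding = self.bindings.get(token_ref)
        if binding is None or binding.state is not BindingState.CONFIRMED:
            return "DECLINE_BINDING_NOT_CONFIRMED"
        if not binding.first_txn_authenticated:
            if not step_up_ok:
                return "DECLINE_STEP_UP_REQUIRED"
            binding.first_txn_authenticated = True
        return "APPROVE"
```

In the phishing scenario the letter describes, the fraudster reaches the pending state but every authorization is declined until the genuine cardholder confirms through a channel the fraudster does not control.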
If AIs would like to implement other authentication measures (e.g. biometric authentication) which they consider to be effective, they are welcome to discuss them with the HKMA beforehand. AIs are expected to implement the abovementioned enhancement over the binding of cards to new payment services as soon as practicable, but in any case no later than 31 May 2023.
Should your institution have any questions about this letter, please feel free to contact Mr Tsz-Wai Chiu at 2878 1389 or Mr Kevin Yau at 2878 1044.
Yours faithfully,
Raymond Chan
Executive Director (Banking Supervision)