Security tips on mobile banking and mobile payment

Using mobile banking service with caution

Here are some suggestions for you to enhance the security of mobile devices and mobile banking:

  • Take reasonable steps to keep your devices that store digital certificates (e.g. personal computers, security devices that generate one-time passwords and smart cards) and authentication methods (e.g. passwords and one-time security codes) used for accessing Personal e-Banking
  • Destroy any printed cop(ies) of the password(s)
  • Understand the risks of using biometrics (i.e. fingerprint or face recognition), Mobile Security Key or device binding as authenticators for making payments and how to protect your devices and those authentication methods
  • Don’t write down the passwords on any device for accessing our Personal e-Banking or on anything usually kept with or near it.
  • Inform us as soon as possible if you suspect your authentication methods or devices for accessing our Personal e-Banking have been compromised, lost or stolen, or there are unauthorised transactions over your accounts
  • Ensure that you have virus detection software installed on your devices and keep it updated to ensure the best possible protection
  • Ensure you regularly check for and install security updates for your devices. For maximum protection, you can set your devices to automatically install security updates
  • Never open email attachments of unknown origin or from unreliable sources without first verifying their source and/or running anti-virus scanning software
  • Never install pirated software or software from an unknown or unreliable source
  • You should only allow people who you know and trust to use your mobile devices. Never leave your devices unattended
  • You should ensure that no unauthorised person has access to your mobile devices, especially when you are using Hang Seng Personal e-Banking or Mobile Banking app. When you finish using your mobile device, you should always log out and close the browser or mobile app. Disconnect from the internet when you are not using your mobile device
  • If possible, do not log in to Hang Seng Personal e-Banking or Mobile Banking app in a public place as this may enable unauthorised persons to see your personal and/or account information
  • Do not log in to Hang Seng Personal e-Banking or Mobile Banking app using someone else’s mobile device as this may give other people the opportunity to access or steal your personal and/or account information
  • Please close all other browser windows before logging in to Hang Seng Personal e-Banking. Do not open other browser windows or browse other websites when using Hang Seng e-Banking as this may give unauthorised persons the opportunity to log in to your Hang Seng Personal e-Banking account or access your personal and/or account information
  • To ensure that you are using the genuine Hang Seng Personal e-Banking website, please type or into the address bar of your browser window. You may then wish to bookmark the site for future use
  • When you have finished using Hang Seng Personal e-Banking or Mobile Banking app, please remember to log out and close the browser window or app
  • Please regularly review your personal and account information to ensure it is up-to-date and accurate
  • Beware of fraudulent SMS messages. We will never ask you to log in to your Hang Seng Personal e-Banking or Mobile Banking app in an SMS message
  • Please do not store your Hang Seng Personal e-Banking user name and/or password in your mobile devices without any form of encryption as this may give unauthorised persons access to your account should any of your devices be stolen or lost
  • For improved security, please use passcodes or other identity authentication locks on all your mobile devices
  • Before using Hang Seng Personal e-Banking, always confirm that the URL is correct ( or and that the browser address bar is showing the ‘security lock’ that indicates that the connection is secure (SSL)
  • If your mobile device is idle for a certain period of time while using Hang Seng Personal e-Banking, the system will automatically end your session and log you out to help protect your account
  • You should not choose a password that can be easily guessed. Never share your device or account passwords with other people
  • You should not allow other people to store their fingerprints or other biometric authentication information in your mobile devices

Please note, you may be held liable for all losses if you have acted fraudulently or neglectfully, knowingly allowed others to use your device or authentication methods, or failed to follow the safeguards set out above.

If you use Hang Seng Personal Banking mobile app, or other Hang Seng online apps:

  • Be sure you download them from official app stores. Please do not download from any other source
  • Never install software on or make modifications to your mobile device that may compromise its security system

You may access the designated page of the Hong Kong Monetary Authority for more tips on mobile device protection.

Processing mobile payment safely

Without prejudice and in addition to the security provisions and all Terms and Conditions of any applicable credit card, ATM card or card PIN, you are responsible for taking precautionary measures, as far as reasonably practicable, to protect the security of your mobile device(s) and the details of any and all credit or debit cards stored on these devices. Otherwise you might be liable for the risks and consequences of any unauthorised use of your mobile device(s).

The aforementioned security suggestions on mobile banking service also apply to mobile payment. In addition, please consider adopting the measures below:

  • Register, activate and/or use your bank card for any mobile payment service in strict accordance with the instructions and designated methods of the relevant mobile payment service provider
  • Do not allow any other person to specify security information for your mobile devices or to carry out mobile payment transactions using your mobile devices in any way
  • Beware of accidental or unauthorised disclosure of any of your security information, and amend it regularly or when necessary
  • Do not use any mobile device that has been modified, reprogrammed, cracked or invalidated, or on which any unauthorised or pirated software, programme or application has been installed, to register or activate your ATM card or other bank cards, including registration for mobile payment services
  • Check your account transaction records as soon as reasonably practicable, and notify the Bank of any suspected unauthorised transaction or if you suspect your bank card has been used for any unauthorised purpose
  • In any or all of the following situations, delete your bank card registration(s) and all associated details from your mobile device(s) immediately according to the instructions and guidelines issued by the relevant mobile payment service provider(s):
    • before discarding any mobile device containing bank card information or temporarily handing over such mobile device to any other person (for example, for repair); or
    • the bank card is terminated by you or the Bank for any reason
  • Check the latest security recommendations provided by the Bank periodically, and always follow the security procedures specified by the Bank when using a bank card for mobile payment transactions
  • When conducting mobile payment transactions via QR Code:
    • ensure that the QR Code is from a trusted source before scanning the QR Code on a mobile payment device;
    • confirm that the scanned QR Code information is correct; and
    • do not disclose the QR Code generated by the mobile payment device to any other person
  • When an alert on the transfer page indicates that the payee is related to a scam report, you must verify the payment details and make sure the payee is trustworthy before each transfer


Beware of scams! Don't provide bank, credit card, debit card, investment, insurance and MPF accounts or other key personal information via links embedded in suspicious messages claiming to be from us.