The unauthorised transactions occurred as hackers lured the victims to disclose their email passwords. As such, cybersecurity experts have called on the bank to introduce two-factor authentication, which requires users to provide an additional piece of information besides a password. About 20 HSBC accounts with the e-wallet system had been accessed without authorisation, and transactions carried out involving USD 12,770.
The breach had been reported to police, as well as to the Hong Kong Monetary Authority. The incident happened as hackers posing as an email service provider had sent out phishing emails asking victims to submit their passwords to initiate an update to their accounts. The platform does not use a two-factor authentication, which requires information other than a password, such as a thumbprint, face scan, ID card number or passcode sent to a phone.
HSBC on Friday said PayMe itself had not suffered any breaches. However, representatives of the bank argued that they had taken immediate action to block this threat and had contacted the affected customers, who would be compensated for the unauthorised transactions.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now