Seven banks in Hong Kong asked to recall credit cards with security flaws

Seven banks in Hong Kong have been recall contactless credit cards after they were found to reveal too much personal information.
Seven banks in Hong Kong have been recall contactless credit cards after they were found to reveal too much personal information. PHOTO: AFP

HONG KONG - Seven banks in Hong Kong were instructed by the city's Monetary Authority to recall contactless credit cards issued by them after they were found to have a security flaw which revealed too much personal information of the cardholders to unauthorised personnel.

DBS Hong Kong, Bank of China (Hong Kong), Bank of Communications Hong Kong branch, China Citic Bank International, Dah Sing Bank, OCBC Wing Hang Bank and ICBC Asia were instructed to recall or replace these cards, with the paywave function, which included the cardholder's full name, card number and expiry date in the near field communication (NFC) chip, South China Morning Post reported.

Mr Francis Fong Po-kiu, honorary president of IT Federation of Hong Kong, said banks are to blame for security breaches as they hold too much information about the cardholder. "If you did not have all three, you couldn't make any online transaction," he said.

Older versions of these cards issued by these banks included this vital information in the chip which could be accessed by anyone using mobile apps that enabled reading of such data on contactless cards.

Recently issued cards do not have the cardholder's name in the chip, after new guidelines were put in place since 2012 require banks to include information relevant for transactions in the chips.

Similar measures had been taken in the United States where the problem, known as "electronic pickpocketing" was first exposed in 2013, Mr Fong said.

Four of the institutions - Bank of China (Hong Kong), Bank of Communications Hong Kong branch, DBS and China Citic Bank International - said they had stopped issuing new cards with contactless payment functions and would soon arrange replacements for existing customers. HSBC said it did not issue such cards.

The office of the privacy commissioner said it would launch a compliance check on the issue. Hong Kong police said they had not received any reports of losses due to such security breaches.