Security Tips for e-Services


    Online security of our e-Services has always been the prime concern of CMB Wing Lung Bank (“the Bank”). A safe and secure system not only ensures the confidentiality of customers' information but, more importantly, prevents unauthorized operation of customers' bank accounts. Apart from the security measures implemented by the Bank, you are also responsible for safeguarding your personal account information and play an equally important role in doing so. The important guidelines are therefore summarized in this section for your reference. You are strongly recommended to make these guidelines a habit when handling your personal account information.

    If you suspect any unauthorized use or abnormal transactions related to your e-Services account, you should contact the Bank by calling our Customer Services Hotline at (852) 230 95555 or the CMB Wing Lung Credit Card Centre 24-hour Hotline at (852) 3711 7900 to request suspension of the related e-Services.

    (1) Proper Handling of Account Information
    • Do not expose your logon ID or password to any third parties (CMB Wing Lung Bank staff and Police will never ask you for your password for identity verification purposes).

    • Do not write down your password without concealing it or write it down on your Security Token.

    • Do not send your logon ID and password by email.

    • Destroy the printed copy of your password once you have memorized it.

    • Do not keep any document containing your username or password.

    • Do not log on to e-channels of CMB Wing Lung Bank from a hyperlink embedded in an unknown email / instant message (including a QR Code).

    • Do not use a public computer (e.g. computers at internet cafes or game rooms) or public Wi-Fi to log on to e-channels of CMB Wing Lung Bank or to access personal email.

    • Avoid sharing your mobile phone with others to access e-channels of CMB Wing Lung Bank.

    • Use a screen saver with password.

    • Ensure that your screen or input cannot be viewed by any persons (or electronic appliance, such as view cam) when logging on to e-channels of CMB Wing Lung Bank for transaction or enquiry.

    • Do not disclose your personal information (e.g. HKID / passport number, address, bank account / credit card number) to any persons or websites you are suspicious of.

    • Make sure that no printed account information is left behind in the printer.

    • Shred all account information printouts and dispose of them properly.

    • Regularly check your account information (e.g. account balance and transaction history) and promptly check the transaction notification messages delivered by the Bank to ensure they are correct. Contact the Bank immediately should you encounter any suspicious transaction.

    (2) Password Setup
    • Do not use your name, telephone number, date of birth, identification number, etc. as password because they are easily guessed.

    • Create an alphanumeric password that mixes upper-case and lower-case characters.

    • Do not use any part of your logon ID as your password.

    • Do not reuse your logon ID and/or password for e-channels of CMB Wing Lung Bank for other internet services (e.g. internet access service, web mail, online messaging, online shopping and other internet banking services).

    • Keep your password and other devices (e.g. personal computers) in a safe and secure place, where they are unlikely to be lost or taken by others.

    • Change your password regularly, e.g. every 3 months.

    (3) Verification Code

    In order to enhance the security level of using e-channels of CMB Wing Lung Bank, customers are required to input their logon ID, password, as well as the verification code to use certain services/functions.

    (4) Two-Factor Authentication

    As part of our ongoing commitment to improving online security and protecting you, we are delighted to present the two-factor authentication technologies “Security Token” and “OTP”, which aim to ensure a higher level of security for e-channels of CMB Wing Lung Bank.

    If customers choose to log on to any e-channels of CMB Wing Lung Bank without a Security Token or OTP, the account may not be effectively protected against the risk of unauthorized third-party access, including but not limited to unauthorized securities transactions.

    Two-factor authentication uses a combination of two different factors, something you know (e.g. logon ID and Password) plus something you have (e.g. digital certificate, Security Token or mobile phone) for verifying a user's identity. The Security Token and OTP offer a higher degree of protection from a large variety of online threats, including phishing, key-logging / Trojans, shoulder surfing and screen capturing.

    • What is One-Time Password?

      A One-Time Password (OTP) is a single-use, time-sensitive Security Code. The OTP is either generated by the Security Token or sent by the Bank in SMS format to your registered phone number. It is used to authenticate the identity of customers of e-channels of CMB Wing Lung Bank.

    • How to use the Security Token?

      Using the Security Token is simple and convenient. When logging on to e-channels of CMB Wing Lung Bank, you have to press the Security Token button once and enter the 6-digit OTP generated by the Security Token, in addition to your logon ID and password, to complete the logon procedure. For certain transactions, you are required to enter an OTP or a “Transaction Signing Verification Code” for transaction confirmation. With Two-Factor Authentication, your financial information is securely protected.

      Steps to use the Security Token (token models: GO3 / GO6, DP270, DP280)

    • How to use SMS One-Time Password (OTP)?

      When initiating a request or a designated transaction on any e-channels of CMB Wing Lung Bank, an OTP in SMS format will be sent to your registered mobile phone number. Simply enter the OTP to authenticate your transaction.

    • How to activate the Security Token?

      If you have received a Security Token, please follow the steps to activate the Security Token via CMB Wing Lung NET Banking Services or CMBWLB Wintech mobile banking services.

    • What should I do for the daily maintenance of the Security Token?

      For further assistance in maintaining the operability of your Security Token, please follow the guidelines below.

      • Keep your Security Token dry and safe from acute temperature fluctuations.

      • Do not submerge your Security Token in water. The Security Token is designed to be water-resistant but not waterproof. Submerging your Security Token in water will cause it to malfunction.

      • Do not expose your Security Token to extreme temperatures. Leaving your Security Token in areas with abnormally high or low temperatures (e.g. car trunk, clothes dryer, sun, etc.) may damage the plastic shell and cause problems with the Security Token itself.

      • Do not drop your Security Token from heights, step on it, or physically stress the Security Token. Your Security Token has been designed to tolerate the normal day-to-day stress levels associated with daily handling. The Security Token will be damaged if exposed to abnormal conditions.

      • Do not open your Security Token. Your Security Token has several tamper-proof features. Opening the Token, removing the battery or circuit board, etc. will cause the Security Token to malfunction.


    • What if my Security Token is not functioning or lost?

      • Upon obtaining a new Security Token, you should log on to CMB Wing Lung NET Banking Services or CMBWLB Wintech mobile banking services to activate the new Security Token following the instructions.

      • If the Security Token malfunctions or its battery is running low (the word "BATT" is shown), you may visit any of our branches to request a replacement.

      • Upon obtaining a new Security Token, you should log on to CMB Wing Lung NET Banking Services to activate the new Security Token following the instructions.

      • If you are abroad and unable to visit the Bank for replacement of the Security Token, or should you have any enquiries, please contact us at (852) 230 95555.

      • The customer will be liable for all losses if the customer has failed to inform the Bank as soon as reasonably practicable after having found that the Security Token has been lost or stolen.

      • The customer has to return the Security Token to the Bank upon termination of CMB Wing Lung NET Banking / CMB Wing Lung Mobile Banking Services; otherwise, the Bank reserves the right to collect a handling fee from the customer.

    • How to safeguard my Security Token?
      • Keep your Security Token in a secure place and never leave it unattended or lend it to others.

      • Never personalize your Security Token, for example by marking it with your logon ID or password for identification purposes. Be sure to store your password and Security Token separately.

    • What are the important things I need to know about using a One-Time Password (OTP)?

      • If you are not able to receive an OTP, you may request a new one. Please make sure you enter the password correctly before requesting a new code.

      • If your registered mobile phone number is changed, please inform the Bank immediately by visiting any of our branches.

      • To learn more about Two-Factor Authentication, see the FAQ.

    (5) Logon and Logoff

    To ensure that you are browsing the genuine website of the Bank, it is suggested that you open a browser and type the Bank's website address yourself to log on to e-channels of CMB Wing Lung Bank, and bookmark the website address in the browser for future use; or follow the Bank’s announced method to log on.

    • Beware of any unusual login screen or process (e.g. a suspicious pop-up window or request for providing additional personal information which is not necessary) and whether anyone is trying to peek at your password. Log out immediately after use.

    • Ensure that the logon ID and password you input cannot be viewed by others.

    • Check your last logon time when you log on successfully.

    • Log off and terminate the browser properly. Never leave the window / browser / device unattended after logging on.

    • Our system will terminate the session after a specified period of inactivity:

      CMB Wing Lung Personal NET Banking / CMB Wing Lung SME NET Banking / CMB Wing Lung NET Securities / CMB Wing Lung NET Credit Card / CMB Wing Lung NET Phone Banking / CMBWLB Wintech: 10 minutes
      CMB Wing Lung Corporate NET Banking Services: 20 minutes

    (6) Encryption Function & e-Certificate

    When you are connecting or have connected to e-channels of CMB Wing Lung Bank, ensure that the "lock" icon on the browser is always in secure mode and then double click or left click the "lock" icon to verify the information on the e-Certificate.

      CMB Wing Lung NET Banking Services: "lock" icon in secure mode; no icon in non-secure mode
      CMB Wing Lung Mobile Banking Services: "lock" icon in secure mode; no icon in non-secure mode

    CMB Wing Lung Bank uses the latest encryption security measures, with the adoption of an EV TLS Certificate (Extended Validation TLS Certificate). When using Microsoft Internet Explorer 7.0 or above to log on to e-channels of CMB Wing Lung Bank, the URL address bar will turn green and the name of the certificate owner will be displayed as CMB Wing Lung Bank Ltd. This indicates that the identity of the site has been successfully verified. By pressing the URL address bar or the secured lock icon, you can verify the Internet security certificate information, including its validity and the information below; the display format varies between browsers.

    CMB Wing Lung NET Banking Services

    Issued to:

    Issued by: Symantec Class 3 Extended Validation SSL SGC CA

    CMB Wing Lung NET Securities Services

    Issued to:

    Issued by: Symantec Class 3 Extended Validation SSL SGC CA

    CMBWLB Wintech Mobile Banking Services

    Issued to:

    Issued by: Symantec Class 3 Extended Validation SSL SGC CA
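
    The manual check described above (owner name, issuer and validity), written out as a script. This is an added example, not the Bank's own code: the certificate dictionaries are constructed samples in the layout returned by Python's ssl.SSLSocket.getpeercert(), the host names in them are placeholders, and only the owner and issuer names come from this page.

```python
import ssl
from datetime import datetime, timezone

# Expected values as stated on this page.
EXPECTED_ORG = "CMB Wing Lung Bank Ltd"
EXPECTED_ISSUER_CN = "Symantec Class 3 Extended Validation SSL SGC CA"


def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a {field: value} dict."""
    return {key: value for rdn in name for key, value in rdn}


def _parse(cert_time):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def check_certificate(cert, now=None):
    """Return a list of problems; an empty list means every check passed.

    Assumes the TLS handshake has already validated the chain and host name;
    this only repeats the "Issued to / Issued by / validity" inspection.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    org = _flatten(cert.get("subject", ())).get("organizationName")
    if org != EXPECTED_ORG:
        problems.append(f"issued to {org!r}, expected {EXPECTED_ORG!r}")
    issuer_cn = _flatten(cert.get("issuer", ())).get("commonName")
    if issuer_cn != EXPECTED_ISSUER_CN:
        problems.append(f"issued by {issuer_cn!r}, expected {EXPECTED_ISSUER_CN!r}")
    if not _parse(cert["notBefore"]) <= now <= _parse(cert["notAfter"]):
        problems.append("certificate is outside its validity period")
    return problems


# Constructed samples; host names and dates are placeholders, not real values.
GENUINE = {
    "subject": ((("organizationName", "CMB Wing Lung Bank Ltd"),),
                (("commonName", "netbanking.example"),)),
    "issuer": ((("commonName", "Symantec Class 3 Extended Validation SSL SGC CA"),),),
    "notBefore": "Jan 15 00:00:00 2018 GMT",
    "notAfter": "Jan 15 23:59:59 2019 GMT",
}
# A look-alike site can show a lock icon too: its certificate is valid,
# but it names no organization and comes from a different issuer.
LOOKALIKE = {
    "subject": ((("commonName", "netbanking-login.example"),),),
    "issuer": ((("commonName", "Example Domain Validation CA"),),),
    "notBefore": "Jan 15 00:00:00 2018 GMT",
    "notAfter": "Jan 15 23:59:59 2019 GMT",
}
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, check_certificate(cert, SAMPLE_NOW) or "OK")
```
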

    (7) Other Appropriate Preventive Measures
    • Operating System Configuration / Software Installation

      • Turn off remote access control features to prevent unauthorized access to your computer.

      • Disable file and print option sharing features to prevent the access of your personal information by unauthorized persons.

      • Never install software from unknown sources.

      • Never use any jailbreak or rooted mobile device which may have security loopholes to log on to e-channels of CMB Wing Lung Bank.

      • Keep the operating system of your mobile device and app up-to-date.

      • Do not register other people's biometric records in the device for authentication purposes.

      • Do not authorize any unnecessary access permission when installing software / apps.

    • Browser Settings

      • Use the latest recommended internet browser.

      • Do not use a browser in beta version.

      • Use a browser that supports TLS or above.

      • Clear any "cache" and "history" to prevent unauthorized access to the temporary files stored in your computer / mobile, which may contain your account information.

    • Disabling the "Auto-complete" Feature

      The "auto-complete" feature will automatically complete the entries of web address, form, logon ID and password with values from previous input. When you use this function during the logon process with your computer / mobile, your logon ID and password will be recorded and stored for future auto-completion. Since this function auto-completes your logon ID and password, an unauthorized person can also log on to e-channels of CMB Wing Lung Bank with your computer / mobile. To keep information confidential, the auto-complete function should always be disabled.

    • ActiveX Controls

      An ActiveX control is a type of program that can take complete control of your computer. Data in your computer system may be deleted if you download an ActiveX control from a web site without checking its details and source. Before downloading an ActiveX control, you should:

      • Set your browser safety level to medium or above to enhance security.

      • Make sure that the source of the program is from a known publisher.

      • Read the information provided on the security certificate to ensure that it is the correct control.

      • Read any pre-installed document and make sure that you understand the impact of such installation.

      • Never download the ActiveX control if you have doubts about its source, content and impact on your system.

    • Disabling the "File and Printer Sharing" Feature on Your Operating System
      • Disable the "File and Printer Sharing" feature of your operating system to prevent illegal control or access to your computer.

    • Virus / Malicious Programs
      • Activate personal firewall to protect your computer / mobile.

      • Install and always activate anti-virus and anti-spyware software, and update the software regularly with the latest security files and patches.

      • Clear the infected files once they are discovered.

      • Do not use the computer / mobile if a virus is found until the virus is completely cleared.

      • Do not access doubtful web sites.

      • Do not download files from unknown sources.

      • Scan portable disks before using them for copying files to or from your computer.

      • Scan your computer periodically (including all local disks and all file types).

      • Regularly check the data and storage usage of your device. Uninstall any software / apps with suspicious usage immediately.

    • Email / Instant Message
      • In cases of email scam, the fraudsters usually hack into the victim's email account and check the victim's business correspondence with business partners. They then send an email to the victim using the same or a similar email account to that of the victim's business partner and claim that the payment bank account has been changed. They will further request the victim to deposit the payment for goods into the fraudster's designated bank account. If you receive any suspicious emails, you should confirm the identity of the purported business partners or the authenticity of the requests by telephone before remittance, so as to avoid being deceived.

      • The Bank and its information provider will not embed hyperlinks (including QR Codes) to e-channels of CMB Wing Lung Bank in their emails.

      • Do not open an email or its attachment from an unknown source, or click hyperlinks in a suspicious email.

      • Before processing an attachment in an email, scan it with anti-virus software.

      • The Bank will not ask for any sensitive personal information (including passwords) through emails or instant messages.

    • Others
      • Never forward the phone number used for receiving OTP via SMS to another phone number.

      • Shut down your computer when it is not in use.

      • Set a pass code for your mobile phone and activate the auto-lock function.

      • Use the latest versions of operating system, browser and mobile app. Do not jailbreak or root your mobile phone or tablet.

      • Disable any wireless network functions not in use (e.g. Wi-Fi, Bluetooth, NFC). Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection.

      • Please inform the Bank immediately through any of the following channels if your contact information (especially mobile phone and contact numbers) is changed:
        • Visit any of our branches for updating the personal information.
        • Download the form "Customer Information Amendment Form" and then return the completed form in person or by mail to any of our branches for processing.
        • Dial our Customer Services Hotline (852) 230 95555, press 7>8>1 after selecting the language and enter your facsimile number to request the form "Customer Information Amendment Form". Then return the completed form in person or by mail to any of our branches for processing.

      • Regularly review and follow the security tips published by us to keep yourself updated about the latest security issues.

    (8) Detecting and Reporting Abnormal Activities / Suspected Frauds / Frauds
    • Check your account balance and statement regularly, and contact the Bank immediately should you encounter any abnormal transaction (do not ignore any unusual activity even if it is a minor one).

    • Check your personal profile regularly to avoid loss caused by unauthorized usage of your personal information.

    • Check the Bank’s SMS messages and other messages in a timely manner and verify your transaction records. Inform the Bank immediately in case of any suspicious situations.

    • If you suspect any abnormal online transaction, you should suspend e-channels of CMB Wing Lung Bank immediately by logging on to your CMB Wing Lung NET Banking Services and confirming the "Net Banking Service Suspension" function under "My Settings".

    • Before performing “e-channels of CMB Wing Lung Bank Suspension”, you should prepare the following information:

      • Your last logon time.

      • Print / capture related screen.

    (9) Man-In-The-Browser Attack
    • Be aware of an online threat known as a Man-In-The-Browser (MITB) attack, in which an attacker takes control over a customer's connection and transmits counterfeit screens to the customer in an attempt to capture and manipulate customer data.

    • A common MITB attack scenario involves the attacker taking control over a customer's login session. The attacker sends screens similar to the online banking screens requesting the customer to wait while their details are being verified. During the period, the attacker would initiate a request for adding payee or updating personal information. An SMS containing an OTP is sent to the customer's mobile phone as part of the process. More counterfeit screens are sent to the customer to prompt the customer to key in the OTP in order for the attacker to proceed with payee addition and / or personal information update.

    • Do not proceed if you notice an unusual screen or message during your login session to e-channels of CMB Wing Lung Bank.

    • Do not act on a mobile SMS containing an OTP that you have not requested.

    (10) More Security Information

    To learn more about the security issues of e-Services, please click the following links: