HSBC issues security update on e-payment app PayMe, removing function to change user phone numbers
- Expert says this is ‘interim solution’ to wider system flaw that should require two-step verification for any account changes
- Update comes after some 20 client accounts were compromised and illegal transactions made
Banking giant HSBC on Saturday issued a security update to its e-wallet app which eliminated an option for users to change the associated telephone number, two days after it was revealed that about 20 client accounts were compromised in a phishing incident.
HSBC announced the breach in its PayMe system on Thursday, with illegal transactions totalling around HK$100,000 (US$12,770).
Before Saturday’s update, users had an option to change their phone numbers while logging in, which let them bypass entering a PIN and instead use their email address. When PayMe was asked to allow a phone number change, it emailed a link to the user, and the page that link opened also allowed a password change.
This weakness in the system could enable fraudsters with users’ email credentials to gain control of PayMe accounts, said Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation.
“Once your email has been compromised, [hackers] click on the link and change the PayMe account password,” Fong said.
In the cases reported on Thursday, it was suspected that the email accounts of users were first compromised by phishing methods, where scammers posed as email service providers and sent messages prompting a change in email account passwords.
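To make the flaw and the expert's suggested fix concrete, the following is an added toy model written for this article; it is not PayMe's or HSBC's code, and every account, address and code value in it is constructed. It contrasts a "weak" policy, where clicking the emailed link is enough to change the registered phone number and then the password, with a "two-step" policy, where any account change must also be confirmed with a one-time code delivered to the phone number already on file. Someone holding only phished email credentials succeeds under the first policy and fails under the second, while the real user still succeeds.

```python
"""Toy model of an e-wallet account-change flow (constructed example).

WEAK:     control of the recovery mailbox alone lets you change phone + password.
TWO_STEP: every change also needs a one-time code sent to the phone currently
          on file, so compromising the mailbox is not enough on its own.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str
    password: str
    email: str


@dataclass
class Mailbox:  # what an email compromise hands over
    messages: list = field(default_factory=list)


@dataclass
class Phone:  # the second factor; not reachable through the mailbox
    messages: list = field(default_factory=list)


class AccountService:
    def __init__(self, account, mailbox, phone, two_step):
        self.account, self.mailbox, self.phone = account, mailbox, phone
        self.two_step = two_step
        self._email_tokens = {}  # single-use link token -> purpose
        self._sms_codes = {}     # link token -> one-time code bound to it

    def request_phone_change(self):
        """Send the change link by email; under two-step also send an SMS code."""
        token = secrets.token_urlsafe(16)
        self._email_tokens[token] = "change_phone"
        self.mailbox.messages.append(f"link:{token}")
        if self.two_step:
            code = f"{secrets.randbelow(10**6):06d}"
            self._sms_codes[token] = code
            self.phone.messages.append(f"code:{code}")
        return token

    def apply_change(self, token, new_phone, new_password, sms_code=None):
        """Consume the link token; require the bound SMS code under two-step."""
        if self._email_tokens.pop(token, None) != "change_phone":
            return False  # unknown, reused or wrong-purpose link
        if self.two_step:
            expected = self._sms_codes.pop(token, None)  # one attempt per link
            if expected is None or sms_code is None or \
                    not hmac.compare_digest(expected, sms_code):
                return False
        self.account.phone = new_phone
        self.account.password = new_password
        return True


def _fresh():
    acct = Account(phone="+852-0000-0000", password="victim-pw",
                   email="victim@example.com")  # constructed values
    return acct, Mailbox(), Phone()


def email_only_takeover(two_step):
    """Regression check: mailbox access only, no phone. Returns (success, password)."""
    acct, mailbox, phone = _fresh()
    svc = AccountService(acct, mailbox, phone, two_step)
    svc.request_phone_change()
    token = mailbox.messages[-1].split(":", 1)[1]
    ok = svc.apply_change(token, "+852-1111-1111", "attacker-pw", sms_code=None)
    return ok, acct.password


def legitimate_change(two_step):
    """The real user reads both the emailed link and the SMS code."""
    acct, mailbox, phone = _fresh()
    svc = AccountService(acct, mailbox, phone, two_step)
    svc.request_phone_change()
    token = mailbox.messages[-1].split(":", 1)[1]
    code = phone.messages[-1].split(":", 1)[1] if phone.messages else None
    ok = svc.apply_change(token, "+852-2222-2222", "new-pw", sms_code=code)
    return ok, acct.password


if __name__ == "__main__":
    print("weak policy, mailbox only:", email_only_takeover(two_step=False))
    print("two-step policy, mailbox only:", email_only_takeover(two_step=True))
    print("two-step policy, real user:", legitimate_change(two_step=True))
```

The design point is that the link token and the SMS code are bound together and both are consumed on the first attempt, so a phished mailbox yields neither a reusable link nor a chance to guess the code repeatedly; the code is compared with `hmac.compare_digest` to avoid timing leaks. A real deployment would also rate-limit requests and notify the old phone number of any change, which this toy omits.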