Online Security and Privacy

Customers should read the Bank's Online Security and Privacy for Online Security from time to time to ensure that adequate and appropriate measures have been taken.

Stay alert to Phishing Communications

Phishing is a cybercrime that fraudsters try to lure you into providing sensitive data such as personal information, bank account / credit card details, and login credentials, etc. The common way to do so is asking you to click on a hyperlink, scan a QR code, or open an attachment embedded in email, SMS or instant message, and the fraudsters can use the information provided by you to access your bank accounts and conduct unauthorized transactions.

China CITIC Bank International Limited (“the Bank” or “we”) would never send any SMS or emails with embedded hyperlinks, QR codes or attachments which direct customers to our websites or Apps to carry out transactions. We would not request customers to share their login credentials and / or sensitive personal information, e.g. credit card details, login passwords, PIN or OTP, etc. by phone, email or SMS (including via embedded hyperlinks).

What you can do to protect yourself?

•	Never click the hyperlink, URL or scan a QR Code in the SMS or email to login to the Bank’s i-banking, Business Internet Banking service, Corporate Online Banking service, CITICmobile (mobile browser version), inMotion or inVest (thereafter collectively as “Internet banking services”).
•	Never reveal your sensitive personal information such as credit card details (including card number, expiry date and CVV) or login credentials to anyone or websites of unknown sources.
•	Never click or install the attachments in emails.
•	Contact us to verify the SMS, email or caller authenticity via other channels (e.g. our customer service hotline published on website) if you have any queries.
•	Visit our official website at www.cncbinternational.com/en and download Apps from official sources directly.
•	Authenticate the identity of the caller or sender’s domain.

Advice from HKMA “Don't Lend/Sell Your Account”

Please refer to the website for details.

Be cautious of Stooge Account

A stooge account is either set up with false paperwork using a stolen or manipulated identity, or belongs to a legitimate customer who has allowed criminals to use their account. Criminals often target vulnerable people, i.e. those financially struggling, by tempting them with cash to permit access to their accounts.

Through telemarketing or social media platforms, criminal syndicates would offer the benefit of making quick money and lure the public into selling or lending their bank accounts, or use their personal credentials to open bank accounts. The syndicate will then use these "stooge accounts" (i.e. the accounts which is held by the account holder but manipulated by the culprit) to receive/launder fraudulent payments or other crime proceeds.

What you can do to protect yourself?

•

Never sell or lend the bank accounts/ personal credentials to others as these might be abused for unlawful purposes. Account holders should have the responsibility to understand the source of every single transaction credited into their accounts. Otherwise, they may expose themselves to the risk of committing the offence of money laundering of which the maximum penalty is a fine of HKD 5 million and imprisonment for 14 years.

Be cautious of Trojan Horse Program

Trojan Horse Program could capture your PC screen, logging keystrokes history and remote control your computer or mobile devices (smartphones or tablets) (thereafter collectively as “Devices”). It steals information like your Login ID, passwords or other personal data to proceed fraudulent or unauthorized transactions with your bank accounts. If you found any unusual circumstance when using the Bank’s Internet banking services, please immediately contact us and should also stop inputting any password or transaction.

Be cautious of Spyware

Spyware is a malicious program that is installed on the Devices without user's acknowledgement or consent, with a threat to information leakage. This program often comes from the hidden components of "free program".

Such software claims to accelerate your internet speed and protect your Devices from email virus. Once you have installed such software on your Devices, user's information and internet activities will be redirected to unauthorized organizations that allow them to store and analyze your internet activities/ information.

What you can do to protect yourself?

•	Install anti-virus or anti-spyware software programs onto your Devices before you download other programs in your Devices.
•	Do not download any freeware version of software onto the Devices that will be used to access the Bank’s Internet banking services.
•	Do not download any Point-to-Point (P2P) sharing software (e.g. WinMX, Foxy, BitTorrent…etc ) onto the Devices that will be used to access the Bank’s Internet banking services.
•	Do not install Internet Accelerator program.
•	Do not visit the Bank’s website while there is any software that has the ability to monitor the current internet session of your Devices and uninstall any suspicious software that has the ability to track your internet sessions.
•	Regularly update your anti-virus/ anti-spyware software to ensure that your Devices is installed with the latest version.
•	Do not browse suspicious websites or click on the hyperlinks and attachments in suspicious emails/SMS messages.

Verify the genuineness of the website

There are some fraudulent websites or mobile application created by Internet fraudsters that mimics the look of a particular bank's website to capture your login credentials and / or sensitive personal information such as Login ID, passwords, other personal information or transaction details etc. Some of them will attract people to their sites through scam emails. Therefore, it is crucial to make sure that you are connecting with a genuine website of the Bank.

What you can do to protect yourself?

•	Do not access the Bank’s website and Internet banking services, or provide your personal information through any hyperlinks, QR code embedded in email, pop up window and search engine.
•	You should use mobile application (App) installed in your Devices or entering the bank’s website address in the browser of your Devices directly to access the Bank’s Internet banking services.
•	Check the security certificate of the Internet banking services website that was issued to ‘ibanking.cncbinternational.com’ for Personal Internet Banking or Business Internet Banking and ‘corponline.cncbinternational.com’ for Corporate Online Banking. You can retrieve the security certificate by clicking the "padlock" icon at the top right of the Internet Explorer browser.
•	Use Microsoft Internet Explorer 11 browser version or above; Firefox 27 browser version or above; Safari 7 browser version or above (We current only support Internet Explorer 11 or above for US Stock Trading and do not support Google Chrome for internet banking temporarily.)
•	For Internet Explorer version 11 or above, please choose "Tools" on toolbar, click "Internet Options" and go to the tab "Advanced". Under the item "Security", make sure TLS 1.2 (or above version) are all activated.

Be cautious of scam voice message phone calls, SMS / instant messages and emails

Please take note that the Bank observes a well-adopted practice of not seeking personal or confidential information by voice message phone calls, SMS/instant messages and email. Fraudsters may send scam voice message phone calls, SMS/instant messages and emails purported to be from the Bank. Most of these voice message phone calls, SMS/instant messages and emails appear to come from the lawful source of a bank. These voice message phone calls, SMS/instant messages and emails will trick recipients to reveal their personal information such as your Login ID, passwords, credit card number, bank account number, one-time password, etc. In addition, some of these voice message phone calls, SMS/instant messages and emails will instruct the reader to visit the fraudulent website via a link embedded in voice message phone calls, SMS/instant messages or email and request users to input their sensitive personal and account information.

In cases of voice message phone calls, SMS/instant messages or email scam, the fraudsters could hack into the victim's computers, mobile phones, mobile devices or email account, checked the victim's business correspondence with business partners. They send voice message phone calls, SMS/instant messages or email to the victim using the same or similar contact or email account of his business partner and claim that the payment bank account had been changed and further request the victim to deposit the payment for goods into the fraudster's designated bank account or require customers to provide Internet banking login credentials or sensitive personal information (including Login ID, passwords or one-time passwords). If you receive any suspicious voice message phone calls, SMS/instant messages or emails, you should confirm the identity of the purported business partners or the authenticity of the requests by means of telephone before remittance so as to prevent from being deceived.

What you can do to protect yourself?

•	Beware that the Bank will not send voice message phone calls, SMS/instant messages or email to customers requesting for the account and personal information such as Login ID, passwords, HKID, one-time password, address, etc.
•	Beware that the Bank will not send SMS/instant messages or email to customers with embedded hyperlink or QR code which redirects to its Internet banking services.
•	Do not disclose your sensitive personal and account information via voice message phone calls, SMS/instant messages or email messages.
•	Never follow a link within SMS/instant messages or email to logon the Bank’s Internet banking services.
•	Unsolicited voice message phone calls, SMS/instant messages or emails from individuals purporting to be affiliated with the Bank proposing a private business opportunity or seeking cash transfers or account details should be ignored or reported to the Bank.
•	If in doubt about any voice message phone calls, SMS/instant messages or email or other communication that you receive which purports to be from the Bank or anyone affiliated with the Bank, please contact the Bank.

Security Measures Imposed by the Bank

We employ one of the highest levels of security to protect customer's accounts and personal data.

Here are some of the safeguards we've put in place:

Secure Socket Layer (SSL) 128-bit encryption
•	All information transmitted via the Bank’s Internet banking services is protected by VeriSign Secure Socket Layer (SSL) 128-bit encryption which could prevent unauthorized users from reading the information.

Personalized Login ID & Password
•	The only way to access your account via the Bank’s Internet banking services is to enter a correct Login ID and Password. Each Login ID is unique and multiple user logins are not allowed.
•	Following the 4^th consecutive login failure caused by incorrect password, online access of the Bank’s Internet banking services account will be suspended instantaneously.

Automatic Time out
•	To prevent any unauthorized access, the Bank’s Internet banking services will be automatically logoff after a period of inactivity.

Last Logon/ Improper Logout Information
•	To ensure highest internet security, we will provide you with Last Logon Information (last successful logon date & time) once you have logged on the Bank’s Internet banking services.
•	In case of improper logout (e.g. close the browser directly without clicking the "Logoff" button/ Internet disconnection while visiting Internet bank services’ website, etc), an alert message will be displayed in Internet banking service’ welcome page to alert user that he has not logout Internet banking service properly last time.

Use of Cookies
•	In order to improve our Internet banking services to you, the Bank may use cookies and/or other similar files or programs which may place certain information on your computer’s hard drive or on your mobile device when you visit our website or use inMotion or inVest.
•	The Bank is committed to protecting the privacy, confidentiality and security of the personal data we hold by complying with the requirements of Personal Data (Privacy) Ordinance with respect to the management of personal data. To find out more about the use of cookies and the information-collecting practices, please read the Bank’s Privacy Policy Statement.

Securities Measures Recommended to Customers

To ensure highest security while using the Bank’s Internet banking services, customers are recommended to take a number of safeguard measures for their own protection.

What you should do to protect yourself?

Secure your Login ID and Password in a proper way
•	Recommend to use a combination of numbers, upper and lower case letters for your Login ID or Password. Avoid using repetitive or consecutive digits in your password
•	Avoid using an easy-to-guess password. Do not associate your password with your personal data, such as your login ID, name, birthday or phone numbers.
•	Make it a habit to change your password periodically. We recommend our customer to change the password at least once every 6 months.
•	Keep your Login ID and password confidential at all times and never disclose to any person or web site that you do not know or cannot verify. Memorize your password and try not to write your password down anywhere.
•	Avoid using the same details that you use to access other services (e.g. ATM PIN, Phone Banking PIN, Email, etc.) to access the Bank’s Internet banking services.
•	Do not store your Login ID or Password in the browsers, in the computers or mobile device in plain sight.
•	Always log off properly when you finished using the Bank’s Internet banking services

Secure your computer or mobile devices (smartphone or tablet) (”Devices”) used for accessing the Bank’s Internet banking services
•	Install and update personal firewall and/or latest security application, anti-virus application and anti-spyware application regularly on your Devices from a trusted source.
•	Keep and safeguard your Devices properly and avoid sharing with others.
•	Avoid using any public/shared computers or devices such as those located at cyber cafes or public libraries
•	Ensure your entry of login ID, passwords, PINs or one-time password are not watched by someone standing around or behind you.
•	Do not store or keep sensitive information such as your passwords, account numbers, PINs etc. in your Devices.
•	Set a passcode for your Devices that is difficult to guess and activate the auto-lock function. Do not disclose the passcode of your Devices to anyone.
•	Don't use any Devices with any pirated hacked, fake and/or unauthorized applications or in which the software lockdown has been overridden or root access to its software operating system has been obtained (such as, but without limitation, a "jailbroken" or a "rooted" mobile devices).
•	Download and install mobile applications (e.g. inMotion / inVest etc.) from Apple App Store or Google Play.
•	Use encrypted or trusted Wi-Fi networks or service providers. Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use and remove any unnecessary Wi-Fi connection settings.
•	Do not leave your Devices unattended. Always log off properly when you finished using.
•	Make sure you are using supported versions of OS and applications of your mobile devices. Enable the auto-update feature to obtain and apply security patches regularly from trusted sources.

Protect yourself when logging onto the Bank’s Internet banking services
•	Always use the "Logout" button to exit instead of closing the window or mobile application directly when you finish using the Bank’s Internet banking services.
•	• Always check the date and time of your last visit to our Internet banking services.
•	Do not leave your Devices unattended before logout Internet banking services.
•	Please ensure that your entry of Login ID and Password cannot be watched by someone standing around or behind you when you login.
•	Check your account balances and statements regularly to identify any unusual transactions.
•	Beware of any unusual login screen or process (e.g. a suspicious pop-up window or request for providing additional personal information).
•	Check the Bank’s SMS message / email / notifications in a timely manner and verify your transaction records. Contact the Bank to update your contact information record immediately if have any changes.

Protect yourself when logging in by using biometric authentication login service (“Service”):
•	Do not register other people's fingerprints as part of the Touch ID or Face ID of your mobile device.
•	Do not disable the “Require Attention for Face ID” function in your mobile device settings. If it has been disabled, do not use Face ID for this Service.
•	It is not recommended to use Face ID for this Service if you have a twin sibling or siblings who look very alike as your siblings may be able to access to this Service using Face ID.
•	It is not recommended to use Face ID for this Service if you are in puberty stage or your facial features may be undergoing a rapid stage of development as you may not be able to access to this Service using Face ID.
•	Once the Service is activated, any registered fingerprint(s) / Face ID of the device can be used as an authentication mean to login inMotion / inVest.
•	Do not disclose the passcode of your mobile device to anyone.
•	When you change to a new mobile device, activate the Service on your new mobile device. The Service will be deactivated automatically on your previous mobile device.
•	Keep your mobile device properly and lock it with relatively complicated passcode.
•	Access the function in a secure place to prevent from exposing the account information to others, especially when using this Service in public area.
•	If you lose your mobile device with this activated Service, please contact us and deactivate the Service immediately.

Protect yourself when receiving or using SMS one-time password (“OTP”):
•	Ensure the accuracy of the registered information (including the mobile phone number registered for SMS OTP authentication) from time to time. Contact the bank to update immediately if you have changed your mobile phone number.
•	Ensure your mobile phone is switched on with satisfactory connection status and sufficient memory to receive SMS when receiving OTP. Please make sure your mobile phone has turned off SMS forwarding function when receiving the SMS One Time Password.
•	Do not disclose the SMS OTP to anyone
•	Verify the SMS OTP ID showing on Internet banking and your mobile phone for ensuring the transaction operating before entering the SMS OTP.
•	Check the bank SMS message in a timely manner and verify your transaction records. If you have any doubt on the SMS received, contact us immediately and should stop inputting any password or transaction.

Protect yourself when using WeChat Pay
•	Please download the WeChat Application from Apple App Store or Google Play.
•	Never use WeChat Pay in a mobile device with any pirated hacked, fake and/or unauthorized applications or in which the software lockdown has been overridden or root access to its software operating system has been obtained (such as, but without limitation, a "jailbroken" or a "rooted" mobile device).
•	Please make sure you are using supported versions of OS and applications of your mobile devices. Enable the auto-update feature to obtain and apply security patches regularly from trusted sources.
•	Set your WeChat Pay payment password that is difficult to guess and do not disclose such payment password to anyone.
•	To prevent unauthorized access to your WeChat wallet, do not leave your mobile device unattended. Always log off properly when you are finished making WeChat Pay payment.
•	Log in to your WeChat account via another mobile phone or device and initiate the unbinding in case of loss of mobile devices.

Protect yourself when using Security Device
•	Upon receipt of the "Security Device", please login to Internet banking immediately and follow our instructions to activate the "Security Device".
•	Customers are required to input specific transaction information (e.g. un-registered account number) into the "Security Device" to generate a one-time Security Code for designated transactions.
•	Please keep your "Security Device" in a safe and secure place. You should not allow anyone to use your "Security Device" or leave it unattended.
•	Never reveal the secure code generated from the Security Device

Protect yourself when logging onto our CNCBI Token:
•	Please download the FREE CNCBI Token Application from Apple App Store or Google Play.
•	Don't install apps on your mobile devices from mistrusted sources.
•	Use default browsers originally provided by the mobile devices rather than newly installed browsers downloaded from other sources.
•	Don't store your CNCBI Token password, Internet banking Login ID and Password on your mobile devices
•	Don't disclose or forward your SMS OTP for CNCBI Token activation / push notification / CNCBI Token password to anyone.
•	Avoid sharing your mobile device with others and use your own mobile device to register CNCBI Token.
•	Don't leave your mobile device unattended after logon to this app.
•	Always quit the app when you are finished CNCBI Token transactions with it.

What you can do to handle suspicious fraud?
If you find:
•	any suspicious activities or unauthorized transactions in relation to your Internet banking service; or
•	your password or PIN is compromised lost or stolen; or
•	your security device, computer, mobile devices used to access your Internet banking service is compromised, lost or stolen;
Please contact our customer hotline at (852) 2287-6767, or visit the nearest CNCBI branch immediately.

Your Responsibility
You are reminded to take security measures as recommended by the Bank from time to time. You may be held liable for all losses if they have acted fraudulently or with gross negligence or failed to follow the measures mentioned, such as allowing your Device or password to be used by others; or failed to inform the Bank as soon as reasonably practicable after you found any fraud activities over your i-banking or believed your device or password to be compromised, lost or stolen. However, unless you acts fraudulently or with gross negligence such as failing to safeguard your device or password for your i-banking access, you should not be responsible for any direct loss induced. If you have any enquiries on any dispute transactions or any complaints, you may call our customer hotline at (852) 2287-6767 for further investigation and handling. Hong Kong Monetary Authority encourages the public to study the following public educational materials and security tips on e-banking services: http://www.hkma.gov.hk/chi/key-functions/banking-stability/consumer-corner/strengthening-financial-consumer-protection/consumer-education-programme

Last updated on September 2022