The Hong Kong Monetary Authority has asked seven banks to recall or replace credit cards it said contained a security flaw that allows holders' names to be read by unauthorised sources using a mobile phone app when they make contactless payments. The authority named the seven banks as Bank of China (Hong Kong), Bank of Communications Hong Kong branch, China Citic Bank International, Dah Sing Bank, DBS Hong Kong, OCBC Wing Hang Bank and ICBC Asia. It did not say how many cards were involved. The banks have come under sharp criticism, being accused of storing an excessive amount of customer personal data on contactless cards.
The near field communication (NFC) chip in older versions of contactless credit cards often contained all three pieces of information needed for making online purchases - the cardholder's name, card number and expiry date. In most contactless credit cards issued recently, the cardholder's name has been removed from the NFC chip, which explains why not all banks in Hong Kong that issue contactless credit cards have the security flaw.
Similar measures had been taken in the United States, where the problem, known as "electronic pick-pocketing", was first exposed in 2013. It involves thieves stealing your credit card information without ever touching you or your wallet. Electronic pick-pocketing is also known as "crowd hacking". There are growing concerns over this type of theft, as high-tech thieves are using much more powerful versions of scanners, devices they can buy cheaply, to steal your credit card information right through the air.
The authority said yesterday that some of the cards issued by the seven banks did not fulfil the requirements it established in 2012 regarding contactless payments. The banks are under a duty to ensure that the data stored in the card and transferable via contactless payment includes only information essential for a transaction, and not the user's full name. Bank of China (Hong Kong), Bank of Communications Hong Kong branch, DBS and China Citic Bank International said they had stopped issuing new cards with contactless payment functions and would soon arrange replacements for existing customers. HSBC said it did not issue such cards. The office of the privacy commissioner is launching a compliance check on the issue.