Mobile Banking Security

Tips to help you bank on the go with confidence

Secure access to your Mobile Banking

  • Provide a valid mobile phone number and contact number for notification purposes. If either of these numbers changes, please notify the Bank promptly.
  • Avoid sharing your mobile phone with others. If sharing is unavoidable, remember to set restrictions on your mobile phone.
  • Do not access Mobile Banking, or disclose or enter any personal information (including Username and Password), if someone nearby can read the screen of your mobile phone.
  • Always lock your mobile phone with a password or pattern when it is not in use.
  • Closing the Mobile App is not equivalent to logging out of Mobile Banking. Click on the “Logoff” button and follow the log out procedures to protect your account information.
  • Regularly clear all caches and browsing history stored on your mobile phone.
  • Some mobile services might request you to scan your HKID via their mobile apps. Don’t store your HKID copy on your mobile device or share it with people that you don't trust. Don’t scan your HKID with any untrusted apps.


Safe usage of Mobile Token and Biometric Credential Authentication Service

  • Ensure that only your Mobile Token and biometric credentials are stored on your Permitted Mobile Device, that your Permitted Mobile Device is secure and kept safely, and that any password or security code allowing the Mobile Token and biometric credentials on your Permitted Mobile Device to be altered or added is protected. The Bank will not be responsible for any losses arising out of any unauthorised transactions due to your failure to secure access to your Permitted Mobile Device;
  • Be aware that the probability of a false match of a facial map is different for twins and siblings that look like you. If you are concerned about this, you may use your Online Banking username and password to access our mobile banking services via our Mobile App;
  • Avoid taking any action to disable any function provided by, and/or agreeing to any settings of, your Permitted Mobile Device that would otherwise compromise the security of the use of the Mobile Token and biometric authentication (e.g. disabling "attention-aware" feature for facial recognition);
  • Ensure that your Permitted Mobile Device is locked immediately after use and when it is not in your possession;
  • Do not disclose or share your Permitted Mobile Device passwords, Mobile Token Password or security codes to any person, or allow anyone access to your Mobile Token or biometric authentication function on your Permitted Mobile Device;
  • Do not include easily accessible personal information such as date of birth, telephone number or any recognisable part of your name in any password or Mobile Token Password, and do not use the same password to access any other services (for example, to connect to the Internet or to access other websites/mobile applications);
  • Do not write down or record any device passwords, Mobile Token Password or security codes without disguising them;
  • Check your surroundings before entering any passwords, Mobile Token Password or security codes on your Permitted Mobile Device, and make sure that no one sees your passwords. For security purposes, change your device, Mobile Token Password and biometric authentication access passwords regularly;
  • Change your Online Banking Password and Mobile Token Password (if applicable) immediately if you suspect that you have been deceived by a fraudulent website, mobile application, email, or SMS/WAP push message (for example, if you fail to log on to Mobile Banking after using the correct Mobile Token Password or biometric credential, with or without any alert messages);
  • Inform the Bank as soon as reasonably practicable if you find out or believe your Online Banking Password, Mobile Token Password, PINs or Permitted Mobile Device have been compromised, lost, stolen, or accessed or used without your authorisation;
  • Follow all security advice, measures and guidelines provided to you by the Bank and/or the manufacturer of your Permitted Mobile Device that apply to your use of your Permitted Mobile Device from time to time;
  • Notify the Bank without delay if you change your mobile phone number;
  • Upon termination of the use of the Mobile App for any reason, deactivate Mobile Token and remove the Mobile App from your Permitted Mobile Device; and
  • Deactivate Mobile Token and delete the Mobile App from your Permitted Mobile Device if you change or dispose of your Permitted Mobile Device.


Protect your Mobile system

  • Do not hack (or 'jailbreak' or 'root') your mobile device as this can make it open to infection from a virus or spyware.
  • Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use. Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection settings.
  • Set up auto-lock and passcode lock to prevent unauthorized access to your handsets and tablets.
  • Do not use untrusted third-party virtual keyboards.


  • Download mobile applications with “China Construction Bank” as the trusted and verified developer from reputable sources only, e.g. Apple App Store, Google Play and the Bank's website.
  • Maintain proper configuration on mobile devices (e.g. disallow installation of apps from unknown sources) whenever possible.
  • Install anti-virus and anti-spyware software and keep it updated where available. Use a reputable brand from a mainstream supplier.
  • Be aware of the minimum mobile operating system requirement for the Bank's mobile application. Download and install the latest system and application updates and patches as soon as they become available. These include important security updates that help keep your device and data protected.
  • Examine carefully any app installation request before accepting it to make sure it’s legitimate.
  • Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.


Safe usage of QR Code Service

  • Stay vigilant and make sure that the QR code is from a trusted source before scanning.
  • Verify the transaction details before confirming the Instruction and check your bank record when the transaction is done.
  • The QR code generated for mobile transaction services may have your personal credentials embedded in it. Therefore, you should share the QR code with third parties only when necessary.


Beware of SIM Swap

  • Be vigilant if you find that you are not receiving any calls or SMS notifications for an unusually long time.
  • Contact your mobile service provider immediately if you suspect you have fallen victim to a SIM Swap scam.
  • Protect access to your mobile service portal to prevent fraudsters from activating an SMS forwarding service or enquiring about SMS content.
  • Do not switch off your phone if you are receiving numerous unknown calls. This could be a ploy to get you to turn off your phone to prevent you from noticing that your connectivity has been tampered with.


Other related information

  • To learn more about the e-leaflet of "Major tips on protection of your computers and mobile phones" published by Hong Kong Monetary Authority, please click here.
  • To learn more about the publications published by The Hong Kong Association of Banks, please click here.
  • To learn more about Mobile Token and Biometric Credential Authentication Service, please click here.

Protect your Personal Digital Keys; Beware of Fraudulent Links!
Don’t be tempted by quick money! Don’t lend your account to anyone for money laundering!