Next in our series on the abuse of HKID numbers as passwords comes stockbroker Sun Hung Kai Financial, which uses them to "secure" e-mailed statements.

SHKF's abuse of HKID numbers
19 December 2013

Following our criticism of Citibank (Hong Kong) Limited, our third article in the series takes us to stockbroker Sun Hung Kai Investment Services Ltd, trading as Sun Hung Kai Financial (SHKF). It is a 100% subsidiary of Sun Hung Kai & Co Ltd (0086), which is a 55% subsidiary of Allied Properties (H.K.) Ltd (0056), which is a 75% subsidiary of Allied Group Ltd (0373), which is 65% controlled by the family trust of Mr Lee Ming Tee.

A reader forwarded an email he had received from SHKF, to which his monthly statement was attached in PDF format. The PDF attachment is "secured" with the 6 numerals of the customer's HKID number, or failing that, 6 digits from his passport number. The customer apparently has no choice in this matter - the email does not invite the customer to change his password. See the image below:

SHKF should cease and desist abusing the HKID in this way. If they want to send secure attachments to customers then a password known only to them and the customer should be used. Better still, they should create a secure web site where the customer can log in and collect his statements. There is really no need to send them by e-mail.

Secondly, encryption is only as strong as the password you use. In practice, it only takes a few seconds on a desktop PC with a password cracker to run through all 1,000,000 combinations of 6-digit numbers, so what SHK is actually doing is sending attachments which allow anyone who accesses the e-mail to deduce the nearly complete HKID of the user, except for the first letter. Any passwords used to protect PDFs should be much longer and stronger than that. For example, an 8-digit upper-and-lower-case alphanumeric password would allow 62^8, or over 218 trillion, combinations, making it about 218 million times harder to crack than SHK's little teaser.
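The keyspace arithmetic above, worked through in code, together with the two things a sender should do instead: refuse a short all-digit password and issue a random per-customer one. This is an added example, not SHKF's or Webb-site's code; the guess rate is a constructed figure for illustration.

```python
import secrets
import string

# Assumed offline guess rate against a PDF password: a constructed figure
# for illustration only, not a measurement from the article.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

DIGITS = string.digits                              # 10 symbols
MIXED_ALNUM = string.ascii_letters + string.digits  # 62 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at the given rate."""
    return space / rate


def hardening_factor(weak_space: int, strong_space: int) -> int:
    """How many times larger the strong keyspace is than the weak one."""
    return strong_space // weak_space


def is_weak_statement_password(pw: str) -> bool:
    """Flag the scheme the article describes: short, or made of digits only
    (an all-digit password is also what leaks an identity number)."""
    return pw.isdigit() or len(pw) < 8


def generate_statement_password(length: int = 8) -> str:
    """Random per-customer password over the 62-symbol alphabet, requiring
    at least one lowercase, one uppercase and one digit so the whole space
    is actually in play."""
    while True:
        pw = "".join(secrets.choice(MIXED_ALNUM) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


if __name__ == "__main__":
    six_digit = keyspace(len(DIGITS), 6)
    eight_alnum = keyspace(len(MIXED_ALNUM), 8)
    print(f"6-digit numeric: {six_digit:,} combinations, "
          f"{seconds_to_exhaust(six_digit):.0f} s to exhaust")
    print(f"8-char mixed alnum: {eight_alnum:,} combinations, "
          f"{seconds_to_exhaust(eight_alnum) / 86400 / 365:.0f} years to exhaust")
    print("hardening factor:", hardening_factor(six_digit, eight_alnum))
    print("example statement password:", generate_statement_password())
```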

If you find any more examples of abuse of HKID numbers as passwords, let us know.
