Citibank's abuse of HKID numbers
18 December 2013
Following our criticism of China Construction Bank (Asia) Corp Ltd for using Hong Kong Identity Numbers (HKID) as a password or authenticator, here is another example at another large local bank, Citibank (Hong Kong) Limited. Bizarrely, after you have logged in with a username and password and seen all your account balances, credit limits and transactions, if you want to actually download a PDF statement which contains similar information, it takes you to this authentication screen:
So it sends a One-Time Passcode to your mobile phone, which you (or whoever has your phone) enter, and then it asks for part of your HKID number, which could well be a published fact. Your ID number is not a secret and is not a password. And this particular screen is pointless, because you have already logged in and seen most of the information that will be in your PDF statement anyway. We call on Citibank to stop this ridiculous practice and stop abusing HKID numbers as authenticators.
We'll post more examples as we find them. If you find any, let us know.
© Webb-site.com, 2013