We urge another bank to cease and desist from treating the HKID as a password.

Citibank's abuse of HKID numbers
18 December 2013

Following our criticism of China Construction Bank (Asia) Corp Ltd for using Hong Kong Identity (HKID) numbers as a password or authenticator, here is another example at another large local bank, Citibank (Hong Kong) Limited. Bizarrely, after logging in with a username and password, and after seeing all your account balances, credit limits and transactions, if you want to actually download a PDF statement which contains similar information, then it takes you to this authentication screen:

So it sends a One-Time Passcode to your mobile phone, which you (or whoever has your phone) enters, and then it asks for part of your HKID number, which could well be a published fact. Your ID number is not a secret and is not a password. And this particular screen is pointless, because you have already logged in and seen most of the information that will be in your PDF statement anyway. We call on Citibank to stop this ridiculous practice and stop abusing HKID numbers as authenticators.

We'll post more examples as we find them. If you find any, let us know.

© Webb-site.com, 2013

