[Financial Commentary] Emil Chan: The Standard Chartered Mass Credit Card Fraud Incident / The Insight of the Standard Chartered Credit Card Incident

Emil Chan 陳家豪
Dec 9, 2022

As virtue rises one foot, vice rises ten (It takes constant vigilance to stave off evil)

Source: Ming Pao Finance

[Financial Commentary] Emil Chan: The Standard Chartered Incident, As Virtue Rises One Foot, Vice Rises Ten

Traditional credit cards, and payment card systems in general, were invented before the Internet era and were widely adopted for in-person transactions. As e-commerce became popular and even mainstream, payment service providers and banks developed card-not-present payment solutions to meet market demand. Because an online transaction cannot verify the cardholder's identity against the signature on a physical card, banks generally no longer send an SMS, let alone call the cardholder, to verify low-value transactions from another location. In the Standard Chartered mass credit card fraud incident, I believe the hackers spotted this weakness in the system and broke in successfully with a "fast, ruthless and precise" burst of small transactions over a wide area in a short time.

【The incident is a demon-revealing mirror: it highlights how out of step the communication system is with the times】

As Standard Chartered said, credit cards have a "charge back" mechanism, and once transactions are found to be unrecognised the cardholder is not liable. But this depends on the cardholder proactively notifying the bank, firstly to put the matter on record and secondly so that the bank can respond quickly to counter the intrusion. Unfortunately, the external communication system of Standard Chartered's credit card centre remains "unchanged for fifty years": it offers only a call centre on a Hong Kong local number and makes no use of the latest communication technology, so credit card customers were forced to compete with the bank's other customers for limited resources. From my observation, this was a serious incident in which the credit card centre's reliance on an outdated messaging system alone was enough to paralyse the online banking system, which was hit while standing by innocently.

【A lesson from past mistakes: Hong Kong needs to face up to the fundamental problems of its financial system】

A simple credit card attack can escalate into paralysing the normal operations of an entire major bank. Hong Kong is determined to develop into an international digital asset trading centre, but is the current division of labour and collaboration between policy bureaux in place? When one policy bureau issues licences and operating guidelines, does it coordinate closely enough with the regulators under other policy bureaux? Today it is one bank whose backward external communication system and poor internal coordination caused the problem; tomorrow, could a service provider under some regulator fail and paralyse the entire financial system? Do not assume that doing nothing avoids trouble. Hong Kong did nothing in the past, and when it realised it had to act it did not know how, which is how it arrived at today's loss of talent, institutions and even credibility. How far can Hong Kong travel safely along the road of digital finance when it lacks even a simple universal electronic identity system?

Emil Chan
Co-Chair, Hong Kong Digital Finance Association

Originally published in Ming Pao Finance on 8 December 2022.

Traditional credit cards and general payment card systems were invented before the advent of the Internet and were widely used in on-site transactions. As e-commerce became popular and even mainstream, payment service providers and banks developed card-free payment solutions in response to market demand. Since online transactions do not require a physical card and signature to prove the identity of the cardholder, banks generally do not send text messages or even make phone calls to the cardholder to verify their identity for low-value off-site transactions. In the case of the Standard Chartered Bank incident of massive fraudulent credit card transactions, I believe that the hackers took advantage of the system’s shortcomings and succeeded in hacking the system “quickly, viciously and accurately” with small transactions over a large area in a short period of time.
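The weakness the paragraph above describes is a per-transaction rule: a card-not-present payment below some amount gets no step-up verification, so many small payments each pass on their own. The following is an added illustration, not code from the article, from Standard Chartered or from any card scheme; the threshold, window sizes, merchant and card identifiers and all transactions are constructed for the example. It contrasts the weak per-transaction check with two aggregate checks a fraud-monitoring team would run instead: a per-merchant count of distinct cards making small online payments inside a short window (the "wide area, short time" pattern), and a per-card rolling total that catches a card being drained in small bites.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int          # epoch seconds
    card: str        # tokenised card identifier (constructed)
    merchant: str    # merchant identifier (constructed)
    amount: float    # amount in HKD
    cnp: bool        # True for card-not-present (online) transactions


# Hypothetical "no step-up verification below this amount" threshold.
LOW_VALUE = 300.0


def per_transaction_check(txn: Txn) -> bool:
    """The weak rule: only an online transaction at or above LOW_VALUE
    triggers cardholder verification. Every small one passes unchallenged."""
    return txn.cnp and txn.amount >= LOW_VALUE


def _small_online(txns):
    return [t for t in txns if t.cnp and t.amount < LOW_VALUE]


def merchant_bursts(txns, window=600, min_cards=20):
    """Per merchant, slide a `window`-second window over small online
    transactions and report the peak number of distinct cards seen inside
    it, for merchants where that peak reaches `min_cards`."""
    by_merchant = defaultdict(list)
    for t in _small_online(txns):
        by_merchant[t.merchant].append(t)
    alerts = {}
    for merchant, items in by_merchant.items():
        items.sort(key=lambda t: t.ts)
        win, cards = deque(), defaultdict(int)
        for t in items:
            win.append(t)
            cards[t.card] += 1
            while win[0].ts < t.ts - window:      # expire old entries
                old = win.popleft()
                cards[old.card] -= 1
                if cards[old.card] == 0:
                    del cards[old.card]
            if len(cards) >= min_cards:
                alerts[merchant] = max(alerts.get(merchant, 0), len(cards))
    return alerts


def card_rolling_totals(txns, window=600):
    """Per card, the peak rolling sum of small online amounts inside
    `window` seconds. A card whose total reaches LOW_VALUE has crossed the
    verification threshold in aggregate even though no single payment did."""
    by_card = defaultdict(list)
    for t in _small_online(txns):
        by_card[t.card].append(t)
    flagged = {}
    for card, items in by_card.items():
        items.sort(key=lambda t: t.ts)
        win, total, peak = deque(), 0.0, 0.0
        for t in items:
            win.append(t)
            total += t.amount
            while win[0].ts < t.ts - window:
                total -= win.popleft().amount
            peak = max(peak, total)
        if peak >= LOW_VALUE:
            flagged[card] = peak
    return flagged


def constructed_sample():
    """Constructed transaction log: a burst against one online merchant,
    one card drained in small bites, and benign in-person background."""
    base = 1_700_000_000
    txns = []
    # 25 distinct cards, each charged HKD 45 once at the same online merchant within 5 minutes
    for i in range(25):
        txns.append(Txn(base + i * 12, f"C-{i:04d}", "M-ONLINE-1", 45.0, True))
    # one card charged HKD 60 eight times over 3.5 minutes (HKD 480 in total)
    for j in range(8):
        txns.append(Txn(base + 600 + j * 30, "C-VICTIM", "M-ONLINE-1", 60.0, True))
    # benign background: in-person purchases at a shop, spread over a day
    for k in range(5):
        txns.append(Txn(base + k * 3600, f"C-BG-{k}", "M-SHOP", 120.0, False))
    return txns


if __name__ == "__main__":
    sample = constructed_sample()
    print("per-transaction rule flagged:", sum(per_transaction_check(t) for t in sample))
    print("merchant bursts:", merchant_bursts(sample))
    print("cards drained in small bites:", card_rolling_totals(sample))
```

On the constructed sample the per-transaction rule flags nothing, while the merchant window reports 26 distinct cards at M-ONLINE-1 and the rolling total flags C-VICTIM at HKD 480. The two windowed checks are the defender's counterpart to the "quickly, over a large area, in a short period" pattern: the thresholds and windows are tuning parameters, and in production they would be backed by the cardholder notification channel the rest of the article argues for.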

The incident is a demon-revealing mirror that highlights the disconnect between the communication system and the times.

As Standard Chartered Bank said, the credit card has a “charge back” system: once these transactions are found to be unrecognised, the cardholder is not liable. But this rests on the cardholder taking the initiative to notify the bank, both to make a record and so that the bank can respond quickly to the intrusion. However, the external communication system of Standard Chartered’s credit card center remains “unchanged for 50 years”, with only a call center providing local numbers in Hong Kong and no use of the latest communication technology, resulting in credit card customers being forced to compete with other bank users for limited resources. In my humble opinion, this is a serious incident in which the credit card center’s use of an outdated messaging system alone resulted in the online banking system being paralyzed despite having done nothing wrong.

Hong Kong needs to face up to the fundamental problems of its financial system.

The incident shows that a simple credit card attack can paralyze the normal operations of an entire major bank. If Hong Kong is to develop into an international digital asset trading center, is the current division of labor and collaboration between policy bureaux in place? Is there sufficient coordination between a policy bureau that issues licenses and operational guidelines and the regulatory bodies under other policy bureaux? Today, a bank has a problem because of its backward external communication system and its own lack of coordination; in the future, will the whole financial system be paralyzed because of a problem at a service provider under a regulatory body? Do not think that “the less you do, the fewer mistakes you can make”; this misconception has resulted in today’s situation, in which Hong Kong has lost talent, institutions and even credibility. How far can Hong Kong go safely on the road to digital finance when even a simple universal eID system is still lacking?

Emil Chan
Co-Chair of Hong Kong Digital Finance Association


Emil Chan 陳家豪

He describes himself as an "IT person returned to secular life" and a "whistleblower" of Hong Kong's fintech revolution. Besides advising fintech start-ups, he is an adjunct professor and guest lecturer at well-known business schools including City University of Hong Kong, The Hong Kong Polytechnic University, The University of Hong Kong and Lingnan University, and he actively promotes fintech and smart city development in Hong Kong and the Greater Bay Area through education. Having put down the keyboard after decades of writing computer programs, he has in recent years taken it up again to write. His working motto is "但憑愚公志,復我獅山茂" (with the resolve of the Foolish Old Man who moved mountains, restore the flourishing of our Lion Rock).