Security Blog

HKCERT advises on the recent case of credit card information leakage

Release Date: 28 / 10 / 2015
Last Update: 28 / 10 / 2015

In mid-October 2015, news reports described data leakage arising from excessive data stored on some contactless credit cards that support Near Field Communication (NFC). Using a specific application on an NFC-enabled mobile phone, a fraudster can scan such a card at close range and read information from it, including the cardholder's name, card number, expiry date and even part of the transaction records.
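As an added example (not part of HKCERT's advisory), the Python below decodes the two data formats involved in such a read: the BER-TLV records that EMV cards return to a READ RECORD command, and the fixed-layout transaction log entries whose structure the card's Log Format (tag 9F4F) describes. The tag numbers used (70, 5A, 5F20, 5F24, 9F02, 9A) are standard EMV Book 3 tags; the card number, cardholder name and transaction are constructed sample data, and the card records themselves are built inline rather than read from a card. It does not show the command exchange with the card, only what the returned bytes contain and which of them identify the cardholder.

```python
"""BER-TLV decoder for EMV card records, plus a Log Format (DOL) parser for
transaction log entries. Added example: the tags are EMV Book 3 standard tags,
but every record below is constructed, not read from a real card."""
from typing import Optional

# Tags an NFC reader can obtain from some contactless cards without any
# authentication; the advisory lists exactly these kinds of data as leaked.
SENSITIVE_TAGS = {
    "5A": "Application PAN (card number)",
    "5F20": "Cardholder Name",
    "5F24": "Application Expiration Date",
}


def _read_tag(data: bytes, offset: int) -> tuple:
    """Return (tag_hex, new_offset). A tag continues past its first byte when the
    low five bits are all ones (0x1F), then for each further byte with bit 8 set."""
    start = offset
    first = data[offset]
    offset += 1
    if first & 0x1F == 0x1F:
        while data[offset] & 0x80:
            offset += 1
        offset += 1
    return data[start:offset].hex().upper(), offset


def parse_tlv(data: bytes, offset: int = 0, end: Optional[int] = None) -> list:
    """Decode BER-TLV into (tag, value) pairs; a constructed tag (bit 6 of the
    first tag byte set) carries a nested list instead of bytes."""
    if end is None:
        end = len(data)
    items = []
    while offset < end:
        first = data[offset]
        tag, offset = _read_tag(data, offset)
        length = data[offset]
        offset += 1
        if length & 0x80:  # long form: 0x81 = one length byte, 0x82 = two
            n = length & 0x7F
            length = int.from_bytes(data[offset:offset + n], "big")
            offset += n
        value_end = offset + length
        if value_end > end:
            raise ValueError(f"tag {tag}: length {length} overruns the record")
        if first & 0x20:  # constructed template (e.g. 70): recurse
            value = parse_tlv(data, offset, value_end)
        else:
            value = data[offset:value_end]
        items.append((tag, value))
        offset = value_end
    return items


def flatten(items: list, out: Optional[dict] = None) -> dict:
    """Collapse nested templates into a flat {tag: bytes} dict."""
    out = {} if out is None else out
    for tag, value in items:
        if isinstance(value, list):
            flatten(value, out)
        else:
            out[tag] = value
    return out


def encode_tlv(tag_hex: str, value: bytes) -> bytes:
    """Inverse of parse_tlv for one value; used here only to build sample data."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes.fromhex(tag_hex) + length + value


def decode_field(tag: str, value: bytes) -> str:
    """Render a few EMV fields in readable form using their BCD/ASCII conventions."""
    h = value.hex().upper()
    if tag == "5A":
        return h.rstrip("F")                    # BCD digits, F-padded to a whole byte
    if tag == "5F24":
        return f"{h[2:4]}/{h[0:2]}"             # stored YYMMDD, shown as MM/YY
    if tag == "5F20":
        return value.decode("ascii", "replace").strip()
    if tag == "9F02":
        return f"{int(h) / 100:.2f}"            # amount: 12 BCD digits, 2 implied decimals
    if tag == "9A":
        return f"20{h[0:2]}-{h[2:4]}-{h[4:6]}"  # transaction date YYMMDD
    return h


def exposed_cardholder_data(record: bytes) -> dict:
    """Sensitive fields present in a READ RECORD response, decoded for display."""
    fields = flatten(parse_tlv(record))
    return {t: decode_field(t, v) for t, v in fields.items() if t in SENSITIVE_TAGS}


def parse_log_record(log_format: bytes, record: bytes) -> dict:
    """Transaction log entries carry no TLV framing: Log Format (9F4F) is a Data
    Object List of tag/length pairs that says how to slice each fixed-size record."""
    out, f_off, r_off = {}, 0, 0
    while f_off < len(log_format):
        tag, f_off = _read_tag(log_format, f_off)
        length = log_format[f_off]
        f_off += 1
        out[tag] = decode_field(tag, record[r_off:r_off + length])
        r_off += length
    return out


# Constructed sample data (not from any real card or cardholder).
SAMPLE_RECORD = encode_tlv("70",
    encode_tlv("5A", bytes.fromhex("4111111111111111"))
    + encode_tlv("5F24", bytes.fromhex("181231"))
    + encode_tlv("5F20", b"CHAN TAI MAN"))
SAMPLE_LOG_FORMAT = bytes.fromhex("9F02069A03")            # amount (6 bytes), date (3 bytes)
SAMPLE_LOG_RECORD = bytes.fromhex("000000012500" "151015")  # HK$125.00 on 2015-10-15

if __name__ == "__main__":
    for tag, text in exposed_cardholder_data(SAMPLE_RECORD).items():
        print(f"{tag:<5} {SENSITIVE_TAGS[tag]:<32} {text}")
    print("log entry:", parse_log_record(SAMPLE_LOG_FORMAT, SAMPLE_LOG_RECORD))
```

Run over a record dump, the report shows at a glance whether a card hands out the cardholder name and a transaction history in addition to the card number and expiry date. The length check in parse_tlv matters in practice: a malformed or truncated response must raise rather than silently slice past the end of the record.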

NFC is a short-range wireless technology for data exchange, now widely used for stored-value cards (such as the Octopus Card) and for contactless credit card payments. Information stored in the card's chip is transmitted to a reader a very short distance away (a few centimetres) without physical contact, so a transaction can be processed quickly. This is convenient for consumers, but it also means that whatever the card is willing to disclose can be read by any reader brought close to it, not only by a payment terminal.

According to the Hong Kong Monetary Authority (HKMA), of the 11 local banks that issue contactless credit cards, 7 did not meet the requirements of the Best Practice published by the HKMA and the Hong Kong Association of Banks in 2013. The HKMA has ordered the banks concerned to stop issuing the problematic cards, notify affected customers, and arrange the recall and replacement of the affected cards as soon as possible. Cardholders should refer to the HKMA's announcement to check whether their contactless credit cards are affected.


HKCERT would like to advise users to protect their interests as follows:

  1. Subscribe to the SMS transaction notification service offered by your credit card company and check your transaction records regularly. Contact the credit card centre or the merchant about any suspicious transaction.
  2. Use a card sleeve with a metal film or a metal card case. Wrapping a contactless credit card in aluminium or tin foil is also an alternative.
  3. Do not keep contactless credit cards in the compartments nearest the outer surface of your wallet or purse, and do not leave them unattended in public places.
  4. Products and services using NFC are increasingly popular. For guidance on such products and related security advice, refer to our “Near Field Communication Security Guidelines”.