FinanceMagnets
Published on 2026-07-09 | 1 hour ago
Hong Kong Just Told Brokers Their Security Codes Aren't Enough
Hong Kong's Securities and Futures Commission (SFC) ordered internet brokers and virtual asset trading platforms to stop using one-time passwords for client logins, citing a rise in phishing attacks that hijack customer accounts. In a circular issued todat (Thuerday), the regulator told firms to adopt phishing-resistant authentication such as passkeys and device binding for login and device registration.Phishing that harvests client credentials has driven a run of account takeovers in the city's markets. Late last year, the SFC froze about HK$91 million (roughly $11.7 million) across four brokers, including Interactive Brokers' local unit, after unauthorized trades ran through compromised accounts.What the SFC Is RequiringThe order is direct: firms must cease using OTPs for client login and device binding, which the regulator said carry risks now that stronger options exist. OTPs sent by text or app can be relayed to an attacker on a fake login page, letting the intruder pass the check in real time.Passkeys and bound devices close that gap by tying access to a specific device or hardware credential rather than a code a client can be tricked into typing. Device binding registers a client's phone or computer with the trading system, which then recognizes it by securely enrolled attributes.Firms must implement the measures as soon as practicable and no later than 12 months from the circular's issue. Large internet brokers are expected to adopt them straight away, the regulator said.A Regulator Escalating on PhishingThe circular extends a campaign the SFC has run for more than a year as scams targeting broker clients multiplied. Phishing accounted for 57% of the security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025, according to figures the regulator cited.Earlier steps tried to shore up existing channels rather than replace them. The SFC pushed brokers to enroll in an SMS Sender Registration scheme so clients could tell genuine messages from spoofed ones.It later went further and banned brokers from embedding clickable links in text messages, after fake sites mimicking licensed firms lured clients into surrendering credentials. The commission had also encouraged firms to abandon OTPs in a cybersecurity circular dated February 2025, guidance the new order now makes mandatory.Where Responsibility LandsBeyond authentication, the SFC told firms to monitor for suspicious login, trading and withdrawal activity, alert clients to key account events, and respond quickly to breaches. It also expects them to keep warning customers about emerging phishing risks, part of a wider push that has drawn in the Hong Kong Police on virtual asset oversight.Dr Eric Yip, the SFC's Executive Director of Intermediaries, said protecting accounts requires "prevention, detection, response and education" combined. Firms should "strengthen their first line of defence with robust authentication solutions," he said.The scope is broad. The rules cover licensed corporations dealing in securities, futures and leveraged foreign exchange, along with asset managers that distribute funds through internet trading and the city's licensed crypto platforms.The SFC said senior management remains ultimately responsible for protecting client accounts and assets, and that it will hold executives accountable for any client losses that stem from lapses in their controls.
This article was written by Damian Chmiel at www.financemagnates.com.
Latest News View more
NEWS BTC | Published on 2026-07-09 | 1 min ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
1
NEWS BTC | Published on 2026-07-09 | 1 min ago
CRYPTOBRIEFING | Published on 2026-07-09 | 4 mins ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
2
CRYPTOBRIEFING | Published on 2026-07-09 | 4 mins ago
CRYPTOBRIEFING | Published on 2026-07-09 | 5 mins ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
3
CRYPTOBRIEFING | Published on 2026-07-09 | 5 mins ago
CRYPTOBRIEFING | Published on 2026-07-09 | 5 mins ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
4
CRYPTOBRIEFING | Published on 2026-07-09 | 5 mins ago
CRYPTOBRIEFING | Published on 2026-07-09 | 6 mins ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
5
CRYPTOBRIEFING | Published on 2026-07-09 | 6 mins ago
BITCOIN.COM | Published on 2026-07-09 | 6 mins ago
Bullish
ND
Bullish
Bullish
Neutral
ND
Neutral
Neutral
Bearish
ND
Bearish
Bearish
6
BITCOIN.COM | Published on 2026-07-09 | 6 mins ago