HK watchdog mandates phishing-resistant authentication methods for online brokers and crypto platform operators
The Securities and Futures Commission (SFC) of Hong Kong today issued a circular requiring online brokers and virtual asset trading platform operators (VATPs) to adopt phishing-resistant authentication methods for client login and device binding.
As part of its continued efforts to combat phishing attacks and account takeover incidents targeting clients of online brokers and VATPs, the SFC is requiring them to cease using one-time passwords (OTPs) for client login and device binding, given the associated risks and the availability of stronger authentication alternatives. Passkeys and bound devices are examples of more robust, phishing-resistant authentication methods.
The SFC requires these phishing-resistant authentication measures for login and device binding to be implemented as soon as practicable but no later than 12 months from the issue of its circular. Large internet brokers are expected to adopt them immediately.
In addition to robust prevention controls, online brokers and VATPs should implement effective monitoring and surveillance measures to detect suspicious login, trading and withdrawal activities, promptly notify clients of key account events, and respond to hacking incidents in a timely manner. They should also regularly alert and remind clients of emerging phishing and other cybersecurity risks.
The SFC reminds senior management of online brokers and VATPs that they are ultimately responsible for implementing appropriate controls to protect client accounts and assets. The SFC will hold them accountable for any client losses that arise from lapses in their controls.
The regulator also reminds investors to stay vigilant in safeguarding their securities trading accounts and credentials. They should adopt prudent security measures, such as using strong and unique passwords, keeping their credentials and devices secure and up to date, and accessing their accounts only through official websites or mobile applications of their licensed corporations (LCs) and VATPs.
They should also monitor their accounts regularly and promptly review account statements, transaction records and notifications for suspicious activities. If they suspect their credentials have been compromised or identify any unauthorised transactions, they should contact their LCs or VATPs immediately, secure their accounts, and report the matter to the relevant authorities.
