Wikilix
Wikilix
brand

  • Home
  • Broker
  • Regulators
  • Learn
  • Articles
  • News
  • SpreadMeter
  • Prop
Call us123 456 7890329 Queensberry Street, North Melbourne VIC
3051, Australia.
[email protected]
Wikilix - Broker Reviews & Analysis

Your trusted platform for comprehensive broker reviews, analysis, and trading education. Making informed trading decisions through transparency and community insights.

Trusted by 50,000+ traders worldwide

Quick Links

  • About
  • Contact us
  • Regulators
  • Education
  • Privacy Policy

Resources

  • All Brokers
  • Top Brokers
  • Scam Alerts
  • News
  • Spread Meter

Connect With Us

[email protected]
[email protected]
Secure & Encrypted
Global Broker Coverage
© 2026 Wikilix. All Rights Reserved.

Trading involves risk. Please consider your investment objectives and risk tolerance before trading.

Choose Language

Select your preferred language

Language changes will apply immediately

  • Home
  • Broker
  • Regulators
  • Learn
  • Articles
  • News
  • Spread Meter
  • Prop FirmsNew
Choose Language

Select your preferred language

Language changes will apply immediately

/
/
  1. Home
  2. News
  3. Hong Kong SFC orders brokers to end OTP logins amid phishing surge
Back to News

Hong Kong SFC orders brokers to end OTP logins amid phishing surge

Hong Kong's Securities and Futures Commission has ordered internet brokers and virtual asset trading platforms to stop using one-time passwords for client logins, citing a rise in phishing attacks. Firms must move to phishing-resistant authentication such as passkeys and device binding within 12 months or sooner.

Wikilix Editorial Team

Author

July 11, 2026
2 min read
Market performance chart Q1 2026
Market performance chart Q1 2026

Hong Kong's Securities and Futures Commission (SFC) has ordered internet brokers and virtual asset trading platforms to stop using one-time passwords (OTPs) for client logins and device binding, citing a rise in phishing attacks that have led to account takeovers.

In a circular issued on Thursday, the regulator instructed firms to adopt phishing-resistant authentication measures such as passkeys and device binding for login and device registration. The SFC said OTPs sent by text message or mobile application can be relayed to attackers via fake login pages, allowing intruders to pass authentication checks in real time.

Regulatory response to phishing-driven account takeovers

The SFC linked the move to a series of account hijackings in Hong Kong's markets driven by phishing schemes that harvest client credentials. Late last year, the regulator froze about HK$91 million, roughly $11.7 million, across four brokers, including Interactive Brokers' local unit, after unauthorized trades were executed through compromised accounts.

The circular extends a campaign the SFC has pursued for more than a year as scams targeting broker clients have multiplied. According to the regulator, phishing accounted for 57% of the security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025.

New authentication standards and implementation timeline

The SFC's order is explicit that firms must cease using OTPs for client login and device binding, noting that these methods carry heightened risks now that stronger alternatives are available. Passkeys and bound devices are intended to close the security gap by tying account access to a specific device or hardware credential, rather than to a code that clients can be tricked into entering on fraudulent sites.

Firms are required to implement the new measures as soon as practicable and no later than 12 months from the date of the circular. The regulator indicated that large internet brokers are expected to adopt phishing-resistant authentication immediately.

Broad scope and management accountability

The new rules apply broadly across Hong Kong's regulated markets. They cover licensed corporations dealing in securities, futures and leveraged foreign exchange, as well as asset managers that distribute funds through internet trading and licensed virtual asset trading platforms in the city.

The SFC emphasized that senior management remains ultimately responsible for protecting client accounts and assets. It stated that it will hold executives accountable for any client losses that result from lapses in their firms' security controls.

Share this article:
Back to All News

Comments & Reviews

0 comments

Share Your Thoughts

What do you think about this article?

Write your comment

Share your honest experience

How would you rate your experience?

0 chars

📸 Add Images (Optional)

Visual evidence makes your review more credible

Loading comments...
Contents
  • Regulatory response to phishing-driven account takeovers
  • New authentication standards and implementation timeline
  • Broad scope and management accountability
Table of Contents
  • Regulatory response to phishing-driven account takeovers
  • New authentication standards and implementation timeline
  • Broad scope and management accountability

Frequently Asked Questions

Common questions about this article

Related Articles

FCA warns on unauthorised firm behind duxtonrozequinox.cc

FCA warns on unauthorised firm behind duxtonrozequinox.cc

The Financial Conduct Authority has issued a warning about a firm operating via duxtonrozequinox.cc, stating it is not authorised in the UK. Consumers dealing with this firm are not protected by the Financial Ombudsman Service or the Financial Services Compensation Scheme.

Jul 13
2 min read
Global Regulators Flag 18 Suspect Online Trading Platforms

Global Regulators Flag 18 Suspect Online Trading Platforms

Regulators in multiple jurisdictions have issued warnings against 18 brokerage and trading firms over the past week, citing unauthorised activity and potential fraud. The actions target unlicensed, cloned and unregulated platforms that appear to be soliciting retail investors across several markets.

Jul 06
3 min read