New cybersecurity standards will phase out one-time passwords for crypto logins.
SFC mandates phishing-resistant authentication for crypto trading platforms
Photo Credit: Unsplash/FlyD
The Hong Kong Securities and Futures Commission (SFC) on Thursday set out new rules for phishing-resistant authentication systems for Virtual Asset Trading Platforms (VATP) and online brokers in the special administrative region. Phishing-resistant authentication and binding of devices will be necessary under the new standards, whereas using one-time passwords for login via text message, email, or mobile application will be forbidden. The implementation period will not exceed 12 months. The standards suggested more secure solutions like passkeys, registered devices with crypto validation, as well as hardware keys, which are considered phishing-resistant by SFC.
The steps taken by the authority have improved the cybersecurity level in Hong Kong, as phishing and social engineering scams in the global crypto industry experienced a significant rise during the first quarter of 2026. Counterfeiting and fraud attacks comprised 57 percent of the cybersecurity incidents that were reported in 2025 to the Hong Kong Cyber Security Accident Coordination Center, according to a statement.
Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said, “To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response, and education.”
Phishing attacks and social engineering scams are already part of major global challenges to the crypto industry. On Wednesday, a crypto investor lost almost $1 million (roughly Rs. 9.53 crore) due to the phishing token transaction approval on the Ethereum network, which is one of the many phishing scam losses to hit the crypto industry, amounting to $366 million (roughly Rs. 3,489 crore) in the first half of 2026.
Earlier this month, an estimated $1.65 million (roughly Rs. 16 crore) was lost in a similar situation where a wallet owner connected to a fraudulent exchange and signed a contract that gave hackers unlimited access to the money, Ryan Coleman said Friday.
The second quarter of 2026 is already the most hacked quarter on record in terms of the number of attacks, with 83 hacks of crypto protocols, per analysis from market insights provider Unfolded based on data from DefiLlama. KelpDAO's $293 million (roughly Rs. 2,793 crore) hack and Drift Protocol's $280 million (roughly Rs. 2,669 crore) exploit were the largest incidents of the quarter.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.