More

    Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

    Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules.

    By then, licensed virtual asset service providers and internet brokers must use authentication that can resist phishing for client logins and the registration or binding of devices, according to a July 9 circular.

    The regulator said one-time passwords, or OTPs, do not meet that standard and should not be used for those two processes.

    The rule applies only when clients log in or link a new device, leaving other OTP uses unchanged.

    Firms do not have to make existing clients rebind devices that are already linked. Large internet brokers are expected to deploy the stronger methods immediately, while the broader group has a 12-month implementation period.

    Hong Kong approves 4 new crypto trading platform licenses in regulatory pushHong Kong approves 4 new crypto trading platform licenses in regulatory push
    Related Reading

    Hong Kong approves 4 new crypto trading platform licenses in regulatory push

    The licensed platforms must meet rigorous standards and undergo evaluations to ensure compliance with global security practices.

    Dec 18, 2024 · Oluwapelumi Adejumo

    Controls around those logins take effect from the outset. Firms must review and improve client notifications, account monitoring, surveillance and incident-response procedures now.

    The SFC requires firms to suspend or restrict an account as soon as they spot signs of fraud.

    A deadline with liability attached

    Timeline showing Hong Kong SFC requirements from July 9, 2026 to July 8, 2027, including immediate monitoring duties, passkeys, bound devices and senior management accountability.Timeline showing Hong Kong SFC requirements from July 9, 2026 to July 8, 2027, including immediate monitoring duties, passkeys, bound devices and senior management accountability.

    The order follows phishing campaigns reported in 2025. Fraudsters sent text messages containing links that impersonated brokers and purported to be requests from regulators or government bodies.

    Clients handed over login credentials and one-time passcodes on fake sites, giving attackers a path to hijack sessions and move funds.

    FCC robocall rule could make phone accounts a richer target for crypto attackersFCC robocall rule could make phone accounts a richer target for crypto attackers
    Related Reading

    FCC robocall rule could make phone accounts a richer target for crypto attackers

    The FCC’s robocall proposal could turn phone accounts into richer targets for SIM swaps, recovery abuse, and crypto theft.

    Jun 21, 2026 · Gino Matos

    The SFC wants firms to monitor irregular logins, new-device activity, trading that deviates from a client’s history, and fund or virtual-asset withdrawals.

    Clients should receive prompt notices of successful logins and higher-risk changes, including new devices and the creation or revocation of passkeys.

    CryptoSlate Daily Brief

    Daily signals, zero noise.

    Market-moving headlines and context delivered every morning in one tight read.