SFC restricts clients from using one-time passwords for login and device binding and requires internet brokers and virtual asset trading platform operators (VATPs) to adopt phishing-resistant authentication methods no later than 12 months.
The measures come amid the growing threat of phishing attacks involving stolen client credentials. The SFC issued a circular on Thursday that requires internet brokers and virtual asset trading platform operators (VATPs) to adopt phishing-resistant authentication methods for client login and device binding. SFC also urged large internet brokers to adopt the methods immediately.
Given the associated risks and the availability of stronger authentication alternatives, the SFC said passkeys and bound devices are examples of more robust, phishing-resistant authentication methods.
The SFC said internet brokers and VATPs must establish effective monitoring and surveillance systems to identify suspicious logins, trades, and withdrawals. They should quickly inform clients of significant account activity and act swiftly in the event of hacking incidents. Additionally, they are advised to regularly warn and remind clients about new phishing threats and other cybersecurity risks.
Eric Yip, SFC’s executive director of intermediaries, said licensed firms should strengthen their first line of defense with robust authentication solutions, stay alert to suspicious activities, and respond swiftly before harm is done.
The SFC emphasized to senior management of internet brokers and VATPs that they bear the ultimate responsibility for implementing proper controls to safeguard client accounts and assets. It also stated that they will be held accountable for any client losses resulting from control failures.
The SFC advises investors to remain vigilant in protecting their securities trading accounts and credentials. They should implement strong security practices, such as creating unique passwords, safeguarding their credentials and devices, and only accessing accounts via official websites or mobile apps of their licensed corporations (LCs) and VATPs.
Investors should regularly monitor accounts and review statements, transaction records, and alerts for any suspicious activity, SFC said. If there is any suspicion that credentials have been compromised or unauthorized transactions are detected, investors should contact their LCs or VATPs immediately, secure their accounts, and report the issues to the authorities.