The Hong Kong Securities and Futures Commission's new login rule bans one-time passwords for crypto platforms and online brokers. SMS and app-based OTP are the exact mechanism SIM-swap and real-time phishing proxies exist to defeat, and the regulator has now written that fact into a mandatory circular rather than a risk advisory. The rule requires phishing-resistant authentication, in practice FIDO2 hardware keys or platform passkeys, replacing a control that has been technically obsolete since adversary-in-the-middle kits went commodity. Bitdefender and Netcraft catalogued exactly that kit class years before this circular existed.
The harder compliance question sits with Helix, the SharePoint-focused extortion group BleepingComputer detailed this week, which does not attack OTP at all. It calls the help desk, gets a device code accepted, and MFA is satisfied without a single credential touched. Hong Kong's rule fixes the login page; it says nothing about the enrollment and support channel sitting behind it. A crypto platform can pass this circular's audit and still lose its SharePoint tenant to the same voice call Helix is running against everyone else this month.