← All Briefings
Briefings


The Hong Kong Securities and Futures Commission's new login rule bans one-time passwords for crypto platforms and online brokers. SMS and app-based OTP are the exact mechanism SIM-swap and real-time phishing proxies exist to defeat, and the regulator has now written that fact into a mandatory circular rather than a risk advisory. The rule requires phishing-resistant authentication, in practice FIDO2 hardware keys or platform passkeys, replacing a control that has been technically obsolete since adversary-in-the-middle kits went commodity. Bitdefender and Netcraft catalogued exactly that kit class years before this circular existed.

The harder compliance question sits with Helix, the SharePoint-focused extortion group BleepingComputer detailed this week, which does not attack OTP at all. It calls the help desk, gets a device code accepted, and MFA is satisfied without a single credential touched. Hong Kong's rule fixes the login page; it says nothing about the enrollment and support channel sitting behind it. A crypto platform can pass this circular's audit and still lose its SharePoint tenant to the same voice call Helix is running against everyone else this month.

Weak. The Helix paragraph is a second story bolted onto the SFC lede, not a compliance question raised by it. Either the piece is about the SFC rule or it is about help-desk social engineering as the live gap regulators keep missing, pick one and rebuild the other as the follow.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.