Extra Security of Zerodha Account against Cyber Attacks

Hey @nithin, what additional security/SOPs does Zerodha provide its users to prevent a data breach? Like you launched Nudge to prevent customers from high-risk trading, what additional security will you provide in case of these cyber attacks? I am curious and afraid too, as all activities are digital in Zerodha, and from PAN card to KYC details to mobile number to bank account number, they are all fragile information of customers. After the security breach at Upstox, are you concerned too with this matter, and have you passed this info to your relevant security department? Let me know. Here is the news article on Upstox-

7 Likes

Here is the response from our tech team

  • We are extremely cautious, and security as a practice is baked into our processes, when writing code and when managing our infra. Common sense practices.

  • Regular internal and external penetration testing and audits.

  • Regular human and automated reviews of infrastructure.

  • Only things that really need to be exposed to the internet are exposed. Disconnected from the internet is the default policy for all new pieces that get added to the infra. This is reviewed regularly.

  • We have Cloudflare in front of all public endpoints that provides web app firewall, bot and DDoS protection.

  • Different systems are located on different networks to isolate them from each other.

  • All our internal employee systems are on VPN and require 2FA to access.

  • We self-host pretty much all internal/CRM systems on private networks without the involvement of any IT vendors, eliminating 3rd party maintenance and access.

  • Employees from different departments get access to different systems based on their roles.

  • This role-based access is embedded as a practice into our compliance department, which clears access, and into their processes as well.

  • No key or password based access on AWS cloud resources.

  • Developers use passwordless certificate (+2FA) based SSH logins to critical systems. Only devs who really need access to a system have access to that system.

  • A significant majority of non-tech employee computers also run Linux to reduce the large attack surface of Windows systems.

  • For client accounts, we support real 2FA with app based TOTP (enable in Kite → Account → Password and security).

  • Instant alert for client logins from unfamiliar geographic locations.

  • All client facing apps like Kite, Coin, Console etc. use a single login (SSO) + 2FA.

  • SEBI has official cyber security guidelines that all brokers have to adhere to. Brokers get audited on this.

Being cautious of security and applying whatever common sense security principles are possible is all one can do. In complex, interconnected systems, it could just be one tiny slip-up, technical or a human error (often it is seemingly silly human errors), that opens up Pandora’s box.

To add some perspective, all Intel processors globally became vulnerable pretty much overnight (MELTDOWN, SPECTRE vulnerabilities) in 2018, sending the world into a tizzy. Similarly, the Heartbleed vulnerability (2014) rendered a significant majority of the internet and its security infra (SSL / TLS) vulnerable. Or the Stuxnet malware (2010) that attacked a specific nuclear power plant that was not even connected to the internet, which shows that a powerful actor such as a state can trump even the best of security measures.

Thus, 100% security does not exist, and eternal vigil, technical and otherwise, as a practice, is the best anyone can do. We do whatever we can and are always very cautious.

35 Likes
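The "real 2FA with app based TOTP" item in the list above refers to time-based one-time passwords (RFC 6238), the scheme used by Google Authenticator style apps. As an added example that is not Zerodha's code and says nothing about how Kite implements it, here is a minimal server-side TOTP verifier in Python: HMAC-SHA1 over the 30-second time step, a one-step tolerance window for clock drift, constant-time comparison, and a "last accepted counter" so a code that was already used cannot be replayed. The base32 secret is the RFC 6238 test-vector key, a constructed value and not a real shared secret.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6       # code length used by Google Authenticator style apps

# RFC 6238 Appendix B test key ("12345678901234567890" in ASCII), base32-encoded.
# Constructed test data only, not a real enrolled secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_SECRET = base64.b32decode(TEST_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one user's enrolled TOTP secret.

    window: how many time steps of clock drift to tolerate on each side of "now".
    The verifier remembers the highest counter it has accepted, so a code that
    was already used (or any older one) is rejected. That defeats replay of a
    code captured by a phishing page or by shoulder-surfing within its 30 s life.
    """

    def __init__(self, secret_b32: str, window: int = 1, digits: int = DIGITS):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject malformed input before doing any crypto.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = unix_time // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_counter:
                continue  # already consumed, or older than one that was: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    code = totp(TEST_SECRET, 59)
    print("code at t=59:", code)                      # 287082 (RFC 6238 test vector)
    print("first use accepted:", v.verify(code, 59))  # True
    print("replay rejected:", v.verify(code, 59))     # False
```

The replay check is the part most often left out of home-grown verifiers: without it, a valid code stays usable for the whole tolerance window, so anyone who sees the code in that window can log in as well. Per-user rate limiting on failed attempts is the other check a real deployment needs, since six digits give only a million possibilities.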

Thanks for clarifying all the points, Nithin. I am glad to see that I made the right choice by choosing Zerodha after doing research.

Out of curiosity, is there a preferred Linux distribution?

1 Like

Dr K says, "Ubuntu :slight_smile: ".

Btw check this

3 Likes

Good to know.

That is one of the things I checked while doing research on Zerodha; your CTO’s (Kailash Nadh) profile was the final nail in the coffin (of other brokers) and I immediately signed up for an account after that.

2 Likes

That’s why I love Zerodha. Their response team is so great that even its founder @nithin replies to my queries. I will never change my broker from now on; I will stick to Zerodha till the END. Every other broker is just increasing their market share by spending lots on advertising, which I feel is basically a stupid thing. Rather than spending huge amounts on ads, spend on digital infrastructure and manpower, which is what Zerodha is doing right now. Ultimately, if you give satisfaction to and build trust with your customers, then they will automatically advertise for you, and that’s how you build an ecosystem of good and long-lasting customers. I don’t know why on Twitter everyone just criticizes Zerodha for its customer support, as I haven’t faced a single issue with its customer support. Though the call waiting time is long, you don’t get even a single bit of support from full-time brokers, and I am sure Zerodha will improve this problem within some time. My family members and I migrated to Zerodha in the year 2020, and the experience is amazing; its UI is the world’s best as far as I know. AT LEAST 10 customers have been added by me since 2020 so far :smiley:. Thanks @nithin, Dr K, Nithin Kamath, @siva-reddy, @ShubhS9, @VenuMadhav and the whole Zerodha team.

13 Likes

Yes, response time is more than it used to be… Those who criticize Zerodha are fake accounts from other brokers.

1 Like

One thing that makes someone a good investor or trader is PATIENCE. And I personally feel that every problem needs time to resolve. If you aren’t happy with it, you can’t be happy with some other broker either. It took 2.5 months to transfer my holdings to Zerodha from my old broker. But I saw someone’s post on Twitter that Zerodha transferred his shares within 7 days of application. I am not disregarding the old broker, but the services provided by Zerodha are awesome. And those who criticize Zerodha aren’t fake accounts, but they are paid accounts backed by full-time brokers, as their shops are getting closed as time passes. Every full-time broker’s ads have similar lines, that discount brokers aren’t trustworthy :joy:, and we wonder why India is behind the USA and China.

@nithin, have you considered the possibility of joining the HackerOne bug bounty program for Zerodha? All major tech and finance companies are on such platforms and they help immensely.

We’ve had a successful bounty program running for a while. We’re structuring it and publishing it officially soon. We’ll consider HackerOne after that.

8 Likes

There seems to be a login security flaw. My account is displaying the holdings of some other account. I have been noticing this for the last 4/5 days or so. I have been logging into two accounts from the same laptop, one at a time, after a proper logout each time.

1 Like

In that case, you will probably be seeing the holdings of the other account (1 out of your 2 accounts).

Your user ID will be stored in a ‘cookie’ after you log in, so that it is easy to log in again.

To avoid this, you must clear the ‘Cookies and other site data’ that Zerodha stored on your computer. Alternatively, you can use your browser’s settings to automatically delete cookies and site data when you close the browser.

Probably this is the cause. Also check whether you are entering the correct user ID.
And… have different passwords for both accounts and enable 2FA/TOTP if possible.

Thanks. I will look up the cookies issue. Secondly, I am entering an account number at each login and not taking the automatically displayed page. Thirdly, the PWs for both accounts are the same, but 2FA in one is numeric and in the other account it is via Google Authenticator. Finally, the holdings of one account are shown in the account of the other.

Is your account a “Joint account” ?

1 Like

This seems to be an issue if you are using 2 accounts on the same browser, due to a recent Chrome update. We are looking into it. In the meanwhile, please clear cookies and re-login as @TradeXMaster suggested.

4 Likes

Yes. Also, you can choose to use some other browser.

Not yet, I didn’t know the facility existed :grinning:, but yes, I would like to access more than one account simultaneously on one machine.

Thanks, I have started using another browser for the other account. I just wanted to bring out the issues so that security flaws could be avoided.

1 Like