ImStrong Login with Kite Credentials - Avoid Security Breach Chances

@nithin

Received multiple messages about Zerodha partnering with something called “ImStrong” for offering online Yoga classes.

While such initiatives are welcome, could Zerodha please avoid allowing the authentication of such third-party logins using the standard Kite credentials?

Irrespective of all claims of safety, security and the usual blah blah… there is a high chance that some tricky websites may also start cropping up with a “Login with Kite” logo and SMS messages offering some or other free services disguised as offers by Kite/Zerodha, which will be prone to compromising Kite logins.

Kite is a trading platform, and NOT a social media platform offering authentication like Google OpenId or FB authentication. Let Kite’s credentials remain safe and be used ONLY for Zerodha’s money-matter sites (strictly no-no for third party partner sites).

If need be, please add another separate login-password (which can be made available in profile section) for such third party authentication.

Any thoughts from other Zerodha Customers?

Thanks

10 Likes

I hope you know how login through Kite or login through Google works.
When you log in from Kite to any third party, they don’t get your password and ID. They just get a verification that this user is legit, that’s all.
There is no chance of security breaches.
You must have seen on many sites that they offer sign-in using Google, and after you sign in, Google asks you that this site will get this information.

So don’t worry.

And I hope you have read the message properly. :slight_smile:

That can happen with any site. It’s the responsibility of the user to make sure that the site is genuine.
Users can verify the SSL certificates.
I am sorry if you got offended.
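The delegated-login flow described above (the partner site gets a verification that the user is legit, never the password), as an added toy model written for this page. It is not Zerodha’s or ImStrong’s code and it is not a description of the real Kite Connect API: the class names, the one-time request token, the SHA-256 checksum on the exchange and the sample user record are all assumptions made for illustration.

```python
"""Toy model of a "Login with X" delegated-login flow.

Added example, not code from Zerodha or from the thread. The identity
provider (IdP) stands in for the broker's login page; the relying party
(RP) stands in for a partner site such as a yoga-class app. Token format,
checksum scheme and all names are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed sample user database, held ONLY by the identity provider.
_USERS = {"AB1234": hashlib.sha256(b"correct-horse").hexdigest()}


class IdentityProvider:
    """Holds passwords, authenticates users, issues one-time request tokens."""

    def __init__(self):
        self.apps = {}      # api_key -> api_secret of registered partner apps
        self.pending = {}   # request_token -> (api_key, user_id), single use
        self.sessions = {}  # access_token -> user_id

    def register_app(self, api_key, api_secret):
        self.apps[api_key] = api_secret

    def login(self, api_key, user_id, password):
        """Step 2: the user types credentials on the IdP's OWN page."""
        if api_key not in self.apps:
            raise ValueError("unknown app")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, _USERS.get(user_id, "")):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.pending[token] = (api_key, user_id)
        return token  # the browser carries only this back to the partner

    def exchange(self, api_key, request_token, checksum):
        """Step 3: partner redeems the request token using its own secret."""
        entry = self.pending.pop(request_token, None)  # one-time use
        if entry is None or entry[0] != api_key:
            raise PermissionError("invalid or reused request token")
        material = api_key + request_token + self.apps[api_key]
        expected = hashlib.sha256(material.encode()).hexdigest()
        if not hmac.compare_digest(expected, checksum):
            raise PermissionError("bad checksum")
        access = secrets.token_hex(16)
        self.sessions[access] = entry[1]
        return {"user_id": entry[1], "access_token": access}


class RelyingParty:
    """Partner site. It never receives the user's password."""

    def __init__(self, idp, api_key, api_secret):
        self.idp, self.api_key, self.api_secret = idp, api_key, api_secret
        self.seen = []  # everything the partner ever receives in the flow

    def complete_login(self, request_token):
        self.seen.append(request_token)
        material = self.api_key + request_token + self.api_secret
        checksum = hashlib.sha256(material.encode()).hexdigest()
        result = self.idp.exchange(self.api_key, request_token, checksum)
        self.seen.append(result)
        return result["user_id"]


def replay_is_rejected(rp, request_token):
    """A stolen or replayed request token must not yield a second session."""
    try:
        rp.complete_login(request_token)
    except PermissionError:
        return True
    return False


def demo(password="correct-horse"):
    """Run the whole flow; report whether the partner ever saw the password."""
    idp = IdentityProvider()
    idp.register_app("yoga_app", "s3cret")
    rp = RelyingParty(idp, "yoga_app", "s3cret")
    # Step 1: partner redirects the browser to the IdP; step 2 happens there.
    token = idp.login("yoga_app", "AB1234", password)
    # Step 3: browser returns to the partner with the request token only.
    user = rp.complete_login(token)
    leaked = any(password in str(item) for item in rp.seen)
    return {"user": user, "leaked": leaked, "idp": idp, "rp": rp, "token": token}


if __name__ == "__main__":
    r = demo()
    print("logged in as", r["user"], "| partner saw password:", r["leaked"])
```

The point the model makes explicit is where the password is typed: only the identity provider’s `login` ever handles it, and the partner’s `seen` list holds a token and a user ID, nothing else. That is also why the phishing risk discussed in this thread is about the login page’s address, not about what the partner receives.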

As @rudy17 has pointed out, your account security isn’t compromised, since “Login with Kite” never shares your password or 2FA with the third party.

This is a serious concern but disabling “Login with Kite” will not solve this. A malicious entity can do this no matter what. However, for any authentic site using “Login with Kite”, you’ll see that the User ID, password, and 2FA are only entered on a webpage that has kite.zerodha.com in the URL. Even if you were to go to ImStrong now and click on Login with Kite, you’ll see that to be the case. Our users’ account security is of utmost importance to us, and we’ll never ask you to enter your Kite credentials on any other site.

1 Like
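An added example, not from the post above or from Zerodha, showing why “kite.zerodha.com in the URL” is the weak form of the advice and what the strict check looks like: the host name of the page must be exactly kite.zerodha.com, served over https. Two of the look-alike domains are the ones quoted later in this thread; the remaining sample URLs are constructed for this example.

```python
"""Where is this "Login with Kite" page really hosted?

Added example, not code from Zerodha. Compares a substring test
("kite.zerodha.com appears in the URL") with an exact host-name test.
All sample URLs are constructed; none is a real phishing site.
"""
from urllib.parse import urlsplit

LEGIT_HOST = "kite.zerodha.com"


def substring_check(url):
    """The weak rule as a naive user might apply it."""
    return LEGIT_HOST in url


def host_check(url):
    """The rule that matters: https, and the host name is exactly LEGIT_HOST."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname is lower-cased and strips any user@ prefix and :port.
    host = (parts.hostname or "").rstrip(".")
    return host == LEGIT_HOST


# Constructed samples: URL -> should the user trust it with credentials?
SAMPLES = {
    "https://kite.zerodha.com/connect/login?api_key=xxx": True,
    "https://ktie.zeroda.co/login": False,              # quoted in thread
    "https://www.zrdhakite.com/login": False,           # quoted in thread
    "https://kite.zerodha.com.evil.example/login": False,  # subdomain trick
    "https://evil.example/kite.zerodha.com/login": False,  # path trick
    "https://kite.zerodha.com@evil.example/login": False,  # userinfo trick
    "http://kite.zerodha.com/connect/login": False,        # not https
    "https://kite.zer\u043edha.com/login": False,          # Cyrillic 'o'
}


def misclassified(check):
    """Return the sample URLs that a given check gets wrong."""
    return [url for url, trusted in SAMPLES.items() if check(url) != trusted]


if __name__ == "__main__":
    print("substring check fails on:", misclassified(substring_check))
    print("host check fails on:", misclassified(host_check))
```

The substring rule passes four of the constructed decoys (subdomain, path, userinfo and plain http), while the exact host comparison rejects all of them. In practice the address bar, not a regex, is what a user reads, so the advice worth giving is “the part just before the first slash must read kite.zerodha.com, with the padlock”, rather than “kite.zerodha.com appears somewhere”.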

Well, we can continue to argue about whose responsibility it is,
but the reality is that a loophole for exploitation has been created!

I also offered a proper solution: simply offer a separate login for such third-party content.
Hope the Zerodha admins take note.

1 Like

When something is implemented, it usually becomes a case of justifying it as “perfect” and “no harm” even when a problem is identified.

Yes, it is a fair enough justification that “Zerodha” will never ask, but you never know who else can ask and how many may get trapped.

With Zerodha becoming the largest broker in India, some safety measures are expected to be put in place. Not all users are that attentive and tech savvy to pay heed to “only enter on a webpage that has kite.zerodha.com in the URL”.

The real challenge is that the more such third-party “sessions” are enabled through Kite login, the more users will tend to assume that everything is genuinely Kite-authenticated, even when it may not be. The rest will be taken care of by the social engineers, hackers and spammers. Why keep a loophole open?

The recent case of Zerodha sending an SMS warning about a fishy site pretending to be Kite is proof in itself that Zerodha customers are getting targeted and trapped.

No harm in creating a separate additional login id for third party “yoga sessions” for peaceful trading - let it remain really peaceful. :slight_smile:

It’s money - Better Safe, than Sorry!

Possibly another reply will come still claiming “no harm”, so I can’t continue arguing on this. Hope the message reaches the right people at Zerodha to plug a leak! @nithin

2 Likes

This, unfortunately, is true, and there is no way to cover for this. Even if there is a separate set of credentials, not all people will know about it. Also, when a malicious party tries to steal credentials, they simply pretend to be Kite and not an affiliate. In such cases, if the user doesn’t see the URL, there’s nothing that we can do!

All we can do is educate users and hope they do their part in securing their account. We recently sent out an SMS warning users about a phishing site that was pretending to be Kite and sending out SMS blasts to steal account credentials.

3 Likes

Was any action taken against them?

Yes, of course. We immediately reported the site to the relevant authorities and have had the site taken down.

1 Like

@sseth I get your point. :slight_smile: We don’t just let anybody integrate Kite as login. These are mostly companies where we have an investment as well through https://rainmatter.com/. It might especially seem weird to see this integration with ImStrong, but in the current times we wanted to quickly push out something to help our customers take care of their mind and body.

2 Likes

@nithin - Kite user ID only for transactional business, and give a new user ID and password for view-only, non-transactional partner services.

I think people are not getting what he is trying to say.
It’s not about how safe these websites and services are, or how all these websites are in-house, etc.
The main point is that once Zerodha starts offering such services with “Kite” login, people will soon get accustomed to it. People now know that Zerodha offers such services.
This can be used by fraudsters to their advantage to get people to enter credentials on malicious websites like “ktie.zeroda.co”.
Then everybody will be in trouble.

Better if we keep one account/password as “sacred” and safe, used only for financial services,
while offering other passwords for other initiatives.

3 Likes

That’s negligence on the user’s part. What if you enter your password on faceebook.com or gmaail.com?
Can Google or Facebook avoid this? NO.
That’s why phishing and many more cyber frauds are still happening.

@maddy_Des - You are absolutely correct. Everyone (including @nithin and @Matti) is giving reasons to pass the responsibility to the user and digressing from the main issue.

They are not understanding that the general idea which will get formed is “Many sites are Zerodha partners and use Kite login, so it is OK to use the Kite user ID/password on any site”.

What these people do not want to accept is that Indian people are illiterate when it comes to checking site security, and hackers can easily manipulate them into entering the Kite user ID/password on fake sites.

Better wake up, Zerodha people.

Google or Facebook are not comparable with a broker’s platform.
Secondly, there are people who don’t use FB but have accounts with brokers and are not tech savvy. That is the reason all those documents are required before opening a trading account, while an FB or Google account can be opened instantly without any documents. Therefore, as @sseth mentioned, Kite should only be used for business purposes and another alternative should be provided to users for these apps.

Completely correct.
As I said earlier: Kite user ID only for transactional business, and give a new user ID and password for view-only, non-transactional partner services.

Who wants to enter their banking login ID to attend an online yoga session?

@nithin, listening?

1 Like

Facebook was just an example. Be it any site in this world, duplicates of it can be created any second. That is what I am trying to say. That’s the reason cyber fraud happens every day.

@rudy17 - you leave this matter, you are not understanding the problem.

If some normal Zerodha trader receives an SMS - “Get Rs. 500 cashback on Zerodha brokerage by attending a Zerodha online session. Login with Kite user ID/password on Zerodha partner site www.zrdhakite.com”

Just think how many people will jump into the well because they know the Kite user ID is used on many sites. That is the main problem here.

Hey, I had answered this earlier, right?

We don’t just let anybody integrate Kite as login. These are mostly companies where we have an investment as well through https://rainmatter.com/ . It might especially seem weird to see this integration with ImStrong, but in the current times we wanted to quickly push out something to help our customers take care of their mind and body.