Security Measures

As I have seen, almost all demat hacking is done when the email is compromised. Can I request Zerodha not to send email and OTP for password reset to my email? I only want OTPs on my mobile number, not on email. Will Zerodha help me in this case?

@nithin, your response is needed, sir. I also want to tag all the @moderators.


Hi @Prabhaji

I would like to bring to your kind attention a few security measures that are already in place.

We send a push notification and an email notification when someone tries to log in from a new location or a new device, after the first factor is entered and before the second factor is entered.

Further, in case of a password reset, the flow currently requires the user to enter his PAN (which only the user knows) and the User ID to trigger the account reset OTP. This flow ensures that the attacker has to know the user's PAN and User ID to request the OTP. There is also an account block feature that we have introduced, which lets the user get his account blocked within 15 minutes. I have explained it in detail here.

While it's true that a few cases of account hacks have happened in the past due to email compromise, we have taken a few measures in this regard as well. If an email service provider doesn't mandate 2FA, we have stopped linking such email IDs with Zerodha trading accounts (e.g. Rediffmail). We have also added a nudge for users to change the email ID linked to Kite.

Coming to the specific request of sending OTPs only to the mobile phone and not to email: we did an analysis in this regard, and people mostly used email OTPs more than mobile OTPs. The counter-argument here is that if we send the OTP only to mobile and the mobile device is lost, then the user cannot reset his password :slight_smile: There is also the issue of SMS being compromised over the telephone network. Hence it would inconvenience a large chunk of users without really adding security.

It’s a good thing to enable 2FA on your email to prevent any of this in the first place.

Hope this addresses your concern.


You also have an option to reset the password, "I don't know user ID", and with it the password can easily be reset without knowing the User ID, only with the PAN.

Can you please explain this?

I am asking this for myself. Is it possible to request Zerodha not to send OTPs to email?

PAN (which is known only to the user) is still needed.

As I said in my previous reply, if someone has an email service provider whose security measures are weak, we nudge the user on the order window to switch email service providers.

Adding to what has been said in the previous post, we have seen the number of fraud cases drop drastically after the mandatory 2FA implementation. Most of the account block requests that we see today are cases of mobile loss, and hence sending only mobile OTPs isn't possible.

Let me get back to you on giving the user an option to opt out of email OTP after discussing this internally.


Yes please, I will be very thankful to you if you enable this feature. It will be a great help for many investors.

Suppose I have sent emails with my personal information like PAN and other details to my parents and brother. If my email gets hacked, the hacker can easily get my PAN, right? So please make it possible to opt for getting OTPs only on mobile. I will feel more comfortable and secure getting OTPs only on my mobile number.

The best option for you is not to secure the Zerodha account, but to secure your email account properly.

You can make it 10 times harder for someone to hack your email by enabling 2FA in Gmail.


Thanks for your suggestion. But personally I feel it's better to secure my demat account. And yes, emails are getting compromised even after enabling 2FA.

I would also be happy if you make it possible. The only thing restricting me from investing more is this email fraud thing. Please enable the option to opt out of email OTP. It will be more secure to have only the mobile OTP option. Yes, 2FA is good but not that secure. I am saying this after watching a lot of videos; many YouTubers are getting hacked because their emails are compromised even though they had already enabled 2FA.

And yes, Zerodha will be appreciated if you enable this option. Please make it possible to opt out of and enable email OTP whenever we want. @nithin, tagging you with the hope that you will understand our fear and make trading and investing more secure.


Hi @VenuMadhav sir,

Can you please consider this request and help us against fraudulent activities :pray:

While I check internally on the possibility of giving an option to opt out of email OTP, I just wanted to clarify that 2FA algorithms such as TOTP are highly secure and can only be bypassed by social engineering.

Thanks :pray:

I just don’t want any risk sir :pray:

No one without your device can hack it if you enable this.

I am talking about the gmail 2FA :+1: @TitanTrader

Any update on this, Sir @Shravan_B_K?

Email today is way more secure than SMS. From Google AI:

SMS one-time passwords (OTPs) are not safe because they are vulnerable to a variety of attacks, including:

  • SIM swapping

Attackers can trick the user’s mobile carrier into issuing a new SIM card, giving them access to the user’s phone number and OTPs.

  • Man-in-the-middle (MITM) attacks

Attackers can intercept OTPs using malware or vulnerabilities in the SS7 protocol.

  • Social engineering

Attackers can use social engineering to bypass SMS OTP systems.

  • Replay attacks

If an OTP isn’t invalidated after first use, it can be used again in a replay attack.

  • No end-to-end encryption

SMS messages are not encrypted, so they can be intercepted at various points.

  • Delivery failures

SMS delivery is dependent on mobile network reliability, which can vary by location.

Some alternatives to SMS OTPs include:

  • Multi-factor authentication (MFA)
  • Software authentication, which requires authentication via a mobile app like Microsoft Authenticator or Google Authenticator
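Two points in this thread can be made concrete in code: the earlier reply's statement that TOTP is bypassable only by social engineering (the code depends on a secret held on the device, not on any message in transit), and the "replay attack" bullet above (a delivered SMS/email code must be invalidated on first use). The block below is an added example written for this page; it is not Zerodha's code and does not describe Kite's actual implementation. The RFC 4226/6238 arithmetic is standard; everything else (the `OtpStore` class, the `USERS` table, the `ZX1234` User ID and the PAN value, the 300-second lifetime and 5-attempt cap, and the `request_reset` gate modelled on the "User ID + PAN before OTP" flow described in the thread) is a constructed assumption for illustration.

```python
"""Hypothetical OTP service modelled on the reset flow described in the thread.

Added example, not Zerodha's code. It shows two things the thread argues about:
  * a TOTP (RFC 6238) check, which depends only on a secret held on the device, and
  * a delivered (SMS/email) OTP that is gated on User ID + PAN, expires, is
    attempt-limited, and is invalidated on first use so a replay fails.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock skew)."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + skew), code):
            return True
    return False


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class OtpStore:
    """Delivered OTPs: hashed at rest, time-limited, attempt-limited, single-use."""

    def __init__(self, ttl: int = 300, max_attempts: int = 5) -> None:
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending: Dict[str, List] = {}  # user_id -> [code_hash, expires_at, attempts]

    def issue(self, user_id: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"  # 6 digits from a CSPRNG
        self._pending[user_id] = [_hash(code), now + self.ttl, 0]
        return code  # handed to the SMS/email sender; only its hash is kept

    def verify(self, user_id: str, code: str, now: int) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing pending: already used, expired or never issued
        if now > entry[1]:
            del self._pending[user_id]  # expired
            return False
        entry[2] += 1
        if entry[2] > self.max_attempts:
            del self._pending[user_id]  # too many guesses: discard the code
            return False
        ok = hmac.compare_digest(entry[0], _hash(code))
        if ok:
            del self._pending[user_id]  # single use: a replayed code fails
        return ok


# Constructed sample data (assumption): user_id -> PAN hash. PAN is the knowledge factor.
USERS = {"ZX1234": _hash("ABCDE1234F")}


def request_reset(store: OtpStore, user_id: str, pan: str, now: int) -> Optional[str]:
    """Issue a reset OTP only when both User ID and PAN match (hypothetical gate)."""
    expected = USERS.get(user_id)
    if expected is None or not hmac.compare_digest(expected, _hash(pan)):
        return None  # do not reveal which of the two was wrong
    return store.issue(user_id, now)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"): 6-digit code at T=59.
    seed = b"12345678901234567890"
    print("TOTP at T=59:", totp(seed, 59))
    store = OtpStore()
    code = request_reset(store, "ZX1234", "ABCDE1234F", now=1000)
    print("first use accepted:", store.verify("ZX1234", code, now=1010))
    print("replay accepted:", store.verify("ZX1234", code, now=1020))
```

The TOTP side needs no delivery channel at all, which is why a compromised mailbox or a SIM swap does not help against it; the delivered-OTP side shows the minimum a server has to do so that intercepting one code (the SS7 and MITM bullets above) buys an attacker only a single, short-lived attempt rather than a reusable credential.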

Thanks for your suggestions. But my query is different.