As I have seen, almost all demat hacking is done when the email is compromised. Can I request Zerodha to not send emails and OTPs for password reset to my email? I only want OTPs on my mobile number, not on email. Will Zerodha help me in this case?
@nithin, your response is needed, please, sir. I also want to tag all the @moderators.
I would like to bring to your kind attention a few security measures that are already in place.
We send a push notification and an email notification when someone tries to log in from a new location or a new device, after the first factor is entered and before the second factor is entered.
Further, in case of a password reset, the flow currently needs the user to enter his PAN (which only the user knows) and the User ID to trigger the account reset OTP. This ensures that an attacker has to know the user's PAN and User ID to request the OTP. There is also an account block feature that we have introduced that lets the user get his account blocked within 15 minutes. I have explained it in detail here.
While it's true that a few cases of account hacking have happened in the past due to email compromise, we have taken a few measures in this regard as well. If an email service provider doesn't have 2FA mandated, we have stopped linking such email IDs with Zerodha trading accounts (e.g. Rediffmail). We have also added a nudge for users to change the email ID linked to Kite.
Coming to the specific request of not sending OTPs to email and only to the mobile phone: we did do an analysis in this regard, and people mostly used email OTPs more than mobile OTPs. Also, the counter-argument here is that if we send the OTP only to mobile and the mobile device is lost, then the user cannot reset his password. There is also the issue of SMS being compromised over the telephone network. Hence it would inconvenience a large chunk of users without really adding security.
It’s a good thing to enable 2FA on your email to prevent any of this in the first place.
PAN (which is known only to the user) is still needed.
As I said in my previous reply, if someone has an email service provider whose security measures are weak, we nudge the user on the order window to switch email service providers.
Adding to what has been said in the previous post, we have seen that the number of fraud cases dropped drastically after the mandatory 2FA implementation. Most of the account block requests that we see today are cases of mobile loss, and hence sending only mobile OTPs isn't possible.
Let me come back to you on giving the user an option to opt out of email OTP after discussing this internally.
Suppose I have sent emails with my personal information like PAN and other details to my parents and brother. If my email gets hacked, then the hacker can easily get my PAN, right? So please make it possible to opt for getting OTPs only on mobile. I will feel more comfortable and secure getting OTPs only on my mobile number.
Thanks for your suggestion. But personally I feel it's better to secure my demat account. And yes, emails are also getting compromised even after enabling 2FA.
I am also happy if you make it possible. The only thing restricting me from investing more is these email fraud things. Please enable the option to opt out of email OTP. It will be more secure to have only the mobile OTP option. Yes, 2FA is good but not that secure. I am saying this after watching a lot of videos; many YouTubers are getting hacked because their emails are compromised even though they had already enabled 2FA.
And yes, Zerodha will be appreciated if you enable this option. Please provide the facility to opt out of and enable email OTP whenever we want. @nithin, tagging you with the hope that you will understand our fear and make it possible to make trading and investing more secure.
While I check internally on the possibility of giving an option to opt out of email OTP, I just wanted to clarify that 2FA algorithms such as TOTP are highly secure and can only be bypassed by social engineering.
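To make the TOTP point above concrete, here is an added example (not Zerodha's or Kite's code, and not from any poster in this thread) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python with the published RFC 6238 test secret. The verifier accepts one 30-second step of clock skew either side, compares in constant time, and rejects any code at or below the last counter already accepted, so a code that leaked from an earlier email or SMS cannot be replayed; the `window`, `step` and `last_counter` parameters are this example's own assumptions, not a description of any vendor's implementation.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only for the demo vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamic truncation, decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros: "07081804" is a valid code


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, *,
                last_counter: int = -1, window: int = 1, step: int = 30, digits: int = 6):
    """Return the counter that matched, or None.

    Accepts the current step and `window` steps either side (clock skew), compares in
    constant time, and refuses any counter <= last_counter so an already-used or older
    code cannot be replayed. The caller persists the returned counter as the new last_counter.
    """
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def demo() -> dict:
    """Walk through the properties: fresh code accepted, replay refused, stale code refused."""
    now = 1_000_000_000                     # constructed timestamp for a deterministic run
    code = totp(RFC6238_SECRET, now)
    first = verify_totp(RFC6238_SECRET, code, now)                       # accepted
    replay = verify_totp(RFC6238_SECRET, code, now + 5, last_counter=first)  # same code again: refused
    stale = verify_totp(RFC6238_SECRET, code, now + 120)                 # 4 steps later: outside window
    return {"code": code, "first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print("RFC 6238 vector T=59 ->", totp(RFC6238_SECRET, 59, digits=8))   # 94287082
    print(demo())
    print("live 6-digit code:", totp(RFC6238_SECRET, int(time.time())))
```

The two protections worth copying are the constant-time comparison (a naive `==` on the code string leaks timing) and the persisted `last_counter`, which is what turns "the attacker saw one OTP" into "the attacker must be present inside the same 30-second window", which is exactly the social-engineering case the reply above refers to.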