Hi Krishna,
The password reset flow that is being used is a robust one, and we haven’t come across cases where someone has lost access to their account because the flow is simple. PAN number, email ID, and mobile number are personal to a certain individual, and the chances of a third party having access to all of these or any of these are very low. We also send an email and a mobile app push notification to alert the user of a password change.
The money and securities can only be moved to the user’s bank account and Demat account, respectively, and can’t be moved to any fraudster’s account.
Further,
Having said that, we’ll certainly look into what can be done better here, but as of now, this is a robust process that has stood the test of time.