Suggestions to improve zerodha security for users

@nithin Would be great to hear your thoughts on the first 3 points and whether they can be implemented.

If someone is trying to log in to a Zerodha account from a new device or location, then a security prompt should appear on the Zerodha customer's phone on which the app is installed, asking whether he is trying to sign in and letting him approve or deny access, similar to the Gmail prompts.
If a user has TOTP enabled, and if it is mandatory to enter TOTP before transacting in penny or suspicious stocks and illiquid options, then Zerodha should not allow the user to disable TOTP 2FA during market hours. Disabling TOTP should only be allowed after the market closes at 15:30, keeping the window to disable TOTP open till 17:30.

This way, even if the account is hacked, the person will not be able to transact in penny stocks or illiquid options. As soon as TOTP is disabled, the Zerodha client should receive a security message informing him that TOTP has been disabled; if the client was not the one who disabled TOTP, he can reach out to customer care immediately during working hours. But since the markets are closed, the damage to his account will be minimal. Since most clients would not have the commodity and currency segments activated, it should not be a problem.

If a client has not traded in F&O in the last 10 working days, then he should get a prompt asking for TOTP before being allowed to trade, as an added security measure.

If a client has shared his client ID with someone and wants to change it, could Zerodha make it happen? I would imagine that it would require a lot more work at the back end than a simple password change would.

Lastly, one needs to ensure that the email account linked to Zerodha has a strong password. One can check the security settings in Gmail to see all active sessions and logins. One should prefer Gmail and Outlook to other email providers, as these two have better anti-spam filters and phishing-attempt prevention.
Pro Tip: Do not use a 2FA app from the same company as your email provider. If you're using Gmail, then don't use Google Authenticator, and if you're using Outlook mail, then don't use Microsoft Authenticator, because if your email account is compromised, it is easier to get access to the authenticator tokens linked to that account. Better to use a 2FA app from a third party like Authy by Twilio, 2FAS, or Bitwarden 2FA (requires a premium subscription).

Finally, if you are a desktop user, then bookmark the official Zerodha Kite website to the bookmarks bar so that you don't end up googling it and landing on some copycat website that's trying to steal your credentials. If you receive an email that you believe is from Zerodha but are not sure, then check each character of the email address it has come from and match it against any authentic Zerodha mail that you may have received in the past. Otherwise, call the Zerodha helpline if there is any doubt before clicking on any links.

In closing, I really believe that the above mix of suggestions and general advice will go a long way in reducing cybercrime.

1 Like
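The first three suggestions in the post above amount to a small step-up authentication policy. The following is an added illustration written for this thread, not Zerodha's or Kite's code; the 15:30 and 17:30 times and the 10-working-day threshold come from the post, and the working-day count assumes a plain Monday-to-Friday week (a real deployment would consult the exchange holiday calendar).

```python
from datetime import date, datetime, time, timedelta
from typing import Optional

# Policy values taken from the suggestions in the post above
MARKET_CLOSE = time(15, 30)          # TOTP disable window opens at market close
DISABLE_WINDOW_END = time(17, 30)    # and closes two hours later
FNO_DORMANCY_WORKING_DAYS = 10       # re-prompt for TOTP after this many idle working days


def totp_disable_allowed(now: datetime) -> bool:
    """Point 2: disabling TOTP is only accepted between 15:30 and 17:30 local exchange time."""
    return MARKET_CLOSE <= now.time() < DISABLE_WINDOW_END


def working_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days strictly after `start` up to and including `end`.
    Assumption: exchange holidays are not modelled here."""
    count = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def fno_step_up_required(last_fno_trade: Optional[date], today: date) -> bool:
    """Point 3: ask for TOTP again when the client has not traded F&O in the last 10 working days.
    A client with no F&O history at all is always prompted."""
    if last_fno_trade is None:
        return True
    return working_days_between(last_fno_trade, today) > FNO_DORMANCY_WORKING_DAYS


def login_decision(known_devices: set, device_id: str, known_locations: set, location: str) -> str:
    """Point 1: a login from an unseen device or location must be approved on the registered phone.
    Returns "allow" for a familiar device and location, otherwise "push_approval"."""
    if device_id in known_devices and location in known_locations:
        return "allow"
    return "push_approval"   # send an approve/deny prompt to the client's installed app
```

The decision functions return values rather than acting, so the same policy can be unit-tested and audited independently of the login flow that enforces it.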

Very recently, hacking of Zerodha accounts, selling of entire portfolios and trading in penny stocks and F&O has become a buzz on TV channels and social media. Zee Business has taken up the issue very seriously and is continuously holding programmes with the compromised account holders of Zerodha. It's a grave concern. But unfortunately, we don't see any discussions on the issue of security.

Can't complain about it, as TOTP works on a computer algorithm and the characters used in it can be copied to another mobile authenticator and used there as a secondary way to log in to Kite if system A fails; anyone else can also gain access to Kite if they have the password and the TOTP source, as long as time is synchronized. It would be the client's fault, and yet we would judge it as the broker's mistake, simple human nature.

I still trust Zerodha before and even after that incident.

The only thing I hate is Zerodha's charting platform.

1 Like

All the hacking cases we encountered last year involved Rediffmail accounts. We have stopped new users from registering using Rediffmail, and existing users can't get password reset links sent to Rediffmail.

3 Likes

Despite following all the security measures in place, the fraudsters could manage to hack the accounts, as is being claimed by the compromised account holders on Zee Business TV programmes. Even in case of hacking, Zerodha customer service personnel refused to block the account throughout the day, as they claimed. It's really very disappointing and a matter of grave concern. These persons are not at all gullible, unaware persons. Some of them are even software engineers as well as experienced market investors. Even after keeping TOTP activated, the accounts are getting hacked. The precautions repeatedly uttered are very common things for today's online era. So we think that, besides improving security and spreading awareness, Zerodha should keep some mechanisms to spot such cases and immediately block the account. Also, there should be a dedicated channel for reporting this kind of suspicious activity and taking necessary action to stop the damage without any further delay or asking for any written correspondence from the account holder. To verify the credentials of the person reporting, some kind of security questions may be asked.