Zerodha should increase awareness about the kill switch feature, which disables a segment for a minimum of 12 hrs. The original intention may have been to help one prevent overtrading, but it can be used to block a segment if hacking is suspected. I suspect that only serious traders who are more technologically sophisticated read the detailed Z-Connect articles where such initiatives as TOTP, Nudge and Kill Switch are explained. In order to spread information about these features to the larger Zerodha audience, video explanations are more impactful.
On another note, I suspect that about 20% of your customers account for the majority of the revenue, mostly F&O traders. Has Zerodha thought about limiting account opening for new customers? They are the ones who have very little knowledge about the entire investing/trading ecosystem, will call customer care more often and not contribute much revenue, while reducing the customer care experience for the profitable clients by increasing the wait time on the call or taking more time to reply to tickets, because support is preoccupied attending to queries from new investors, including investors who complain to Zerodha because they think there is something wrong with the platform or some glitch, whereas the problem is that they are actually at fault, as their understanding of the platform and the different order types is lacking/flawed. Any views?
From the video:
I did not understand how the 2nd hack worked. The password reset email apparently goes to another email? How?
Either an issue at the broker or the email got hacked.
Looking at the below link, we have the option to get access to the account even when you don't have email and mobile access. One only needs to fill in a form and send it by post along with a signature.
Assuming somehow the demat details got leaked, perhaps at the broker or CDSL, or perhaps at your CA's office: a signature is hardly secure, so it seems that can be a way of gaining account access too, and within 1 day apparently.
Is this an issue? Do you at least send some kind of verification to the original email/phone? Still, one can easily miss it with 1 day's notice.
Does TOTP get disabled when someone uses the above form?
Also, I don't understand why perpetrators don't get easily caught here. You have to wait a minimum of 1 day for payout, and the hacker's account will have a bank account too, so KYC is done by both the broker and the bank.
Edit: OK, saw the video end; apparently some got caught. But wow, a promoter selling company shares through hacked accounts...
We already have a process in place for this. It is the same phone number, but the call wait time on that is sub 1 min now.
Btw, we also have a Kill Switch that can be used by customers on their own to disable trading immediately. It wasn't really meant for this purpose, but customers can on their own disable all trading without even having to reach us.
New types of fraud are coming to light. Sometimes even the most technologically savvy person can end up a victim of such frauds. Staying updated with the latest security mechanisms is the key to making sure that you are protected.
Whenever possible, can we get a reply to that from someone from Z? Is there some kind of verification against existing contact details as part of the process when changing mobile/email/bank account via the postal form with only a signature as proof? Ideally we should get both a call and an email, and some reasonable time to respond (if the call is missed), along with checks at your end.
I can see why that might be needed, but it also adds some risk. Some of us have most of our net worth with Z, assuming it to be safe (and very reliable).
From the video, it seems that some people were hacked without giving the OTP away, and another case was mentioned where even the bank account got changed and money taken out.
@nithin Till now people have been sharing their Aadhaar numbers quite freely, until the recent government circular to only share a masked Aadhaar. With the rise of SIM swap fraud in India, even eSign with Aadhaar is not as safe as one may expect. Aadhaar numbers are frequently leaked at various levels. Apple, Microsoft and Google are launching a new secure login method as part of the FIDO Alliance. Check out this link by Apple. This is their implementation of this technology, but other companies will soon follow. Apple Developer Documentation. Apple calls this feature passkey and it will launch in 2-3 months. Also, in the meantime, can Zerodha tie up with some physical security key company to issue security keys? The most popular company in this space is Yubico, which makes the YubiKey security keys. Can Zerodha explore this as a safer way to log in and update data in the future?
As your clients we have only one demand: trust and security. For the same I would like to suggest the following:
Immediate action such as blocking of the transactions/account. Also, some helpline number where an emergency situation like this is attended to quickly, as I personally wait a long time to connect to an executive.
Also, introduce a method where a user registers devices with you; if any transaction order is placed from a device that is not authorised, such orders must be blocked immediately, and an SMS must also be sent to the registered mobile number/s about such a login. For every device registration, the OTP method must be used.
For every login to an account, alerts must be provided from your end through SMS/email.
I don't know how much time you take to change the email ID & mobile number, but I suggest not changing any email ID or phone number within 24 hrs. If such a request is made, alert through SMS/email, so that the user gets an alert of the same.
I personally use the kill switch you introduced and I myself switched off the derivatives section. I suggest you don't switch ON any derivatives section within 24 hrs of the request being made to you. Also send SMS/email every time such a request to switch on/off is made.
Don't change any personal details within 48 hours from the time of request, specifically the bank account. And also send an SMS/email alert for any kind of change request.
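An added illustration of the hold-and-alert flow suggested in the post above (hypothetical Python written for this page, not Zerodha's code): a change to email, phone or bank account is queued behind the 24 h / 48 h windows the post asks for, the existing contact points are alerted and the owner can cancel before it takes effect, and orders are accepted only from devices that were registered through an OTP step. The class names, the fake clock, the hold periods and the OTP check are assumptions; real SMS/email delivery and OTP generation are stubbed out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hold periods taken from the suggestion in the post (assumed policy values).
HOLD_PERIODS = {
    "email": timedelta(hours=24),
    "phone": timedelta(hours=24),
    "bank_account": timedelta(hours=48),
}


class FakeClock:
    """Manual clock so the hold period can be exercised without waiting.
    The start date is a constructed sample value."""

    def __init__(self, start=datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, hours):
        self.t += timedelta(hours=hours)


@dataclass
class PendingChange:
    field_name: str
    new_value: str
    requested_at: datetime
    effective_at: datetime
    cancelled: bool = False
    applied: bool = False


@dataclass
class Account:
    email: str
    phone: str
    bank_account: str
    registered_devices: set = field(default_factory=set)
    pending: list = field(default_factory=list)


class SensitiveChangeService:
    """Queues profile changes behind a cooling-off window and alerts the
    *existing* contact points, so the legitimate owner can cancel a change
    they did not request. Hypothetical design, not Zerodha's process."""

    def __init__(self, now_fn):
        self.now = now_fn      # injectable clock
        self.alerts = []       # stand-in for an SMS/email outbox: (channel, message)

    def _alert(self, account, message):
        # Always notify the contacts on file before any change, never the new ones.
        for channel in ("sms:" + account.phone, "email:" + account.email):
            self.alerts.append((channel, message))

    def request_change(self, account, field_name, new_value):
        if field_name not in HOLD_PERIODS:
            raise ValueError("not a held field: " + field_name)
        now = self.now()
        change = PendingChange(field_name, new_value, now, now + HOLD_PERIODS[field_name])
        account.pending.append(change)
        self._alert(account, f"{field_name} change requested; effective "
                             f"{change.effective_at.isoformat()}. Reply to cancel.")
        return change

    def cancel(self, account, change):
        """Owner cancels a pending change; returns False once it has been applied."""
        if change.applied:
            return False
        change.cancelled = True
        self._alert(account, f"{change.field_name} change cancelled")
        return True

    def apply_due(self, account):
        """Apply changes whose window has elapsed; returns the field names applied."""
        applied = []
        now = self.now()
        for change in account.pending:
            if change.cancelled or change.applied or now < change.effective_at:
                continue
            self._alert(account, f"{change.field_name} change is now in effect")
            setattr(account, change.field_name, change.new_value)
            change.applied = True
            applied.append(change.field_name)
        return applied


class DeviceGate:
    """Orders are accepted only from devices registered through an OTP step;
    an order from an unknown device is blocked and the registered phone is alerted."""

    def __init__(self, verify_otp):
        self.verify_otp = verify_otp  # callable(account, otp) -> bool; delivery is out of scope
        self.alerts = []

    def register_device(self, account, device_id, otp):
        if not self.verify_otp(account, otp):
            return False
        account.registered_devices.add(device_id)
        return True

    def place_order(self, account, device_id, order):
        if device_id not in account.registered_devices:
            self.alerts.append(("sms:" + account.phone,
                                f"order from unregistered device {device_id} blocked"))
            return False
        return True  # hand the order on to the trading system


if __name__ == "__main__":
    clock = FakeClock()
    svc = SensitiveChangeService(clock)
    acct = Account("owner@example.com", "+910000000000", "OLD-ACCT")  # constructed sample
    svc.request_change(acct, "bank_account", "NEW-ACCT")
    clock.advance(48)
    print(svc.apply_due(acct), acct.bank_account, svc.alerts)
```

The point of the design is that the alert on a change request goes to the contacts that exist before the change, and the change itself is only committed by `apply_due` after the window, so a request an attacker makes through a hijacked channel is visible to the owner while it can still be cancelled.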
UIDAI needs to add passphrase verification in addition to the authentication OTP sent to the mobile to thwart misuse of Aadhaar (the attacker then won't be able to control Aadhaar just with a SIM swap).
I know this is not a perfect solution but it might help many... This can be optional; only those who would like to set this passphrase should do it...
Investors need to be prepared to face the different kinds of fraud that take place in the market and find a way to analyse efficiently so as not to fall into trouble. It takes time and experience; keep up with the latest news to avoid losing.