The most common stock market frauds

With the rise in cybersecurity incidents, it’s extremely important that you are aware of the risks and possible ways in which accounts can be compromised.

Here are some common stock market frauds, features of your Zerodha account to protect you, and what you can do to protect yourself.

2 Likes

Zerodha should increase awareness about the kill switch feature, which disables a segment for a minimum of 12 hrs. The original intention may have been to help oneself prevent over-trading, but it can be used to block a segment if hacking is suspected. I suspect that only serious traders who are more technologically sophisticated read the detailed Z-Connect articles where such initiatives as TOTP, NUDGE and KILL SWITCH are explained. In order to spread info about these features to the larger Zerodha audience, video explanations are more impactful.

On another note, I suspect that about 20% of your customers account for the majority of the revenue, mostly F&O traders. Has Zerodha thought about limiting account opening to new customers, as they are the ones who have very little knowledge about the entire investing/trading ecosystem, will call customer care more often and not contribute much revenue, while reducing the customer care experience for the profitable clients by increasing the wait time on the call or taking more time to reply to tickets because they are preoccupied attending to queries from new investors, including investors who complain to Zerodha because they think there is something wrong with the platform or some glitch, whereas the problem is that they are actually at fault, as their understanding of the platform and the different order types is lacking/flawed? Any views?

1 Like

Operation Demat Daka : Zee Business Special Investigation to protect your Demat Account From Fraud

2 Likes

This is really scary. SEBI needs to take quick action against these types of activities. Otherwise people will start losing trust in the stock market.

1 Like

Maybe it's their plan all along; JK

From the video -
I did not understand how the 2nd hack worked. The password reset email apparently goes to another email? How?
Either an issue at the broker, or the email got hacked.

@ShubhS9
Looking at the link below, we have the option to get access to the account even when you don't have email and mobile access. You only need to fill a form and send it by post along with a signature.

Assuming somehow the demat details got leaked, perhaps at the broker or CDSL, or perhaps say at your CA's office, a signature is hardly secure, so it seems that can be a way of gaining account access too - that too within 1 day, apparently.
Is this an issue? Do you at least send some kind of verification to the original email/phone? One can still easily miss it with 1 day's notice.
Does TOTP get disabled when someone uses the above form?


Also, I don't understand why the perpetrators don't get easily caught here. You have to wait a minimum of 1 day for payout, and the hacker's account will have a bank account too, so KYC is done by both the broker and the bank.
Edit - OK, saw the end of the video; apparently some got caught. But wow, a promoter selling company shares through hacked accounts…

1 Like

Poor guys were dilly-dallied by customer care, even as they were being looted.

@nithin you may need a separate helpline for such distress calls - even if it’s automated. Something that will cease all trading in the account immediately.

We already have a process in place for this. It is the same phone number, but the call wait time on that is sub 1 min now.

Btw, we also have a Kill Switch that can be used by customers on their own to disable trading immediately. It wasn't really meant for this purpose, but customers can on their own disable all trading without even having to reach us.

4 Likes

It is useful. But it appears these hackers also change password and the customers were unable to access their accounts.

1 Like

New types of frauds are coming to light. Sometimes, even the most technologically savvy person can end up a victim of such frauds. Being updated with the latest security mechanics is the key to making sure that you are protected.

1 Like

What, this sounds serious? Can we really just change the account password just like that?

Can someone confirm this?

1 Like

Also,

NSE knows who bought/sold the illiquid options and made a profit, right? So can't NSE help the police catch the criminals?

Also, what is the Zerodha fraud hotline number?

1 Like

@ShubhS9
@nithin

Whenever possible, can we get a reply to that from someone from Z? Is there some kind of verification against existing contact details as part of the process when changing mobile/email/bank account via the postal form with only a signature as proof? Ideally we should get both a call and an email, and some reasonable time to respond (if the call is missed), along with checks at your end.
I can see why that might be needed, but it also adds some risk. Some of us have most of our net worth with Z, assuming it to be safe (and very reliable).

From the video, it seems that some people were hacked without giving an OTP away, and another case was mentioned where even the bank account got changed and money was taken out.

We mandate an eSign (using Aadhaar) for any change of information.

Waiting for a confirmation from the customer is going to slow down the process. Let me speak to our team about it to see if there is any way to do this.

2 Likes

@nithin Till now people have been sharing their Aadhaar numbers quite freely, until the recent government circular to only share a masked Aadhaar. With the rise of SIM swap fraud in India, even eSign with Aadhaar is not as safe as one may expect. Aadhaar numbers are frequently leaked at various levels. Apple, Microsoft and Google are launching a new secure login method as part of the FIDO Alliance. Check out this link by Apple. This is their implementation of this technology, but other companies will soon follow.
Apple Developer Documentation. Apple calls this feature passkey and it will launch in 2-3 months. Also, in the meantime, can Zerodha tie up with some physical security key company to issue security keys? The most popular company in this space is Yubico, which makes the YubiKey security keys. Can Zerodha explore this as a safer way to log in and update data in the future?

1 Like

Ah, physical security keys are going to be a challenge. But let me speak to our team. If you set up 2FA on your TOTP app, that will be as secure as possible, isn’t it?

4 Likes

This is good enough for me if this is applied for offline change of info too. If a customer loses his mobile, he can get the SIM replaced and then get the Aadhaar OTP.

So as long as my mobile no. and email are secure, there is no backdoor way of changing these via the offline method below.

Beyond that, you guys would know better how to manage this. I only suggested it assuming a signature was the only proof required to change details in the offline method below. Thanks

1 Like

As your clients, we have only one demand: trust and security. For the same, I would like to suggest the following:

  1. Immediate action, such as blocking the transactions/account. There should also be some helpline number where emergency situations like this are attended to quickly, as I personally wait a long time to connect to an executive.

  2. Also, introduce a method where a user registers devices with you; if any transaction/order is placed from a non-authorised device, such orders must be blocked immediately, and an SMS must be sent to the registered mobile number/s about such a login. For every device registration, the OTP method must be used.

  3. For every login to an account, alerts must be provided from your end through SMS/email.

  4. I don't know how much time you take to change the email ID & mobile number, but I suggest you don't change any email ID or phone number before 24 hrs. If such a request is made, alert through SMS/email so that the user gets an alert of the same.

  5. I personally use the kill switch you introduced, and I have switched off the derivatives section myself. I suggest you don't switch ON any derivatives section before 24 hrs of the request being made to you. Also send an SMS/email every time such a request is changed on/off.

  6. Don't change any personal details before 48 hours from the time of request, specifically the bank account. And also send an SMS/email alert of any kind of change request.

1 Like

UIDAI needs to add passphrase verification in addition to the authentication OTP sent to the mobile to thwart misuse of Aadhaar (the attacker then won't be able to control Aadhaar just with a SIM swap).
I know this is not a perfect solution, but it might help many… This can be optional; only those who would like to set this passphrase should do it…

Investors need to be prepared to face the different kinds of fraud that take place in the market and find a way to analyse them efficiently so as not to fall into trouble. It takes time and experience; keep up with the latest news to avoid losing.