Comment on Updates - August 2014

novicetrader commented on 22 Aug 2014, 11:45 AM

Dear Nitin,

Please don’t get me wrong. I am just trying to help Zerodha improve their system. For me, it is important that Zerodha does well, as my hard-earned money is with them. 🙂 I have a decade+ of software security experience and have at least a dozen open accounts in various banking/NBFC houses. Candidly, nowhere have I found such a poor authentication mechanism (I am talking about the Zerodha back-office). Zerodha trading authentication is good, though.

The very reason for stating this as a huge security flaw –

If you look yourself, there are several client IDs that you would find on Zconnect itself. Human tendency is – only passwords are to be kept secret. How many people would have seen your PAN card photocopy? Please don’t consider PAN details as something secret. PAN details are available almost everywhere, e.g. salary slip, income-tax return, Form 16 and on several banking applications. Don’t you think PAN details for most corporate accounts are in the public domain? Please do a Google search on PAN and check images; you would get the DOB/DOI and PAN number of thousands of entities. PAN details and client ID are constant and they don’t change during the course of life. If one is exposed to a security vulnerability, then do you think he should remain exposed throughout his/her life? That’s weird. There must be an option to reinstate account security, which Zerodha doesn’t have at all.

Well, one can easily place at least a withdrawal request, or change the email ID and mobile number? Hackers and offenders are smarter than a common user, and Zerodha as a service provider must ensure that a common user is not vulnerable to the simplest trick that someone can use to breach the security.

What can be done –

IMO, you can improve this using a very simple change – Currently, your back-office sends an email to the client whenever the password is reset. So, basically, the back-office is alerting the user to check if there is an unauthorized access to his/her account. Instead, your back-office itself should reset the password and send the reset password to the user’s email address. This would ensure that nobody can access the back-office with constant details like Client ID, PAN and DOB. This is the simplest to begin with. You can also introduce a compulsory password change on first access once the password is reset.

I hope you revisit your perspective.

Thanks,
Prashant.

P.S.: My client ID is known only to me and Zerodha. But I still consider my account security extremely vulnerable.
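The two reset flows contrasted in the comment, modelled as an added example (not Zerodha's code, and not from the commenter): in the weak flow, anyone who knows the constant Client ID, PAN and DOB chooses the new password and the owner is only alerted afterwards; in the proposed flow, the server generates a temporary password, delivers it only to the registered email, and forces a change on first login. Account data, the in-memory outbox standing in for the email gateway, and the SHA-256 hashing are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    client_id: str
    pan: str
    dob: str
    email: str
    pw_hash: str
    must_change_password: bool = False

def hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # demo only; use a slow KDF in production

def new_store():
    """Constructed sample data: one account plus an outbox standing in for the email gateway."""
    acct = Account("DZ0001", "ABCDE1234F", "1980-01-01", "owner@example.com", hash_pw("old-secret"))
    return {acct.client_id: acct}, []

def identity_matches(accounts, client_id, pan, dob):
    acct = accounts.get(client_id)
    return acct if acct and acct.pan == pan and acct.dob == dob else None

def reset_weak(accounts, outbox, client_id, pan, dob, chosen_password):
    """Flow the comment criticises: constant details let the caller pick the password; owner is only alerted."""
    acct = identity_matches(accounts, client_id, pan, dob)
    if acct is None:
        return False
    acct.pw_hash = hash_pw(chosen_password)
    outbox.append((acct.email, "Your back-office password was reset"))  # alert after the fact
    return True

def reset_hardened(accounts, outbox, client_id, pan, dob):
    """Proposed flow: server-generated temporary password goes only to the registered email."""
    acct = identity_matches(accounts, client_id, pan, dob)
    if acct is not None:
        temp = secrets.token_urlsafe(12)
        acct.pw_hash = hash_pw(temp)
        acct.must_change_password = True  # forces a change on first login
        outbox.append((acct.email, f"Temporary password: {temp}"))
    return "If the details match, instructions were sent to the registered email"  # same reply either way

def login(accounts, client_id, password):
    acct = accounts.get(client_id)
    if acct is None or not hmac.compare_digest(acct.pw_hash, hash_pw(password)):
        return "denied"
    return "change_password_required" if acct.must_change_password else "ok"

def change_password(accounts, client_id, current, new):
    if login(accounts, client_id, current) == "denied":
        return False
    accounts[client_id].pw_hash = hash_pw(new)
    accounts[client_id].must_change_password = False
    return True
```

The hardened flow still depends on the registered email address being under the owner's control, so changes to that address deserve their own confirmation step.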
