Mandatory TOTP for illiquid risky contracts
There has been a sudden increase in online phishing frauds in India post the lockdown. Check this post to know more about the phishing scam you could fall prey to when investing in the markets.
The phishing scam
Fraudsters set up phishing (fake) websites that mimic the look and feel of the login pages of the trading platforms offered by large stock brokers. Links to these websites are then sent out to unsuspecting investors via SMS messages, e-mails, and social media, using contact data stolen from various sources.
Investors who click on these links land on fake websites that mimic the login pages of the trading platforms they are used to, where they enter their login credentials (username, password, PIN, and other bits of information). These are captured by the fraudsters, who then use them to log in to the investor’s trading account and execute buy/sell transactions in illiquid scammy penny stocks or illiquid options contracts, generating a loss in the compromised account and a profit in theirs (they are the counterparty to the scam orders). There are also many cases where scammy penny stocks are bought in customer accounts at a high price, shares that cannot be sold on the market as there are no buyers.
As a temporary fix, we had blocked trading by default in all illiquid risky contracts — stocks and options, and allowed trading in them only on specific instruction from the customer through the registered email address. We now have a permanent solution to this.
Mandatory TOTP when trading illiquid risky contracts
As a solution, we could have made it mandatory for all our users to use a mobile or email OTP to log in to Kite. But there is no guarantee that these OTPs are delivered on time. Since we’re in the business of trading, where time is critical, we couldn’t take this chance, and so decided to use TOTP (explained below). Instead of asking for a mobile or email OTP on every login, we have made it mandatory to log in using a TOTP if you want to trade in any risky scrips. We classify a scrip as “risky” if it is illiquid and can be used by fraudsters to create artificial losses in your account.
If you haven’t logged in to Kite using TOTP and are trying to trade in these illiquid risky scrips, such orders will be rejected and the rejection message will ask you to set up TOTP to place the order. Setting up TOTP is a one-time task that adds security to your account. After that, you simply need to log in using this TOTP every day and you will be allowed to place these trades.
What is TOTP?
TOTP stands for “time-based one-time password”. Unlike a traditional OTP that is delivered to you via email or SMS, a TOTP is generated offline by an authenticator app on your phone, from a secret key that is shared with the app once during setup and the current time. Each TOTP is valid only for a short duration (usually 30 seconds), after which the app shows a new one, so a code that is captured or guessed is useless within moments. Read below to learn how to set up TOTP to log in on Kite.
How to setup TOTP?
Important: You will need to log in on Kite web to set up TOTP. Once you set it up, you can log in using this TOTP on web as well as mobile.
You can use apps like Google® Authenticator, Microsoft® Authenticator, or Authy on your mobile phone to generate 6-digit TOTPs for every login. The procedure to set it up is as follows:
- Log into Kite, and click on your client ID on the top right-hand corner of the page and select ‘My Profile’ from the drop-down.
- Click on ‘Password & Security’
- Once you do, click on ‘Enable 2-step TOTP’
- Enter the OTP received on your registered email ID.
- Install Google® Authenticator (or Microsoft® Authenticator or Authy) on your phone. You can find these on the Play Store or the iOS App Store.
- Select ‘Scan a barcode’ under the add account option and click on ‘Begin’.
- Allow access to your phone camera, and scan the QR code shown on the profile page on Kite. Once you scan it, the account will be added to your authenticator app. Alternatively, you can copy the key (available below the QR code) and type it into the authenticator app to add your account manually. Enter the 6-digit TOTP shown in the app on Kite along with your password and click on ‘Enable’.
- Once you click on ‘Enable’ you’ll get a notification confirming the TOTP set up.
- From the next login onward, you will have to enter the TOTP shown on your authenticator app instead of your PIN.
What if you lose your phone or TOTP app?
If you lose your phone or are unable to access your TOTP app for any reason but need to log in to your account, click on the “Forgot password” or “Forgot 2FA” link on the password or TOTP entry page and reset your account by following the steps explained here. This removes TOTP authentication from your account, and you will need to set it up again before you can trade risky illiquid scrips.