With the rise in cybersecurity incidents, it’s extremely important that you are aware of the risks and possible ways in which accounts can be compromised.
Firstly, any measure from our side is helpful only if the customer doesn’t willingly share account access with others by giving in to the lure of quick and easy money. As we have shared many times, fraudulent actors can create artificial losses in the customer account using penny stocks or illiquid options (read more here). The first, most basic step everyone should take is to enable 2FA on email and social media accounts, set up biometric authorisation on their mobile device, and, most importantly, ensure that login credentials aren’t shared with anyone else.
- All Zerodha accounts have a two-factor authentication (2FA) login. To log in, you need to enter your client ID and the password and then authenticate the login with a 6-digit pin. Users can also enable biometric authentication with either Fingerprint or Face ID on the Kite mobile app.
- As an added layer of security, we introduced a time-based one-time password or TOTP in 2020. TOTP is a temporary OTP that expires every 30 seconds. Users can enable TOTP as their secondary factor (2FA) to replace the 6-digit PIN.
- We send email login alerts whenever there is a login from a different IP address.
- We don’t have relationship managers call our customers for any reason, which makes it hard for anyone to impersonate Zerodha over the phone. We never call users for anything or ask for any account-specific information.
For more about how we ensure the security of Zerodha accounts, see Security practices at Zerodha.
TOTP for trading in penny stocks and illiquid options
From our interactions with the exchanges and our own experience, penny stocks and illiquid options are by far the most commonly used routes to move money out of an account. Here are the checks we have in place to prevent such instances:
- We have mandated TOTP for trading in penny stocks and illiquid options. We identify these based on open interest (OI), active market depth, and trading volumes, looking for contracts where trades could be used to create artificial losses and move money. Exchange regulations require all brokers to make 2FA mandatory starting 30th September.
- For users who opened their account after 2019, selling stocks requires eDIS authorisation: an OTP and TPIN from CDSL. If you opened an account before 2019, here’s how to convert the account.
- We are working on a new risk management tool that will disallow users from placing orders in illiquid option contracts at a much higher price than the theoretical price for buy orders, and vice versa for sell orders. We will share the details soon.
How are accounts typically compromised?
- By far, the most common way that trading accounts are compromised is when users share their login details with others. We’ve seen instances, not just with us but across brokers, where users share their login details with people pretending to be advisors who promise extraordinary returns in a short span of time. Once the user has shared the login details, these fraudsters create artificial losses through illiquid options and penny stocks to move money out of the account.
- Phishing attempts are quite common too. Fake websites that resemble the login pages of brokers are created to capture the login details of users. We’ve long warned against such risks.
- Using email service providers with poor security, like Rediffmail. Such email providers tend to have weak spam filters, allow weak passwords, and have no checks to block suspicious logins, making them vulnerable to hacks. We are stopping all Rediffmail accounts: 80% of all cases we’ve observed where people have lost money involved users with Rediffmail accounts.
There has been some noise about the hacking incidents at Zerodha. Here is some data:
Out of the ~65lk customers who traded with us last year, we have ~100 complaints of fraud. ~80 where login details were shared willingly & ~20 where email was hacked (all Rediffmail IDs). 1/4
— Nithin Kamath (@Nithin0dha) August 2, 2022
A few common sense security best practices
- Never ever share your Zerodha account details with anyone.
- Don’t fall for sales pitches by fraudulent actors promising super high returns in a short span of time by offering to manage your account.
- We never call users asking for any account-specific information. If you get such calls, please ignore them and report them here.
- Ensure that you have TOTP enabled on your Zerodha account as well as your email.
- Stop using email service providers with poor security.
But as we mentioned at the beginning, all these measures are moot if users are not careful about securing their own accounts.