Hacking of Trading Accounts: Standard Operating Procedures at All Intermediaries Needed Right Now
It is over two weeks since Zee Business channel’s investigative report titled “Operation Demat Daka” sent a chill down the spine of investors. Managing editor Anil Singhvi aired conversations and clippings over several episodes to show how the trading accounts of a few investors had been hacked to insert trades that left the clients with significant losses, while the profits were transferred out to another account. The good news is that the problem appears to be contained: only 20 accounts with Zerodha were hacked between 7th April and 1st July 2022. But the investigation threw up several fault-lines in how the regulator, the exchanges and the broker handled the hacking.
 
Nithin Kamath, founder and chief executive officer (CEO) of Zerodha, India’s largest brokerage firm, in a series of tweets on 2nd August (after the Demat Daka investigation was aired), said the hackers possibly exploited some vulnerability in Rediffmail and that Zerodha has repeatedly notified clients to switch to an alternative email client. “We blocked Rediff IDs on trading accounts a while ago… We also now don't send password resets to Rediff email Ids," said Mr Kamath in a tweet. 
 
The fraud is indeed minuscule. To put it in perspective, Mr Kamath tweeted, “Zerodha has over 65 lakh customers, of which there were 100 complaints of fraud last year. In most cases, investors had shared log-in credentials with someone while 20 were the affected Rediffmail accounts.”
 
We recognise that Zerodha has been an amazing disrupter in the broking space and that its growth is entirely based on using its tech-prowess in the service of its customers, its ability to anticipate investors’ needs and to make trading seamless and easy, right down to the calculation of capital gains taxes and all the reports needed for tax-filing. This time, too, after some initial mishandling, once it was clear that there had been a hack, it has been supportive and proactive.
 
This episode is a wake-up call and exposes how unprepared the regulatory system is for dealing with account hacks. The default attitude is that the investor is always wrong. It starts with the Securities and Exchange Board of India (SEBI) acting like a post-office when complaints are filed with its online system SCORES. Before explaining why the regulator needs to issue standard operating procedures (SOPs) to ensure coordination between exchanges, clearing corporations and depositories, and to mitigate the hardship faced by victims, let us first understand what happened in a couple of cases.
 
The Hack
Ranjit D’souza discovered a problem when trying to log into his account on 13th May. Although he changed his password using the ‘forgot password’ option and an OTP (one-time password), he was logged out of his account again as soon as the market opened. He saw that the hacker had systematically liquidated his overnight derivatives position, and that his long-term holdings were also being sold to fund fresh derivatives trades. Each time Ranjit changed his password, the fraudster was able to reset it again and continue trading. A new password that keeps getting undone within minutes is consistent with the reset channel itself (here, the registered email address) being in the attacker’s hands, which is also why changing the password alone could not lock the intruder out.
 
When he could finally connect to the broker’s helpline, the official initially insisted that he was conducting the trades himself. Instead of blocking his account, as requested, he was asked to download a two-factor authenticator app that generates a dynamic PIN. Finally, Ranjit was logged out of his account by the fraudster even as he was speaking to the Zerodha supervisor, which confirmed the hack. His account was then blocked, but he had incurred a loss of nearly Rs2.5 lakh (including on the overnight positions) and a mark-to-market loss on seven long-term shareholdings. Rajesh Talekar, a salaried employee, lost Rs14 lakh to the fraud on 1st June and faced similar hardship in establishing the fraud and dealing with it.
 
On the positive side, in two cases, the counterparty (presumably connected with the fraudster) had Zerodha accounts and the broker was able to block the settlement within a day of the complaint being lodged. It also asked the NSE Clearing Corporation on the very same day to withhold the payment. The Clearing Corporation insisted on a written communication from the cyber-crime cell to withhold payment, so Zerodha says it guided the investor on filing a cyber-crime complaint and helped to have such a communication generated. Copies of these were shared with Moneylife.
 
In both cases, the victims faced a harrowing time with the processes. While Zerodha certainly helped with IP addresses, logs and procedures, they spent long hours at the police station over several days, even explaining trading terms and processes to the police.
 
Ranjit and Rajesh initially filed complaints with SEBI’s SCORES, which simply forwarded the matter to the National Stock Exchange’s (NSE’s) grievance redress committee (GRC). They hit another wall because GRC only asked them to lodge a complaint with the cyber-crime cell of the Mumbai police and said that they can only get a refund from blocked counterparty accounts once the investigation is complete and the police issue instructions to refund their losses.
 
In an environment where millions of trades running into crores of rupees can be executed in microseconds, one can only imagine the chaos if this slow process were to be followed in a bigger hacking incident where the size of the fraud or the number of victims is much larger. The need to learn from this incident is obvious.
 
One investor told Zee Business that his account was not blocked until 1.5 hours after he asked for it. Another said that he changed his password five times (while waiting for the block request to be acted on), but the hacker changed it back immediately each time and continued to make fraudulent transactions in his account. Unlike credit card companies, brokerage firms do not have systems in place for urgent verification and blocking of accounts. So victims of the fraud were asked to send an email from their registered ID to seek a block, which is the very channel that appears to have been compromised in these cases.
 
When Ranjit and Rajesh reached out to Moneylife on 4th August, Zerodha, in a positive gesture, offered to refund the losses arising out of the fraudulent trades until the investigation launched by the Mumbai police’s cyber-crime cell is completed and the money blocked in counterparty accounts is allowed to be released. 
 
The Way Forward
Nithin Kamath has tweeted that the firm has introduced a ‘kill switch’ that allows an investor to temporarily disable a particular trading segment without having to call the broker’s helpline. This is a good move, but it is unclear whether a hacker who already controls the login can simply switch it back on, just as the password changes were overridden in the present hack. Also, regulatory directives may still be needed to ensure coordination and communication between the broker, the clearing corporation and the depository if counterparty funds are to be blocked. In fact, because shares as well as funds are fully traceable, a trading account is far harder to hack and profit from, which is why the first instinct is to suspect the investor of carelessness.
 
Zerodha also wants investors to use a TOTP (time-based one-time password), which it regards as infallible; but, according to one of the victims, it did not work in his case. No second factor is infallible: a TOTP seed enrolled on an already-compromised device, or a code phished from the user in real time, gives the attacker a valid code within its 30-second window. SEBI or the exchanges need to verify the victim’s claim independently.
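The mechanics behind the two complaints above (a password reset that the attacker keeps undoing, and the broker's reliance on the registered email for both resets and block requests) are easier to see in code. The model below is an added example written for this page, not Zerodha's code or a description of its actual flow: the account store, the `example.net` client, the blocked-domain list (modelled on the tweet that resets are no longer sent to Rediff IDs) and the rule that a reset must carry a TOTP code once one is enrolled are all assumptions. It generalises the point slightly by also revoking every live session on each password change, which is what stops an intruder from simply staying logged in. TOTP is implemented from RFC 6238 with the standard library only.

```python
"""Toy account-recovery model: why mailbox-only password resets let an
attacker keep retaking an account, and how gating resets on TOTP plus
revoking sessions on every password change breaks that loop.
Added example, not Zerodha's code; domain list, names and data are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed policy, modelled on the article's "no resets to Rediff IDs".
BLOCKED_RESET_DOMAINS = {"rediffmail.com"}


def totp_code(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) using only the standard library."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email, password, totp_secret=None):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _pw_hash(password, self.salt)
        self.totp_secret = totp_secret      # None until the client enrols TOTP
        self.sessions = set()               # live session ids

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _pw_hash(password, self.salt))

    def check_totp(self, code, at=None):
        if not self.totp_secret:
            return True                     # factor not enrolled, nothing to check
        return hmac.compare_digest(totp_code(self.totp_secret, at), code or "")

    def set_password(self, password):
        self.pw_hash = _pw_hash(password, self.salt)
        self.sessions.clear()               # every password change kills all sessions


class Broker:
    def __init__(self):
        self.accounts = {}
        self.reset_tokens = {}              # one-time token -> email

    def register(self, acct):
        self.accounts[acct.email] = acct

    def request_reset(self, email):
        """Token that would be e-mailed, or None when policy refuses the mailbox."""
        domain = email.rsplit("@", 1)[-1].lower()
        if email not in self.accounts or domain in BLOCKED_RESET_DOMAINS:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return token

    def reset_password(self, token, new_password, totp=None, at=None):
        email = self.reset_tokens.pop(token, None)   # single use
        if email is None:
            return False
        acct = self.accounts[email]
        if not acct.check_totp(totp, at):            # the mailbox alone is not enough
            return False
        acct.set_password(new_password)
        return True

    def login(self, email, password, totp=None, at=None):
        acct = self.accounts.get(email)
        if acct is None or not acct.check_password(password) or not acct.check_totp(totp, at):
            return None
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def session_alive(self, email, sid):
        return sid in self.accounts[email].sessions


def mailbox_takeover(totp_enrolled):
    """Attacker who reads the client's mailbox vs. a client using 'forgot password'."""
    broker = Broker()
    secret = "JBSWY3DPEHPK3PXP" if totp_enrolled else None
    victim = Account("client@example.net", "Correct-Horse-1", secret)   # constructed
    broker.register(victim)
    now = int(time.time())
    # 1. attacker triggers a reset; the token lands in the mailbox they control
    first = broker.reset_password(broker.request_reset(victim.email), "attacker-pw-1")
    attacker_sid = broker.login(victim.email, "attacker-pw-1")
    # 2. client notices and resets, supplying their own TOTP code if enrolled
    own_code = totp_code(secret, now) if secret else None
    broker.reset_password(broker.request_reset(victim.email), "Client-New-2", own_code, now)
    old_session_alive = attacker_sid is not None and broker.session_alive(victim.email, attacker_sid)
    # 3. attacker simply runs the reset again from the same mailbox
    retaken = broker.reset_password(broker.request_reset(victim.email), "attacker-pw-2")
    return {"first_takeover": first, "old_session_alive": old_session_alive, "retaken": retaken}


if __name__ == "__main__":
    print("no TOTP :", mailbox_takeover(False))   # attacker wins twice; session revoked in between
    print("TOTP    :", mailbox_takeover(True))    # both takeovers fail
```

Without TOTP the client's reset does evict the attacker's session, but the attacker wins the next round because the mailbox still delivers a fresh reset token; this is the loop the victims describe. With TOTP enrolled, neither reset succeeds, which is the property to check for rather than assuming the factor is "infallible": it holds only while the seed and the device it lives on remain out of the attacker's reach.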
 
We need a root-cause analysis of what went wrong this time. Rediffmail, in its communication to investors, has refuted Zerodha’s view about the source of the vulnerability. SEBI needs to evolve a process to decide what is a case of hacking as against investor negligence, without making it extremely onerous for victims.
 
Finally, this hacking episode, however small, proves that even the best of systems is vulnerable and that investors, as victims, have the right to a proper grievance redress framework. Rajesh’s experience was that the NSE is not even clear about how the blocked transactions would be settled, even after the cyber-crime cell submits an investigation report. This too needs to be part of SEBI’s SOPs without waiting for a bigger problem to occur. 
 
That the hack happened at Zerodha is surprising because it does have robust systems and is constantly working on improvements to protect investors, including nudging them towards less risky trading behaviour. Unlike other top brokerage firms, it does not call investors to offer trading or investment advice or wealth management services. This eliminates the possibility (rampant with other big-name brokers) of ‘relationship’ managers misleading or compromising clients or illegally obtaining their trading credentials.
 
If it can happen in Zerodha, this may not be the first incident of fraudulent hacking and others may have been hushed up or are languishing with the police. It is all the more reason why SEBI’s SCORES needs to stop acting like a post-office and SEBI urgently needs to put in place SOPs to identify, investigate and limit the damage of fraud by hacking investor accounts.
 
 
Comments
sunilbansal27007
3 months ago
To stop this: 1) kindly transfer funds to the bank account first after any transaction; 2) enable the user to set only 2 or 3 IP addresses from which trading can be done, so that from any other IP address trading will not be done; 3) different OTPs for email and mobile; 4) segment activation, like derivatives or commodity, should happen only after 24 hrs and should be intimated to the client.
vidhijoshi488
4 months ago
Hey, really it was a great article to read. Waiting for another one, keep it up! Flight Tickets From Delhi To Leh
nkr29
4 months ago
It's not clear whether the hacked accounts had an authenticator app used by the client (used after the password) .
nkr29
Replied to nkr29 comment 4 months ago
Also what has the mail got to do with the logging in process?
Kamal Garg
Replied to nkr29 comment 4 months ago
In fact, a top IT security expert has told me that it is very difficult (almost impossible) to break into a proper ‘system’ of IT architecture. It is often and only the user's fault at some loose end, including some malware installed on your mobile/computer.
sjigar543
4 months ago
Madam, but these online brokers even share your data with Telegram channels.

So you can be lured indirectly to trade in options, also youngsters.

Why do you favour online brokers so much? They also make a huge profit by selling this data.

In one survey, online clients even don't know when buyback and rights entitlement trading happens.

All have two sides of the coin.

Don't favour Zerodha so much; in India anything 'Zerodha' becomes '0 tha' from 'hero tha'.
sarangmumbai
Replied to sjigar543 comment 4 months ago
First of all, it is not clear whether the user had:
1) an originally purchased antivirus on the laptop;
2) a laptop that may be used by multiple individuals;
3) a laptop infected with spyware due to user negligence;
4) a Chinese-made mobile without original antivirus.
RBS
Replied to sarangmumbai comment 4 months ago
I believe these are important points and they need to be investigated in full with at least 10 fraud cases, which may give some clue. If possible, Moneylife should take the lead along with Zerodha. Left to the sarkari departments, the matter will at most move very slowly and be forgotten over a period of time.
vaibhavdhoka
4 months ago
Hacking is a tool in the hands of cheaters, which can account for 50% of complaints, but in the rest it is loose supervision and the broker's involvement can be traced; in any case, investors are at the losing end. This is my own experience, dating back to 2004. I had a demat account and at that time only three brokerages were allowed lending and borrowing, and Kotak Securities was one. I was approached by the broker's franchisee, which was illegal as per SEBI's RTI reply. Shares worth 15,00,000 were transferred off-market; on the first day the shares were not accepted in the DP account. The next day the person contacted a Kotak officer in Pune and called the DP operator to accept the same. The person vanished after two months. Kotak took umbrage that the person was not authorised. So brokers' officials play a big role in cheating.
Kamal Garg
4 months ago
If the hacker made trades in the customer's account through the customer's trading terminal, then the profit/loss should also belong to the customer. What did the hacker get out of all this? Trades are executed on the exchange platform and not through a ready counterparty. So if there is a loss the customer has to bear the loss and, similarly, if there is a profit, the customer would get the profit.
Correct my impression if it is wrong.
sucheta
Replied to Kamal Garg comment 4 months ago
I would submit these are mere impressions. They are not conclusions. The article also raises a lot of questions. It is up to the regulator to do a root cause analysis. Since it could happen to ANYBODY, any thoughtful investor would demand answers from the regulator and not the writer! The regulator alone has the power to call for data and analyse it without depending on public information. Time we understood where accountability lies and demand answers from that entity!
sarangmumbai
Replied to sucheta comment 4 months ago
First of all, it is not clear whether the user had:
1) an originally purchased antivirus on the laptop;
2) a laptop that may be used by multiple individuals;
3) a laptop infected with spyware due to user negligence;
4) a Chinese-made mobile without original antivirus.
Kamal Garg
Replied to sucheta comment 4 months ago
Ma'am, we are not pointing fingers at you/the author and of course, as always, the answer has to come from the regulators only.
Hacking or compromising data is a serious offence and crime, and therefore it should be thoroughly investigated and the culprits should be brought to book. So much so that even sharing my mobile number (which happens every day, by everybody and anybody who collects your mobile number, including some shopkeeper/mall store/parking lot caretaker, etc.) is an offence.
I just wanted to confirm that as long as the hacker did trades from the customer's terminal, all profit/loss belongs to him and not to the hacker.
pgodbole
4 months ago
It is not always hackers. Sometimes it is the brokerage!

I had closed my trading and demat account with Motilal Oswal Financial Services in June 21 (or so I thought) and transferred out all securities and the cash balance to another DP/bank. I also received a confirmation to this effect from Motilal Oswal. Then, 5 months later in Nov. 21, a series of buy trades were executed in my account on a single day. I immediately raised a red flag with MOFSL and also lodged complaints with NSE and SEBI. The brokerage not only continued to execute buy trades over the next 2/3 days but even asked me to square off the debit balance in my account (since there was no cash balance) and threatened to liquidate the position if I did not clear the debit balance! It was only after being hauled up by NSE/SEBI that they reversed the trades. Ironically, in the interim, prices of the shares that had been bought without any authorisation went up, so the brokerage made a neat profit on reversal, recovered their (Shylockian) brokerage, leaving a paltry credit balance which they grudgingly transferred to my bank account. Strangely, even after this incident, I continue to receive a weekly ledger statement (Nil, of course). My mails to ACTUALLY close the account, so as not to effect any trades, remain unanswered.
sucheta
Replied to pgodbole comment 4 months ago
So is the issue finally resolved or not?
pgodbole
Replied to sucheta comment 4 months ago
Well, there are no more trades, but I am not sure if the account is actually closed. I am still getting messages from NSE that my broker MOSL has reported a Nil balance of securities and a Nil cash balance in my account as on this date. Why should MOSL report this to NSE if my accounts (demat and trading) stand closed? Does it not suggest that in their systems the accounts are still shown as inactive, rather than closed?
parimalshah1
4 months ago
The hacking has to be with connivance and tacit understanding of some trader and /or investor who has invested in penny stocks and wants to get rid of the same.
The trading account/s where the money or the shares have gone can be traced and the guilty can be brought to book and sentenced to very harsh and exemplary punishment with summary trials in the court.
If there is a will, there is a way.
It seems some top guys with knowledge of the trading systems may be involved.
The work of the cyber-cell guys is clear cut, and they should be patted on the back for quick response after the episodes were aired.
Why not before is a question to ponder.
Ramesh Popat
4 months ago
SEBI is considering a new system of trading that bypasses the broker channel, like ASBA, with direct transfer of funds. Can it be better?
Ramesh Popat
4 months ago
I have got news from an MF group that 55 cr was recovered from Axis MF's sacked fund managers. Is it true, and suppressed?! Kindly check up.
pkkothari
4 months ago
SEBI must introduce the following:
1. A hotline number for each broker to block the trading account if the call is made from the registered number.
2. The trading terminal of each client should have a facility for the investor to block the terminal.
3. Each customer should have a facility to block his shares for long-term investment and to set daily turnover limits.
4. The password should be allowed to change only after the OTPs sent to email and mobile are fed in, along with the PAN No. or date of birth or a secret question.
5. A new segment should be activated only after 24 hours. All these activities must be reported through SMS and email.
sucheta
Replied to pkkothari comment 4 months ago
Excellent suggestions! I do hope they make the effort to read