IB Secure Device

Quote from NickPhil:

I think you are right.

The only solution which would protect IB customers would be the ‘Complete Fraud Protection’ as E-Trade has already introduced.

I’m an IB customer since 2002 and I would expect from the leading firm to provide the optimum solution. Otherwise….

Would you care to explain WHY you are making this claim? So far Hound Dog and Local Crusher have made statements that go unexplained. Perhaps you have something to say that is a little more substantial.

Still waiting.

OldTrader
 
Quote from nonam:

This secure log on will make it much safer to check your positions from internet shops while travelling? At the moment this is a risky thing to do anywhere on the planet. Any thoughts on this?
I agree, but I'd also like to leave my home computer running to trade my ATS. That won't be possible with the Security Device.

I only trade a few of the most liquid instruments in the world (ES, ZN, ZB). If I had the security device to log into account admin and make withdrawals (but not for TWS) and was able to restrict my account to those instruments, I'd be 100% safe.
 
Quote from Opra:

Shall we step back to square one to get a sense of risk?

What is the likelihood or probability that a new PC with XP or Vista (plus most up to date SP)...
Already did, just flip back a few pages in the thread. I made several posts about this on pages 8, 9, 13, and 14.
 
I think this expanded security device program is a great thing, but I agree with HoundDogOne that it should not be mistaken for a substitute for "complete fraud protection". The security device won't protect against viruses or other malware taking control of the customer's computer, or perhaps hacking IB's own systems.

I also wonder if it is even realistically possible for any online brokerage to provide "complete fraud protection." How can a broker protect a customer from the customer's own negligence in failing to secure his own machine? If a theft occurs, how can a broker determine who was at fault for failed security, the customer or the broker? Where should the line be drawn?

I will note that even though E-trade claims to provide "complete fraud protection", another thread seems to allege that E-trade does not actually honor this promise in reality. See http://elitetrader.com/vb/showthread.php?threadid=90860.
 
Quote from OldTrader:

Would you care to explain WHY you are making this claim? So far Hound Dog and Local Crusher have made statements that go unexplained. Perhaps you have something to say that is a little more substantial.

Still waiting.

OldTrader

I think local_crusher provided already the explanation by writing:

local_crusher:

- A trojan can modify TWS XML settings files, thus allowing local API access without the user gaining knowledge.
Next, the trojan will connect to TWS via localhost API or DDE connection.
VERY EASY TO IMPLEMENT.

All modern trojans are modular and an appropriate module would be loaded to the infiltrated victim's host if someone wants to steal an IB account.

- WM_KEYDOWN / WM_KEYUP events.
As IB TWS is a Java program, there is no possibility to prevent it being remotely controlled with hostile WM_KEY** events.


API access implements a lot of exotic features. The problem is that it seems to leave the backdoor open.

Having said that, I fully support any effort IB does to improve security.
 
So far it sounds like a great idea if IB allows opt-in/out of limiting add/change trading instruments with the security device.

Let's see what the response is from IB Salvatore, and maybe we should submit a feature poll.

I'd imagine this should not be very hard for IB to implement, as 'trading access' is already an account management functionality. All they need to do is to enhance it to the instrument level with the security device.
 
Quote from NickPhil:

I think local_crusher provided already the explanation by writing:



API access implements a lot of exotic features. The problem is that it seems to leave the backdoor open.

Having said that, I fully support any effort IB does to improve security.

Nick:

Yes, I read that explanation. But how exactly can IB ever control a trojan on an individual computer? And where is the customer's responsibility? How does a trojan "take over" your computer when your computer has routers, firewalls, antiviral software, spyware software? That combined with the security device seems to be considerable protection.

If I understand this correctly, you and others seem to be pointing at security issues that may be the responsibility of the user, and trying to make them the responsibility of IB via a "Fraud insurance" provision that would be extended by IB.

OldTrader
 
Quote from jimrockford:

... I also wonder if it is even realistically possible for any online brokerage to provide "complete fraud protection''...

No ‘complete fraud protection’ but ‘complete fraud protection guarantee’ to cover customer’s damage.

I agree it would have an additional cost for the brokerage firm. However, internet fraud is nowadays a severe problem for secure transactions. And if internet brokerage firms want to survive and expand they have to provide viable solutions.
 
Quote from OldTrader:

Nick:

Yes, I read that explanation. But how exactly can IB ever control a trojan on an individual computer? And where is the customer's responsibility? How does a trojan "take over" your computer when your computer has routers, firewalls, antiviral software, spyware software? That combined with the security device seems to be considerable protection.

If I understand this correctly, you and others seem to be pointing at security issues that may be the responsibility of the user, and trying to make them the responsibility of IB via a "Fraud insurance" provision that would be extended by IB.

OldTrader

OldTrader,
I also feel more confident by using routers, hardware and software firewalls, antivirus and anti-spyware software and whatever is needed to REDUCE the risk. But, because of my profession, I know (and of course many others on this forum) that the risk of having your computer hijacked can NEVER be totally eliminated. That’s why I think that the backdoor that API access leaves open is severe.

And after all, why non-API traders have the option to download a version of TWS without API capabilities included?
 
Quote from NickPhil:

OldTrader,
I also feel more confident by using routers, hardware and software firewalls, antivirus and anti-spyware software and whatever is needed to REDUCE the risk. But, because of my profession, I know (and of course many others on this forum) that the risk of having your computer hijacked can NEVER be totally eliminated. That’s why I think that the backdoor that API access leaves open is severe.

And after all, why non-API traders have the option to download a version of TWS without API capabilities included?

With the security device, if the only vulnerability left is with the API, then is it safe to assume that the webtrader is bullet-proof?
 