IB Security Alert EMail

H

HoundDogOne

This week I received an IB "Security Alert"...
Which reels of 6-7 total horror stories of ** only competitors ** accounts being hijacked...
And then tries to pressure you to sign up for...
A "security token"... often called a "key fob"... which is primitive 90s technology.

This "security token" will only prevent unauthorized wire transfers...
And have negligible impact on unauthorized trading.

My view:

IB has ** created ** a security nightmare...
With their online "wire request" system...
Which allows any "authorized person" to wire funds to any account anywhere...
As long as it has your name on it...
And it's ridiculously easy to create an account with ANY name on it.
(Plus the hacker must find a way to change your email address).

Simple solution:

Just allowing transfers ONLY to one bank account...
Or a short list of bank accounts that are provided by the owner...
Would make it IMPOSSIBLE to wire funds anywhere else.

But no... that is 70s common sense.

It's too "normal" for IB to even consider keeping a list of bank account(s) authorized by YOU...
And is willing to wire funds to Nigeria or Siberia...
Unless you go for this klunky, potentially problematic hardware device.

I would love to hear about any IB account hijacking experiences from others...
Because this initiative from IB, at best, solves 50% of the problem in a clumsy way...
And also offloads legal responsibility for security from IB to YOU.

What are a broker's legal responsibilities...
Under NASD Regulations in terms of account security?
Also... any creative ideas about account security beyond standard computer security?
 
It is not a new initiative. They have had this capability for some time but they probably decided to call attention to it due to the recently publicized account hijackings. It may be clunky, but it is very secure. Odds of a failure are pretty low. Odds of my misplacing the crypto key generator or using the incorrect one (you need one for each individual account) - High.

Jack
 
E Trade uses one of those too.

I like the suggestion of only having a few accounts that funds can be wired too. But that isn't really all that much more secure unless you have to wait a min. of 7 days before a newly added account can have money wired to it. And an email is sent to you letting you know a new account has been added. That way, in the event of a hack, you'd be alerted to it and would hopefully have enough time (assuming you check your email often) to react.

Same would go for your email account. You can have two. One main and one backup. You can't add anymore without deleting only one. And the new/replaced one will only become effective after 7 days.
 
You evidently don't understand how the security token works. If you did, you wouldn't have written what you did.

I've had the security token since it was originally offered a few years ago. I don't see a single way that anyone could wire funds from your account in an unauthorized way without having your security token, and without knowing your password to the security token.

Originally they required a 6+ digit account to get one of these. Perhaps they've changed it now. I didn't get the memo regarding security.

Maybe you need to update your 70's commonsense.

OldTrader
 
Quote from OldTrader:

You evidently don't understand how the security token works. If you did, you wouldn't have written what you did.

I've had the security token since it was originally offered a few years ago. I don't see a single way that anyone could wire funds from your account in an unauthorized way without having your security token, and without knowing your password to the security token.

Originally they required a 6+ digit account to get one of these. Perhaps they've changed it now. I didn't get the memo regarding security.

Maybe you need to update your 70's commonsense.

OldTrader
More...

You misunderstood my post. Perhaps finding your glasses might help.

I am a software engineer by profession...
I had a security token for years with a New York clearing firm...
And in no way did I imply that "it doesn't work"... or whatever you are talking about.

I have a 7 figure account... and wire funds to one account ONLY (for legal reasons).

Neither myself... or IB... or anyone... is authorized to wire funds to ANY other account EVER.

And for this I need a security token...
Which, in your "professional opinion" is 100% foolproof...
Never gets lost... or battery... or any other hardware/software error.

Every other broker in the world can do it...
But IB is too inflexible to allow wires to one specific bank account ONLY...
Which can ONLY be changed with WRITTEN authorization.

That is 70s, 80s, 90s, and 2000s... and 100% secure...
Unlike the theoretical 99% security... and inconvenience that comes with a security token.

IB's total reliance on the internet...
Creates ** indeterminate ** security issues... that do not exist at other firms.

In my professional opinion...
There are many examples today where human intelligence...
Is replaced by ill conceived software I call "artificial stupidity"...
Because "artificial stupidity" is MUCH cheaper than "human intelligence"....
And IB has many systems that fall into this "automate at any cost" category.
 
Quote from ddunbar:

E Trade uses one of those too.

I like the suggestion of only having a few accounts that funds can be wired too. But that isn't really all that much more secure unless you have to wait a min. of 7 days before a newly added account can have money wired to it. And an email is sent to you letting you know a new account has been added. That way, in the event of a hack, you'd be alerted to it and would hopefully have enough time (assuming you check your email often) to react.

Same would go for your email account. You can have two. One main and one backup. You can't add anymore without deleting only one. And the new/replaced one will only become effective after 7 days.
More...

ONE bank account that funds can be wired to... or a short list...

** IS 100% SECURE **...

If authorization has to be done by a signed paper document...
Examined by a clerk...
And can be verified by a phone call.

Total cost to IB... 10 minutes of a clerk's time...
They can bill me $20 or whatever if they want to.

My account with IB is the first time in 15 years that I have had concerns about security.

The security token also does not really address unauthorized trading...
And since absolutely nothing is 100% "proveable" in cyberspace transactions...
The broker can take almost any position... and just stonewall you.

Legally... the security token offloads most of the risk onto the Customer.

Does anyone know if IB or other brokers are insured...
And Customers are covered by a 3rd Party Insurer for fraudulent losses?

Since these events are quite rare... the cost of such insurance would be small.
 
Quote from HoundDogOne:

This "security token" will only prevent unauthorized wire transfers...
And have negligible impact on unauthorized trading.
More...

The security token seems pretty failsafe to me in terms of preventing the wrong people from wiring money out of your account somewhere. In order to break into your account, they would have to gain physical possession of the security token and know your password. I am not sure I agree with your main complaint about this being a huge security liability.

However, I do think that a person logging into your IB account (assuming they figured out your password) and then executing unauthorized trades could be a huge problem. Password hacking does not require the physical posession of the security token.

Even though it would be a pain, I would feel safer if I had to use the security token everytime I logged into my account.
 
HoundDogOne:
I agree with what you are saying about the one and only approved banking account method. IB has tried several times to get me to take one of their tokens; However, I do not want one. IB needs to make sure they are sending my money to me and not an impostor.
 
Quote from sprstpd:

The security token seems pretty failsafe to me in terms of preventing the wrong people from wiring money out of your account somewhere. In order to break into your account, they would have to gain physical possession of the security token and know your password. I am not sure I agree with your main complaint about this being a huge security liability.

However, I do think that a person logging into your IB account (assuming they figured out your password) and then executing unauthorized trades could be a huge problem. Password hacking does not require the physical posession of the security token.

Even though it would be a pain, I would feel safer if I had to use the security token everytime I logged into my account.
More...

100% agreed.

Yet, the new twist on stealing funds these days isn't through direct wires out...they trade some POS penny stock,in your account, pumping it up--while they're selling (dumping) it to you.
Really messy for the broker, the customer & the SEC.

This is why a log in RSA token like Etrade would be better.

I've also complained multiple times to IB, that their 8 character password is nowhere near long enough. Unauthorized wires are almost impossible--trading your account to zero is much easier.

Do note that these mom & pop retail brokers Etrade & ameritrade, etc. are now also insuring customers assets against ANY type of these frauds-100% of your account is made whole again by them. IB does not.
 
Quote from MR.NBBO:

100% agreed.

Yet, the new twist on stealing funds these days isn't through direct wires out...they trade some POS penny stock,in your account, pumping it up--while they're selling (dumping) it to you.
Really messy for the broker, the customer & the SEC.

This is why a log in RSA token like Etrade would be better.

I've also complained multiple times to IB, that their 8 character password is nowhere near long enough. Unauthorized wires are almost impossible--trading your account to zero is much easier.
More...


ETrade provides what looks like comprehensive anti-fraud insurance:

http://www.computerworld.com/securitytopics/security/story/0,10801,107865,00.html

If IB does not have similar coverage...
You really have to wonder what they are smoking.
 
You must log in or register to reply here.
Back
Top