IB - Why Not a USB Security Device

Quote from QuantPlus:

I think the IB Security Device is terrible.

Can someone please explain...
Why they would chose an out-dated hand held device...
Instead of a USB device like this one:

http://mktg.safenet-inc.com/mk/get/req_rm_form_shk_lp?gclid=CJbq_cnYmo4CFQM1PwodU25wXQ

And please don't give me...
That "someone will break into my office and use my trading account"...
Because that is crazy.
More...

A lot of this is conjecture since I'm not an IB customer nor have I seen their devices. However, I'm guessing that they're using RSA-style keyfobs or something simliar to it.

The IB implementation is superior from a couple of standpoints.

1) Two-factor auth. Not only do you need the keyfob but you need a PIN too. The safenet product makes no mention of this. I bet it could do it though.

2) Why require a USB connection when all you need to do is prove identity and non-repudiation? For example, a lot of mobile devices have web browsers but no USB connector (iPhone comes to mind).

3) Physical connections break. Having something that someone would repeatedly remove and insert into a USB port would increase the chances of breaking the device or USB port. Less hassle for IB this way.

The USB key's main advantage is that it's basically just storage. You could store whatever kind of certificate on there you wanted and you're not locked into RSA's program. Vendor portability is high with the USB thing. Honestly though this isn't much of a win. Most companies choose smartcards over USB keys because they can print onto the smartcard and turn it into the employee's picture badge/ID.
 
Quote from scurvy:

A lot of this is conjecture since I'm not an IB customer nor have I seen their devices. However, I'm guessing that they're using RSA-style keyfobs or something simliar to it.

The IB implementation is superior from a couple of standpoints.

1) Two-factor auth. Not only do you need the keyfob but you need a PIN too. The safenet product makes no mention of this. I bet it could do it though.

2) Why require a USB connection when all you need to do is prove identity and non-repudiation? For example, a lot of mobile devices have web browsers but no USB connector (iPhone comes to mind).

3) Physical connections break. Having something that someone would repeatedly remove and insert into a USB port would increase the chances of breaking the device or USB port. Less hassle for IB this way.

The USB key's main advantage is that it's basically just storage. You could store whatever kind of certificate on there you wanted and you're not locked into RSA's program. Vendor portability is high with the USB thing. Honestly though this isn't much of a win. Most companies choose smartcards over USB keys because they can print onto the smartcard and turn it into the employee's picture badge/ID.
More...

Thanks for your post.
The exact Security Device IB uses is the following:

http://images.google.com/imgres?img...?q=safeword+platinum&svnum=10&um=1&hl=en&sa=N

The main disadvantage...
Is that you have to enter an 8 digit code...
And then get an 8 digit alphanumeric response...
That one then enters into the TWS login screen.

This is time limited at about 20 seconds...
And after 4 incorrect tries it locks up for 2 hours.

It's harder than it sounds to do.
It would be IMPOSSIBLE for any number of disabled or sick people.

Since a brute force attack would require millions of tries...
Time limiting to 20 sec and 4 attempts is INSANE...
It just punishes the trader...
And drives up IB's Customer Service bill.

A USB device could just plug into any USB port...
And the TWS platform could scan for it.

Also...
It's hard to get good information from IB...
But after talking to about 4-5 people...
Hers are some facts:

(1) Anyone locked out can call the Hotline at (213) 618-4006...
And have your account switched over to a temporary 7 day password.

(2) Typical wait time on Hotline is < 5 minutes.

(3) You can OPT OUT of this device ** for logging in and trading **...
By filling out an OPT OUT form...
But will still need it for withdrawals.

Over and out.
 
I've never used those specific devices, but I have used the RSA versions a lot. I never really had an issue with typing in PIN + fob code -- even bleary-eyed and in the middle of the night which is when I used it most. Then again, ours were setup to use the PIN as a prefix and the fob code following. The fobs also had a countdown timer to see when the next code would rollover. Simple solution was to enter PIN then wait for the next rollover; giving you the full amount of time to enter the code and any retries.

You're right about disabled people thought. I don't think it would be the greatest thing for them to use. Especially those not using traditional keyboards.
 
I just re-read your post and now fully understand just how poor IB's implementation of this very standard security practice is.

They're doing it in a non-standard (and very flawed) way.

The industry standard, accepted way of using it is to replace (or augment) the passphrase component of a login. So you type in your username and your passphrase is a personal 4 digit PIN that you pick prepended to the random digits that show up on your fob. There isn't another challenge after that, you're in. The three-factor authentication (username, PIN, and security fob) is generally considered to be highly secure. Some places where username matches email address (thus making it kinda bunk) do four-factor: username, passphrase, PIN + fob.

From what I've read about IB and their service, this is par for the course.
 
Quote from scurvy:

I just re-read your post and now fully understand just how poor IB's implementation of this very standard security practice is.

They're doing it in a non-standard (and very flawed) way.

The industry standard, accepted way of using it is to replace (or augment) the passphrase component of a login. So you type in your username and your passphrase is a personal 4 digit PIN that you pick prepended to the random digits that show up on your fob. There isn't another challenge after that, you're in. The three-factor authentication (username, PIN, and security fob) is generally considered to be highly secure. Some places where username matches email address (thus making it kinda bunk) do four-factor: username, passphrase, PIN + fob.

From what I've read about IB and their service, this is par for the course.
More...

Very perceptive, yes.

Virtually every system designed by IB...
Is seemingly designed ** in a vacuum ** by their engineers...
Without any input from traders that would actually be using the design...
To run a million dollar business.

They then go through a long process of complaints...
Where the end users running million dollar businesses are assumed to be idiots...
Before eventually making concessions...
And perhaps arriving at a good design 1-2 years later.

It's Corporate Paternalism at it's worst...
But the commissions are so competitive...
That, overall, there is no viable alternative at the retail level.
 
Quote from QuantPlus:

This is time limited at about 20 seconds...
And after 4 incorrect tries it locks up for 2 hours.

It's harder than it sounds to do.
It would be IMPOSSIBLE for any number of disabled or sick people.
More...

I've never had any difficulty with logging in with the device in a couple of different ways. First, my usual way from my desktop, sometimes very early in the AM before my coffee, and sometimes very late at night.

The other way I log in is via my BlackBerry. Frankly, typing that quickly on the BlackBerry is no cinch, alternating letters/numbers, what with my big fingers and small keys. Had a few unsuccessful attempts, but I think it is more my problem and the device I'm using, than the system itself.

I don't think anyone "sick" would have any difficulty, although I question whether one should be trading "sick".

Disabled might have a problem, depending on the disability. And if that is the case, they can opt out.

I presume that your stance here is not that IB should design a system for a very small percentage of people.

I see next to no complaints about their ability to use the device. This leads me to believe that most have to special difficulty after a little practice. I would assume that even you could do it with some practice as well.

OldTrader
 
Quote from deepvelvet:

That's not what mine looks like. Mine has no keyboard. I press a button and a number appears, which I then enter at IB after entering my username and password.
More...

This must be new then. I think most users would prefer this approach although it is slightly less secure than the keyboard device.
 
You must log in or register to reply here.
Back
Top