IB - Why Not a USB Security Device
- Thread starter QuantPlus
- Start date
And something no one even noticed...
The IB Security Device is 6-7 year old technology at least.
My clearing firm introduced these...
And I had one... right after 9/11.
Trading firms MUST be given a choice of security options that are right for their firms...
NOT threatened with all manner of disaster if bad designs are questioned.
The next time IB develops connectivity problems due to a buggy TWS release...
Like in early 2007...
The issues with these Security Devices will probably sky-rocket.
You can't connect because of server issues...
The Security Device will time out and lock you out...
And you will be sitting on hold for 15 minutes to get a "temporary password".
What fun... when you have a high volume business to run.
And there's more...
To enter IB's "Account Management"...
One must use the Security Device TWICE.
More bad design.
And in terms of security...
IB lazily EQUATES getting a Daily Trading Report... with sending a Wire...
Which are in no way equivalent.
So if a trader wishes to download the Daily Report every day...
The Security Device must be used...
A MINIMUM of 3 times every day.
All this after 2 years of rolling out and tweaking.
The IB Security Device is 6-7 year old technology at least.
My clearing firm introduced these...
And I had one... right after 9/11.
Trading firms MUST be given a choice of security options that are right for their firms...
NOT threatened with all manner of disaster if bad designs are questioned.
The next time IB develops connectivity problems due to a buggy TWS release...
Like in early 2007...
The issues with these Security Devices will probably sky-rocket.
You can't connect because of server issues...
The Security Device will time out and lock you out...
And you will be sitting on hold for 15 minutes to get a "temporary password".
What fun... when you have a high volume business to run.
And there's more...
To enter IB's "Account Management"...
One must use the Security Device TWICE.
More bad design.
And in terms of security...
IB lazily EQUATES getting a Daily Trading Report... with sending a Wire...
Which are in no way equivalent.
So if a trader wishes to download the Daily Report every day...
The Security Device must be used...
A MINIMUM of 3 times every day.
All this after 2 years of rolling out and tweaking.
The IB Security Device (platinum version)...
Was designed by people with no understanding of the mathematics involved.
An alpha-numeric code (if you leave out the letters "O" and "I" to avoid confusion)...
Has 10 + 24 = 34 different characters...
And 34!/(8! x 26!) unique combinations = 18,156,204 possible combinations.
Even if an unbelievably sophisticated attacker tried ONE MILLION random combinations on your account...
This would give him a roughly 1 in 18 chance of getting in...
And the opportunity to MAYBE make a few trades?
Even though ONE MILLION random tries is a longshot...
IB gives you 4 tries before locking you out of YOUR account...
And, ** unbelievably **, the Security Device shuts off after exactly 15 seconds (I timed it).
The ONLY thing accomplished by the idiots who designed this...
Is abuse of the Customer...
And a device that cannot be used by many handicapped people.
This tells you a lot about how IB Management feels about it's Customers.
A mathematically RATIONAL approach...
Would be to have NO RESTRICTIONS on the Customer end.
Rather...
TWS might only give you a "challenge" ONLY once every 30 or 60 seconds...
Eliminating the possibility of automated brute force attacks.
As a software engineer with 20 years experience...
The incompetent way IB has handled the "online security" issue over the last 2-3 years is ** very worrisome **...
Since I run a million dollar trading business.
For a $10,000 account... obviously none of this matters.
Hackers are savants...
They are highly intelligent, highly motivated...
And clearly have more sense than the managers in charge of IB online security.
Was designed by people with no understanding of the mathematics involved.
An alpha-numeric code (if you leave out the letters "O" and "I" to avoid confusion)...
Has 10 + 24 = 34 different characters...
And 34!/(8! x 26!) unique combinations = 18,156,204 possible combinations.
Even if an unbelievably sophisticated attacker tried ONE MILLION random combinations on your account...
This would give him a roughly 1 in 18 chance of getting in...
And the opportunity to MAYBE make a few trades?
Even though ONE MILLION random tries is a longshot...
IB gives you 4 tries before locking you out of YOUR account...
And, ** unbelievably **, the Security Device shuts off after exactly 15 seconds (I timed it).
The ONLY thing accomplished by the idiots who designed this...
Is abuse of the Customer...
And a device that cannot be used by many handicapped people.
This tells you a lot about how IB Management feels about it's Customers.
A mathematically RATIONAL approach...
Would be to have NO RESTRICTIONS on the Customer end.
Rather...
TWS might only give you a "challenge" ONLY once every 30 or 60 seconds...
Eliminating the possibility of automated brute force attacks.
As a software engineer with 20 years experience...
The incompetent way IB has handled the "online security" issue over the last 2-3 years is ** very worrisome **...
Since I run a million dollar trading business.
For a $10,000 account... obviously none of this matters.
Hackers are savants...
They are highly intelligent, highly motivated...
And clearly have more sense than the managers in charge of IB online security.
This does not prevent password compromise attacks. Actually it's even worse in that it opens you up to a denial of service attack. I can write a script to keep trying your user name and you will never get the chance to enter your password bec my script will beat you to it every 30 seconds.
On the lock-out after four attempts -- I was not aware of that and am of mixed feelings.
Because the challenge is issued after the standard password, it does not per se open a denial of service avenue of attack.
However, it seems unnecessary and it does permits a DoS attack *after* a password compromise. Not having the lockout does not seem to reduce security. Notification of the account holder by email and/or a process to force a password change, after a one time password response and a secondary verification (email token?) would seem to be a better solution.
Eighteen million combinations? I think you need the math lesson.
A password 8 characters long using only the lower case of 26 letters in the alphabet = 208,827,064,576 combinations.
Now add the upper case and the other keyboard characters as well as the numbers and it comes to 6,634,204,312,890,625 combinations.
Max401:
The Challenge issued by the IB security server is 8 numbers and only numbers - thus, 99,999,999. If you add the 00,000,000 sequence that could also be sent there are 100 million possible challenges.
The Platinum token device is a simple (complex) cryptographic device. You input the challenge and the algorithm combines it with another set of numbers unique (hard-coded) into that device. It produces an 8 digit alpha-numeric response.
By design the response may contain only the numbers 0 through 9 as well as the letters A, C, E, F, H, and P (lowercase and uppercase are treated as being the same by the IB security server).
The alphas can appear anywhere in the string.
If the response was limited to numeric values there would be 100 million possible replies, each unique to a challenge to a specific IB customer. I'll let the more mathematically inclined (and less lazy) compute the actual number of unique replies when factoring in the 6 alpha characters that can appear anywhere (or not at all) in the response. I've actually had one completely alpha response.
Anyway, Quant+ should review the math involved.
Jack
The Challenge issued by the IB security server is 8 numbers and only numbers - thus, 99,999,999. If you add the 00,000,000 sequence that could also be sent there are 100 million possible challenges.
The Platinum token device is a simple (complex) cryptographic device. You input the challenge and the algorithm combines it with another set of numbers unique (hard-coded) into that device. It produces an 8 digit alpha-numeric response.
By design the response may contain only the numbers 0 through 9 as well as the letters A, C, E, F, H, and P (lowercase and uppercase are treated as being the same by the IB security server).
The alphas can appear anywhere in the string.
If the response was limited to numeric values there would be 100 million possible replies, each unique to a challenge to a specific IB customer. I'll let the more mathematically inclined (and less lazy) compute the actual number of unique replies when factoring in the 6 alpha characters that can appear anywhere (or not at all) in the response. I've actually had one completely alpha response.
Anyway, Quant+ should review the math involved.
Jack