URGENT, Secure Device Required for TWS

[IBj]

Quote from cstangor:

Do you have to physically press buttons on the device to log on? if so, this sucks, because I run TWS from a remote computer. Maybe MB trading will be an alterative?

The device stays with you. Yes you have to activate it to get or read the code but then you enter this into the regular TWS login screen. Think of the device as a 1-time password generator.

If you have some process that automatically logs into TWS running on a remote PC such that you never wee the login screen, this will be a problem. But, frankly, this architecture is an accident waiting to happen. For one thing, you will not see any of the warning messages we generate to alert you to possible security issues at login time. You will be able to opt-out of the security program but then any problems with your account (hacks, unauthorized withdrawals, unauthorized trading) will be fully your responsibility.

To clarify: most of the account compromises come from worms inadvertently loaded onto the users PC which carry a "payload" kestroke logger, or open firewall ports to allow malware to be loaded through a backdoor. Look up Bagle Worm on google to understand what I mean. Whenever the user enters his/her password, the logger captures it and sends the data home to the mother ship. Changing the password will not help (much) as the new password is also easily compromised.
The second common source of password compromise is as simple as the use of a computer over someone else'e network. For example, a hotel or internet cafe. I am a security extremist and I avoid these things but if you are traveling, you need to log in. If the network is run by someone with bad intent or is simply itself compromised with malware, voila, there goes your password.

Both of these scenarios are created by a failure on the client's side to confine his/her login activity to 'sterile' environments. But we live in the real world, so IB recognizes that even prudent users may still have their password compromised. If this happens, we make a judgement call based on analysis of the circumstances as to how far we will work with the compromised account to repair the damage. Clients who work to protect their own account (in other words, recognize security over convenience) are evaluated in a much more cooperative light.

You need to keep the following in mind: 99% of all account compromises (on all internet systems around the world) come from the client/account holder side. By not using the available security resources, you are effectively choosing to self-insure. The opt-out allows you to self-insure but we strongly discourage our clients from inviting such exposure. Unless you are as specialized in computing security as the hackers are in breaking past security systems, this is a game most people cannot effectively compete in, and the Security Device evens that playing field.

 

[GTS]

Quote from IBj:

The second common source of password compromise is as simple as the use of a computer over someone else'e network. For example, a hotel or internet cafe. I am a security extremist and I avoid these things but if you are traveling, you need to log in. If the network is run by someone with bad intent or is simply itself compromised with malware, voila, there goes your password.

Ummm, how would someone sniffing your network connection get your password in this case unless TWS is sending your password in the clear?

Maybe I am misunderstanding, are you talking about using your own computer on someone elses network (wired or wireless) or using someone elses computer? You said network above.

 

[cstangor]

Well, yes it's my computer (in my office) and I do see the logon screen. So I'll be able to use the local device to enter the code into the remote computer?

 

[IBj]

Quote from GTS:

Ummm, how would someone sniffing your network connection get your password in this case unless TWS is sending your password in the clear?

Maybe I am misunderstanding, are you talking about using your own computer on someone elses network (wired or wireless) or using someone elses computer? You said network above.

Passwords are sent encrypted. Sniffing would not help unless there is some serious cryptographic application studying the data stream.

The issue is when you use someone else's network, they have the ability to control the middle, intercept and replicate an SSL session. It is called a man-in-the-middle attack. Anyone who controls a proxy between you and IB could implement this. We assume hotels and the like have better things to do than set up these hacks but in countries where a $100 buys access or influence, who can say?

 

[GTS]

Quote from IBj:

Passwords are sent encrypted. Sniffing would not help unless there is some serious cryptographic application studying the data stream.

The issue is when you use someone else's network, they have the ability to control the middle, intercept and replicate an SSL session. It is called a man-in-the-middle attack. Anyone who controls a proxy between you and IB could implement this. We assume hotels and the like have better things to do than set up these hacks but in countries where a $100 buys access or influence, who can say?

Um, ok. I am familiar with man-in-the-middle attacks but for you to say that they are "The second common source of password compromise" is false as they are difficult to pull off successfully, especially if you are using an application that is properly secured.

 

[nzbryant]

Dudes

Its very simple. Security over convenience like the man said.

Make a frickin values decision. Life is full of tradeoffs. Deal with it.

 

[Stealth Trader]

Quote from IBj:

To clarify: most of the account compromises come from worms inadvertently loaded onto the users PC which carry a "payload" kestroke logger,

Roboform or any like program addresses the above without the hassle of a token device.

Next question please??

KISS!!

st

 

[GTS]

Quote from Stealth Trader:

Roboform or any like program. Addresses the above without the hassle.

Assuming that Roboform stores your passwords encrypted then I would imagine that you have to initially enter some sort of master password each time you run Roboform which the key logger would then intercept.

Once they have that master password your Roboform password file (which they can easily transfer from your PC) becomes a very convenient list of all your accounts and passwords.

If someone has loaded a trojan on your machine without your knowledge its very difficult to defend against - the best defense is to not let that happen in the first place (or to be alerted to it the second it does happen).

 

[Stealth Trader]

Quote from GTS:

Assuming that Roboform stores your passwords encrypted then I would imagine that you have to initially enter some sort of master password each time you run Roboform which the key logger would then intercept.

Once they have that master password your Roboform password file (which they can easily transfer from your PC) becomes a very convenient list of all your accounts and passwords.

If someone has loaded a trojan on your machine without your knowledge its very difficult to defend against - the best defense is to not let that happen in the first place (or to be alerted to it the second it does happen).

Once roboform is setup, you do not enter any keystrokes from that point on. I'm not saying it's Fort Knox secure, but the chances of anyone breaking through it to access the average traders account is remote. There is a difference between being paranoid and sensible.

st

 

[rayl]

Quote from Stealth Trader:

Once roboform is setup, you do not enter any keystrokes from that point on. I'm not saying it's Fort Knox secure, but the chances of anyone breaking through it to access the average traders account is remote. There is a difference between being paranoid and sensible.

st

Having helped a friend remove a macro recorder was the event that put me on the paranoid side. (Actually I wanted him to re-install his OS but he didn't want to go that far. I would have if it were my PC!)

And once a day login seems a reasonable compromise.

I'm more upset that more companies don't provide better online security practices. I can even think of a few providers who lock our your account after a few failed attempts but the reality is that just opens you up to denial of service attacks w/o increasing security.