I read the thread you linked. Man, you’re some kind of banking guru, where do you learn this stuff? A Swiss IBAN for a UK account - cool. Too bad IB did not provide me with this IBAN when I wanted to transfer my money. I put the currency and everything and I still got the GB… IBAN. I will look around the page for the Swiss IBAN you provided. Anyway, 10 CHF for transferring 50’000 is not really a lot. But of course it will be cool if I don’t have to pay it.
They actually have now published the CH IBAN - look in the beta version of the account management UI, big green button “AM Beta” at the bottom of the screen
Alright, I’ll check it out for the next transfer. Thanks!
So the simple instructions for dummies for your first purchase at IB would be:
- Transfer 10’000 CHF to IB using the CH IBAN (not GB)
- Login to WebTrader, check that you have 10’000 CHF
- Click on the Forex tab, enter CHF, look for the CHF.USD
- Enter the amount 10’000 and choose the type SELL
- You should now have 0 CHF and everything converted to USD
- Go to Stocks tab and type in VT, select the type BUY
What I’m not so aware of: how safe is it to execute stock trades and currency conversions at market price (MKT)? Using the limit (LMT) can be confusing, especially if you sell a Forex pair. So should I manually put the ASK price for a BUY (and the BID for a SELL) as the limit, or is this exactly what MKT does?
By the way, they told me on the phone that IB UK is actually located in Switzerland (hence the +41 phone number). Funny huh?
I tried the IB Algo thing on my last trade and it worked quite well, I set it to normal and my market order took about an hour. It seems to be kind of a hybrid of market and limit order.
Since the beginning my account management opens in the beta version. Actually I no longer see the option to switch back to the old version. And I tried just now to create a new funding notice and the IBAN that they provide is still the GB IBAN. What am I doing wrong?
Second question: When I opened my account, I didn’t get any PDF with my contract. I also don’t see an option to print one in the account management. When I opened the account, I had to put my name in a field as a form of signature, that’s it. What proof is there that I have an account with them? What’s the best way to gather some evidence? Collect monthly statements?
Third question: For 2FA I have so far opted for the printed card with codes. What is your experience and what do you recommend as a safe option?
No idea, maybe you could ask support to clarify, but this is what I’m seeing: https://imgur.com/a/5fJ1T
Are you sure? I remember saving dozens of pdfs when I signed up
I think you should be able to find copies here:
In Account Management > Manage Account > Account Information > Details you can download a copy of your application, that plus the general terms constitute your contract
Yes, keep a copy of everything you have from them, especially trade confirmations. You can configure in account management to have them automatically emailed to you at the end of each day when you do a trade
I’m using their IB Key app on a permanently-offline Android phone, together with all other 2FA authenticator apps and a KeePass database for the more sensitive passwords. Works like a charm. You can find very decent devices on the second-hand market for very modest prices these days, like 30-50 Fr. Heck, you can even get two for redundancy. Flash LineageOS (formerly CyanogenMod) and you’ll have the latest Android and the device would be working even better than new, just beware of which exact models LineageOS supports and possible quirks with some (e.g. encryption is broken on some devices)
Sorry, I got it all confused. I thought I was in the new AM, but I was in the old one. Just the AM beta button was gone. I somehow managed to switch to the beta AM and then I saw the CH IBAN to transfer funds. Everything is fine. Just when I switch back to classic AM, I have no link to switch to beta, weird…
Regarding the PDFs, I really don’t remember having any PDFs to download. They could have emailed them to me, they didn’t. I just think it should be at least possible to download a copy of the contract. I don’t know. It feels weird to have everything done electronically and no trace of what I signed… But I guess it should not be a problem? They should be able to send me a copy of the contract…
Regarding 2FA: it’s interesting that the IB Key app works offline. Does it have all the codes saved? Does it not need to get updated sometimes? An offline Android phone is not really much different from a piece of paper with the codes on it, is it? (in terms of convenience and security).
I also use a password manager, lastpass. However, IB replaces the password with a series of x’es “xxxxxxxx”. It looks like they are discouraging you from using a password manager.
Is keepass better than lastpass? I know it’s open source and your passwords are not on some server. But the convenience is really bad. You rely on a file that you have to keep offline. And if you put it on dropbox or similar, then it’s not much different from lastpass, is it?
It’s not just a list of codes and not a time-based OTP token like Google Authenticator, but a challenge-response calculator, much like for example the login thingy from PostFinance but in the form of an app. The login form gives you a challenge number, you type it and a PIN code into the app, and it combines them with internal state to generate the response. It works offline, though for some reason the initial setup requires (a totally unnecessary) one-time internet access.
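To make the mechanism described in the post concrete, here is a toy challenge-response calculator with both the offline device side and the server side. This is an added illustration, not IB Key’s or PostFinance’s real algorithm: the PIN-wrapped secret, the HMAC construction, the 8-digit challenge and the 6-digit truncation are all assumptions chosen for the example. It shows why the device needs no network after the one-time enrolment (it only holds a wrapped secret), why a stolen device without the PIN produces wrong responses, and why a captured response cannot be replayed against a fresh challenge.

```python
# Added example (constructed toy, NOT IB Key's real algorithm): an offline
# challenge-response login calculator. Key wrapping, HMAC and truncation
# choices are assumptions for illustration only.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass
class OfflineDevice:
    """State held by the phone after the one-time enrolment.
    The shared secret is never stored in the clear, only XOR-masked with a
    PIN-derived mask, so the typed PIN is needed every time it is used."""
    salt: bytes
    wrapped_secret: bytes


def _pin_mask(pin: str, salt: bytes) -> bytes:
    # 32-byte mask derived from the PIN; PBKDF2 slows down offline PIN guessing
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


def enrol(secret: bytes, pin: str) -> OfflineDevice:
    """One-time setup (the single online step): wrap the server-shared secret
    under the user's PIN. After this the device never needs the network."""
    salt = secrets.token_bytes(16)
    mask = _pin_mask(pin, salt)
    return OfflineDevice(salt, bytes(a ^ b for a, b in zip(secret, mask)))


def _truncate(mac: bytes, digits: int = 6) -> str:
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short numeric code
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def compute_response(device: OfflineDevice, challenge: str, pin: str) -> str:
    """Offline side: unwrap the secret with the typed PIN, then MAC the challenge.
    A wrong PIN yields a wrong key and therefore a wrong response; the server
    never sees the PIN itself."""
    mask = _pin_mask(pin, device.salt)
    key = bytes(a ^ b for a, b in zip(device.wrapped_secret, mask))
    return _truncate(hmac.new(key, challenge.encode(), hashlib.sha256).digest())


class LoginServer:
    """Server side: knows the shared secret (not the PIN) and issues one-shot challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # Each challenge is accepted once, so a captured response cannot be replayed
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = _truncate(hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    shared_secret = secrets.token_bytes(32)  # constructed; exchanged at enrolment
    device = enrol(shared_secret, "4711")    # constructed sample PIN
    server = LoginServer(shared_secret)
    chal = server.new_challenge()
    resp = compute_response(device, chal, "4711")
    print("challenge", chal, "response", resp, "accepted:", server.verify(chal, resp))
    print("replay accepted:", server.verify(chal, resp))
```

The design choice worth noting is that the PIN protects the secret on the device rather than being sent anywhere: the server only ever stores the shared secret, and a lost phone without the PIN yields nothing but wrong responses, which is the same reasoning the later posts give for relying on device encryption plus a PIN.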
I really don’t know who in their sane mind would use a product like LastPass for anything remotely sensitive like banking passwords or bitcoin wallet keys. Open source and your passwords not being stored on someone else’s server are not just nice-to-haves, but minimum essential security requirements to me
That’s still more secure than LastPass. With LastPass you have another attack vector - the vendor itself being malicious: like pushing an update that intentionally weakens the security to let them steal your passwords. They only need to leak, like what, 32 bytes, the size of your AES key? With the source being closed you have no way to verify this isn’t even happening now. People can be bought, servers can be hacked, the CCleaner incident is a very recent and very real example of attacks through a vendor, can happen to anyone
LastPass is of course a step better than reusing the same password everywhere (=revealing it to every site you use it at), but not really the last password manager you’d need
OK, I see your point. I guess I will consider ditching lastpass for keepass. But that’s what 2FA is for. Password is relatively easy to steal, so for crucial accounts there has to be the second factor.
But if you want to safely use KeePass, you need to have the right approach, right? Like, not installing the freshly released version right away? It is open source, which means people can have a look into the source code. But between the release and somebody being able to verify in the thousands of lines of code that a malicious change hasn’t been made, it will take some time. What’s your approach on this one?
And if you put your encrypted file with passwords on dropbox, is it safe? You can’t have your passwords physically around you at all times, but sometimes you may need to access your account away from home. And if you don’t store your file in the cloud, then you need to take care of backup and synchronisation. One copy on the laptop, another on the pendrive? Then after you change the password, remember to update all backups? Is this the alternative to cloud storage?
And about not trusting a proprietary company: do you run your keepass on an open source OS? Is all the software that you use open source? Do you login to your online banking and broker through an open source browser? If not, what guarantee do you have that Microsoft, Apple, Google, or that torrent app running in the background is not scanning your keyboard input? Don’t get me wrong, I’m not questioning your choices, I’m just getting a bit paranoid and trying to figure out the best approach to online security.
Like I said, I have a permanently-offline Android device where all my more sensitive passwords are stored. It has no data connection after initial setup - there’s no SIM, it doesn’t remember my wifi password, it’s even permanently in airplane mode, saves battery too. I transfer data to/from it via its SD card when I rarely have to do it, for backups mainly. So I don’t have to worry much about malicious software in it - it has nowhere to leak my data to. It just works, doesn’t need updates, it’ll last until the hardware dies. I also run all the various authenticator apps on it (Google Authenticator, Symantec, IB, CrontoSign, etc.) - because they don’t need internet either and it’s an Android phone, it can run them. Needless to say, the device itself is encrypted too.
On my phone and desktop I keep separate keepass databases for less sensitive stuff which I manually sync. I could put it on dropbox or something, but really syncing is not much work since I don’t create new password every day
Dropbox might get compromised, but your password database on it is still encrypted, so that’s not enough to gain access to it - the attacker would also need to get hold of your password for it. With 2-in-1 solutions like LastPass just LastPass itself needs to get compromised, make a malicious code change, push it to users or something like that and you’re owned.
I carry my android security token all the time
I hardly remember the last time I had to change a password. When you have a unique password per website it’s not such a big concern to change them regularly. The KeePass database however has a field with the modification time so it can merge the changes properly on a sync, and it can also keep a history of previous passwords.
Android obviously is not exactly open source, there’s enough proprietary patent-covered shit in it, even though most parts are open source, but on desktop yes, I run all open source. Closed source and random downloads strictly in a virtual machine.
Alright, I see. So you rely on this Android device for both passwords and 2FA. I only see a few problems:
- You need to trust the developers of LineageOS, because theoretically the OS could activate WiFi by itself and then connect to some unprotected network
- KeePass is not officially supported on Android, you need to use an unsupported port. Of course, the phone is always offline so I guess there’s not much possible harm
- You can only login to your account when you have this device with you. I assume it never leaves your home
- You need to have a backup of the passwords from the Android device. Preferably more than one. How do you do it? Copy the password file to multiple SD cards?
- You need to type in the password by hand.
What’s a security token? You mean your phone or something else? It seems pretty drastic! And what if you get mugged or something? What if you’re going to the beach or the swimming pool?
Wow, you really seem to take security very seriously. I could not really ditch some proprietary software, like MS Office or some games or other apps. I guess in this case you should keep one PC just for the bank stuff, where some Linux is running, and then your normal PC where you can do what you want. BTW, which distro of Linux are you running then? Trisquel?
It’s a small potential risk, yes
The original KeePass was a Windows C# program. It has since been reimplemented numerous times, some versions even themselves got forked - like KeePassX and KeePassXC. It doesn’t really matter which fork you consider official. The important thing between all of them is just the common database format.
Exactly. It’s offline so it ain’t going to leak nothing to no one and as long as it can read/write the KeePass database in the format that other forks can read I don’t really care that much about the particular fork I’m using.
I carry it with me all the time in my backpack. I do have however backups of everything on it should it get lost or stolen to be able to restore everything on another device.
My permanently-offline Android phone
You don’t really have to do this. It’s amazing what virtualization software can do these days. You can pass through your whole GPU to the guest OS and you’ll have like 99% native performance. You just need a decent enough CPU with VT-d support, that’s all, modern high-end CPUs should all have it. But if you’re not gaming and don’t need 4K, even without the relatively complicated GPU passthrough, the stuff just works amazingly fast, it’s totally possible to work all from within virtual machines these days. I have one VM for porn, one for banking, one for cryptocurrencies, a couple for web surfing, I can pop a new one by cloning a template to test out a random software download or build whenever I want, takes just a few moments…
You have to trust someone in the end who packages and builds your software for you and I choose to trust the biggest player there is out there. It’s also gotten much more polished than it used to be in recent years, for me it’s even better than Ubuntu - recent Ubuntu releases crash way too much on my machine. It also works perfectly as a rolling release with Debian Testing, unlike Ubuntu which you have to reinstall every f’ing time
OK, that makes sense to me. But why do you carry that Android device all the time with you? You don’t think it’s safer at home, or do you want to have the possibility to use it whenever you want?
I’m wondering if your strategy is not a bit of an overkill. When you type in the password, the software on your PC could log your keyboard input. Even if everything is open source, it also has security holes that some malware could exploit. And even if everything is fully safe on your side, the bank/broker could do a shit job and not protect your password well enough. The whole chain is only as strong as the weakest link. You keep your password very safe, but it could get stolen while typing or directly from the server.
To have a possibility to log in from wherever I want. Also all my second factor authenticators are on it instead of my main phone and I need them regularly.
To protect against the risk of theft, I’m relying on Android’s full disk encryption, the lock screen and the KeePass manager itself asking for a password/PIN on access, and I also have backups of everything from the device.
Yes, that’s why I also enable second factor everywhere it’s possible
Well that’s been an interesting discussion. Thanks. Now I will try to fall asleep without getting paranoid
As a conclusion and food for thought, I have this comic:
The only advice I can give with regards to that is to keep a low profile. If no one knows you had any wealth to begin with, it’s hard to get wrenched for it
I also don’t plan on declaring my bitcoin holdings, partly for this reason too - no one needs to know about them, even the tax people
Oh, so you also hold bitcoin? Can you share your reasons behind investing in bitcoin? Do you hold other cryptocurrencies? Do you invest a large portion of your portfolio in crypto? How to buy and store bitcoin so that it’s safe? How would you interpret the current $4000 price, do you think it is still undervalued in the long term? And finally, any other significant investments than the stock market and crypto? Sorry for the series of questions, I’ve been battling with the idea of bitcoin for some time and still don’t know what to think about it.
Please keep this topic on topic, and shift to another thread when needed.
I guess this is more useful if you usually set market orders? I usually set limit orders a bit below the current price.
It looks kind of like a hybrid solution to me (internally it pretty much seems to be doing what you do but readjusting to market conditions).
I am not sure if it is better or worse.