I’m taking advantage of having your expertise here. My concern wouldn’t be that I am targeted individually but that a major financial actor had an internal (human) failure that would put my assets as well as those of all their other clients into jeopardy. It’s probably not that easy to achieve but the payout would be huge.
How high would you rate the chance of that happening? I’m usually pretty pessimistic about the ability of people to have good security hygiene at their workplace (I’ve had colleagues plugging random USB drives into their computer) and of workplaces to actually know or care about doing it right but I haven’t dealt with the inner workings of major financial actors before so I may be too pessimistic on that front.
Not sure who you are talking to. As mentioned elsewhere on this forum, I am just a dog on the Internet – see my long-standing profile pic for proof! Woof! – who has learned how to press keys on my master’s keyboard. Chat-GPT takes care of polishing things up from my pressed keys so they’re finally ready to be posted here.
Good questions. I would agree with you that people in general have a record of having poor basic security hygiene at … the computer they use and they control.
For smaller companies, that includes the PC and laptops used at said company. Not really managed, typically some – also external, not really very skilled, 3rd party cheap’ish – IT service provider looks after things, more or less.
So, them being hacked is a chance. Not super high, as most actual financial asset transfers are still measured in days, but not non-zero.
For medium sized and especially larger corporations I would claim that you – as a client/customer – being hurt is basically zero, unless you’ve sold your e-banking laptop along with your credentials and smart-phone (2nd factor) to the same person.
If a major financial actor has an internal failure, IMO, they’d cover it up. I’ll also say that I don’t think it’s very likely to happen. Technically, it’s probably not all that difficult as an insider, but there’s a gazillion of checks if you try to siphon off those funds.
I am actually not aware of anyone who has pulled this off electronically. Seems it’s easier to do this physically …
As for the threats you mention explicitly: larger organizations control all devices on their network and none will allow random USB devices to be plugged in (smaller organizations are not on top of this yet, but even their anti-malware software running on most of their devices will prevent bad outcomes)
A peasant is playing chess with his donkey. A passerby stops, stunned, and says, “Wow! Your donkey must be a genius to play chess!”
The peasant shrugs and replies, “Genius? Nah, I beat him 3 games to 2.”
Yes, you see it correctly—this is exactly my perspective. I prefer to insure against low-probability, high-impact risks, as opposed to the common habit of insuring high-probability, low-impact ones. Brokerage, as a single point of failure, falls into the former category.
In my case, the “insurance premium” for this risk is too steep, so I’m mostly with IBKR. However, I keep an eye out for signs of trouble—perhaps naively.
IBKR can be complicated as there are multiple different set-ups you can have with them. For example, they have:
A sweep program which spreads your cash balance across multiple different banks so that you can get up to $2,500,000 of FDIC insurance in addition to the $250,000 SIPC coverage for total coverage of $2,750,000.
Has anyone experience with the Security Code Card from IBKR? At least in the US this is something they offer for clients with larger accounts. Not sure they offer it for Swiss clients too.
Ja, I have it, it works. Allows a phone-less login option, but I still mostly use the IBKR App / popup Key Authentication on my phone when logging in.
The way I understand it (from this thread), if hacked, another security device can be added without the SCC so it’s not really adding to the overall security.
Apologies, I’m a bit slow, if you are willing to share, do you think you could provide a little detail? What’s the SMS workaround? And what’s the story about the second device? How does that device relate to the traditional IB Key, do they coexist? Oh and what happens if someone requests a new DSC under your name?
I haven’t done anything about it as originally I presumed that the custody in customer’s name is a decisive advantage of Swiss brokers, and the discussion was limited to this aspect. Yeah, there are some runaway discussions that I will try to organize.
Best security in offline times was digital
Best security in digital times is going offline (physical codes, hand written passwords in diaries, signatures on investment orders by going to bank). Given the high volume of attempts to hack or phish, it’s very tough to keep up.
And not to scare anyone. But there have been incidents in US where people were stopped (forcefully) on streets to unlock their phones and financial apps. And at that point there isn’t much one can do. Whatever the level of security. Since most of our life and finances now live on phone, we are more or less walking with a pot of gold all the time
Apparently this is a thing in Latin America and people are used to maintaining two phones. One which is simply used outdoors and one which is only used indoors.
What I tell myself is that to do that the robbers would rack up multiple prison-worthy charges (they’d have to use violence, threats, kidnapping), and the plain fact is most of us are just not worth the trouble. Banks and brokers would probably, ultimately reverse any transfer anyway. Problems the Future of Finance doesn’t have to bother with.
A few weeks ago there was a discussion in this thread about omnibus vs. segregated accounts. Now I’ve read an article that the SEC has fined Robinhood for not keeping the lists secure.
One of the main things that a stock brokerage firm does is keep lists. (…) You have to keep a list of your clients’ money somewhere safe; you should not accidentally delete it, or let hackers steal it. (…) Robinhood failed to maintain copies of core operational databases in a manner that ensured legally required records were protected from deletion or modification
Observe that two of the lines are IBKR LLC and IBKR UK, so the list is not complete. I asked them for the list of counter parties where client assets may be held by IBKR LLC and IBKR UK, let’s see.
Could you please share their answer?
I asked them “Is it the case that IBKR will hold the US stocks I buy directly at the DTCC? Or will it a sub-custodian?” and they gave me a non answer (“IBLLC provides custody services”).
verbatim non answer, in case you find it more convincing
My question (typoed “DTC” as “DTCC”)
Is it the case that IBKR will hold the US stocks I buy directly at the DTC? Or will it a sub-custodian?
Their answer:
As an IB UK client, your assets are maintained at Interactive Brokers LLC (IBLLC). For US securities, IBLLC provides custody services with protection through SIPC up to $500,000 (with a cash sublimit of $250,000) and additional coverage through Lloyd’s of London for up to $30 million (with a cash sublimit of $900,000), subject to an aggregate limit of $150 million.
That some risk is unavoidable is correct. That it can only be mitigated by spreading between brokers is not.
Imagine “There are indeed some crypto exchange-related risks, but they are unavoidable. We can only mitigate them by spreading our assets between crypto exchanges.”
One can assess counterparty risk, legal risk etc… control their exposure and purchase additional guarantees. IBKR purports to carry a policy with “certain underwriters at Lloyd’s of London”, they are presumably not doing this in the spirit of a donation.
An American friend is using Robinhood, we talk about investment fairly often. I told him that if I were him I’d move everything to a serious asset manager. I specifically told him I was put off by the name alone. I mean, it’s called “Robinhood”, how serious could it be?
Now, a name like Stratton Oakmont just oozes confidence, whisky and cigars, Mayflower English Oak and Boston bedrock vibes.
Let’s try to give this discussion a new constructive push. What about securities custody by cantonal banks? Did anyone look at their conditions?
If you want extra safety, custody at TradeDirect by BCV is not that expensive. On the other hand, it was mentioned that custody by ZKB costs 0.3% per year for average Joes, which is too much. TrueWealth is using BLKB as one of their custodian banks.
By reading and participating in this forum, you confirm you have read and agree with the disclaimer presented on http://www.mustachianpost.com/