the first company who did this in ch back in 2018
I like and respect your views and responses, too.
I tend to look at security threats from an attacker’s perspective – decades of déformation professionnelle at work here – or at best how the service provider can protect against such attacks. Only once did I really have to suffer through a victim’s response (for a corporation).
But you look at things from a potential individual victim’s perspective, totally valid, and a fresh alternative to my own well trodden paths.
I still rate the chances of you or me getting hacked as low, but I recognize that your own personal perspective is different if you’re an affected victim who should have had only a 0.1% chance of being a victim.
<Literature and philosophical excursion>
In fact, I feel reminded of one of my favorite formative books from back in the day: Homo Faber by Max Frisch. I won’t spoil the plot – though nobody’s going to read it because of this post – but my personal take-away at the time (being a total math and physics geek, still am) was that there indeed are probabilities, and they’re true, but if you as a sample and individual fall outside of those, life can suck.
</Literature and philosophical excursion>
Anyhow, let’s both hope we don’t fall victim to any of these schemes. I feel that regardless of whether you’re with IBKR – you need to prove you didn’t do anything wrong – or your nice Dutch bank – they need to prove you did something wrong (?) – you’ll be facing fun exchanges with those companies’ lawyers …
I’m taking advantage of having your expertise here. My concern wouldn’t be that I am targeted individually but that a major financial actor had an internal (human) failure that would put my assets as well as those of all their other clients into jeopardy. It’s probably not that easy to achieve but the payout would be huge.
How high would you rate the chance of that happening? I’m usually pretty pessimistic about the ability of people to have good security hygiene at their workplace (I’ve had colleagues plugging random USB drives into their computer) and of workplaces to actually know or care about doing it right but I haven’t dealt with the inner workings of major financial actors before so I may be too pessimistic on that front.
Not sure who you are talking to. As mentioned elsewhere on this forum, I am just a dog on the Internet – see my long-standing profile pic for proof! Woof! – who has learned how to press keys on my master’s keyboard. ChatGPT takes care of polishing things up from my pressed keys so they’re finally ready to be posted here.
Good questions. I would agree with you that people in general have a record of having poor basic security hygiene at … the computer they use and they control.
For smaller companies, that includes the PCs and laptops used at said company. Not really managed; typically some – also external, not really very skilled, cheapish 3rd-party – IT service provider looks after things, more or less.
So, there is a chance of them being hacked. Not super high, as most actual financial asset transfers are still measured in days, but not non-zero.
For medium-sized and especially larger corporations I would claim that the chance of you – as a client/customer – being hurt is basically zero, unless you’ve sold your e-banking laptop along with your credentials and smartphone (2nd factor) to the same person.
If a major financial actor has an internal failure, IMO, they’d cover it up. I’ll also say that I don’t think it’s very likely to happen. Technically, it’s probably not all that difficult as an insider, but there are a gazillion checks if you try to siphon off those funds.
I am actually not aware of anyone who has pulled this off electronically. Seems it’s easier to do this physically …
As for the threats you mention explicitly: larger organizations control all devices on their network and none will allow random USB devices to be plugged in (smaller organizations are not on top of this yet, but even their anti-malware software running on most of their devices will prevent bad outcomes).
A peasant is playing chess with his donkey. A passerby stops, stunned, and says, “Wow! Your donkey must be a genius to play chess!”
The peasant shrugs and replies, “Genius? Nah, I beat him 3 games to 2.”
Yes, you see it correctly—this is exactly my perspective. I prefer to insure against low-probability, high-impact risks, as opposed to the common habit of insuring high-probability, low-impact ones. Brokerage, as a single point of failure, falls into the former category.
In my case, the “insurance premium” for this risk is too steep, so I’m mostly with IBKR. However, I keep an eye out for signs of trouble—perhaps naively.
IBKR can be complicated as there are multiple different set-ups you can have with them. For example, they have:
A sweep program which spreads your cash balance across multiple different banks so that you can get up to $2,500,000 of FDIC insurance in addition to the $250,000 SIPC coverage for total coverage of $2,750,000.
OK. So we have our inside man. I have a friend who owns a private plane.
puts on Italian Job soundtrack
Let’s do this.
Does anyone have experience with the Security Code Card from IBKR? At least in the US this is something they offer for clients with larger accounts. Not sure they offer it for Swiss clients too.
IBKR offers the Digital Security Card+ in Switzerland as well, yes. With equity of $1MM+ in your account, you can request it for free.
https://www.ibkrguides.com/adminportal/sls/secure-login-with-dsc+.htm
Yes, I have it, it works. It allows a phone-less login option, but I still mostly use the IBKR App / popup Key Authentication on my phone when logging in.
The way I understand it (from this thread), if hacked, another security device can be added without the SCC so it’s not really adding to the overall security.
That’s a pity and would obviously defeat the purpose.
In Security Hardening - #27 @oslasho claimed that it does increase security:
They since deleted the post but hopefully not because it’s false.
Apologies, I’m a bit slow; if you are willing to share, do you think you could provide a little detail? What’s the SMS workaround? And what’s the story about the second device? How does that device relate to the traditional IB Key, do they coexist? Oh, and what happens if someone requests a new DSC under your name?
I haven’t done anything about it, as originally I presumed that custody in the customer’s name is a decisive advantage of Swiss brokers, and the discussion was limited to this aspect. Yeah, there are some runaway discussions that I will try to organize.
Best security in offline times was digital
Best security in digital times is going offline (physical codes, hand-written passwords in diaries, signatures on investment orders by going to the bank). Given the high volume of attempts to hack or phish, it’s very tough to keep up.
Not to scare anyone, but there have been incidents in the US where people were stopped (forcefully) on the street to unlock their phones and financial apps. At that point there isn’t much one can do, whatever the level of security. Since most of our lives and finances now live on our phones, we are more or less walking around with a pot of gold all the time.
Apparently this is a thing in Latin America and people are used to maintaining two phones: one which is simply used outdoors and one which is only used indoors.
I think it’s been quoted on this forum before, but since this fits your description so well:
(Source)
What I tell myself is that to do that the robbers would rack up multiple prison-worthy charges (they’d have to use violence, threats, kidnapping), and the plain fact is most of us are just not worth the trouble. Banks and brokers would probably, ultimately reverse any transfer anyway. Problems the Future of Finance doesn’t have to bother with.
A few weeks ago there was a discussion in this thread about omnibus vs. segregated accounts. Now I’ve read an article that the SEC has fined Robinhood for not keeping the lists secure.
One of the main things that a stock brokerage firm does is keep lists. (…) You have to keep a list of your clients’ money somewhere safe; you should not accidentally delete it, or let hackers steal it. (…) Robinhood failed to maintain copies of core operational databases in a manner that ensured legally required records were protected from deletion or modification
Source: https://newsletterhunt.com/emails/142422 (scroll down to “Oh Robinhood”)
In other words, the backup concept was crap.
I hope that FINMA also monitors this for Swiss brokers.
Observe that two of the lines are IBKR LLC and IBKR UK, so the list is not complete. I asked them for the list of counterparties where client assets may be held by IBKR LLC and IBKR UK; let’s see.
Could you please share their answer?
I asked them “Is it the case that IBKR will hold the US stocks I buy directly at the DTCC? Or will it be a sub-custodian?” and they gave me a non-answer (“IBLLC provides custody services”).
Verbatim non-answer, in case you find it more convincing:
My question (typoed “DTC” as “DTCC”)
Is it the case that IBKR will hold the US stocks I buy directly at the DTC? Or will it a sub-custodian?
Their answer:
As an IB UK client, your assets are maintained at Interactive Brokers LLC (IBLLC). For US securities, IBLLC provides custody services with protection through SIPC up to $500,000 (with a cash sublimit of $250,000) and additional coverage through Lloyd’s of London for up to $30 million (with a cash sublimit of $900,000), subject to an aggregate limit of $150 million.
That some risk is unavoidable is correct. That it can only be mitigated by spreading between brokers is not.
Imagine “There are indeed some crypto exchange-related risks, but they are unavoidable. We can only mitigate them by spreading our assets between crypto exchanges.”
One can assess counterparty risk, legal risk etc., control their exposure and purchase additional guarantees. IBKR purports to carry a policy with “certain underwriters at Lloyd’s of London”; they are presumably not doing this in the spirit of a donation.