Security at Interactive Brokers

I have seen this post on LinkedIn, which made me a bit worried.
What are the securities which can be activated (or you are using) to secure your IBKR account and limit unauthorized transfer?

1 Like

What was mentioned in the comments? I thought withdrawals are only possible to accounts in own name?

Link to the LinkedIn Post including fairly swift answers from IBKR’s LinkedIn company account.

I haven’t heard of an IBKR breach (which doesn’t mean much, of course, though I watch the security space and companies getting hacked pretty closely).

My personal experience of transferring funds and securities from my IBKR account even to my son’s also IBKR account required him and me authenticating to IBKR via passport, signed forms, a multi-week review by their backend team, etc. (all of this additionally just to authenticate and authorize the transaction after both IBKR accounts had already been set up by each of us with the usual procedure of identifying via passport copies, etc.).

2 Likes

Waiting to see the reply on this from IBKR but I’m spooked and questioning if / when I need to get my assets out of IBKR. If something like this happens I want my bank on the phone daily and not have to send tickets into an echo chamber.

EDIT: I just changed my password, not sure whether it will help or not

1 Like

I could not find any information online about a supposed leak on November 22, 2023.

If something like that had happened, shouldn’t there have been more than a single complaint?

Here are some tips on how you can secure your account on IB: How We Protect Your Account - Strength and Security | Interactive Brokers LLC

If your net worth is >$1M, then you can even request a physical security card, didn’t know that… Secure Login with the Digital Security Card+

4 Likes

This is serious. I am wondering how it is possible to transfer funds to another bank account when MFA was activated.

I see the following possibility.

  1. Account hacked
  2. Money transferred to IBKR from fake bank account (hacker’s account) which was created in name of person whose account was hacked
  3. Stocks sold
  4. Money transferred to the hackers account (#2)

This would need a quick, large scam. But I believe it is technically possible.

I am not sure how IBKR checks whether the account used for money transferred into IB is indeed an account of the user.

1 Like

Wouldn’t one get a notification on the mobile app when there is a correct login with your username and password? I always have to confirm the login attempt in the app. How can a hacker fake this 2nd authentication?

Yeah this is something I don’t understand. This is only possible if IBKR was compromised and hackers were able to bypass their security process and hence also MFA.

I was more thinking about what happens after the account was hacked in terms of money transfer. Since they only transfer to your own bank account, one needs to engineer that part as well.

I get emails when I transfer money (in or out). But I suppose once hacked in, the email can be changed.

Also cash settlement should take 2-3 days when you sell securities but it could be picked up only if you receive app or email alerts.
Diversifying brokers could lower the risk of losing lifetime savings.

1 Like

Applying Occam’s razor I would suggest a simpler explanation: the person got phished (including MFA) and that this is how the transfer was initiated. Even simpler: the claim is made up.

Couple of other things that don’t make sense to me:

  • person claims multiple “user accounts” including his were compromised: how does he know of the other accounts that were supposedly compromised?
  • why wait 100 days to follow up (as he claims the incident took place in November 2023)
    a) via an IBKR ticket (the one referenced in the screenshot seems to be dated March 4 2024)
    b) via LinkedIn a couple of days later (why not pick up the phone with IBKR?)

Anyhow, we can only speculate, but I’m not holding my breath that this is an IBKR compromise.

9 Likes

That was my first thought. Phished or scammed. Probably sent the MFA codes or had his MFA device hacked.

Probably worthwhile to consider whether you want your day to day phone as MFA to your IBKR account…

On the other hand, you get informed immediately, when there is a login attempt, when you have it on your main phone.

Well you can always carry both phones…

  • Safe passwords, managed in an offline password manager
  • Physical security device for main accounts
  • IBKR app for MFA on other accounts, but no live access or passwords stored on phone
  • Separation of trading access and access to withdraw funds
  • I get an email when there’s a withdrawal request from the accounts
  • and of course the general common sense when downloading files or opening mails

Errors and phishing could always happen.

What worries me is the apparent lack of urgency. My own experience with IB customer service is that my questions have been left answered on more than one occasion

Watching to see if the LinkedIn post is updated tomorrow.

He asks for an update in Dec which implies he followed up before then. I suspect the amount may not be large. Regardless I would expect my bank to update me on such a Q as a priority.

1 Like

How do you implement this on IBKR?

1 Like

Advisor accounts cannot access withdrawal for clients.
For clients, you can set the trading permissions.

It’s not mostly a security feature, but the nature of this account setup

In an Individual Account (and probably everywhere else) you can add users and give them roles with granular permissions.

Would you or any security experts have advice for the forum how to secure our IBKR accounts?

I access my account via the IBKR iPhone App or the web interface. I have 2 Factor Authorization (password and phone). I have fingerprint ID enabled on my phone. I also have a level 3 card saved in a safe location.

I wonder how safe the fingerprint ID is.

Digital Security Card+ is referenced above but from an internet search I am not sure that it provides additional security.

p.s. still no response from IBKR to the LinkedIn post…