Thank you for investing your time in such a complete response
I made 2 experiments:
If I only swipe to close the iPhone IBKR app (don't log out), anyone with my iPhone PIN can open the app and see my balances. No IBKR password or MFA is needed.
IBKR Password is needed if I want to make a withdrawal
If I log out of the app, IBKR password is needed to log back in and see balances. No MFA required
Personal action is to change my iPhone PIN and move music streaming to the spare phone (my kids got my PIN by streaming music in the car…)
Swipe to close does not log me out of the IBKR app. If I do not properly go to "menu -> log out" then the only authentication needed is to unlock the phone.
Other banking apps log me out when I swipe to close.
I have been letting my kids use my unlocked phone to stream music in the car whilst I am driving. Because the phone locks after x minutes I had typed my PIN in front of them so many times that they learned my PIN
At least for the current mobile app, if you have auto-reconnect enabled you don't need to re-authenticate on device with biometrics (FaceID/fingerprint) for 45 mins. So like stated, PIN to open device and you are in. I turned it off for that reason. See full text in their FAQ https://www.interactivebrokers.co.uk/en/general/contact/ibot-container.php, search for auto-reconnect.
As always security is how painful you accept it for yourself. The basics are given - use some email alias and unique password so a breach somewhere doesn't hurt. The card is a good option and with an ETF accumulating portfolio and recurring transfer + invests, there is little reason to make access "easy". Separate logons with different rights, such as withdraw rights with a special access and IP limit is an option, too. Definitely most attacks are through social engineering, malware and re-use of already breached information so cover that angle before technical barriers. At some point in future with a higher worth I might consider a dedicated invest station - the USB stick environment or a VM running on a hyperscaler with very strong access rights is a good option and accessible when traveling, too, if tech savvy.
I wish they had better support for HW authentication devices, the IB Key app on phone could also be better - currently it just pops up "authorize" without any info (which IP, which app/browser/interface, location etc.) like one is accustomed to by Google or AAD and similar identity solutions. Hopefully one day.
I was just reading today about a spate of "robberies". Men were targeted at a bar having their drinks spiked. Then they were taken away in a car and their accounts emptied. They suspected using face unlock to access the phone and then transfer out using Venmo and other tools.
I did some tests.
First I tried to disable the auto-reconnect:
IBKR: can be disabled from the Configuration menu
IBKR Global Trader: can't find it
I thought that disabling it from IBKR would disable it at account level, but it's not the case: with IBKR Global Trader the auto-reconnect is still working…
Not good, I don't know if you guys have a workaround to disable it everywhere
Indeed, both fingerprint and FaceID can be given without your consciousness. Similarly if pressed by authorities for any reason, you can't deny access with biometrics. Forgetting a passphrase on the other hand is possible. When it comes to security, the annoying long passphrase and entering it to unlock the phone is safest.
Yeah, I believe it's a per-app setting and not (sub)account level. On the phone app when deactivated, it prompts me for logon with ID+PW and FaceID as FA after every app closure. On the web app, I think the timeout is 5 or 15 mins, after which it logs you out and asks for ID/PW again. Don't use TWS or Global Trader myself but I guess it's somewhere hidden, too. Integration with TradingView uses settings for timeout within TV and until you delink IB there is no need to re-logon/authorize.
As I usually only lurk around here, this time I wanted to add my 2 cents as well…
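As an added illustration (not IBKR's code, and not from anyone in this thread), here is a small Python model of the session behaviour the posts above describe: swipe-to-close keeps the session alive, auto-reconnect lets the app reopen within a 45-minute window with nothing but the device unlock, and only an explicit log-out or a disabled auto-reconnect forces the ID/password plus MFA prompt again, while a withdrawal always asks for the password. The 45-minute window and the withdrawal behaviour are taken from the thread; the class and method names and the timeline in `walk_through` are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# The 45-minute auto-reconnect window quoted in the thread.
GRACE_SECONDS = 45 * 60


@dataclass
class Session:
    authenticated_at: float
    backgrounded_at: Optional[float] = None   # set by swipe-to-close


class AppSessionPolicy:
    """Hypothetical model of a mobile broker app session (assumed names)."""

    def __init__(self, auto_reconnect: bool):
        self.auto_reconnect = auto_reconnect
        self.session: Optional[Session] = None

    def login(self, now: float, password_ok: bool, mfa_ok: bool) -> bool:
        """Full login: ID/password plus MFA, as after an explicit log-out."""
        if not (password_ok and mfa_ok):
            return False
        self.session = Session(authenticated_at=now)
        return True

    def close_app(self, now: float) -> None:
        """Swipe-to-close: the session survives, it is only backgrounded."""
        if self.session is not None:
            self.session.backgrounded_at = now

    def logout(self) -> None:
        """Explicit menu -> log out: the session is destroyed."""
        self.session = None

    def reopen(self, now: float, device_unlocked: bool) -> str:
        """What the app demands when reopened: 'none', 'device_locked' or 'full_login'."""
        if self.session is None:
            return "full_login"
        if not self.auto_reconnect:
            # Auto-reconnect off: every app closure costs a full login.
            self.session = None
            return "full_login"
        if not device_unlocked:
            return "device_locked"
        bg = self.session.backgrounded_at
        since_close = 0.0 if bg is None else now - bg
        if since_close <= GRACE_SECONDS:
            # Inside the window: device PIN alone reveals balances.
            self.session.backgrounded_at = None
            return "none"
        self.session = None
        return "full_login"

    def withdraw(self, password_ok: bool) -> str:
        """Withdrawals always need the account password, even inside a session."""
        if self.session is None:
            return "denied"
        return "allowed" if password_ok else "password_required"


def walk_through(auto_reconnect: bool) -> List[str]:
    """Constructed timeline: login, swipe-close, reopen after 10 min, then after 50 min."""
    app = AppSessionPolicy(auto_reconnect)
    app.login(now=0, password_ok=True, mfa_ok=True)
    app.close_app(now=60)
    first = app.reopen(now=60 + 10 * 60, device_unlocked=True)
    app.close_app(now=60 + 10 * 60)
    second = app.reopen(now=60 + 10 * 60 + 50 * 60, device_unlocked=True)
    return [first, second]
```

With auto-reconnect on, the first reopen inside the window asks for nothing beyond the device unlock and only the second one (past 45 minutes) asks for a full login; with it off, both reopens require ID/password and MFA, which is the trade-off the posts above are weighing.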
Operating systems and HW devices are very important decisions and can radically improve your general security profile, and not only for accessing IBKR.
So why not consider, if speaking about mobile phones, a GrapheneOS based device (Pixel 6+)?
You could use it as a dedicated device for secure things (Finance/Private communication).
But more realistically, if it has to be a unique device you do everything with and bring always with you, it has one of the best features I've ever seen on a mobile device: the possibility to create multiple accounts with completely separate logins and segregated memory space!
This means you could have a login/profile for finance and a separate one (or multiple ones) for your daily business and social media. It's basically like having multiple virtual mobile phones within one HW device, so still separated… also the browser that comes with GrapheneOS, Vanadium, is really really cool from a security point of view. Anyways, if you want to know more about the nitty gritty details, you find a lot of info searching for it.
If instead you are talking about a PC or laptop: what about using immutable operating systems on it? (or I agree also with the similar mentioned topic of using USB stick)
In conclusion, I don't want to foster useless paranoia, but in general if some useful tech like the mentioned above would be more demanded and used (aka widespread), I think this would benefit everyone in return then…
How do you know this, is there a source you can provide?
That's an important question. Withdrawal to a third party is normally not possible. Did IBKR approve withdrawal to a third party without your consent? Or was the attacker able to withdraw using your name to a bank that didn't verify the name?
Opening a bank account using a stolen identity might be possible but I wouldn't expect that to be easy, so this seems unlikely for a few thousand dollars. Unless Llyod has a critical weakness that makes it easy to create bank accounts without identity checks, or there are accounts where the name is not verified for incoming transfers.
For the IBKR part, my guess would be some form of phishing. Accidentally logged into a fake version of the IBKR client portal e.g. via a link in a fake email. An alternative is that the laptop was infected by malware.
The combination of a bank account opened with stolen identity and phishing email or malware would require an elaborate targeted attack, which doesn't make sense in this case. If fake Llyod accounts can quickly be opened, I suppose they could have opened that account after the successful phishing/malware attack, so it wouldn't have to be targeted.
The above is pure speculation, of course, but we don't have more information. If it was indeed phishing or malware (and not e.g. IBKR servers being hacked) and the withdrawal was sent to an account with the right name, IBKR would indeed not be responsible as I see it. That said, they could provide options to tighten security, e.g., add extra steps for adding a new withdrawal account (could be verification code via email [which must not be a new address] in addition to regular 2FA).
Sorry this happened to you. But for me there are still a lot of open questions. It seems that IB has similar security measures like a Swiss bank. I don't see much difference to ZKB for example.
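One way to build the tightening suggested in the post above, as an added example rather than anything IBKR offers or anyone in this thread wrote: a step-up flow in which adding a payout account needs a one-time code sent to the email address already on file (refused outright if that address was changed recently, and invalidated if it changes while the request is open) plus a regular TOTP code. The 7-day minimum address age, the 10-minute code lifetime, the class and method names and the constructed account in `demo` are assumptions; the `totp` function is a standard RFC 6238 implementation.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values (not IBKR's): the address receiving the code must have
# been on file for at least 7 days, and the code is valid for 10 minutes.
EMAIL_MIN_AGE_SECONDS = 7 * 24 * 3600
CODE_TTL_SECONDS = 10 * 60


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); stands in for the 'regular 2FA' factor."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    email: str
    email_set_at: int              # when the current address was put on file
    totp_secret: bytes
    withdrawal_accounts: List[str] = field(default_factory=list)
    pending: Dict[str, dict] = field(default_factory=dict)   # open requests


class WithdrawalDestinationService:
    """Hypothetical step-up flow for adding a new payout account (assumed names)."""

    def __init__(self, send_email: Callable[[str, str], None]):
        self.send_email = send_email

    def request_add(self, acct: Account, iban: str, now: int) -> Tuple[Optional[str], str]:
        # A freshly changed address must not be able to approve a new destination:
        # an intruder who swapped the email first would otherwise pass this step.
        if now - acct.email_set_at < EMAIL_MIN_AGE_SECONDS:
            return None, "email_too_new"
        code = f"{secrets.randbelow(10 ** 8):08d}"
        request_id = secrets.token_hex(8)
        acct.pending[request_id] = {
            "iban": iban, "code": code,
            "expires": now + CODE_TTL_SECONDS, "email": acct.email,
        }
        self.send_email(acct.email, f"Confirmation code {code} to add payout account {iban}")
        return request_id, "code_sent"

    def confirm_add(self, acct: Account, request_id: str, email_code: str,
                    totp_code: str, now: int) -> str:
        p = acct.pending.get(request_id)
        if p is None:
            return "unknown_request"
        if now > p["expires"] or p["email"] != acct.email:
            # Code expired, or the address was changed while the request was open.
            acct.pending.pop(request_id)
            return "expired"
        if not hmac.compare_digest(p["code"], email_code):
            return "bad_email_code"
        if not hmac.compare_digest(totp(acct.totp_secret, now), totp_code):
            return "bad_totp"
        acct.pending.pop(request_id)
        acct.withdrawal_accounts.append(p["iban"])
        return "added"


def demo() -> str:
    """Constructed walk-through: the legitimate owner adds a payout account."""
    outbox: List[str] = []
    svc = WithdrawalDestinationService(lambda addr, msg: outbox.append(msg))
    secret = b"constructed-demo-secret"          # constructed, not a real seed
    now = 30 * 24 * 3600                         # address on file for 30 days
    acct = Account(email="owner@example.com", email_set_at=0, totp_secret=secret)
    request_id, _ = svc.request_add(acct, "CH00-EXAMPLE-IBAN", now)
    code = outbox[-1].split()[2]                 # the code the owner reads from the mail
    return svc.confirm_add(acct, request_id, code, totp(secret, now), now)
```

Both checks are compared with `hmac.compare_digest` so that a wrong code does not leak timing information, and the email code is bound to the address that was current when the request was created, which is what makes "must not be a new address" enforceable rather than a matter of trust.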
Furthermore, if they really hacked IB, the damage would have been huge. So I guess they hacked your account (and as you say some few others).
So my questions:
Did you use the app IBKR Mobile for 2-FA? How was this hijacked? Do you have an idea? Did they intercept it? Did they have physical or digital access to your phone?
How did the hackers find out your login credentials?
How did they manage to set up a bank account in your name to transfer the funds out of IB? Or did IB allow it to some other account holder?
Were they able to trade? Did they sell your securities before transferring the money out? Did you not get an email when this happened? If not, did they change the email address? If so, did you not get an email when they did?
By reading and participating in this forum you confirm that you have read and agree to the disclaimer presented at http://www.mustachianpost.com/de/.