I am not sure it works exactly like this. Financial organizations working with retail clients cannot reasonably expect / demand from them a high level of sophistication when it comes to online security. They may require basic things, like not sharing passwords, choosing strong passwords, but not much beyond that.
If I recall correctly, Dutch banks refunded some fraud victims who used fake links to log in. The reasoning was that the consumer could not verify whether the log-in page was legit. I don’t think it would work like this in 2024; you can always check the security certificate of the page where you fill in log-in data. But you cannot expect the consumer to be 100% sure that the computer is free from malware that logs keystrokes. There are also other hurdles: by default I cannot transfer more than EUR 5000 per day from my bank account; I doubt it is easy to transfer securities to other brokerages. And most important, to log in / transfer I have to use hardware 2FA.
IBKR does not give hardware 2FA to accounts of less than 500k/1000k; you cannot even buy it from them. Why? If a hacker manages to break into your account by means of a sophisticated attack, how would you deal with IBKR? Moreover, ACATS transfers are also possible.
It all sounds to me as if IBKR is not marketed for the retail buy-and-hold investor. It is very attractive cost-wise, mainly because I can buy VT there using options, to save 0,5% per year. But it makes me worry about security, and I am not sure it is worth that money.
Sure, we must take all reasonable steps to protect our accounts. But I don’t believe in security by obscurity as a way of protection (it may have some value though). In this case you’re still susceptible to a SIM swap attack.
Whatever you do, you’re still vulnerable to a SIM swap attack. A hacker can install the app and use SMS for verification. Of course it assumes a compromised password and a SIM swap.
Your questions go beyond my technical expertise. What I read somewhere else is that it is always possible to re-initiate the IB app (key?) with an SMS. The security is thus only as strong as SMS.
But then you may have another problem: your phone breaks down and you don’t have access to your account anymore. Maybe there is a way to decouple IB key from the phone, but again I am not that sophisticated with such technical details.
I don’t like the use of 2FA from IBKR. But use is not safety.
I was wondering what would happen if I forgot my PIN to restore the 2FA connection with the app, or how someone could gain access with my password and my phone. I uninstalled the app and tried to restore the connection. You have the option of re-establishing the existing connection or requesting the code again.
After a few unsuccessful attempts to re-establish the connection with an incorrect code, a selection suddenly appeared where you can choose between 2FA / SMS or QR. Like naman in his screenshot. I have never seen this before. Is there any way to activate this!? Maybe it was also a bug. It would then be possible to log in with the SMS.
Now I wanted to change the code and I think the system has blocked me because of the many attempts :D. I no longer receive any SMS. Then I contacted support and received a temporary code. During this time, 2FA and SMS verification are deactivated. Only the code exists. You have to wait for 24 hours. Something like that happens if you enter the wrong password too often.
Btw. to change the 2FA access, you need a password and the phone. You will then receive an SMS with the confirmation code. Easy.
I think this is the case with all 2FA? It’s absurd that someone can access all the data.
In this case you have to call IB and go through an identification process (the 3 questions + value + personal data questions). And you still have to know your password.
So, yes, you confirm then my initial point that the key security is not stronger than that of SMS.
Again, the point is not in how strong the security solution is, which is impossible to assess if you are not an expert. It is the explicit statement by IBKR that any hack of your account is at your cost.
True Wealth, for example, only allows withdrawals to an account in your name, which is really, really nice. WillBe has that as well for the cash account.
I believe, explicit or not, banks or brokers in general would not compensate if a client’s phone is hacked or they become the victim of a scam.
I know some countries are thinking of building some sort of system to compensate customers in case of fraud but it’s not yet official anywhere.
However, I think we should not assume that if some bank doesn’t say “you getting hacked is your own problem” that they would compensate us if we get hacked.
I recommend the following:
use a separate email for financial accounts like banking, brokerage etc.
if possible, use a different mobile number for brokerage / banking etc.
try to diversify your assets and not have everything at one broker or bank
Correct. Per the post above, if you get a new smartphone the transfer of IBKR MFA to the new phone is verified by SMS.
Link to explanatory article about SIM swap attack (I had never heard about it before):
“A SIM swap scam tricks your carrier into sending your texts and calls to a scammer — including password recovery and account verification codes.”
The difference with SQ is that it is not just a trading account. It is also a bank account. So in order to act like a normal bank account, it needs to allow transfers to third parties. SQ does have a physical 2FA. They send you a PDF which has a matrix with keys.
However the above info is about SQ web. I don’t know if SQ mobile needs the printed keys too or not.
I confirm that with SQ money can be transferred out to accounts in another person’s name.
To transfer SQ MFA from an old smartphone to a new smartphone, I needed to receive an SMS, and in addition either have the old smartphone present or the piece of paper with the keys on it.
I haven’t found more security than 2FA either. Actually weak.
IBKR should use 2FA for all outgoing transactions. Ideally also combined with SMS/mail/app. It should be possible to add a whitelist for bank accounts. Etc. That would be good.
Not specifically IBKR related, but as a comparison: I just had a pleasant call with someone at Saxo (2 minutes in the waiting line):
They confirm that they only pay out to an account in the account holder’s name: Withdrawal of funds | Saxo Bank
She openly said there are many clients who do not like this feature, but security is important to them. Therefore, there is an extra step if one has to transfer money to a third party. I really, really like that!
They will check internally, if I can transfer US ETFs to them and hold it. Buying US ETF is on their agenda. I specifically asked for VTI, TQQQ and IBIT.
The US ETFs will probably be held in the US itself; she will check that as well. Nice to know, but it does not change anything, since I 1) do not expect Saxo Bank Schweiz AG to go bust and 2) if someone hacks my account, it does not matter where the ETFs are stored.
The adjustments in the pricing are part of a sustainable strategy by Saxo Group; they adjusted the prices globally and will not change them again in the foreseeable future.