Security at Interactive Brokers

Receiving bank might not be checking names.

can this really be a thing?

Right. I actually asked the guy in this thread, but as he did not answer many questions, he didn’t answer this one either. But either way, it would be better to have a whitelist, in my opinion.

In principle it means that that bank can be taken to the court, as they did not do their due diligence.

Whitelist would be a strong security measure. However not without problems. Suppose your bank account changes, you’ll need a way to change it at IBKR too, and that presents a vulnerability. If you can do it, then a hacker can do it too.

ACATS transfers are also a thing requiring attention. ACATS are initiated by the receiving broker; if you cannot forbid it at IBKR, then it is a large vulnerability.

Another vulnerability that you cannot solve in this way is fraud with over-the-counter stocks. Apparently there is a way to siphon out your capital even without transferring funds.

Probably there are many other vulnerabilities of which I am not aware. The only ironclad security feature is when the financial institution (the broker) takes the responsibility for these risks.

I would have liked him/her to keep talking about how the MFA was bypassed.

Even more so if he / she has hacked the real Naman’s email account & LinkedIn account.

1 Like

Whilst IBKR may have a policy to only permit transfer out to accounts in your name, if they screw up I don’t assume there is much legal protection for customers in case MFA and password are bypassed.

If IBKR transfers funds to an account in another person's name, then they will have a problem. First, it goes against the KYC / money laundering policies. Second, you’d have a case against them: funds are transferred to another person's account, while they explicitly prohibit such activity. Anyway, in such a case you may be able to create a lot of bad publicity for them, if indeed you have proof.

Still, we disassemble the ways in which things can go bad, while the best solution is when they explicitly take these risks for their own account.

No.

Looking at the LinkedIn profile (500+ connections) and interactions with IBKR (ticket numbers) it seems more likely than not to me that someone has been hacked and also that the IBKR account was compromised.

It is also possible that (for example) the entire LinkedIn profile is fabricated and all the connections were accepted by those people without knowing the person ... but what is the motivation?

* phishy.

3 Likes

THIS!! ^^

and about the user and/or if the thing really happened given this thread, I really hardly believe it :stuck_out_tongue:

especially I doubt that any scammer managed to withdraw funds to an account NOT in the name of the owner ... there is simply ZERO proof that something like that happened


I’ve sent money to Swiss IBAN accounts and European SEPA accounts when I didn’t know the account holder’s proper name (think marriage gift collection, donations, or simply mistakes on my part). They went through. Some recipient banks will simply credit based on account number.

1 Like

Are you sure? I thought it works like this:

KYC and anti money laundering restrictions exist, but KYC applies to the bank holding the account for their customer and money laundering stuff won’t kick in for smaller amounts.

I.e. the bank receiving the funds transferred out from IBKR needs to know their customer, not IBKR (and in some countries, even Switzerland, KYC is sometimes stretched). Further, if you transfer out a couple ten thousand USD, nobody will check in with you.

Do I have that wrong and IBKR has more stringent terms and conditions?

Do you mean that you transferred money from your IBKR account to accounts not in your name?

Where I live transactions > 10kEuro must be reported. IBKR should be no different. Honestly I am not sure how anti laundering procedures are implemented, but I can imagine that large transactions to unknown bank accounts should raise some red flags. Theoretically.

1 Like

I think he meant he sent money from his personal bank account to another bank without specifying destinator name but only IBAN


Another thing would be when IBKR sends funds to an IBAN either without specifying the account holder or, as I originally wanted to say, the recipient bank accepts the payment even if the destination name is not matching (which I think could definitely be a winning case in any court, no?)

Not from IBKR, but from personal Swiss bank accounts, UBS and neon.

Obviously, the sender bank had no way to check the destination holder’s name, or even ensure the destination bank will check it before accepting.

Try it, send CHF 50 to your spouse or a friend and completely mess up the destination name. Maybe there are thresholds involved.

1 Like

It should work without problem like this at a bank. One must specify the IBAN; the account holder name is optional. My bank says in this case that they cannot verify the account holder’s name and warns me, but still allows the transaction to go through.

As I see it, IBKR must not send money to accounts that it does not know. By this I mean that they would only transfer money to the IBANs from which they have received money. With incoming transfer they get IBAN data and name of the sender.

That is definitely not what IBKR is currently doing. I sent money to them only from UBS, but was able to add neon for withdrawal and it worked (with proper name, though).

I think the rule ‘you can only send to yourself’ is a rule for you, the customer, to follow. If you violate it, you broke their rule and are subject to account termination. It’s not a guarantee they make about themselves, to you.

1 Like

Too many if and when.
Why is there no clear statement as for Saxo:

1 Like

Well ... yeah, here’s how it works in practice:

  • the regulator says what the high level rules are for the participants (e.g. a bank) in that financial market (usually not spelling out specific limit amounts or what internal procedure the bank needs to apply)
  • the banks interpret those regulator rules and put together internal guidelines that the staff needs to adhere to
  • the bank itself chooses an auditor that the bank pays to do regular audits, as mandated by the regulator*
  • the auditor ... well, audits, which is basically verifying what the bank stated as their procedures was actually implemented and adhered to by the bank (and that the procedures support the high level rules by the auditor). Insert lots of handwaving here as well as spot checks, but not the auditor going through every activity by the bank and making sure it’s legit
  • the auditor provides a preliminary report to the bank
  • if the report is fine, the preliminary report becomes the final report and is provided to the regulator. If the report contains minor issues (definition required for “minor”), the bank fixes these and a final “clean” report is produced and provided to the regulator

You see, lots of room for interpretation at all levels ... and even with this level of leeway big banks regularly get fined for having breached the rules, including large banks like Julius Baer, etc. Slap on the wrist, possibly change of management, and life goes on. :wink:


* In case it’s not already obvious: the auditor has an incentive to produce a report that the bank likes while of course balancing this with making sure not to be blatantly turning a blind eye on the bank to ensure they continue to exist as an auditor recognized by the regulator.
Fun fact: Wirecard was audited by Big Four accounting firm EY 


4 Likes

That’s very insecure if it indeed works like this. A potential hacker can transfer funds to any bank account then.

1 Like