I would like:
- Login e-mail alert
- No SMS reset possibility for 2FA, better a reset code (to print out)
- Whitelist for accounts for transfers. Changes need to be confirmed with e-mail.
I would like:
I think the whole thread here is unclear about one single important point: the fact that withdrawal is only possible towards accounts in your name, right?
The above request is basically to be able to hardcode also a list of IBANs to make this even more secure.
But again, the real fishy thing of this thread is how could it technically be that someone was able to withdraw money from IB to an account that is NOT in your name? Or are we saying the scammers managed to open a bank account in name of the scammed person while still being in control of it without problems? I would expect this close to impossible… maybe what happened is simply that scammers get control of both IB account AND your normal bank account, withdrawing the money from that one then… which is well… a rather big fraud while sadly realistic…
Receiving bank might not be checking names.
can this really be a thing?
Right. I actually asked the guy in this thread, but as he did not answer many questions, he didn't answer this one either. But either way, it would be better to have a whitelist, in my opinion.
In principle it means that that bank can be taken to the court, as they did not do their due diligence.
Whitelist would be a strong security measure. However not without problems. Suppose your bank account changes, you'll need a way to change it at IBKR too, and that presents a vulnerability. If you can do it, then a hacker can do it too.
ACATS transfers are also a thing requiring attention. ACATS are initiated by the receiving broker, if you cannot forbid it at IBKR, then it is a large vulnerability.
Another vulnerability that you cannot solve in this way is fraud with over-the-counter stocks. Apparently there is a way to siphon out your capital even without transferring funds.
Probably there are many other vulnerabilities of which I am not aware. The only ironclad security feature is when the financial institution (the broker) takes the responsibility for these risks.
I would have liked him/her to keep talking about how the MFA was bypassed.
Even more so if he / she has hacked the real Naman's email account & LinkedIn account.
Whilst IBKR may have a policy to only permit transfer out to accounts in your name, if they screw up I don't assume there is much legal protection for customers in case MFA and password are bypassed.
If IBKR transfers funds to an account in another person's name, then they will have a problem. First, it goes against the KYC / money laundering policies. Second, you'd have a case against them: funds are transferred to another person's account, while they explicitly prohibit such activity. Anyway, in such a case you may be able to create a lot of bad publicity for them, if indeed you have proof.
Still, we disassemble the ways in which things can go bad, while the best solution is when they explicitly take these risks for their own account.
No.
Looking at the LinkedIn profile (500+ connections) and interactions with IBKR (ticket numbers) it seems more likely than not to me that someone has been hacked and also that the IBKR account was compromised.
It is also possible that (for example) the entire LinkedIn profile is fabricated and all the connections were accepted by those people without knowing the person… but what is the motivation?
* … phishy.
THIS!! ^^
and about the user and/or if the thing really happened given this thread, I really hardly believe it…
especially I doubt that any scammer managed to withdraw funds to an account NOT in the name of the owner… there are simply ZERO proofs of something like that happened…
I've sent money to Swiss IBAN accounts and European SEPA accounts when I didn't know the account holder's proper name (think marriage gift collection, donations, or simply mistakes on my part). They went through. Some recipient banks will simply credit based on account number.
Are you sure? I thought it works like this:
KYC and anti money laundering restrictions exist, but KYC applies to the bank holding the account for their customer and money laundering stuff won't kick in for smaller amounts.
I.e. the bank receiving the funds transferred out from IBKR needs to know their customer, not IBKR (and in some countries, even Switzerland, KYC is sometimes stretched …). Further, if you transfer out a couple ten thousand USD, nobody will check in with you.
Do I have that wrong and IBKR has more stringent terms and conditions?
Do you mean that you transferred money from your IBKR account to accounts not in your name?
Where I live transactions > 10kEuro must be reported. IBKR should be no different. Honestly I am not sure how anti laundering procedures are implemented, but I can imagine that large transactions to unknown bank accounts should raise some red flags. Theoretically.
I think he meant he sent money from his personal bank account to other bank without specifying destinator name but only IBAN…
Another thing would be when IBKR sends funds to an IBAN either without specifying the account holder or, as I originally wanted to say, the recipient bank accepts the payment even if the destination name is not matching (which I think could definitely be a winning case in any court, no?)
Do you mean that you transferred money from your IBKR account to accounts not in your name?
Not from IBKR, but from personal Swiss bank accounts, UBS and neon.
Obviously, the sender bank had no way to check the destination holder's name, or even ensure the destination bank will check it before accepting.
Try it, send CHF 50 to your spouse or a friend and completely mess up the destination name. Maybe there are thresholds involved.
I think he meant he sent money from his personal bank account to other bank without specifying destinator name but only IBAN…
It should work without problem like this at a bank. One must specify IBAN, account holder name is optional. My bank says in this case that they cannot verify account holder's name, warn me, but still allow transaction to go.
Another thing would be when IBKR sends funds to an IBAN either without specifying the account holder or, as I originally wanted to say, the recipient bank accepts the payment even if the destination name is not matching (which I think could definitely be a winning case in any court, no?)
As I see it, IBKR must not send money to accounts that it does not know. By this I mean that they would only transfer money to the IBANs from which they have received money. With incoming transfer they get IBAN data and name of the sender.
As I see it, IBKR must not send money to accounts that it does not know. By this I mean that they would only transfer money to the IBANs from which they have received money. With incoming transfer they get IBAN data and name of the sender.
That is definitely not what IBKR is currently doing. I sent money to them only from UBS, but was able to add neon for withdrawal and it worked (with proper name, though).
I think the rule "you can only send to yourself" is a rule for you, the customer, to follow. If you violate it, you broke their rule and are subject to account termination. It's not a guarantee they make about themselves, to you.