Security Hardening

When I was with Schwab, they gave me a debit card that I could withdraw cash out of in Switzerland. Just stick your dividend stocks into Schwab and you can access your cash balance easily this way. Not sure I’d give my kids the PIN code :wink:

IBKR offers the physical Digital Security Card+ as 2FA for free to customers with equity of $1MM+. However, as far as I know, it’s possible to (re)activate IB Key (mobile app 2FA) via SMS alone, so it’s not clear to me whether the DSC+ really increases security.

IBKR has withdrawal limits based on the 2FA method but it’s set to $1MM per day and week for IB Key (and you can’t customize that), so that doesn’t help that much unless you have many millions in the IB account. I don’t understand why IBKR doesn’t make that configurable. Being able to lower withdrawal limits would be a massive improvement, in my opinion (raising would need to have a delay of a number of days and notifications, of course).

If anyone has any tips on how to harden IBKR account security, I’d certainly be interested.

https://www.ibkrguides.com/adminportal/sls/withdrawallimits.htm

1 Like

On the former: I don’t think so (re-activation of 2FA via SMS). I just explored this to check whether someone else but Yours Truly can authenticate with a second factor apart from the IBKR app. No, not even via SMS, at least through my investigations.

My longer-term goal is to get the physical security card, but in the meantime I am interested in alternate 2FA auth at IBKR … my shortcut is to share my credentialed access to my smartphone with my family members, but even that seems inadequate in case I lose said device and they can’t adequately restore it without me being alive.

I’ve done this a while back. I installed the IBKR app to a new phone and ‘transferred’ the 2FA status to the new phone. Not sure what it required but it was probably just username/password and email or phone #.

After that, I decided not to bother with the DSC.

The lack of security on Schwab was even more scary! IIRC you can’t even have a password longer than 8 chars!

1 Like

Maybe the transfer-credentials-to-a-new-phone path has a loophole, but what about you and your phone disappearing from earth and your desired heirs (even just knowing of or) wanting to access your accounts managed previously solely by you?

Sorry, definitely hijacking the security hardening thread now …

I don’t see an issue with this. People die every day and I’m sure there’s a process for this. Those holding bitcoin in self-custody will have work to do.

Not a problem with many banks. I used Raiffeisen, SZKB, Wise.

1 Like

I use a separate phone for all ebanking. I need to scan the QR code of my bills.

When my father died, most accounts were blocked pretty soon, leaving my mom without access to joint accounts and without cash. After a couple of months the Erbschein of the Bezirksgericht stated all heirs, and this paper made all banks move when the signatures of all heirs were provided.

2 Likes

That’s great news if IB Key activation via SMS is no longer possible once you have the DSC+. I wish IBKR would clearly document that.

1 Like

This is the standard procedure in Switzerland. However, I wonder how long it would take Interactive Brokers (IBKR) to complete a similar process. Considering that the majority of the assets are likely invested, it is also crucial to ensure that the heirs can access the funds relatively quickly.

1 Like

I don’t know how it is with IBKR, but with Saxo it is at least the case that withdrawals can only be made to IBANs that were also used for deposits. So in the worst case, the money would end up back in your own account. That’s also what bothers me about Swissquote, as far as I know, payments can be sent to any IBAN.

This is correct. A Swissquote account is a full bank account, for better or worse.

1 Like

No bank or broker will let anyone access cash or securities of a dead person unless someone shows up with proof of who the heirs are.

2 Likes

A separate device is a cost-effective, easy-to-implement solution which probably already goes a long way compared to the average user.

Don’t know if it’s been mentioned but IBKR also lets you select which IP addresses can log in. That said, security vs. usability is a big trade-off. What if you have an emergency and need to connect from abroad/on the go?

As a famous quote goes “The only safe computer is switched off, unplugged from the network, locked in a safe and buried in a bunker underground”.

1 Like

So the summary is:

  • @oswand recommends Linux on a USB stick, but questions whether it is worth it.
  • @Helix uses a separate laptop, but also thinks that a USB stick is sufficient.
  • @Your_Full_Name thinks I’m already doing more than average, which is enough.
  • @stojano thinks the attack vector is me anyway.
  • @PhilMongoose could imagine a setup with a Chromebook.
  • @1742 thinks this is not necessary as long as I am not a high value target.
  • @ChickenFat has solved this with a separate smartphone.
  • @ulysses sees a second laptop as a simple solution.

OKAY, thanks for your answers!

I think I’ll add this to my notes or so (I’m good at procrastinating, but that’s okay for the moment). Let’s see, maybe I’ll find a good solution for myself, or maybe everything will stay as it is.

Feel free to continue / use this thread if you want to discuss similar topics! :slightly_smiling_face:

5 Likes

If you want another opinion:

SD cards can transmit malware. If you want to be safe, then encode the data with a QR code and use the camera on your secure Android device to read it.

2 Likes

Both options you mentioned are good.
I’d lean into the separate notebook / pad version, it works, it’s cheap re: cost vs problems and adverse effects. iOS is quite acceptable in terms of security.

Linux on a stick is overkill IMHO. But certainly the safest. Don’t store any BTC on it and then lose it…