This seems right. IB's protections against withdrawals are reasonable and within market best practices IMHO. (Also the RSA gadget required for > 100k.) Another risk might be an intruder trading a security at adverse prices with the intruder's other account elsewhere -- I'd imagine this would take a thinly traded security and hidden orders on an ECN somewhere.... When the RSA gadget is extended to cover normal logins, this form of attack would be better protected against.
I don;t understand what you mean by "When the RSA gadget is extended to cover normal logins, this form of attack would be better protected against".
The same time-dependent security device being used to authenticated funds transfers over 100k will shortly become an opt in feature for TWS login as I understand it.