lol, thanks for the hint. It's so true--are you agreeing with my change of user error, uh excuse me, user behavior part? Personally, I feel the temptation all the time, "just this one time..." Or maybe someone in your house didn't know better and used your trading PC for something it is not intended for. We can only protect so much. And we all, myself included, lost more money learning to trade or doing stupid trades than through online fraud, but that's another subject. Don't mean to take away the seriousness of the discussion.
Does IB have a deadline for this thing to be implemented? I guess that if IB has (let's say 50k, 100k, 200k customers) it will not be easy to implement in a few days/weeks.
Sounds great. A few rules to avoid this kind of trading (in case our account is being hijacked or something) can greatly increase the security of the account (for instance, some disabled trading permission that cannot be changed in less than 72 hours).
I have worked in IT security for my entire career, over 16 years in both government and the private sector. Security is not a band aid, and unfortunately that is mostly what this token is. It may protect against some obvious threats if you are trading from a public terminal or physical environment where you may walk away from your terminal. However IB can say to the market 'we are protecting our customers' and you cannot argue with that, but it does have the effect of sweeping many of the <b>real</b> threats under the carpet. Security of the client workstation is not IB's responsibility, however securing the network protocols between their servers and the client is their responsibility. Securing the workstation is the end user's responsibility, and no one is there to really make this happen to the level it needs to. End users are undermined by the very OS they use, and the multi-use nature that such a general environment permits opens the doors to a wide range of attacks. It is trivial to inject messages into an application, it is trivial to hijack and place a shim between any of the software that TWS uses. There are many attack vectors for accomplishing these things on a typical Windows machine. Ever connected your machine to the internet, used email, a web browser, applied a software update, downloaded ANY software other than what the OS vendor provided? Good luck, your system is insecure by default when you plugged it into the network and in all likelihood has many unknown/undetected as of yet viruses, trojans and spyware. For many people they will be running TWS on a general purpose workstation, probably some variant of Windows. This is not an environment that <i>should</i> be trusted for performing sensitive or any high value transactions on. You <u>have</u> to assume that such a system is compromised or very soon will be.
Virus/trojan scanners and intrusion detection software do not cut it [yes I have worked for a major anti-virus intrusion-detection company - <u>definitely do not feel warm and fuzzy</u> despite what the marketing tries to tell you.] There are many other things that IB could be doing to make things safer which are in their control [if they are not already]:
<li>Proactively detect fraud through analysis of trading patterns... just like credit card companies use to detect out of character transactions.
<li>Monitor transaction rates and velocities.
<li>Constrain withdrawals/transfers to pre authorised accounts only.
<li>Define account roles and different credentials for those roles.
<li>Use variant graphical sign-in techniques to thwart simple key logging attacks.
<li>Use two factor authentication using an SMS challenge response. This can be received on your mobile phone or via an online SMS service which an ATS can respond to. <b>Hint to IB: This is cheaper than deploying and managing lost tokens and it supports automated traders</b>.
<li>Provide a read-only bootable trader workstation image that cannot be infected. This could be based on one of the free Linux distros like Ubuntu to avoid a Windows tax. It could be distributed on CDROM/DVD or USB stick.
<li>Provide automated traders with a non GUI based solution. The current TWS client GUI is heavy weight and contains a dearth of baggage unrelated to the needs of an ATS which is itself a threat to correct operation, and extremely inconvenient to deploy with.
I am currently building an ATS engine and a hardened deployment environment based on *BSD. This is a non trivial exercise despite the considerable experience I have in building FIPS approved hardware security modules and other embedded security appliances [the kind of back end gear that Visa, Mastercard, Amex and banks use for all their transactions].
When I am happy with my hardened environment I will consider opening it up if there is any interest so that other automated traders may benefit. Regards...
I suggest that there be a possibility in the trading permissions to manually enter symbols or instruments to be allowed to trade. If you trade only ES and YM you would enter the symbols manually in the trading permissions and only these two symbols would be allowed to be traded. If a trader wants to add any other symbols, he would have to go to trading permissions and enter them manually. The system would then send an alert e-mail or SMS message to the trader. The new symbol would be activated 24 hours after making a request.
Great idea. Before any trade on a particular underlying contract can be made, consent should be given first using a higher assurance process such as SMS or token challenge response. These positive acknowledgements should also expire if unused for some period of time and/or after a certain amount of usage (some number of trades or total volume of trades). This approach can be extended to any action which could give an attacker some advantage. There are some benefits of an SMS system which are worth mentioning. As a user you would become aware <b>immediately</b> of any attempts at unauthorised activity because you would receive an SMS for confirmation completely 'out of the blue'. YOU remain in total control at all times because the challenge/response occurs on an out of band channel that is so much more difficult for an attacker to subvert, even if they somehow learn your password/passphrase. The attacker would need to acquire your mobile phone (or the SIM card in it) and know the unlock code to your SIM card, know your IB username and login password and finally know your confirmation pin/code. It's starting to get pretty tough for a trojan or other malicious software to go undetected. An attacker in another country will still end up alerting you to the fact that some action you did not initiate is trying to be performed.
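The two posts above propose a per-symbol allow-list with a 24-hour activation delay, plus consents that lapse when unused or after a set amount of usage. A sketch of that policy check follows; it is an added illustration, not code from any poster or from IB, and the class names, the idle period and the trade/volume limits are assumed values.

```python
from dataclasses import dataclass, field

ACTIVATION_DELAY = 24 * 3600   # from the post above: active 24 hours after the request
IDLE_EXPIRY = 7 * 24 * 3600    # assumed value: consent lapses after 7 unused days
MAX_TRADES = 100               # assumed value: consent lapses after this many trades
MAX_VOLUME = 1_000             # assumed value: ...or this many contracts in total

@dataclass
class Consent:
    active_from: float
    last_used: float
    trades: int = 0
    volume: int = 0

@dataclass
class SymbolPermissions:
    consents: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # stands in for the out-of-band SMS/e-mail

    def request_symbol(self, symbol, now):
        """Record a request confirmed out of band; it takes effect only after the delay."""
        active_from = now + ACTIVATION_DELAY
        self.consents[symbol] = Consent(active_from, last_used=active_from)
        self.alerts.append(f"symbol {symbol} requested, active at t={active_from}")

    def authorize(self, symbol, qty, now):
        """Return (allowed, reason) for an order; every refusal also raises an alert."""
        c = self.consents.get(symbol)
        if qty <= 0:
            reason = "invalid quantity"
        elif c is None:
            reason = "symbol not permitted"
        elif now < c.active_from:
            reason = "activation delay not elapsed"
        elif now - c.last_used > IDLE_EXPIRY:
            reason = "consent expired (unused)"
        elif c.trades + 1 > MAX_TRADES or c.volume + qty > MAX_VOLUME:
            reason = "consent expired (usage limit)"
        else:
            c.trades, c.volume, c.last_used = c.trades + 1, c.volume + qty, now
            return True, "ok"
        self.alerts.append(f"refused {qty} {symbol}: {reason}")
        return False, reason
```

Because every refusal is appended to `alerts`, an order for a symbol the account holder never requested produces the same "out of the blue" notification the post describes.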
No need to panic, that's not the intention, and no one is even suggesting handcuffs or adopting any of these ideas. Hopefully some awareness of the issues and the compromises and complexities comes out of this. It would seem IB did not fully think through the impact to traders using automated systems. I would think it wise for IB to have a waiver form to opt out of any additional security measures, that way nothing gets foisted on anyone who doesn't want or necessarily need the additional protection. Some environments (e.g. a hardened trading server) would definitely NOT want interactive confirmation. IT Security is a complex area and there are no magic bullets, not even the ideas I am putting forth should be considered 'the answer', they are just ideas to kick around. I still however maintain that more needs to be done, and that a security token does not adequately address the major threats that traders face when using TWS on their PC.
We will allow an opt out. I think it's a terrible idea because you could lose everything and have no one to blame but yourself. Sl65, We actively watch the criteria you mentioned and freeze accounts when we notice that activity. Allowing customers to remove permissions for point 1 & 2 is a good idea. I'll look into it and come back to you. For example: 1. No orders for penny stocks (anything below some threshold I specify) 2. No orders for thinly-traded stocks
In general I would agree with this statement because most people are using insecure PCs, but for automated systems there is currently no choice but to opt out. That is why the other ideas are needed. I think there is a good middle ground that not only improves security for all traders, but also offers some protection for automated trading systems. For example, an ATS administrator can log in to TWS using the token and with the additional rights the token conveys they can specify which contracts can be traded, the limits and thresholds.... basically set up a trading profile. Then the automated system can operate within that profile using the lower grade authentication. This controls risk for both automated and non automated users, and does not require a manual challenge response which is the killer for an ATS. Another option is to provide a USB based token with drivers and software that work on a wide range of operating systems. This would allow automated systems to interface with the token. Preferably a token with open source drivers and software support would make it usable/doable for the majority of deployment targets.