Another layer of security can be provided by making it nearly impossible for a criminal to profitably trade my account. If I could opt-in to certain trading rules I could prohibit pump&dump from my account while allowing my normal trading to continue unaffected. For example: 1. No orders for penny stocks (anything below some threshold I specify) 2. No orders for thinly-traded stocks 3. No more than X% of my capital in one security 4. No buys for stocks that are up more than X% (and no sells ... down Y%) With appropriate thresholds, these rules would never impede my trading and would vastly raise the effort and time required to drain my account (and the criminal would have to put significant capital at risk in the process). And to allow for my behavior to change, either: 1) Allow me to change these rules by logging into Account Management with the STP device; or, 2) For every order I place that doesn't meet the rules, require that I authenticate that order using the STP device. It's a fact that a trojan can trade my account after I log in, even if I used the STP device, so a layer of security like this is not just helpful, but necessary. I like this idea very much. How do we ask IB to consider the idea?
I suggest that there is possibility in the trading permissions to enter manually symbols or instruments to be allowed to trade. If you trade only ES and YM you would enter the symbols manually in the trading permissions and only these two symbols would be allowed to be traded. If a trader wants to add any other symbols, he would have to go to trading permissions and enter them manually. The system would then send an alert e-mail or SMS message to the trader. New symbol would be activated 24 hours after making a request. I like this idea too. How do we submit this idea to IB for their consideration?
Rockford: When you illustrate how the security of my computer is in any way similar to the levees in New Orleans,d I may take your statement more seriously. Until then, I will simply say that the statements you make concerning N.O. may well be true, but the fact that they are true, does not mean they translate to computer security, or anything else for that matter. OldTrader
The security of your account is not, in any way known to me, similar to pre-Katrina New Orleans. The relevance of New Orleans is that the psychology of denial, overconfidence, and recklessness, which blocked appropriate preventive action to protect New Orleans, is the same mental process which prevents many brokerage customers and brokerages from facing and addressing the true nature of the security risks to which they are exposed. Other examples of the same psychology leading to preventible tragedies and failures include Three Mile Island, Chernobyl, the space shuttle Challenger, the U.S. invasion of Iraq, the Vietnam conflict, the Nazi invasion of Russia (which overcommitted German forces thereby dooming the Third Reich to defeat), the 1980 corner of the silver market by the Hunts, Neiderhoffer selling premium into the 1997 financial crisis, the collapse of the Nasdaq bubble, and the coming catastrophe of global warming. The greatest threat to a brokerage account is human psychology: the inability to generate a rational assessment and response as to risks which appear remote, but which carry an intolerably high price tag if and when they do come to fruition. Many people are not functioning on the level of learning about the risks and responding rationally; they are instead trying to convince themselves that they don't need to do so.
An individual has complete control over their computing environment. No need to blame the govt. Every one of us has the ability to secure their systems to the point that virtually no hacker can compromise their systems. You don't need IB to do anything to protect yourself from a cat5 storm - take personal responsibility here. If you have a large account and/or it represents your livelihood then you should have already secured your environment long ago. You need look no further then the mirror for who to blame. Even without these new security devices the odds of your IB being hijacked today is very low. With the security devices the odds become extremely low (which is a good thing) Is it still possible that even with the security device that a hacker could still make unauthorized transactions? Yes. Is it likely? No. Asking IB to implement layers and layers of security is not reasonable. These security devices are sufficient. If you are running an ATS and have to opt out of using them then you better know how to secure your own environment. PS: I wrote a reply about your Katrina analogy but then choose to delete it because I don't want to hijack this thread with a tangent.
What would be of benefit to my case is that I would prefer to not have a physical key... However I would like to submit 25 stocks that can be traded....and no more than 3 banks whereby funds can be transferred... Would this be possible ?
Disagree that everyone has complete control or the ability to secure it. Really, how about the brick layer down the road who is investing his hard earned money and knows bricks and the odd tip he gets from his brother inlaw. What control and ability does a non security type of IT person really have ? It is non trivial. Agree with the responsibility part. Who do you go to if you don't have the skills ? Even if there is someone to go to, how do you even know that you are not buying a piece of paper with a tick and some warm fuzzies attached ? And when is it 'secure enough' ? The cost of defense needs to be measured against the potential risks and the losses you could suffer from an attack. Tomorrow a new remote hole in your favourite O/S is discovered that allows remote code execution, these occur all the time. Do you have a policy of constantly monitoring new security advisories and keeping your systems patched and up to date. How many people are this vigilant ? How vigilant and responsive is Microsoft, a major vendor which most users no doubt are using. Which study are you referring to for your odds ? Really, I don't know what yor background is but the threats are very real. I have spent a good part of my career designing and writing IT security software and systems. The IT security space is already quite large and continues to expand for very <b>real</b> reasons. Lets put it another way. If you were in the crime game, wouldn't you be targetting online traders and their brokers ? There is lots of money to be had both directly (account transfers) and indirectly (eg pump and dump). People have large parts of their savings in accounts with their brokers. Its a no brainer, they go where the money is. Lucky for you I am not in the game. But I will enlighten you to how it works. Criminals can and do invest in high yeiding attacks. All a criminal needs to do is build some very simple malware to exploit say the TWS trading software, and perhaps some other popular brokers too. The attacker then waits a few days or weeks for the next remote code vulnerability to be announced in some popular software, browser, email client, windows etc. They then use one or more attack networks (typically called bot networks) and catch a good number of people who have not kept their O/S and other software up to the very minute. Those newly compromised machines now become part of the attack network and potential victims of any new malware exploits. The attackers can then deploy their various malware packages to the network of compromised machines, to for example, subvert the IB TWS trading software. Is it possible ? Definitely undeniably so. Is it likely ? Yes. IB is spending real time and money trying to stop attackers. I am not joking. This is how it works, do not underestimate the relative ease of these attacks and the rewards attached. Yes, it is NOT IB's responsibility to secure your PC, but the devices while a good idea in principle are NOT sufficient on their own. Access controls, user roles, trading profiles, transaction velocities and limits need to be defined to limit the scope and payoff to an attacker.
I'm sorry to have to say this. I don't say it to be rude or insulting. I say it to you for your own good, and for the good of those who think like you, and for the good of others who might suffer the influence of your thinking. Everything you said in your post is based on 100% pure ignorance, irrationality, denial, overconfidence, and recklessness. I realize this is an offensive thing for me to say, but I truly believe that if I have offended you in this matter, I have done you a favor. I will leave it to other ET members, who have professional expertise in computer security, to address the technical matters which I have omitted. My goal here is to remind you of the role your own psychology plays in contributing to the security threats arrayed against you. I'm trying to give you a wake-up call.
Jim, you don't know me so it would be really hard for me to be insulted by what you think you know about me or my thought process. It sounds like you are making many incorrect assumptions which is ok, this thread isnt about you (or me). It also sounds like you are not very technically savvy and perhaps are not the best person to weigh in on this since you don't have a sound foundation to comment intelligently. Suffice it to say I don't need a wake-up call, I am in the IT security field and I stand by my statements. If you think this is a rampant problem then by all means go to town with with ten ways til Sunday of protecting yourself. I'm not saying it isnt a real threat but some of the posts in this thread are bordering on ludicrious. Please let me know the first time you hear about a custom malicious program being developed to interface with the TWS API, I won't hold my breath. In the meantime I will continue to make sure that a hacker doesn't get control of my machine in the first place rather than trying to defend against what happens after he does.