deviltrader, Please PM me an example scenario. If the process can be streamlined, we're always open to making improvements.
I remember back in high school we use to infect our friend's computers with trojans all the time for pranks. Apps back then like BO had easy to use screenshot functions. If trojans back then had that kind of functionality I could only imagine what they are like today.
If the your computer is compromised the hacker could possibly use it to get at your money. The requests would be coming from the right IP address.
Unless you get a static IP addresses. Most ISP assigned dynamic IP, and yes they do change it occasionally.
I'll explore the idea with our security experts. It may be the case, and sounds like, they will decline the idea. We will look for something that accomdates API traders.
IB Salvatore, Thanks. Please keep us informed on what decisions are made regarding API users. There are plenty of ways you can make it more secure for API customers than it currently is without basically making it impossible to have a fully unattended trading machine. I could even live with if there was something you had to do once a week.. but having to manually restart daily due to the TWS having to shut down once a day is a major problem. Easiest way is to simply have API users login with a second user name that ONLY has trading access. Then tie that account down to only one machine.... several ways this can be done.. anything from hardware tokens to ip addresses.... Then have the api users sign some forms basically saying IB provided them with stronger security but we declined and take responsibility for any security breach that may result. I see no reason IB could not live with an arrangement such as this.
most dynamic IPs assigned by ISP are limited to ranges 24.53.78.* etc for specific nodes. having a specified range might be a solution. not an ideal solution for dynamic IPs, but is pretty good for people with static IPs. as for what happens if the computer with the IP assigned to it is compromised. you have the same problem if a computer using the RSA key device is compromised, a trojan could be used to control that PC to access the account through an open session of TWS. even if the user is sitting watching TWS. a script could be used to enable TWS' API sockets, and an app could be uploaded and continuously running in the background waiting for a specific time/date to pump and dump through the API. the user wouldn't be able to do anything except shut off the computer as fast as possible. and by then it would probably be too late. losing control of a machine running TWS is a problem which cant be solved easily. personally i am more worried about my login and password being recorded and then someone later using it to login to my account remotely.
I provided incorrect information, I apologize. We WILL allow an opt out. Customer can sign a waiver accepting responsibility for any security issues in their account.