Interactive Brokers has NO respect for your privacy!

Discussion in 'Retail Brokers' started by mgregor, Jun 20, 2001.

  1. TradeX, I like IB! I don't think it would cause any problem to NOT send out e-mail account info. Eliminating a service isn't a problem for most companies. :)

    BTW My other broker (Scottrade) does the same thing and it hasn't caused a problem for me yet. When I get to over 50 million in my account I really would object strongly to an e-mail update with my current address.

    The Post Heading was alarmist though and could have been put better. (imho)
     
    #21     Jun 21, 2001
  2. def

    def Sponsor

    thanks all for being fair. I'm not asking for anything else.
    BTW, a discussion within the legal and compliance group has already begun with positive feedback. The sticking point is that "US law requires us to send a confirmation for each trade, there is no way around this." Before that starts another 20 comments, note that encryption is an option that is being looked into.

    twabscs,
    I think the formatting issues of the statements are being addressed but I'm not sure of the time frame.
     
    #22     Jun 21, 2001
  3. I think that the point is one of a major security breach here. An account is protected by a combination of login name and password. You may be able to break one without breaking the other. If you reveal the login name, you are weakening access tremendously. A password can be cracked easily, particularly an 8-digit number as IB uses. And if you have a huge list of account logins, as someone monitoring IB's email server undoubtedly would have, running "dictionary" password lists would yield access to many accounts, for sure. Network sniffing is easy and common. It is difficult to comprehend how IB's tech people could make such a basic security blunder.

    So the point is not to stop sending email statements. They are convenient. But please, please... Remove the full street address and login name. It is such a simple fix and the problem is so easy to understand that I cannot see what the holdup is.

    The account number is OK in the email for identifying the account, and also because it is not used for account access.

    Thanks for your time.

    ElvisOnMargin
     
    #23     May 5, 2002
  4. IB is working on the e-mail problem.
    Check their forum.
     
    #24     May 5, 2002
  5. If they got your password they would then have to change your banking instructions which would have to be confirmed by an email to you which you would see in time to notify IB that something was amiss unless they could intercept and delete your confirmation email before it got to you. Is this possible?
     
    #25     May 5, 2002
  6. Sanjuro

    All brokerages are required to send their customers
    either a mail or e-mail about their daily trades.

    Since IB needs to save money to make up for the low
    commissions, we will continue to get e-mails. I don't
    understand why some people are so paranoid. Your
    password is NOT on your statement.

    I think the chance of your mailman or neighbor
    stealing your brokerage statement in your mailbox
    would be more likely than a hacker wasting their time
    to see your account balance.

    Datek does the same thing. They force you to get your
    daily trades by e-mail or else they will charge you for
    every mail they send daily.
     
    #26     May 5, 2002
  7. Good point. But it does not make me feel any better :D Say I have your account number and password: I have access to your account now. What prevents me from changing the email address that IB is going to use from now on? Nothing. And you'll never know that someone else logged in as you until it's too late. Even if I could not change the email address (but my take on it is that I could, I don't see why not), then once in possession of your password (remember, I already have your login name) I could log in as you, download TWS and trade your account. How would you like that? Lots of the so-called hackers are out there simply out to create havoc and mischief. Maybe they can't transfer the money to themselves and if they can they will, but if they can't they'll be quite happy to mess up your life. And how will you get compensation from IB? How will you prove that it was not you, but someone else that accessed your account?

    Also, think identity theft here. Even if I cannot do anything to your account, I know your name, your full address, and how much you got into your IB account. You think it's not enough? It's a good start, let me tell you.

    And something else... Do you have a large amount in your account? Like, say $1 million ++. You got children? With your name and address I could find out, you know. Now, how would you like some dirtbag out there to be privy to this information?

    Well, there is only a password between you and all that crap now. Do you use an easy to remember password? Then maybe it's easy to crack too. Capturing the email info out of the Internet traffic, that's easy for sure.

    Bottom line is that IB has a huge obvious security hole here, but it's easy to fix. I just hope that they do so before some hackers get onto it.

    ElvisOnMargin
     
    #27     May 5, 2002
  8. mgregor

    Sanjuro,

    Datek does NOT e-mail your statement, but rather a notification that it is available for viewing online. The e-mail contains a link to a secure website, where you must first log into your account and then view the information.

    I first complained about this security lag almost a full year ago, and IB is supposedly working on it... real nice--glad they're really concerned about the problem.

    Maybe by the year 2025 they have a grip on it!
     
    #28     May 5, 2002
  9. This sounds logical. The thing that adds salt to the wound in this case is the level of customer service reps these places have working there. In other words, yes I understand that your login id/pass is different from your account number. However, if someone gets your account number that is included in an unencrypted e-mail, the perp could easily call IB or whoever... let me give you a specific... I call in to an online broker... I give them my account number... then the idiot person says to me oh, mr so and so... then he does not even ask me to identify myself by checking the last 4 of my social or whatever... in other words, I do not doubt it would be very hard for a skilled individual that gets your account number to find out additional info on you.
    This is ONE time that I must praise the retail level brokers such as ML and MS.....they have a strict policy not to include any personal info whatsoever in any e-mail correspondence including account numbers, etc. Bottom line -- this is total bullcrap. They should not be putting account numbers in e-mail. Plain and simple -- if they want to obtain critical mass and achieve a high execution level in virtual commerce, then they need to adhere to the specific privacy needs and concerns of individual customers.
     
    #29     May 5, 2002
  10. I have no problem with email confirmations, only with the security and private data included in the transmission. Email statements are quite convenient. I expect only a monthly paper statement for the rest.

    With all due respect, you're dead wrong on this. I don't worry about my neighbors stealing my mail (which is delivered in a locked mailbox). Any financial institution is a prime target for hackers. And they are not out to see your account balance out of curiosity. They want access to funds or credit card numbers. You can control access to your network, but if you broadcast unencrypted sensitive access info over the internet via email, you have no control.

    ElvisOnMargin
     
    #30     May 5, 2002