Someone cleaned up my IB account (almost)

Discussion in 'Interactive Brokers' started by Mishka, May 6, 2002.

  1. alanm

    I process my statements against my execution reports daily, in a semi-automated fashion. It is not simply enough to look at the exec reports. The statements are generated by the clearing process (i.e. the back office) at IB, and may contain things that are not in the exec reports, like trades that didn't get reported to the TWS, busts/adjusts, misc debits/credits, etc. The statement is the "truth" if there is a discrepancy.

    In thinking about it, I personally don't care how they get to my computer, as long as they get there. Perhaps IB can ditch the emails and build a facility into TWS to download the statements to a user-specified directory when available (configurable, of course). This would seem to be relatively simple, and should solve people's security concerns. Compared to other solutions, development time, additional tech support, additional work for the trader would all seem to be minimal.

    (I'm posting this on IB also)
     
    #71     May 11, 2002
  2. "Although IB may not be by itself in their response.
    Wonder how other OLB's would respond?"
    ----------------------

    Almost the same fraud was run on me at Waterhouse a week ago, where I had a small, $10k account holding an orphaned mutual fund left over from the days when the firm was Jack White. Someone tried to have my account balance transferred to theirs through a Letter of Instructions. A copy of the letter was sent to me, requesting that I sign it, get it notarized, and return it. When I immediately phoned them saying that I didn't initiate the transfer, they shrugged and said:

    "Don't get excited. There's no problem. The money is still in your account."

    "No harm, no foul" doesn't cut it with me, so I closed the account, as well as went on a security sweep, changing and cleaning up everything I could think of on my end. When I called back a couple days later, asking what was being done on their end about investigating the fraud, a couple more reps again gave me a runaround, getting names, dates, amounts, and facts wrong, like they were trying to cover up something.

    My best guess is that they have security problems they aren't admitting to and, worse, don't care about, but they seem to be the exception, from my experiences with other brokers, banks, investment companies, all of whom I deal with online.

    Charlie
     
    #72     May 11, 2002
  3. vinigar

    DEF,
    I am completely happy with IB...they have been good to me...I really don't have any complaints at all. It is my hope that you do not grow silent as regards this matter and also IB. Silence brings about suspicion and false statement by uninformed people. I think IB should step up to the plate so to speak and be a leader. I am not saying that IB is not handling this matter. I am sure that IB has this issue at the top of the list.
    This is not just an issue for IB, but rather an issue for all brokers. If the FBI is looking into this and have taken steps to thwart these people....then just that knowledge alone is comforting and a deterrent to would-be hackers or terrorists. Just the fact that the word gets out on the street... that the FBI, IB and others are taking action should help a lot. Keeping us informed is part of it. So if you can...without jeopardizing anyone or anything....please keep us abreast of the situation:)
     
    #73     May 11, 2002
  4. def

    def Sponsor

    vinigar,
    as my management responsibilities are on the Asian side of things, i'm not in the loop on this one. However, i'll make a request to legal compliance and if i can post anything further i'll do so. However, if this case is one where a trojan horse was placed on a client's computer and id info etc was stolen from the client's PC and not the broker, I am not sure what IB can do other than report it to the authorities and lock the account. It even gets more complex when the victim is overseas. I'm not a lawyer but I think the client whose PC was broken into needs to report the matter as well.

    I definitely can say given a few e-mails i rec'd when i initially reported the info was that a: they were already aware of it and b: people were put on the case to follow up.
     
    #74     May 11, 2002
  5. jaan

    fyi: that would not be a lot more secure than the email statements, because - to the best of my knowledge - the TWS communications are not encrypted.

    - jaan
     
    #75     May 12, 2002
  6. Splat

    Go to http://www.swhois.net and enter the IP address.
    It will do a DNS lookup and tell you the domain address
    corresponding to the IP no.
     
    #76     May 12, 2002
  7. Splat

    Thanks a bunch. Exactly what I was looking for.
     
    #77     May 12, 2002
  8. alanm

    I disagree. The primary insecurity in emails would seem to be the fact that they sit on your ISP's mail server until you poll for them. During that time, they can be read by someone who hacks your mail account, hacks the ISP, an unscrupulous person at the ISP, etc. They may also appear on backups, which could be subject to physical theft, etc. Way down the list of possible exploits is packet-sniffing, which seems to be a relatively rare occurrence.

    By transferring the statements via TWS, you're left with packet-sniffing as the main exploit. IMHO, that's about as good as you're going to get as long as you're using public networks.

    Also, it would be relatively simple to implement encryption for the download without the hassle and tech support burden of having the customer deal with installation of a third-party email encryption facility.

    As others have pointed out, you can never be completely safe. There are all sorts of possible security exploits (trojans, social engineering, physical). The best a professional can do is to know which of them are easiest to exploit and plug those holes first.
     
    #78     May 12, 2002
  9. Anomaly R.


    "An option for a customer to elect check disbursement only, would provide another level of security. Once elected it could not be reversed EVER on that account. I would opt for such an election."

    I like this idea. How do you go about it? I went to IB's site and cannot see any way to do this. Do all brokers allow this?
     
    #79     May 12, 2002
  10. gerico

    It seems to me that IB is not really interested in improving security measures.

    Maybe increasing demand for security from customers could push them to act.

    Among other things, this thread has demonstrated that there is a vulnerability even in the funds transfer process.

    Summarizing, there are at least 5 sure and big vulnerabilities and 2 suspected.

    1) LOCK/UNLOCK not implemented (you can't stop someone trading in your account illegally)
    2) OPTIONS EXERCISE in plain vanilla text
    3) EMAIL WITH STATEMENTS in plain vanilla text
    4) DISPLAY LAST LOGIN TIME/DATE not implemented
    5) FUND TRANSFER when the email account POP3 of a customer has been hacked

    The suspected:
    1) TWS transmission of orders not encrypted
    2) API interface not secure: maybe it's possible to use this API to send orders for other accounts or to easily trade in behalf of a customer logged in.

    ---
    S-Gerry
     
    #80     May 12, 2002