URGENT, Secure Device Required for TWS

Discussion in 'Retail Brokers' started by SideShowBob, May 15, 2007.

  1. risk1


    Can someone from IB comment on this?
     
    #31     May 15, 2007
  2. Adrian12


    I wonder if this will apply to Mobiletrader?
     
    #32     May 15, 2007
  3. petteri


    I agree. I think we are going to see really massive scams unless the security level is increased quickly. Derivatives markets are very vulnerable to scams. While IB is the largest player in the futures and options market with a very distributed client base, it is the most obvious target.

    I think enforcement of the security device is a very good move. Of course, automated trading users need a way to work around it, e.g. the API may be used only from a fixed IP without a PIN as long as no USB key generator is available. Automated trading users should also be advised to use hardware-based firewalls.

    (Taking control of a fixed-IP computer with a trojan and posting orders through TWS is very difficult. Surely not impossible, but pretty close to it, if the user has a hardware firewall blocking unauthorized incoming traffic.)

    I hope the device will be very quickly available for individual accounts which have a balance under 100000$.

    The security level of online brokerage has been unacceptably low compared to the money held in securities. A secure device makes it very difficult for hackers to crack accounts. I do not think that online brokers should wait for really massive scams before they force acceptable security standards.

    I live in Finland, where almost every internet bank and brokerage has a changing PIN system (in the form of paper). It has worked very well. There are very few scams compared to other countries.
     
    #33     May 16, 2007
  4. Not nearly as difficult as you may assume. If you can get the trojan on their computer, they are hosed whether they have a hardware firewall or not. A firewall, hardware or software, is only going to be able to block traffic to or from a certain port... and/or to or from a certain IP address...

    A firewall makes it difficult for a trojan to work IF the person controlling the trojan has to connect in to that computer... at that point the firewall, if configured correctly, WILL not let them be able to reach the computer on the specified port... however... no one writes trojans this way anymore...

    All they have to do is simply make the trojan connect out to them. The trojan waits until it notices that TWS has been connected... now the trojan connects out... and all the security you had is all for naught... They can COMPLETELY control TWS remotely at this point, or any other program for that matter...

    You may be thinking... well, the firewall will block outgoing connections as well... yes and no... it may be set to block all unauthorized ports... but you have some ports you will leave authorized, such as HTTP... All the trojan has to do is connect outbound on port 80 and the firewall will think it's normal web traffic and let it through... thus defeating the firewall...

    If you truly want to be safe, you have to use your computer for NOTHING but trading... no web browsing... no email... nothing... stick it behind a firewall configured to lock down every port but the port/ports that TWS connects to on IB's servers, and also lock it down to only IB's IP addresses... you do this and you're pretty safe... but if you have anything... even just simple web browsing open... you can be compromised...
     
    #34     May 16, 2007
  5. Have you tried it -- I'm fairly sure the IB reps posted last month that you can now get them no matter what, but that if you do and are under $100K they'll "reserve" $150 in your account in case you don't return the keyfob (you can use the $150 for trading but cannot withdraw it until you return the keyfob).
     
    #35     May 16, 2007
  6. petteri


    Some trojans are written so that they connect to some fixed or dynamic address. It is technically possible to write a system which connects to the attacker's address when, e.g., TWS is started.

    But that approach is not very useful. And it is extremely risky. The attacker has to wait at the remote address when the machine is compromised. This way the attacker is practically telling the world: "Here I am, come and get me." Sure, it is not impossible, but very impractical and risky. I would say it is difficult to do without getting caught.

    A more practical way is to build a solution which steals the userid/password and creates a backdoor to the compromised machine and sends them to, e.g., some email address or web page which cannot easily be linked to the attacker.

    When the attacker has the userid/password he can safely log in to, e.g., TWS from an "anonymous IP" and just vanish after that. Or if the compromised machine still has the same IP and the backdoor open, he can take control of the compromised machine from an "anonymous IP". The risk of getting caught is small compared to the other method.

    This is very true. In addition you should use a fixed IP and a device like the IB secure device every time a connection is made. Or even better, buy a dedicated connection to IB... If you want to be sure...

    But really most of us need good protection like single-use passwords, firewalls and virus protection software.
     
    #36     May 16, 2007
  7. frostengine is correct.

    Hackers now install bots on your computer that use port 80 (which is never blocked on a computer you browse the internet with) to connect outbound to a site that lists commands for the bot to perform. No firewall can block this activity because it's a pull model, not a push model.

    Bots are on a schedule, and read their command list at X time several times a day.

    The command will often be, "wait until next cmd"

    But the hacker now knows how many bots he has managed to install on other machines as they check in to see what their next command is.

    Once he has infected enough computers, and has enough bots reporting in, he then posts the command to the secret website "buy BLAH @ 12:30pm", the bots log in and get their command and wait until that moment.

    At 12:28 the hackers buy tons of BLAH, then the bots fire and push the price up and he sells.

    Then the loop continues until he's blown all the accounts out :D

    No security device will save you from this. As long as your TWS is logged in and connected ***AFTER*** you have entered the security code, the bots can control it and send market orders.

    The bots don't connect to the hacker's machine, giving up his IP address. They typically use a 3rd party chat channel or something similar and encode their commands.


    In any case, it sucks the official message did not have the opt-out in it. Hopefully, it really is only for advisors.
    If they try to stuff this down my throat, as I said before, I'll take thousands of dollars worth of commissions each month to Genesis and I'll trash IB everywhere I go for being stupid. I really don't want to have to re-code my execution interfaces, but will if they do this.

    They will lose millions in ATS trader profit if they do this.
     
    #37     May 16, 2007
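
The scheduled check-ins described in post #37 leave a timing pattern in outbound web logs that a defender can look for. The following Python sketch is an added example, not part of the thread; the log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-HTTP log (timestamp, source host, destination); not real traffic.
SAMPLE_LOG = """\
2007-05-16T08:00:03 10.0.0.5 cmd.example.net
2007-05-16T08:14:40 10.0.0.5 news.example.org
2007-05-16T08:16:05 10.0.0.5 news.example.org
2007-05-16T09:00:01 10.0.0.5 cmd.example.net
2007-05-16T09:47:30 10.0.0.5 news.example.org
2007-05-16T10:00:04 10.0.0.5 cmd.example.net
2007-05-16T11:00:02 10.0.0.5 cmd.example.net
2007-05-16T11:05:12 10.0.0.5 news.example.org
2007-05-16T12:00:03 10.0.0.5 cmd.example.net
2007-05-16T13:31:55 10.0.0.5 news.example.org
"""

def parse(log):
    """Group request times by (source, destination) pair."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, dst = parts
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(log, min_events=4, max_jitter=0.1):
    """Return (source, destination, period_seconds) for near-constant intervals.

    Jitter is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; scheduled check-ins score close to 0.
    """
    hits = []
    for pair, times in parse(log).items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair[0], pair[1], round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular check-in about every {period}s")
```

Regularity alone is a lead, not a verdict: software updaters and mail clients also poll on a schedule, so a flagged destination still has to be checked against what is installed on the host.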
  8. A good software firewall can be set up to block this type of activity. You can let one application access port 80 and block another one. Everyone should be running a sw firewall. ZoneAlarm and Outpost make free firewalls that do this.

    It does require the user to be aware of the programs they've installed and to understand why an application needs tcp/ip access. But it's not accurate for you to say no firewall can block this.
     
    #38     May 16, 2007
  9. Aaron


    How about IB gets rid of the TWS autologoff "feature" before implementing the security device requirement? Then I could log in on Sunday and not have to mess with the security device for the rest of the week.

    Aaron Schindler
    Schindler Trading
     
    #39     May 16, 2007
  10. notouch


    I agree with you there Aaron.

    As for software firewalls I recommend Kaspersky Internet Security which contains a firewall, antivirus, antispyware and popup blocker. As long as you use them properly (therein lies the problem for many) software firewalls are pretty much 100% effective against trojans because each program needs your permission to access the internet. In general if you behave with a bit of common sense on the internet you're not even going to get infected with a trojan.
     
    #40     May 16, 2007