I'm a computer consultant and the IB rep was offering sound advice. It's not paranoid to layer your security measures. If someone hands you a security device to protect your entire portfolio then you take it and use it. You don't start debating about how you're "secure enough". There is no such thing. I use the security device and it's a 20-second "inconvenience". I can give up 20 seconds of my day to protect my entire portfolio.
Am I right in thinking that this will pretty much prevent any autologin utilities from working? Eeeek! Since you've tied the API access directly to the User Interface, it means that anybody trying to collect data overnight is, basically, screwed. (Or sleepless ) I hope I've misunderstood this.... Steve
Currently, the security device only prevents unauthorized withdrawals from within Account Management. It does nothing with logins to the trading platform right now.
Yes, but he said they are going to be extending the functionality to TWS and webtrader, which is quite different.
Yes, and that's what I expected but what I do not want for me personally. While I even admit it's better for the majority of their customers, there has to be an opt-out for skilled customers who prefer the current maximum flexibility. (I have experience with similar devices. A bank holding current accounts for me uses a likewise procedure. All I have to say, OH MY GOD !!!)
IB has been flooding mailboxes and ET with every imaginable horror story for at least 6 months... And the Security Token ** currently ** works only for withdrawals... Does nothing for their trading platform... So what exactly is the point of the horror stories? In sharp contrast... E*Trade just says, "You're insured... don't worry." Also... Online broker fraud must be waaaaaay < 1% of assets... Probably < 0.1% of assets... So insurance would cost a trivial amount... Perhaps $100/year for a $1,000,000 account... And we could dispense with the Drama Queen theatrics... Since it only scares people who are not engineers. Are IB accounts insured for online theft? If so... what are the terms? If not... why not?
Another issue to consider... And this may in fact be what is driving the IB Security Token rollout: Is the idea that if IB gives you a $100 token... They may be completely off the hook legally if your account is defrauded. It would be easy to claim that the Security Token is "infallible"... And the fraud MUST therefore be the Customer's fault... Like an inside job or whatever. In effect downloading ALL risk on the Customer. That's why insurance is infinitely superior... To ** far less than perfect ** security technology.
Even so, I would prefer the security token to control the login into the TWS. Of course, I would suggest IB to make this an optional feature rather than mandatory (i.e., API users might suffer).
I would imagine that the reason for the urgent need for increased security has a lot to do with things like this: http://computerworld.com/action/art...legal_issues&articleId=9012699&taxonomyId=146