IbcAlpha / IBC

Automation of Interactive Brokers TWS. You can download the latest release here: https://github.com/ibcalpha/ibc/releases/latest
GNU General Public License v3.0

Secure Login System Enrollment #53

Closed hokavs closed 4 years ago

hokavs commented 5 years ago

Hi there,

I just got an e-mail from IB, stating that using the Secure Login has now become mandatory (I didn't use it until now). Does anyone have experience with this, in combination with IBC? And/or are there any plans for a workaround in the making? Obviously this program should then have an (adjusted) disclaimer, in which it states it's at your own risk. Nonetheless I don't like TWS telling me what to do.

Thanks in advance.

rlktradewright commented 5 years ago

Where are you located?

I believe the Hong Kong authorities imposed this requirement on IB some time ago, and maybe it's spreading elsewhere.

There are certainly no plans for a workaround: partly because technically speaking I'm not sure I can imagine a workaround, at least for the security card IB gave me (currently for account management purposes only); and partly because I've always taken the view that bypassing the Secure Login when you're enrolled in it is almost certainly an infringement of IB's terms and conditions, and I'm not keen to get embroiled in potential legal upsets for enabling such practices.

Not sure I can say much more at this stage. Does anyone have any deeper insight into this?

hokavs commented 5 years ago

Hi,

I'm located in Western Europe. Also I believe there will be an IB login key option (instead of using the security card). If this is so and if I willingly insert this code in some (IBC) document, then I don't see how it's an infringement (as I currently already insert my login data into the same document)?

rlktradewright commented 5 years ago

I'm also in Western Europe (Scotland), but I haven't yet heard from IB that I can no longer opt out of the Secure Login for logins to TWS/Gateway. They did insist on me having a device for Account Management logins, so when they gave me the card a few months ago I had to explicitly go through the opt-out process again. So are you sure that you're not able to opt out again?

The purpose of the security 'device' (whatever form it takes) is to provide some classic 2FA assurance, ie to logon successfully to TWS/Gateway you have to know something (password) and you have to have something (security device).

With current IBC, the password is included in the config.ini file, so the protection on the account is no greater than the protection on the config.ini file, and of course that's why I strongly suggest that the config.ini file should be encrypted, stored in a folder that only the relevant user can access, etc. That should at least mean that it's the user's login password (for their computer account) that's providing the protection (plus the encryption software if that requires a separate authentication).

But there's no way IB can know whether the user has applied such protections, so as far as they're concerned someone who is not enrolled in the Secure Login scheme is at risk, so they won't provide any compensation if the user's account is hacked and suffers loss.

If they are in the Secure Login scheme, then IB have additional assurance that the person logging in is the account holder, and so they provide certain guarantees against loss in case of the account being somehow compromised.

If now through some clever technique (which I can't currently imagine) IBC can automate the second factor, ie the input from the security device, then we're back in the situation where anyone who can login to the relevant user account on the computer can run IBC and automatically gain access to the IB account: so the security device is not now providing any additional assurance.

I think that may well be an infringement, because I suspect that by signing up to the Secure Login device you are committing to use the device, personally, each time you login. I'm not a lawyer, and I haven't read the T&Cs recently, but by automating it, it's no longer 'you' who are activating the device, so why is that not an infringement?
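The comment above makes the point that with the password in config.ini, the account is protected only as well as that file and its folder are. The following is an added example (not IBC's own code) of a small audit that checks exactly those conditions; it assumes POSIX mode bits and that the password lives under the key `IbPassword`.

```python
"""Audit an IBC config.ini for the exposure described above: group/other
access on the file or its folder, wrong ownership, and the password field."""
import os
import stat

# Assumed key name: IBC's config.ini carries the TWS password as IbPassword.
SECRET_KEYS = ("IbPassword",)
# Any read/write/execute bit for group or others is a finding.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_config_text(text, file_mode, dir_mode, file_uid, my_uid):
    """Pure check over given inputs; returns a list of findings (empty = ok)."""
    findings = []
    if file_mode & GROUP_OTHER:
        findings.append("config file accessible by group or others")
    if dir_mode & GROUP_OTHER:
        findings.append("config directory accessible by group or others")
    if file_uid != my_uid:
        findings.append("config file not owned by the running user")
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in SECRET_KEYS and value.strip():
            # The secret is present, so the file must be protected at rest.
            findings.append(f"{key.strip()} stored in plaintext")
    return findings


def audit_config_file(path):
    """Wrapper that reads mode bits and ownership from disk (POSIX only)."""
    st = os.stat(path)
    dir_st = os.stat(os.path.dirname(os.path.abspath(path)))
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    my_uid = os.getuid() if hasattr(os, "getuid") else st.st_uid
    return audit_config_text(text, stat.S_IMODE(st.st_mode),
                             stat.S_IMODE(dir_st.st_mode), st.st_uid, my_uid)


if __name__ == "__main__":
    import sys
    for finding in audit_config_file(sys.argv[1]):
        print("WARNING:", finding)
```

Run it as `python audit_config.py /path/to/config.ini`; a clean result means mode 600 on the file, 700 on the folder, and the file owned by the user running IBC.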

hokavs commented 5 years ago

This is the email I got:

Dear Trader,

With cyber criminals employing increasingly sophisticated techniques designed to infiltrate and steal information from your personal computing devices, we believe it is critical that all clients make use of the log in protection that we provide, and which makes your IBKR account virtually impenetrable.

You are receiving this notice because this protection for your user has been disabled to-date, and its use is now mandatory.

A temporary security code has been automatically enabled to protect your account.

In order to recover access to the account, please contact your local Client Service Center

Interactive Brokers Client Services
So if all they do is add another (fixed) code, then it would just be one line more in the config file. Obviously things change when things become dynamic. But even with a security card, one could insert all his values from his key card in the config file (this should take the user about ten minutes to set up, I reckon). But yeah, IBC would require some OCR scan to know which values are being asked for in the first place.

rlktradewright commented 5 years ago

Ok, thanks for showing the email.

The key 'cards' they're issuing now are nothing like the old printed cards that you seem to have in mind. They are electronic devices, similar to those used by many banks, where you have to turn the device on, enter your PIN, enter the challenge code displayed by TWS, then enter the response displayed by the card into TWS. I really don't see any way that could possibly be automated with a bit of code in IBC, though it might make an interesting research project in a university engineering department to create a machine that could press the relevant buttons!

Even with the old printed cards, while it may have been technically feasible to automate it, I wouldn't want to spend my time doing that (non-trivial) development for the reasons I've already given. Of course IBC is open-source, so anyone who wants to do this work is fully entitled to do it in their own fork, and publish it wherever they like, but I wouldn't accept it into the official repository.

So the short answer is, it ain't going to happen...

misantroop commented 5 years ago

If you have two accounts, one for trading without banking access (no Secure Login) and another one for banking (Secure Login mandatory), there seems to be no issue. This is also a good solution as you wouldn't want just a static password protecting your funds.