Voyz / ibeam

IBeam is an authentication and maintenance tool used for the Interactive Brokers Client Portal Web API Gateway.
Apache License 2.0

Urgent Security Concern: Unauthorized Withdrawal Attempt #218

Open patrickmuhi opened 1 month ago

patrickmuhi commented 1 month ago

At approximately 3:00 AM today, there was an unauthorized attempt to withdraw funds from my Interactive Brokers account while using iBeam as an API interface.

Details

Questions and Concerns

Request

Voyz commented 1 month ago

Hi @patrickmuhi, I'm terrified to see that this has happened to you. Thanks for reporting this back here with details.

This is the first time this has happened to an IBeam user as far as I'm aware. Hence, bear with me as I'm not familiar with proper handling of such cases. Contacting people who specialise in dealing with this kind of security breach may be a wise action here.

I cannot find any endpoint that would allow withdrawing funds using the Client Portal Web API in the docs. This would indicate that the withdrawal was issued in a non-programmatic way, and as such is not related to IBeam and will have to be investigated with the IBKR support team.

Nevertheless, I'd recommend you do the following:

  1. Access the machine where IBeam is deployed. If remotely, SSH to the deployed instance.
  2. Access the IBeam container, e.g. docker exec -it -u 0 [CONTAINER_NAME] bash
  3. Navigate to /srv/clientportal.gw/logs
  4. There you'll find log files which, among other things, should contain any requests that the Gateway has processed, along the lines of -> GET /v1/portal/sso/validate
  5. I encourage you to look through these and see if you can find the withdrawal request in any form. I'd imagine that looking for the time around the timestamp you posted should be a good starting point, although look thoroughly in case the withdrawal was requested some time before IBKR received it, processed it and sent you this email.

If the withdrawal is present and IBeam is deployed remotely, I'd recommend you start a conversation with the customer support of the cloud provider you're using. You'd want to investigate if there has been an unauthorised access - I'd imagine IP address could indicate that.

Whether it is present or not, I'd suggest contacting IBKR and discussing the problem with them.

I'm terribly sorry this has happened to you, I hope you manage to mitigate the losses. Let us know how it goes.
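The log review in steps 3 to 5 above, as an added example that is not part of the original thread or of the IBeam project: a small Python script that parses Gateway request log lines, keeps only those inside a window around the incident timestamp, and flags any request that comes from a source IP you do not recognise or hits a path outside the routine IBeam traffic (sso/validate, tickle). The log line layout (`<ISO timestamp> <client ip> "<METHOD> <path>" <status>`), the sample lines, the IP addresses and the account id are all constructed for the example; the real Gateway format in /srv/clientportal.gw/logs may differ, so adjust `LINE_RE` to match what you actually see.

```python
import re
import sys
from datetime import datetime, timedelta

# ASSUMED log line layout (constructed for this example; adjust to the real Gateway format):
#   <ISO timestamp> <client ip> "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) '
    r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample log: routine IBeam traffic from 10.0.0.5 plus two requests
# from an address that should not be talking to the Gateway at all.
SAMPLE_LOG = """\
2024-05-01T02:50:11 10.0.0.5 "GET /v1/portal/sso/validate" 200
2024-05-01T02:55:40 10.0.0.5 "POST /v1/portal/tickle" 200
2024-05-01T02:58:03 203.0.113.77 "GET /v1/portal/sso/validate" 200
2024-05-01T02:59:30 203.0.113.77 "POST /v1/portal/iserver/account/DU1234567/orders" 200
2024-05-01T03:01:12 10.0.0.5 "POST /v1/portal/tickle" 200
2024-05-01T08:00:00 10.0.0.5 "GET /v1/portal/sso/validate" 200
"""

# Paths IBeam itself hits during normal maintenance (authentication check and keep-alive).
ROUTINE_PATHS = {"/v1/portal/sso/validate", "/v1/portal/tickle"}


def parse_log(text):
    """Parse every line that matches LINE_RE into a dict; silently skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            entries.append(d)
    return entries


def in_window(entries, incident_time, window):
    """Entries whose timestamp lies within +/- window of the incident time."""
    lo, hi = incident_time - window, incident_time + window
    return [e for e in entries if lo <= e["ts"] <= hi]


def suspicious_requests(entries, incident_time, window, known_ips, routine_paths=ROUTINE_PATHS):
    """Requests near the incident that come from an unknown IP or hit a non-routine path."""
    flagged = []
    for e in in_window(entries, incident_time, window):
        unknown_ip = e["ip"] not in known_ips
        unusual_path = e["path"] not in routine_paths
        if unknown_ip or unusual_path:
            e = dict(e, reason=("unknown source ip" if unknown_ip else "unusual path"))
            flagged.append(e)
    return flagged


def ips_in_window(entries, incident_time, window):
    """Count requests per source IP near the incident; a second IP here is the first thing to check."""
    counts = {}
    for e in in_window(entries, incident_time, window):
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python3 gwlog.py [logfile] "2024-05-01T03:00:00" 10.0.0.5 [more known IPs...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    incident = datetime.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else datetime(2024, 5, 1, 3, 0, 0)
    known = set(sys.argv[3:]) or {"10.0.0.5"}
    entries = parse_log(text)
    print("source IPs near incident:", ips_in_window(entries, incident, timedelta(minutes=30)))
    for e in suspicious_requests(entries, incident, timedelta(minutes=30), known):
        print(f'{e["ts"].isoformat()} {e["ip"]} {e["method"]} {e["path"]} {e["status"]}  <- {e["reason"]}')
```

Run it against the real files with the incident time from the IBKR email and the IP of the host that legitimately runs IBeam; any request flagged with "unknown source ip" is the lead to take to the cloud provider, as the comment above suggests. Note that, as Voyz points out, a withdrawal itself would not appear here because the Client Portal API has no such endpoint; what this search can show is whether someone other than IBeam was using the Gateway session.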

lazerlabs commented 1 week ago

This might help. I have created a secondary account that I funded from my main one, and on this one I created a user (login/password) that has access only to this secondary account. The user has only limited permissions (i.e. trading, of course, but not withdrawals), and access only to the funds I transferred to this secondary account. Also note that I have only cash accounts, so there's no way to borrow on margin.

I don't know if this is available in all regions, but in the EU, with IBKR Pro, I was able to set this up.

It doesn't solve your issue, but it certainly limits the amount of damage an attacker can do if your credentials are stolen.