brokers with one-time passcodes


boilermaker75

I have accounts at Schwab and IBKR. I have used the one-time passcode security option at IBKR for a long time and I wished Schwab had such a thing. This week in Schwab's Onward magazine there was an article on account security and one of the suggestions was to obtain a free security token. I received mine today and I am already using it. I wanted to mention this security option in case others who have Schwab accounts were also not aware of this security feature.

Link to comment
Share on other sites

I use IB also, and I really like the additional security step beyond the username and password.  Here are 3 others I know of:

 

Schwab's security token sounds like E-trade's, where I formerly had an account and used their physical token.

 

Vanguard gives an option for account holders to get a single-use 6-digit code texted to one's cellphone.

 

Fidelity - I couldn't find info on their website, but when I inquired about it by phone, a representative set me up with one, where Fidelity uses a virtual token from Verisign they place on your computer desktop.  When I log on with my username and password, I get prompted for the 6-digit code which I can see by minimizing the Fidelity page and clicking the Verisign icon.

 

I'm hoping TDAmeritrade will someday offer some similar security step.

 

 

Link to comment
Share on other sites

I use IB as well and I have a ton of security cards that annoy the hell out of me. Since the only way you can move money into and out of IB is through a bank account that has the same account owner as the IB account owner, what's the point? Is someone going to break through IB's 264 bit SSL encryption just to see what trades I make? I think it's easier to check my postings on the "what are you buying today" thread on CoBF.

Link to comment
Share on other sites

Sorry, rb, but in this case you are just not thinking it through.

 

A trivial way to get money from your account is to

- Post a limit sell order of illiquid security at let's say 10x current price from their account

- Post a market buy order for same security from your account.

 

Poof, money is theirs.

I'm sure there are other ways too.

Link to comment
Share on other sites

I have to disagree with you - maybe just a bit.

 

I don't think that the examples you've put up are very good ways to get money out. It's more likely that some spiffy algos will capitalize on those trades before the perpetrator has a chance to get the money.

 

But I think you may be right. I may not be thinking it through enough and I may be a bit handicapped as well. I am not a thief and thieves think differently. But there are other things as well. Firstly, to get into an account you'll have to break through IB's encryption which is pretty damn good. Secondly, there haven't been a lot of cases of fraud involving brokerage accounts.

 

The third and really most pertinent has more to do with location. I live in Canada and we have much tighter laws than the US around identity theft. So if anyone else would do fake trades or other fraud in my IB accounts IB would be liable and I would get all money back. So with secondary security I am actually inconvenienced (and I seriously have a lot of these cards) just to save IB potential losses.

 

I realize that it may be a bit of an asshole position to take but maybe we should all be allowed one of those from time to time  ;)

Link to comment
Share on other sites

Just for fun.  8)

 

There's a security A. Trades at $1, 1000 shares a day.

Bad guy has accumulated 10000 shares.

There are 2 sellers at $1.10 1000 shares and $1.50 1000 shares.

Bad guy puts limit sell order at $10 for 10000 shares.

Bad guy puts a market buy order for 12000 shares from your account.

 

How exactly are algos going to ruin this?

 

Curious minds want to know.

 

To simplify there are no options available for this security.

Also to simplify, it is very unlikely that non-algo people will look at it, see a market buy order for 12000 shares and manage to get their sell orders in time.

 

-----------

 

BTW, without one-time passcode, they don't need to break IB encryption. They just need a keylogger on your computer that comes with any virus or malware. If they zombie your computer, they can even execute the trades from it, so IB won't even notice "it's a different computer, alert".

 

I agree that if you're not liable due to Canadian laws, then you don't give a crap about inconvenient security. ;)

Link to comment
Share on other sites

 

My answer to myself: most likely algos will grab the bad guys' 10000 shares at $10 and sell them to you at $11 or whatever.

This won't ruin the day for the bad guy though.

Link to comment
Share on other sites

Good sir, algos look through everything.

 

That being said you're a smart man, your example is pretty good. As I've told you before I haven't thought that much about it before because yes, it is nice to be protected by the current Canadian legislation. From what I have heard it is much more difficult to deal with these issues down in the US. Don't feel too bad though, our government is trying hard to remove our current protections.

Link to comment
Share on other sites

Rb, I don't think there is a nice way to say this so I'll just say it: you are completely clueless with regards to computer security. That's no problem since it isn't your job, but it's probably good to realize this before you form an opinion on anything security related.

 

For example, you think hackers have to break through IB's awesome xxx-bit encryption. Sure, they are not going to do that, but that's almost never how someone/something is hacked. There are tons of attack vectors, and usually the goal is to obtain your username and password (for example: installing malware on your pc to intercept your keyboard input, guess weak passwords, hack another site and try if you use the same password, and so many more options!). Once they have acquired this combination they can log in, and do whatever they want with your account. Unless of course you have 2-factor authentication and they also have to acquire something physical.

Link to comment
Share on other sites

x2. 

 

This is why US government has gone to two-factor authentication.  Too many idiots leaving their passwords and usernames written down on a piece of paper under their keyboard (seriously! - and this is not just people in government, includes many Fortune 500 companies), or giving up their passwords and usernames via bogus phishing emails from the Prince of (insert name of real or fictitious African Country) because the Prince really really really needs to give you a million dollars, and it will only cost you $1,000 to get the million wired to your bank account....  Because of this, I now need two sets of usernames and passwords, plus a controlled access card with a separate  PIN that must be inserted into the computer, in order to get onto my computer. 

 

And there is serious discussion about taking this a step further to three-factor authentication by incorporating either fingerprints, facial recognition, voice recognition, or retina recognition. I am not a security expert and have no idea how the recognition piece works or is implemented, but they do seem to be talking seriously about moving in that direction.

 

Which brings this back to security for an investment account. For many of us, the investment account is our biggest financial asset, bigger than the primary residence. So RB, what's the big deal with a second security step, and why wouldn't you want that additional security? Legislation may protect you in the end, but what's the opportunity cost of having $0.00 for however many months while you resolve the issue through court/FINRA/IIROC?

Link to comment
Share on other sites

IB provides such a great service to me, and at a negligible cost, that I welcome the slight inconvenience of IB's one-time passcode even if all it did was help IB. But I welcome the added security it provides me and why I was thrilled to find out Schwab had a similar feature. I am not sure how long Schwab has had it, but if it has been a while they did a poor job of letting me know. Plus I am willing to help out, to take a few seconds on an extra step, to stop thieves.

Link to comment
Share on other sites

How does Fido software work if you have multiple computers? Do you have to install it on every computer you access Fido from?

 

Also, does anyone do Quicken downloads of Fido with this enabled? How does it work from Quicken? (For example, you can't get IB data from Quicken side, so it's not an issue that IB has authentication card - you have to do it from IB side anyway. But with Fido, I am getting data from Quicken side, so it's not clear how the login would work - or not work.)

Link to comment
Share on other sites

I'd guess you would have to install a separate one on each device you use.  For the correct answer, you'd have to call someone in the know at Fidelity.  I do not think they have a physical token like E-trade.

 

My wife and I are paranoid enough that we have a dedicated laptop on which we do only financial stuff (banking, credit card, brokerage, etc.) on it, no web-surfing or anything else on it, and no financial stuff on all our other devices. 

Link to comment
Share on other sites

FIDO has an app -- for the iPhone, at least -- which acts as a token. It's from Symantec and is on the phone. You might need to press them to offer it to you. This solves the issue raised above and also seems generally more secure, as a hacker could break into your computer remotely and load the token that is on your machine, right?

 

Not sure if I'm missing something.

 

In any case, thought I'd throw it out there.  I've only had this for a few months so perhaps it is new.

 

If you need to make a trade and don't have your phone, I've found Fidelity was willing to work with me. The two times this has happened to me and I called to make a trade, Fidelity has given me the online commission price.

Link to comment
Share on other sites

 

The security token is a small device that is separate from your computer. You push a button on the security token, it shows a passcode that you then type as part of the log in process. You cannot access it through your computer.

Link to comment
Share on other sites

 

Thanks Boiler. I've got one of those separate tokens for Schwab. This thing I'm talking about for Fidelity is like having the token but on your phone -- it generates a new 6-digit code every 30 seconds. It's great (assuming I'm not missing something about the security) because as long as you have your phone with you, you have the code rather than having to be sure you're carrying around your separate tokens (Schwab) or cards (IB).

 

I don't recall, but I'm pretty sure I didn't just download an app from the app store but I made it sound that way.  It was activated somehow from Fidelity but it appears just like any other app on the phone itself.

 

But, it might not be as secure as the entirely separate Schwab token you're talking about and am open to being told otherwise.

 

Perhaps you were telling me that in your reply!

 

 

Link to comment
Share on other sites

 

Kiltacular,

 

I understand now.

 

Yes I think the Schwab token and IB card would be more secure, but of course you can't get into your account if you don't have them with you, or can't find them!

 

Boiler

Link to comment
Share on other sites

  • 2 weeks later...

Thanks!  I called Schwab and they're mailing one out to me! Yay! 

Link to comment
Share on other sites
