All AlgoLab clients' Interactive Brokers account passwords are private, although they may occasionally be known to us to enable the ongoing smooth operation of their AlgoLab instance and Docker container maintenance. I was wondering what kind of problems someone could cause if they were to obtain a customer's IB password and account name, either through us, through one of our contract employees, or through a slip in our client's security protocol.
As for trading, a thief could log into the stolen account through Trader Workstation (TWS) or the Interactive Brokers web trading interface, and from there could place a bunch of random trades. But the outcome of the trades would be random too: probably 50% of the random trades would earn a profit while 50% would suffer losses. We would know about it immediately because the client's AlgoLab instance would automatically disconnect from IB, which would trigger alarms, and the client could halt trading. But of course, there would be nothing in this activity for the thief.
So I wondered what the thief could do with the account name and password by signing into account management at the IB web site. I contacted a tech support rep at IB and asked. He basically told me that the only thing the thief could do would be to transfer funds BETWEEN accounts that the owner of the main IB account already owned and had linked. The only way a thief could actually steal funds would be to somehow obtain the customer's actual bank account number and other private details. The thief would have to provide enough personal information associated with the stolen account to satisfy IB's internal compliance department.
2 stage security pass code
Interactive Brokers offers a 2-stage security password system which would make credential theft even more difficult to profit from. The 2-stage password protection works as follows:
1. The client logs into TWS, Gateway, or their account management at Interactive Brokers using their user name and password.
2. The login screen then shows a prompt with 2 random numbers on it, which the client looks up on a plastic laminated pass code card. The 2 corresponding numbers are located on the card and entered into 2 fields, and if the numbers looked up on the card match the expected values, the user is allowed to enter.
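As an added example (not AlgoLab's or Interactive Brokers' code), the lookup-card challenge and response described above, modelled in Python with a constructed 36-cell card of 3-digit codes; the cell count, code length and function names are assumptions, and the point it shows is that a stolen password alone does not answer the second stage:

```python
import secrets
import hmac

# Constructed parameters: a card with 36 numbered cells, each holding a
# 3-digit code. Real broker cards differ; these values are assumptions.
CARD_SIZE = 36
CODE_LEN = 3


def generate_card(size=CARD_SIZE, code_len=CODE_LEN):
    """Issue a card as {cell_number: code}; the client keeps a printed copy."""
    return {cell: "".join(str(secrets.randbelow(10)) for _ in range(code_len))
            for cell in range(1, size + 1)}


def issue_challenge(size=CARD_SIZE):
    """Server side: pick two distinct random cell numbers for this login."""
    first = secrets.randbelow(size) + 1
    second = secrets.randbelow(size - 1) + 1
    if second >= first:          # skip over `first` so the two cells differ
        second += 1
    return (first, second)


def lookup(card, challenge):
    """Client side: read the two requested codes off the physical card."""
    return tuple(card[cell] for cell in challenge)


def verify_response(card, challenge, response):
    """Server side: accept only if both entered codes match the card.

    Malformed input is rejected before comparing, and the comparison is
    constant time so response timing reveals nothing about which digits
    were right. Without the card, a password holder must guess 10**6 values.
    """
    if len(response) != 2 or any(len(r) != CODE_LEN or not r.isdigit()
                                 for r in response):
        return False
    expected = "".join(card[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), "".join(response).encode())
```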
The only inconvenience of this 2-stage security pass code system is that when an instance of Gateway is restarted, the pass code is required during re-login. Our AlgoLab client would have to be notified, and they would be required to log into their virtual machine to fill in the 2 matching numbers.
My personal AlgoLab account has been autotrading for years, and sometimes I don't disconnect from my IB account in Gateway for a month or more. Disconnects that require re-login for funded accounts are rare. In fact, I cannot remember the last time my account required a new login. Even this week, when IB's API server went down for a few hours on Tuesday night, Gateway remained logged in, and everything resumed as normal when the problem was fixed.