Interactive Brokers have frozen 211,930.77 EUR of mine

The background is that I sold a few kilos of gold for CHF, and wanted it in EUR, so I used IB's forex to get it from CHF to EUR at good rates.  Simple right?  Well, it touches on the non-working financial system in several different places, so no, it's certainly not simple, it's an ordeal.  The particular section of the ordeal dealt with here is the seizure of my funds by IB.  The other major part of the ordeal so far is Sparkasse's Kafkaesque handling of giving permission for the EUR to land in their account, which is out of scope here.

Like so many things, the problem comes down to authentication.  

The general problem is that businesses are generally unable to authenticate their own customers, and this is a competence issue.  This is often accompanied by adhoc and incorrectly-designed processes to sort-of "authenticate" customers, outside what the customer was led to believe constitutes the normal authentication process.  

The specific problem is that Interactive Brokers are (wilfully) unable to authenticate me, their established customer.  This is accompanied by IB asking me to email a copy of my id to an email address, or we can't proceed.  By refusing to go along with their idiotic demand, I lose access to my 211k EUR.

On Nov 16, I described the difficult process for requesting the withdrawal in the first place at [0].  It's clear from this that IB are incompetent at authentication, and think that they're making things "more secure" by adding complications and obstacles.

[0]  <https://wibblement.blogspot.com/2021/11/ib-usability-repeated-authentications.html>

Yesterday, I went to look whether IB had completed their review and decided to release the funds.  I found the following message:

Bulletin

IMPORTANT MESSAGE FROM Interactive Brokers - PENDING YOUR REPLY!

15 November 2021

This is an advisory to help manage your Interactive Brokers account REMOVED.

We have detected an attempt to update information on record for this account which we consider sensitive in nature and critical to transferring funds or receiving communications (e.g., a banking instruction or email address).

For your protection and security, we will postpone updating your records with this revised information until it has been verbally confirmed with an authorized individual on the account. To expedite this confirmation step, or answer any questions you may have regarding this information change, please telephone your local Client Services Center at your earliest convenience (after entering your Account ID, select options 2 and then 1 from the main phone menu).

A complete listing of Client Services telephone numbers and hours of operation may be found by selecting the Help and Contacts link located on our home page.

We appreciate your cooperation in this matter.
Interactive Brokers

Message Reference Number: REMOVED, Sent Date: REMOVED

This is a case of "have a phone call about the thing that didn't work on the web site", which is how most web sites work, but okay let's try and get it sorted out.

They don't include the phone number to call.  Doubtless they would claim this is "for security" (it's not).  So I look up a number.  This is a global company and it's unclear exactly which entity I have the contractual relationship with, but I just choose the UK number as it's going to be English-speaking.

There's a fairly annoying phone menu system, which it takes quite a while to nagivate, and at one point it seems to be going in circles.  It keeps talking about "active id", which I don't have.  It asks whether it's due to a deposit or withdrawal (yes) a couple of times, and tries to fob me off automatically as a result.

Eventually I am speaking to someone.  They start with "I'll be sending a push notification on your phone".  I'm not sure what this can mean in this context.  Push notifications, in this context, I would expect to come from an app specific to IB that I've chosen to install and set up, but I have not set up such an app.  I ask what they mean, and they respond with:

I'll be asking you some security questions.  What is your favorite restaurant?

This is actually happening. I'm a customer, I've been using the service for years, and they have apparently not established a proper way for them to authenticate me, and now they think they are "authenticating" me by asking me.. my favorite restaurant?  I have no clue whether I set this up, or what I would have given for an answer, and I have no record of any answer I may have set up in the past.  More pertinent: I did not agree for this to be used an an authentication mechanism for my account, because it is blatantly ineffective.

On to the next question:

Who was your favorite teacher?

The objections to this are identical to the objections to the previous question, and I don't know the answer.

Next, they ask me to email proof of id to csdocuments@interactivebrokers.com.  This is wrong in principle as an authentication mechanism.  Everyone has copies of my id, and I was a hacker, then I would too.  It means nothing.  The hacker able to log in as me to interactivebrokers.com (which I thought was supposed to be the service interface) must have a copy of my id, too.  One of the reasons everyone has a copy, is that every business and government entity keeps asking me to email copies.  Or if we are keeping any kind of pretence that communication between broker and client may be confidential, or even that my id documents are confidential, then emailing them in plain-text would blow that.  That's just how plain-text email works.  So no, I am not going to do this.

IB already have a copy of my ids, as part of the usual account-opening process, so this is not about Know-Your-Customer.  This is about something else: they want to treat realtime emailing of a copy of an id document as an "authentication".  It's not.

I ask if there's another option.  I get boilerplate bullshit about "this is with regards to the security of blah blah blah".

"If the account is not verified, I won't be able to ...", but this begs the question of whether emailing a copy of an id document is effective or acceptable as a way to "verify the account", which it's not.
 
"The only way ...", my notes didn't capture the rest of that sentence, but you get the picture.

"Once you provide us the valid proof of id, I'll check that against the account number ...".  Again, this is not proof of anything.  It's proof someone has a copy of my id and can email it.  I'd be amazed if it is not a breach of financial regulations for IB to be requesting this.  If you want proof of something, you have to have someone competent design the process, so that something then gets to be proved.  You can't just have a rando incompetent deciding that "email copy of id" is proof of something.  It's not.

"This is the last option we give to clients.  You don't have a device blah blah ...".  If they'd sent a device for it, and it worked, then great.  If they are talking about smartphone apps, then no, I don't need more things breaking when my phone breaks.

They then indicated that I could reset the "security" questions via my normal login.  I pointed out that if I was a hacker, I would simply do that, because I already have access to log in as me to the web site.  They went away for a bit, came back, and now said something like "you secure login device can only change the security questions.  You have to send id proof and after that we can change the security questions".  They keep referring to my login device that I don't have.  But it looks like this way round for me (and / or a hacker) to get it working doesn't exist after all.
 
All they have to say, to extended explanations about why none of what they're doing makes any sense, is things like "Sir this is just the security protocol that I'm following".  It's a great catch-all excuse for theft.  Oh, you're not bashing your head against a wall for us on live video feed? well, in that case, "due to security reasons", we have to steal all the money in your account.

Having given up trying to get it working, I say I'll have to take them to court.  It's annoying because 200k is above small claims thresholds, so the legal action will be expensive.  I also state I'll be complaining to regulators in at least the UK and Austria, based on my presence, their presence, and the fact they're global.  I ask for the best corporate entity to sue and the best address to serve legal notices, and they say I should look on my statements for this.  Fair enough.

I say I'll publicise it.  At this point, I'm careful not use this as a lever to get my way, or to make it conditional.  I simply state I'm publishing it.

Finally, I ask the rep's name for my records, and which subsidiary of IB they are representing.  They are on the General Team.  A bit more questioning about geographical location; they are in India.  Okay, I guess I'm searching for an EU-based subsidiary to sue and / or taking action in England.

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI...
Read more

easyjet: repeated entry of information they already have

Image
As I observed earlier today, airline web sites are obsessed with making people re-enter information, apparently arbitrarily. The following seems to be required for Easyjet, for an "existing" customer relationship, every time: country of residence selected from big list, involving skidding around on the screen that makes the victim feel sick should be remembered. If it has to be changed, should be type-and-choose victim is taunted with the text "tell us about you", when they thought they had logged in form with the following on one page: business / leisure title, first name, last name, age there is a button to "copy from contact details", but this doesn't do the "age" field.  Since they have my date of birth, they are of course able to calculate my age.  As well, the only values for this field are "18+", "17", or "16".  Is it a deliberate decision, to not fill this field based on the customer data, and to make the...
Read more

Guernsey Waste in incorrect bag-rejection horror May 6th, 2024

Image
The rubbish collection folk at my new place seem pickier than at other places on Guernsey. Last week, they removed some card packaging that I'd included in the card and paper (plastic) clear bag, and left it on the lane.  This week, they have attached a rejection label entitled "Polite Notice".  Just like modern software-engineered error messages (see attached tag "extremely_general_error_handling"), this does not give a specific reason why the bag was rejected, but instead lists miscellaneous possible "reasons", leaving the victim guessing, or perhaps trying to follow a process of elimination. In this case, some possible reasons, which the label does not claim to be exhaustive ("was most likely because ..."), and of which none apply, are: (i) "did not have the required payment sticker" -- no, I applied to 90 litre sticker; or  (ii) (a) "too heavy" -- no, I estimate it was 3kg, and I easily supported the bag's weight o...
Read more