Interactive Brokers have frozen 211,930.77 EUR of mine

The background is that I sold a few kilos of gold for CHF, and wanted it in EUR, so I used IB's forex to get it from CHF to EUR at good rates.  Simple right?  Well, it touches on the non-working financial system in several different places, so no, it's certainly not simple, it's an ordeal.  The particular section of the ordeal dealt with here is the seizure of my funds by IB.  The other major part of the ordeal so far is Sparkasse's Kafkaesque handling of giving permission for the EUR to land in their account, which is out of scope here.

Like so many things, the problem comes down to authentication.  

The general problem is that businesses are generally unable to authenticate their own customers, and this is a competence issue.  This is often accompanied by adhoc and incorrectly-designed processes to sort-of "authenticate" customers, outside what the customer was led to believe constitutes the normal authentication process.  

The specific problem is that Interactive Brokers are (wilfully) unable to authenticate me, their established customer.  This is accompanied by IB asking me to email a copy of my id to an email address, or we can't proceed.  By refusing to go along with their idiotic demand, I lose access to my 211k EUR.

On Nov 16, I described the difficult process for requesting the withdrawal in the first place at [0].  It's clear from this that IB are incompetent at authentication, and think that they're making things "more secure" by adding complications and obstacles.

[0]  <https://wibblement.blogspot.com/2021/11/ib-usability-repeated-authentications.html>

Yesterday, I went to look whether IB had completed their review and decided to release the funds.  I found the following message:

Bulletin

IMPORTANT MESSAGE FROM Interactive Brokers - PENDING YOUR REPLY!

15 November 2021

This is an advisory to help manage your Interactive Brokers account REMOVED.

We have detected an attempt to update information on record for this account which we consider sensitive in nature and critical to transferring funds or receiving communications (e.g., a banking instruction or email address).

For your protection and security, we will postpone updating your records with this revised information until it has been verbally confirmed with an authorized individual on the account. To expedite this confirmation step, or answer any questions you may have regarding this information change, please telephone your local Client Services Center at your earliest convenience (after entering your Account ID, select options 2 and then 1 from the main phone menu).

A complete listing of Client Services telephone numbers and hours of operation may be found by selecting the Help and Contacts link located on our home page.

We appreciate your cooperation in this matter.
Interactive Brokers

Message Reference Number: REMOVED, Sent Date: REMOVED

This is a case of "have a phone call about the thing that didn't work on the web site", which is how most web sites work, but okay let's try and get it sorted out.

They don't include the phone number to call.  Doubtless they would claim this is "for security" (it's not).  So I look up a number.  This is a global company and it's unclear exactly which entity I have the contractual relationship with, but I just choose the UK number as it's going to be English-speaking.

There's a fairly annoying phone menu system, which it takes quite a while to nagivate, and at one point it seems to be going in circles.  It keeps talking about "active id", which I don't have.  It asks whether it's due to a deposit or withdrawal (yes) a couple of times, and tries to fob me off automatically as a result.

Eventually I am speaking to someone.  They start with "I'll be sending a push notification on your phone".  I'm not sure what this can mean in this context.  Push notifications, in this context, I would expect to come from an app specific to IB that I've chosen to install and set up, but I have not set up such an app.  I ask what they mean, and they respond with:

I'll be asking you some security questions.  What is your favorite restaurant?

This is actually happening. I'm a customer, I've been using the service for years, and they have apparently not established a proper way for them to authenticate me, and now they think they are "authenticating" me by asking me.. my favorite restaurant?  I have no clue whether I set this up, or what I would have given for an answer, and I have no record of any answer I may have set up in the past.  More pertinent: I did not agree for this to be used an an authentication mechanism for my account, because it is blatantly ineffective.

On to the next question:

Who was your favorite teacher?

The objections to this are identical to the objections to the previous question, and I don't know the answer.

Next, they ask me to email proof of id to csdocuments@interactivebrokers.com.  This is wrong in principle as an authentication mechanism.  Everyone has copies of my id, and I was a hacker, then I would too.  It means nothing.  The hacker able to log in as me to interactivebrokers.com (which I thought was supposed to be the service interface) must have a copy of my id, too.  One of the reasons everyone has a copy, is that every business and government entity keeps asking me to email copies.  Or if we are keeping any kind of pretence that communication between broker and client may be confidential, or even that my id documents are confidential, then emailing them in plain-text would blow that.  That's just how plain-text email works.  So no, I am not going to do this.

IB already have a copy of my ids, as part of the usual account-opening process, so this is not about Know-Your-Customer.  This is about something else: they want to treat realtime emailing of a copy of an id document as an "authentication".  It's not.

I ask if there's another option.  I get boilerplate bullshit about "this is with regards to the security of blah blah blah".

"If the account is not verified, I won't be able to ...", but this begs the question of whether emailing a copy of an id document is effective or acceptable as a way to "verify the account", which it's not.
 
"The only way ...", my notes didn't capture the rest of that sentence, but you get the picture.

"Once you provide us the valid proof of id, I'll check that against the account number ...".  Again, this is not proof of anything.  It's proof someone has a copy of my id and can email it.  I'd be amazed if it is not a breach of financial regulations for IB to be requesting this.  If you want proof of something, you have to have someone competent design the process, so that something then gets to be proved.  You can't just have a rando incompetent deciding that "email copy of id" is proof of something.  It's not.

"This is the last option we give to clients.  You don't have a device blah blah ...".  If they'd sent a device for it, and it worked, then great.  If they are talking about smartphone apps, then no, I don't need more things breaking when my phone breaks.

They then indicated that I could reset the "security" questions via my normal login.  I pointed out that if I was a hacker, I would simply do that, because I already have access to log in as me to the web site.  They went away for a bit, came back, and now said something like "you secure login device can only change the security questions.  You have to send id proof and after that we can change the security questions".  They keep referring to my login device that I don't have.  But it looks like this way round for me (and / or a hacker) to get it working doesn't exist after all.
 
All they have to say, to extended explanations about why none of what they're doing makes any sense, is things like "Sir this is just the security protocol that I'm following".  It's a great catch-all excuse for theft.  Oh, you're not bashing your head against a wall for us on live video feed? well, in that case, "due to security reasons", we have to steal all the money in your account.

Having given up trying to get it working, I say I'll have to take them to court.  It's annoying because 200k is above small claims thresholds, so the legal action will be expensive.  I also state I'll be complaining to regulators in at least the UK and Austria, based on my presence, their presence, and the fact they're global.  I ask for the best corporate entity to sue and the best address to serve legal notices, and they say I should look on my statements for this.  Fair enough.

I say I'll publicise it.  At this point, I'm careful not use this as a lever to get my way, or to make it conditional.  I simply state I'm publishing it.

Finally, I ask the rep's name for my records, and which subsidiary of IB they are representing.  They are on the General Team.  A bit more questioning about geographical location; they are in India.  Okay, I guess I'm searching for an EU-based subsidiary to sue and / or taking action in England.

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI
Read more

google is giving more and more 500 errors

Image
Total state capture and moral bankruptcy are not the only problems facing Google.  They are also giving an increasing rate of 500 Internal Server errors.  This is the sort that means they've messed up, but not in a way that they should have messed up.  On the other hand, they have drawn a lovely picture of a robot falling apart. Today's example is from Google Calendar under calendar.google.com.  I was trying to make an appointment, and now I'm doing this. I remember, in 2018, a friend trying to convince me that 500 Internal Server Errors no longer happened, or if they did it was my fault, and that they hadn't seen any for years, and some other things.  They assured me that they would love to see screenshots of such a rare specimen, which I bored them with for a while.  That friend happens to be a Google employee. Well, there are plenty of others posting about Google Calendar on twitter today, including screenshots of 500 Internal Server errors, so I doubt this one is en
Read more

7 minute workout: a straightforward audio recording (and two broken google web sites)

Image
 Last year I had a simple rendition of the 7 minute workout routine recorded by a voice artist . I wanted a simple audio track to help get the timings right.  I used to have a good "app" that did it, but that handset died.  Subsequent "app"s have got rubbisher and rubbisher, by having mega-configurable exercise order and making it complicated, with intrusive advertising, by synthesizing unpleasant robot voices instead of simply recording a human voice, and by making everything sound so pumped. Youtube video mmq5zZfmIws is not bad, but they have not been able to resist having ads, and a quick part of the morning routine can not have ads, it's just too tacky.  But one can watch someone doing each exercise and see how to do it properly.  Incidentally, they are at 30M views, also because daily routine.  The track I got recorded, in m4a format, is: https://drive.google.com/uc?export=download&id=1c91iH6XJrfCiItTJErJAmIbNdGuHN0tr (direct download link) https://dr
Read more