Ameritrade Security Audit Finds Privacy-Busting Back Door
RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"
And here come the GNAA trolls...
Hopefully their investigation turns up who's profiting from it and the SEC turns the screws on them.
><));>
...do they know who put the unauthorized code in there and what's going to happen to those responsible for that?
Will that prosecutor from Law & Order (who's in the TD Ameritrade TV ads) throw the book at the bad guys now?
Great. How did that "bad code" get there? Did they close THAT loophole? Because if not, it's just a matter of time.
My blog. Good stuff (when I remember to update it). Read it.
"there is no evidence that our clients' Social Security numbers were taken" == "there is no evidence that our clients' Social Security numbers were not taken" == "we don't know if our clients' Social Security numbers were taken" == "our clients should probably assume that their SSNs, DOBs, and everything else needed to ruin their lives were taken."
How exactly did they manage a misspelling in an "online video-taped message?"
Or was it the editor that mispelled, in which case, why quote a single word with no context?
Makes you wonder..
As a TD Ameritrade account holder I find this unacceptable. Not only do they have unauthorized code running on their local systems with access to customers' social security numbers and the like, but they don't even tell their customers when this happens other than issuing a generic press release in which they say they think the hackers only got email addresses, despite the fact that the database the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities.
How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened.
What exactly is TD Ameritrade doing about this? TD Ameritrade should at least give its customers free credit monitoring.
You don't have to look far - this one is particularly damning, and I've seen evidence elsewhere that people set up an email address ONLY for Ameritrade and they've watched the spam come in.
Never email donotemail@WeAreSpammers.com
Perhaps you should have checked the article before copy-pasting a (bad) troll? Cause from where I am sitting, it clearly says "Zonk" at the top...
Quotes, and translation:
The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers.
Moglia, speaking in an online video-taped message to customers, said he is "confidant" that they have figured out how the information was taken.
It's necessary to know how to translate those statements. It looks like plain English, but it isn't. It's Exec-lish, and must be translated.
Exec-lish to English translation: "We don't actually have anyone in our company that understands technical computer issues. The software was written by a low bidder to whom we awarded a contract. Since we don't have any technically knowledgeable people on staff, we had no way to understand if we should have confidence in the bidder or not."
"We don't know how many people accessed our system through the back door, or how many times, or for how long. (Actually I had never heard the term 'back door' until yesterday.) Since we don't have any technical knowledge, we can't assess whether there are other back doors. Possibly even the forensic investigators have left their own back doors."
Exec-lish is a weird language that doesn't allow the expression of negative facts. So, it is possible that, if the executive wanted to be truthful, he or she would say, "I'm not qualified to be in this job, since I don't know enough to understand the company's operations thoroughly."
I'm just guessing about that translation, but gathering from what I've seen at other companies, it is not far off.
I agree with Linus on this one. The Earned Income Tax Credit encourages people to be poor; we should abolish it.
It could be as simple as a cracked laptop used by some executive.
All it needs is access to the database.
Their press release provides NO information. And it does nothing to restore any confidence in their systems or management.
u mean someone inside the stock market blackbox told others :D hello immunsystem ...
...
...
...
... user against user, the profitable ones for ameritrade get sold and bought tho.
:D
...
how the blackbox works? about time
"insider trading is only illegal if it breaks the law(tm)"
can u make sloshdor load faster? pls
look, all online trading companies are a fraud.
they offer u access to stock market, so u ( and john and his mother sign up to).
sure they show u the delayed 20 minutes stock quotes (which i assume cost money to see),
but in reality, all those
so lets say we have a RING 0, that is the true stock market , if it ever existed.
all the online traders are RING 1, that means, they aren't the real access. they a 3rd party.
owner RING 1 allows them to do trading and balancing without really using RING 0.
what does this mean?
it means that if john sells low and his mom is buying high, they can regulate this internally, without ever touching ring 0 and make a healthy profit.
$buying and selling in RING 1 doesn't affect real RING 0 stock prices, because it is being
cleared inside RING 1, e.g. the so called helpful on-line stock trading company,
like ameritrade
buy and sell commands never leave ameritrade. they are just cleared by other ameritrade
users, they never actually reach the real stock market
it's a wickedly cool business model. if you can say internet firewall and silently dropped packets,
then you can say ameritrade and on-line stock traders
if this doesn't make sense?
Any chance this is a Windows based system? ;P
--
Mathematicians and programmers needed:
http://metascore.sourceforge.net/
I am presuming that unauthorized means that it wasn't quality controlled. It is fairly easy to add SQL code intended for one purpose while forgetting to secure it against SQL injections.
Wow, that's really funny. I mean, I was sitting here, bored out of my mind when I read your post. I couldn't stop laughing, crying, clapping my hands and shouting "Glory glory!". Thank you Mr./Ms. AC for your clever twist on the "in russia blank blanks you!" riff. ...privacy busts your back door...No, really...I'm still giggling.
Oh, I know you could've added a profound comment or even no comment at all. But you saw your chance...and by golly, you seized it. Carpe Cliche!
So on behalf of all slashdot readers. Thank you. Thank you. Thank you.
Sincerely,
lottameez
Yeah? Well I think you're overrated too.
Anyone know what OS they happen to be running ?
What was it?
Well, that explains why I have started getting spam to my Ameritrade email address MANY MONTHS AGO. Yup, I gave them a one-time-use address, and it was compromised. It goes to a black hole now, but I still see how often it is tried in my mail logs. But this has been going on for quite some time (and I closed this account a long time ago before this, and thought maybe they sold my address for doing so).
Despite the whitewashing that's going on, AMTD is going to take a BIG hit. These issues are not to be taken lightly.
From the FAQ:
Absence of evidence is not evidence of absence.
Flourescent (adj): smelling like ground wheat.
It's like Washington politicians dumping the really bad news too late for the news cycle.
Nice of them to let the users know so soon.
...that the "author" of this post has some kind of "problem" with Ameritrade.
Anyone have recommendations?
tidokoro
what turns a man's karma neutral? lust for gold? power? or just a heart born full of neutrality?
The dirty little secret is that the people behind it appear to be in Slovakia and potentially in Canada.
Clearly more than e-mails were stolen. When I received both e-mail and snail mail stock flipping spam I traced the information down to addresses in Slovakia and Canada (which I promptly fed the SEC who probably never did anything about it considering that the spammers managed to register and flip a completely bogus company within 3 months flat). A spammer in Slovakia won't have much to do with SSNs except sell them.
It's a matter of time before those "unaccessed SSNs" are sold if they haven't been already.
There is no incentive for TDAmeritrade to do anything about this because they figure they won't be found responsible for identity thefts that will occur as a result (go trace them back to Slovakia). It's enough for them to stop fraudulent access to their accounts.
Shame on Ameritrade for being so careless and callous.
I was an Ameritrade customer. Soon after setting up an account with them, I started getting pump-and-dump spam sent to the single-purpose email address that I'd created only for use with them. A simple google search showed that this had been going on for years at Ameritrade. I run Linux, and am fairly careful about keeping my box secure, so I was pretty sure the address hadn't been leaked by malware on my end. In the past, they've claimed that the addresses might be getting found by dictionary attacks, but the address I was using had 13 characters before the @ sign, didn't have dictionary words in it, and had an obscure domain name after the @, not yahoo or hotmail or anything like that.
I decided that I wasn't going to entrust the bulk of my life's savings to a company that was that clueless about security, so I transferred my account to Scottrade. When I did the transfer, I explained in an email to the Ameritrade people that the security problem was the reason I was leaving them. They responded with a phone call, and the phone rep was completely in denial about the spam problem, which had been publicly known and discussed for years.
The other reason I wanted to get away from them was that some of the functionality of their web interface didn't work on Firefox in Linux, so I had to do certain things (e.g., withdrawing money) on a Mac or Windows machine instead. (When I called to report it as a bug, they said they didn't support Linux.)
Find free books.
Provide at least one year of credit-monitoring services for your customers whose data were compromised.
This has been going on for years. In 2005, a user of the spamgourmet disposable web site address reported that he was getting spam advertising stock scams to an address he created exclusively for Ameritrade. Moreover, the user ran a *nix version on his PC and was very careful, so a leak on his end was unlikely. Ameritrade first denied, then compensated him. That was only the start. Since then, many reports surfaced showing that Ameritrade has an email leak problem.
It was only logical that the leak wasn't limited to email addresses.
Meanwhile, Ameritrade denied that their system was compromised. For instance, a spamgourmet user attempted to contact Ameritrade but got nowhere, so he complained about Ameritrade to the BBB. That woke Ameritrade up. They finally answered the user, while denying any breach in their systems:
In the light of their recent admission, this translates into: "Our staff was utterly clueless and couldn't find a Trojan if it hit them in the balls with a brick. This contractor guy ran a newfangled thingie called a "rootkit detector" and whaddya know, it lit up like a Christmas tree. He said your data got pwned. So there."
Fantasy: http://ferrisfantasy.blogspot.com/
Check out the dossier page for ameritrade on SiteAdvisor -- you'll see they have a dossier of spams sent out by Ameritrade. Note, they've been getting a green rating because SA felt they didn't deserve to get a red rating overall because they are a trusted financial institution.. however it's very likely they'll be getting a red rating overall quite soon, which might have quite an impact on Ameritrade's bottom line given SA's enormous user base.
http://cltracker.net -- powerful craigslist multi-city search
Here is the Ameritrade response to someone who used a VERY random unique email address for their Ameritrade account and complained in 2005 (almost 2 years ago).
"Thank you for contacting us today regarding e-mails that you received.
"We have received reports from some clients that a spam e-mail
regarding information on the security SNFX, has been targeted to an
address they use with Ameritrade. This does not result from Ameritrade
sharing or selling any contact information, nor do we believe any
information has been compromised. The cornerstone of our Privacy
Statement is the commitment to keep our clients' personal information
confidential. Ameritrade does not sell, license, lease or otherwise
disclose your personal information to any third party for any reason,
except as noted in the Privacy Statement.
"Several Spam methods do not depend on using purchased or intercepted
lists of existing or valid e-mail accounts. Spammers also use known
"brute forcing" or dictionary techniques. Brute forcing e-mails
basically starts with something like a@doeinvestor.net, aa@doeinvestor,
aaa@doeinvestor, aab@doeinvestor, abb@doeinvestor and continues on from
there. Brute forcing basically generates and sends out an email to
every possible combination of characters/email addresses at a domain
like the optiline.net domain. A dictionary email spam basically uses
all of the words that would be included in a dictionary or combinations
of words which generally produce quite a few valid email accounts.
This type of method would not be inhibited by using a separate e-mail
address for each business account you may have.
"We have located the ISP that these e-mails originated from and legal
has taken the appropriate action to address and prohibit further spam
attempts.
"We have no reason to believe that any of our systems have been
compromised. Ameritrade deploys state of the art firewalls, intrusion
detection, anti - virus software as well as employs a full time staff
of employees dedicated strictly to Information Security and protecting
Ameritrade's systems from unauthorized access.
"If you have further concerns or inquiries, please reply to this
message.
"Have a good day!"
I believe them. For months, they said that my system was hacked and the custom e-mail address used by them must have been signed up with someone else and that is how the spammers got my address.
Yep, I believe them. 110%.
Their new spokesman is Harcourt Fenton Mudd.
Fight Spammers!
Your daughter is gonna have a mixed baby. It'll be funny.
So I dunno but if anyone else uses TD and has seen nVidia's stock price the past few months, they'd see it was rising upwards of $52, but now it shows it at $32, and the charts for the year never go past. Yet earlier, I had bought the stock at $45 and sold for a little more. How the hell did this happen? Is it the same problem.
I did a project for Ameritrade back in 1999 to do a kind of single signon for Ameritrade customers to research providers like TheStreet.com and such.
Anyway, when I got onsite and started talking to them, I found out that the entire trading system was written in noncompiled Perl. They used huge modules for all their trading functions and had a habit of just "use"ing all of the modules in all of the scripts whether they needed them or not. I actually figured out that every time a trade was input by a user, the system had to load and tokenize well over 50,000 lines of Perl code in something like 75 files. Their idea of increasing performance was adding another huge SunFire server to the growing pool of over 30 in the group.
I asked them if they had ever thought of using something like FastCGI to speed things up by preloading the modules at least, or coding in C or C++ rather than Perl. They said no one really knew how to code in C and they couldn't figure out FastCGI.
Anyway, the upshot is that was kind of a scary bunch. It's hard enough to lure good programmers to Omaha in the first place, and then they required all of their staff to wear a shirt, coat and tie, so they didn't exactly get the cream of even that crop!
In Manitoba, Day/Month of birth are on the License Plates + 4 months - 1 day. That is the new system they invented to cut lineups.
You'd think they learned their lesson about back-doors after the WOPR incident!
I had several unproductive exchanges with Ameritrade last year about this problem. They claimed that my account was compromised by a dictionary attack (the address was lpm_ameritrade_xubz@...) or that it was leaked by a virus on my computer (running OpenBSD).
I changed it several times, eventually to an absurdly long string of random characters--a rhetorical ploy. Each time the address was compromised within weeks. Finally I closed my account and moved to another brokerage, which has kept my contact information delightfully secure.
I'm glad to see that Ameritrade is going to take its licks for this. I was quite unhappy with their handling of the situation. I interacted with one reasonable senior-level person after I had already initiated the closure of my account--he refunded my account termination charges and seemed interested in investigating the problem with an open mind. That doesn't right the wrong.
I usually tend to ignore class action lawsuits but in this case, sign me up! I've got complete, detailed documentation of my SPAM-related suffering at the hand of Ameritrade.
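The single-purpose-address practice several posters describe (one random address per vendor, then watching who mails it) as an added example, not code from the thread or from any company named in it: it mints tagged addresses, shows why a 13-character random suffix is out of reach of the "dictionary" enumeration described in the quoted Ameritrade reply, and attributes unexpected senders in a constructed mail log to the vendor whose tag they hit. The log format, domains and sender lists are my assumptions.

```python
import math
import re
import secrets
import string

# Constructed sample mail-log lines (format and addresses are made up for
# this example); each vendor got its own tagged address "<vendor>.<random>@".
SAMPLE_LOG = """\
2007-09-14T10:01:22 to=<ameritrade.k7q2x9v1b3m4z@example.net> from=<pump@bogus-stock.example> status=sent
2007-09-14T10:03:40 to=<newsletter.aa91pz@example.net> from=<digest@news.example> status=sent
2007-09-14T11:17:05 to=<ameritrade.k7q2x9v1b3m4z@example.net> from=<alert@flipper.example> status=sent
2007-09-15T08:45:10 to=<ameritrade.k7q2x9v1b3m4z@example.net> from=<invest@pennystock.example> status=sent
2007-09-15T09:00:00 to=<bank.c3d8f1r5@example.net> from=<alerts@bank.example> status=sent
"""

# Sender domains each vendor is expected to use (assumed values).
EXPECTED_SENDERS = {
    "ameritrade": {"ameritrade.example"},
    "newsletter": {"news.example"},
    "bank": {"bank.example"},
}

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
LOG_RE = re.compile(r"to=<([^>]+)> from=<([^>]+)>")


def make_vendor_address(vendor: str, domain: str, length: int = 13) -> str:
    """Mint a single-purpose address: vendor tag plus a random local-part suffix."""
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{vendor}.{suffix}@{domain}"


def suffix_entropy_bits(address: str) -> float:
    """Bits of entropy in the random suffix, assuming uniform choice from ALPHABET."""
    local = address.split("@", 1)[0]
    suffix = local.split(".", 1)[1] if "." in local else local
    return len(suffix) * math.log2(len(ALPHABET))


def expected_brute_force_attempts(address: str) -> float:
    """Mean number of guesses an a, aa, aaa ... enumeration needs to hit this suffix."""
    return 2 ** suffix_entropy_bits(address) / 2


def attribute_leaks(log_text: str, expected: dict) -> dict:
    """Map vendor tag -> sender domains that are not the vendor's own.

    Mail from an unexpected domain to a vendor-only address means the address
    left that vendor's hands; the tag in the local part says which vendor.
    """
    leaks: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a delivery line
        rcpt, sender = m.group(1), m.group(2)
        vendor = rcpt.split("@", 1)[0].split(".", 1)[0]
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain not in expected.get(vendor, set()):
            leaks.setdefault(vendor, [])
            if sender_domain not in leaks[vendor]:
                leaks[vendor].append(sender_domain)
    return leaks


if __name__ == "__main__":
    addr = make_vendor_address("broker", "example.net")
    print(addr, f"{suffix_entropy_bits(addr):.1f} bits of suffix entropy")
    print(attribute_leaks(SAMPLE_LOG, EXPECTED_SENDERS))
```

A 13-character suffix over 36 symbols is about 67 bits, so an enumeration that starts at a@ and counts upward would on average send on the order of 10^19 messages before reaching it; a tagged address that draws stock spam within weeks was copied, not guessed.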
In Manitoba, Day/Month of birth are on the License Plates + 4 months - 1 day. That is the new system they invented to cut lineups.
Really? I can't find any info in google about that.
In fact, I find information to the contrary.
"You think that a CEO of an investment firm should understand the nuances of computer security?"
My understanding is that Ameritrade is NOT an "investment firm". The company is a computer services firm. If you buy a stock, Ameritrade checks its own inventory that day, and likely sells you some of its own stock, which it keeps to avoid going somewhere else, which would be more expensive. That selling is just quick computer entries, debiting its own account and adding to the buyer's account.
In the same way, Amazon is not a book seller. It is an inventory company. Amazon does not read the books, it just stocks them.
So, if the Ameritrade CEO knows nothing about computer systems, as it seems from the statements on the web site, he knows nothing about his job.
It, unfortunately, is not that easy. As soon as one computer is connected to another computer (via wireless, wired networks or 'sneaker-net'), problems with security start to cascade. If a computer has a USB port, a CD drive, DVD drive, or a network connection, it is nearly impossible to lock down - malware will find its way onto the machine.
The U.S. and foreign governments spend a fortune trying to lock down some of their most sophisticated computers and networks and still they leak like a sieve.
Although we may wish that it were otherwise, we can hardly expect a company whose bottom line is the profit margin to spend all that it takes to secure even one computer...
Consider the magnitude of the problem:
- Keep the network holes plugged as much as possible
- Keep the operating system patched
- Keep all of the applications (including the off-the-shelf and home-grown applications) patched
- Keep all security software patched and updated
- Most importantly, keep all employees from doing anything remotely silly or risky
Many of the items above are nearly impossible to do well - for example...if a typical patch for a piece of software arrives ~5 days after the vulnerability is announced, what is the financial institution supposed to do for those 5 days? NOTE: the 5 days is a fictitious number - no one achieves that high a speed in issuing and applying patches...but it illustrates the point...
There is no way for an underpaid, overworked security staff to plug EVERY hole - especially in the world of zero day exploits. The hackers, on the other hand, have automated tools that can plug at the problem 24/7 until they find even one, overlooked hole...
Chalmer
Congrats to Ameritrade on owning up to the problem and closing the hole caused by the rogue code.
However, the programmer (or hacker) who added this code probably didn't do it just once -- there are likely other backdoors that they put in. So, Ameritrade needs to perform a top-to-bottom code audit in order to ensure that all their code is what it is supposed to be. This should be done by two unrelated teams of skilled developers who are familiar with financial systems, and who have never been on their payroll, or the payroll of any of their vendors they have used in the past.
Only then can the management at Ameritrade have any assurance at any level, that their systems are now uncompromised.
Chip H.
I hear an onslaught of phone calls to Ameritrade demanding 1 year Monitoring... Do it soon before they change the policy.
Please. Get the facts instead of "searching Google"
http://www.mpi.mb.ca/english/dr_licensing/DriverLicensing.html
"The Driver's Licence Certificate (Part 2) is renewed yearly and expires four months less one day after your birthdate."
Which is OK except they harmonized renewal of licenses and vehicle registration plates. So, effectively, you have birth day/month on license plates.
http://www.mpi.mb.ca/english/insurance/i_faq.html
Q. How do I know when my next time payment is due?
A: [snip] Your anniversary day is the day 4 months after your birthday.
... that I got in snail-mail this week and reproduced at http://lee-phillips.org/ameritrade/ with my reactions.