Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ameritrade Security Audit Finds Privacy-Busting Back Door

Posted by Zonk on from the dang-canned-pork dept.

RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"

4 of 111 comments (clear)

  1. Google for it.. by Dynamoo · · Score: 4, Informative
    Do a Google search for Ameritrade spam. This isn't a new problem, it's been going on for months and even years where there's clear evidence that the data is being lifted by spammers.

    You don't have to look far - this one is particularly damning, and I've seen evidence elsewhere that people set up an email address ONLY for Ameritrade and they've watched the spam come in.

    --
    Never email donotemail@WeAreSpammers.com
  2. Re:Unacceptable by Anonymous Coward · · Score: 2, Informative

    Here's a copy of Ameritrade's response.

    September 14, 2007

    You do not need to make any changes to your TD AMERITRADE accounts or to change the way you do business with us.

    Dear AC,

    Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

    Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

    What we want you to know:
    Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
    You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
    While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

    For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

    We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

    We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

    Sincerely,

    Joe Moglia
    CEO
    TD AMERITRADE

  3. Press Release Doesn't Tell the Whole Story by Ethan+Preston · · Score: 5, Informative
    I am a class action attorney. My law firm and I sued Ameritrade over failing to disclose the security breach on May 31, 2007. We filed for a preliminary injunction on July 10, 2007. Part of the relief we sought for the accountholders in the preliminary injunction was a disclosure of this information.

    In sum, this Motion seeks an Order from this Court against TD AMERITRADE, Inc. that: ... 8. Requires TD AMERITRADE, Inc. to prominently disclose in its Privacy Statement and in emails or other individual disclosures to its accountholders: ALERT: AMERITRADE'S INFORMATION SYSTEMS ARE NOT NECESSARILY SECURE AND WE CANNOT ASSURE THE SECURITY OF YOUR PERSONAL INFORMATION. THERE IS EVIDENCE THAT SOME ACCOUNTHOLDERS' EMAIL ADDRESSES HAVE LEAKED FROM AMERITRADE'S COMPUTER SYSTEMS TO SPAMMERS. AMERITRADE HAS AN ONGOING INVESTIGATION INTO THIS SITUATION. YOUR NAME, SOCIAL SECURITY NUMBER, AND YOUR EMAIL ADDRESS MAY HAVE BEEN LEAKED AS WELL. We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You can contact Equifax (800-685-1111), Experian (888-397-3742), or TransUnionCorp (800-680-7289). Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You can obtain a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm
  4. I bailed on them for this reason. by bcrowell · · Score: 2, Informative

    I was an Ameritrade customer. Soon after setting up an account with them, I started getting pump-and-dump spam sent to the single-purpose email address that I'd created only for use with them. A simple google search showed that this had been going on for years at Ameritrade. I run Linux, and am fairly careful about keeping my box secure, so I was pretty sure the address hadn't been leaked by malware on my end. In the past, they've claimed that the addresses might be getting found by dictionary attacks, but the address I was using had 13 characters before the @ sign, didn't have dictionary words in it, and had an obscure domain name after the @, not yahoo or hotmail or anything like that.

    I decided that I wasn't going to entrust the bulk of my life's savings to a company that was that clueless about security, so I transferred my account to Scottrade. When I did the transfer, I explained in an email to the Ameritrade people that the security problem was the reason I was leaving them. The responded with a phone call, and the phone rep was completely in denial about the spam problem, which was had been publicly known and discussed for years.

    The other reason I wanted to get away from them was that some of the functionality of their web interface didn't work on Firefox in Linux, so I had to do certain things (e.g., withdrawing money) on a Mac or Windows machine instead. (When I called to report it as a bug, they said they didn't support Linux.)

    --
    Find free books.