Slashdot Mirror
Ameritrade Security Audit Finds Privacy-Busting Back Door
RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"
Great. How did that "bad code" get there? Did they close THAT loophole? Because if not, it's just a matter of time.
My blog. Good stuff (when I remember to update it). Read it.
"there is no evidence that our clients' Social Security numbers were taken" == "there is no evidence that our clients' Social Security numbers were not taken" == "we don't know if our clients' Social Security numbers were taken" == "our clients should probably assume that their SSNs, DOBs, and everything else needed to ruin their lives were taken."
As a TD Ameritrade account holder I find this unacceptable. Not only do they have unauthorized code running on their local systems with access to customers social security numbers and the like, but they don't even tell their customers when this happens other than issuing a generic press release in which they say they think the hackers only got email addresses despite the fact that the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities.
How does unauthorized code even get into a financial institutions systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened.
What exactly is TD Ameritrade doing about this? TD Ameritrade should at least give it's customers free credit monitoring.
Quotes, and translation:
The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers.
Moglia, speaking in an online video-taped message to customers, said he is "confidant" that they have figured out how the information was taken.
It's necessary to know how to translate those statements. It looks like plain English, but it isn't. It's Exec-lish, and must be translated.
Exec-lish to English translation: "We don't actually have anyone our company that understands technical computer issues. The software was written by a low bidder to whom we awarded a contract. Since we don't have any technically knowledgeable people on staff, we had no way to understand if we should have confidence in the bidder or not."
"We don't know how many people accessed our system through the back door, or how many times, or for how long. (Actually I had never heard the term 'back door' until yesterday.) Since we don't have any technical knowledge, we can't assess whether there are other back doors. Possibly even the forensic investigators have left their own back doors."
Exec-lish is a weird language that doesn't allow the expression of negative facts. So, it is possible that, if the executive wanted to be truthful, he or she would say, "I'm not qualified to be in this job, since I don't know enough to understand the company's operations thoroughly."
I'm just guessing about that translation, but gathering from what I've seen at other companies, it is not far off.
Maybe because it works? Look at slashdot: Every pump n dump story features dozens of people suggesting you buy the stock in question early Monday morning before all the other suckers do.
Do you even lift?
These aren't the 'roids you're looking for.
Despite the whitewashing that's going on, AMTD is going to take a BIG hit. These issues are not to be taken lightly.
From the FAQ:
Absence of evidence is not evidence of absence.
Flourescent (adj): smelling like ground wheat.
Its like Washington Politicians dumping the really bad news too late for the news cycle.
Nice of them to let the users know so soon.
I did a project for Ameritrade back in 1999 to do a kind of single signon for Ameritrade customers to research providers like TheStreet.com and such.
Anyway, when I got onsite and started talking to them, I found out that the entire trading system was written in noncompiled Perl. They used huge modules for all their trading functions and had a habit of just "use"ing all of the modules in all of the scripts whether they needed them or not. I actually figured out that every time a trade was input by a user, the system had to load and tokenize well over 50,000 lines of Perl code in something like 75 files. Their idea of increasing performance was adding another huge SunFire server to the growing pool of over 30 in the group.
I asked them if they had ever thought of using something like FastCGI to speed things up by preloading the modules at least, or coding in C or C++ rather than Perl. They said noone really knew how to code in C and they couldn't figure out FastCGI.
Anyway, the upshot is that was kind of a scary bunch. It's hard enough to lure good programmers to Omaha in the first place, and then they required all of their staff to wear a shirt, coat and tie, so they didn't exactly get the cream of even that crop!