Slashdot Mirror


Ameritrade Security Audit Finds Privacy-Busting Back Door

RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"

9 of 111 comments

  1. More importantly... by Anonymous Coward · Score: 1, Interesting

    ...do they know who put the unauthorized code in there and what's going to happen to those responsible for that?

  2. Confidant? by gatekeep · Score: 2, Interesting

    How exactly did they manage a misspelling in an "online video-taped message?"

    Or was it the editor that misspelled, in which case, why quote a single word with no context?

  3. Re:Unacceptable by bignetbuy · Score: 2, Interesting

    "...hackers only got email addresses despite the fact that the database the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities."

    Exactly. Those new account forms ask for a boatload of personal information.

    I wonder how many TD accounts are linked to a stock trader's primary checking account? Scary stuff.

    Good luck with your account.

  4. Re:Unacceptable by klenwell · Score: 3, Interesting

    I'm a TD Ameritrade account holder, too, and contacted them last month after I noticed I got some penny-stock spam addressed to me with a TD Ameritrade subject line right after I got my monthly email statement. This was the response:

    Thank you for taking the time to address your concerns to Executive Management. I very much appreciate your concern and would like you to know we are conducting an internal investigation regarding the complaints you have disclosed in your email regarding the SPAM. While I will not be able to relay any specifics or update you on the findings, I wanted you to know that we are aware of the situation and are making the necessary corrective actions to remedy the issue.

    Citing your inquiry regarding account safety, your assets held with our company are protected by our Asset Protection Guarantee. This safeguards your account from any loss due to fraudulent activity. If you have any further questions regarding this policy please contact our Client Service Representatives at 800-669-3900. They are available 24 hours a day, 7 days a week, excluding market holidays.

    Warm regards,

    Adam Triplett
    atriplett@tdameritrade.com
    Senior Research Analyst
    Office of the President
    Private Client Division
    TD AMERITRADE Holding Corporation

    At least, it wasn't a bald-faced denial.

    It's reached the point that I just assume that sooner rather than later all my private information will be stolen, lost, and compromised -- if it hasn't already. (As a UC graduate, I think I've been party to two other well-publicized identity-theft cases.)

    Luckily, I have several different internet identities. So as soon as one is stolen, I move on to the next one. (If only it were that easy...)

    --
    Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
  5. and the rich get richer by tidokoro · Score: 4, Interesting

    I'm actually a TD account holder and wouldn't mind seeing them punished for this. Unfortunately, I've never been party to a class-action suit that even came close to compensating me for the time I took to fill out whatever forms I needed to fill out, much less what I had actually lost as part of the class. From the last class-action I joined:

    Dear Claimant,

    The Proof of Claim and Release you submitted with respect to the In re [Bankrupt Company] Securities Litigation has been processed under the terms and conditions of the Stipulations of Settlement and Second Distribution Order as approved by the United States District Court for the Eastern District of New York. Please be advised such Stipulation and Order provides:

    "If such Authorized Claimant is allocated less than $10.00 in value from the remaining Settlement Fund, then such Authorized Claimant shall not receive a further distribution from the Settlement Fund, and such amounts shall be re-allocated among the remaining Authorized Claimants."

    Based upon these terms, we regret to inform you the proration of your share of the Settlement Fund, as approved by the Court, would amount to less than ten dollars ($10.00). Therefore you will not receive a distribution from the Settlement Fund.

    Sincerely,
    Claims Administrator
    --
    tidokoro
    what turns a man's karma neutral? lust for gold? power? or just a heart born full of neutrality?
  6. Re:confidant[sic] they deleted the bad code by ErroneousBee · Score: 3, Interesting

    More likely, start by playing the "Guess the Webserver" game.

    Compare with the likes of Bank of India, Monster.com, USAjobs.gov, myspace.com and other recent security incidents.

    Do you see a pattern emerging?

    --
    **TODO** Steal someone else's sig.
  7. Possible reason why nobody has been caught by Coward+Anonymous · Score: 2, Interesting

    The dirty little secret is that the people behind it appear to be in Slovakia and potentially in Canada.

    Clearly more than e-mails were stolen. When I received both e-mail and snail mail stock flipping spam, I traced the information down to addresses in Slovakia and Canada (which I promptly fed to the SEC, who probably never did anything about it, considering that the spammers managed to register and flip a completely bogus company within 3 months flat). A spammer in Slovakia won't have much to do with SSNs except sell them.

    It's a matter of time before those "unaccessed SSNs" are sold if they haven't been already.

    There is no incentive for TDAmeritrade to do anything about this because they figure they won't be found responsible for identity thefts that will occur as a result (go trace them back to Slovakia). It's enough for them to stop fraudulent access to their accounts.

    Shame on Ameritrade for being so careless and callous.

  8. Re:Unacceptable by Technician · Score: 3, Interesting

    How does unauthorized code even get into a financial institution's systems?

    http://www.darkreading.com/document.asp?doc_id=113460&print=true

    No. 1: The Thumb Drive Caper

    In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.

    The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.

    We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.
    That was just one of many ways to do it.

    --
    The truth shall set you free!
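The thumb-drive test quoted in the comment above works because a Windows workstation of that era would AutoRun a planted executable, or at least let a curious employee double-click it, and the USB drive was readable at all. The script below is an added example, not code from the Slashdot thread or from the Dark Reading story, that audits (and with `-Enforce`, sets) the three registry-backed policies that blunt this: AutoRun disabled for every drive type, the "All Removable Storage classes: Deny all access" policy, and the USB mass-storage driver set to disabled. The registry paths and values are the documented Group Policy equivalents; the `-Enforce` switch, the `$Checks` table and `Get-SettingState` are this script's own names. It assumes it is run as Administrator on a domain-joined or standalone Windows host.

```powershell
# Added example (not from the thread or the Dark Reading article):
# audit, and optionally enforce, the Windows settings that blunt a
# USB "drop" attack such as the thumb-drive test quoted above.
# Registry paths/values are the documented Group Policy equivalents;
# -Enforce, $Checks and Get-SettingState are names chosen here.
# Run as Administrator.
[CmdletBinding()]
param([switch]$Enforce)

$Checks = @(
    @{ Name  = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 255 },
    @{ Name  = 'All removable storage classes: deny all access'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value = 'Deny_All'; Want = 1 },
    @{ Name  = 'USB mass-storage driver (USBSTOR) disabled (Start = 4)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Want = 4 }
)

# Read one setting and report whether it matches the wanted value.
function Get-SettingState($c) {
    $cur = $null
    if (Test-Path $c.Path) {
        $cur = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                    -ErrorAction SilentlyContinue).($c.Value)
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = $cur
        Wanted    = $c.Want
        Compliant = ($cur -eq $c.Want)
    }
}

$results = foreach ($c in $Checks) {
    $state = Get-SettingState $c
    if ($Enforce -and -not $state.Compliant) {
        # Create the policy key if it does not exist, then set the DWORD.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
            -Value $c.Want -Force | Out-Null
        $state = Get-SettingState $c     # re-read so the report shows the new value
    }
    $state
}

$results | Format-Table -AutoSize
# Non-zero exit so a configuration-management job can flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Disabling AutoRun alone would not have stopped the test described in the article: the employees still had to pick up the drive and open what was on it, and nothing in the AutoRun setting prevents a double-click. The Deny_All policy is the control that actually keeps the planted file from being read, and disabling USBSTOR is belt-and-braces for hosts that should never mount mass storage at all. Run the script without `-Enforce` first to see what a workstation currently has, since a blanket deny will also break any legitimate removable-media workflow.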
  9. Re:Exec-lish is a weird language. by vic-traill · Score: 2, Interesting

    That's like saying that the CEO of McDonald's should be able to slaughter a cow.

    Years ago, on Michael Moore's TV Nation program, there was a segment called the CEO Corporate Challenge, in which Moore attempted to get CEOs to perform some task with a product of their company, or a component of a product of their company.

    Picture Moore with a megaphone and a 1.44M floppy, outside IBM headquarters, shouting something like "Lou Gerstner, format this disk. You have one hour." Lou didn't show.

    Surprisingly, Alexander Trotman, Ford CEO at the time, came out and changed the oil in a pickup in a time pretty close to a local quik-lube.

    So, yeah, maybe sometimes you can expect the CEO to know about surprising stuff - they may have had a life before they became a CEO. In Trotman's case, he had been in the RAF, and I suspect he picked up skills and possibly a personality on the way through.

    And yeah, I know it's TV *and* Michael Moore. But I have no trouble believing Trotman did it.

    --
    [17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings