Slashdot Mirror


Ameritrade Security Audit Finds Privacy-Busting Back Door

RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"

23 of 111 comments

  1. confidant[sic] they deleted the bad code by PitaBred · · Score: 4, Insightful

    Great. How did that "bad code" get there? Did they close THAT loophole? Because if not, it's just a matter of time.

    1. Re:confidant[sic] they deleted the bad code by ErroneousBee · · Score: 3, Interesting

      More likely, start by playing the "Guess the Webserver" game.

      Compare with the likes of Bank of India, Monster.com, USAjobs.gov, myspace.com and other recent security incidents.

      Do you see a pattern emerging?

      --
      **TODO** Steal someone else's sig.
  2. Re:Law & Order? by pjwalen · · Score: 2, Funny

    Sam Waterston? I would also like to buy some Robot insurance. Robots are made of metal and they are strong.

  3. no evidence? by Anonymous Coward · · Score: 3, Insightful

    "there is no evidence that our clients' Social Security numbers were taken" == "there is no evidence that our clients' Social Security numbers were not taken" == "we don't know if our clients' Social Security numbers were taken" == "our clients should probably assume that their SSNs, DOBs, and everything else needed to ruin their lives were taken."

  4. Confidant? by gatekeep · · Score: 2, Interesting

    How exactly did they manage a misspelling in an "online video-taped message?"

    Or was it the editor that misspelled, in which case, why quote a single word with no context?

  5. confidant? by snarkh · · Score: 2, Funny


    Makes you wonder..

  6. Unacceptable by mkraft · · Score: 5, Insightful

    As a TD Ameritrade account holder I find this unacceptable. Not only do they have unauthorized code running on their local systems with access to customers' Social Security numbers and the like, but they don't even tell their customers when this happens other than issuing a generic press release in which they say they think the hackers only got email addresses despite the fact that the database the hackers had access to also had birth dates, Social Security numbers and everything else necessary to steal account holders' identities.

    How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened.

    What exactly is TD Ameritrade doing about this? TD Ameritrade should at least give its customers free credit monitoring.

    1. Re:Unacceptable by bignetbuy · · Score: 2, Interesting

      "...hackers only got email addresses despite the fact that the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities."

      Exactly. Those new account forms ask for a boatload of personal information.

      I wonder how many TD accounts are linked to a stock trader's primary checking account? Scary stuff.

      Good luck with your account.

    2. Re:Unacceptable by Anonymous Coward · · Score: 2, Informative

      Here's a copy of Ameritrade's response.

      September 14, 2007

      You do not need to make any changes to your TD AMERITRADE accounts or to change the way you do business with us.

      Dear AC,

      Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

      Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

      What we want you to know:
      Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
      You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
      While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

      For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

      We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

      We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

      Sincerely,

      Joe Moglia
      CEO
      TD AMERITRADE

    3. Re:Unacceptable by klenwell · · Score: 3, Interesting

      I'm a TD Ameritrade account holder, too, and contacted them last month after I noticed I got some penny-stock spam addressed to me with a TD Ameritrade subject line right after I got my monthly email statement. This was the response:

      Thank you for taking the time to address your concerns to Executive Management. I very much appreciate your concern and would like you to know we are conducting an internal investigation regarding the complaints you have disclosed in your email regarding the SPAM. While I will not be able to relay any specifics or update you on the findings, I wanted you to know that we are aware of the situation and are making the necessary corrective actions to remedy the issue.

      Citing your inquiry regarding account safety, your assets held with our company are protected by our Asset Protection Guarantee. This safeguards your account from any loss due to fraudulent activity. If you have any further questions regarding this policy please contact our Client Service Representatives at 800-669-3900. They are available 24 hours a day, 7 days a week, excluding market holidays.

      Warm regards,

      Adam Triplett
      atriplett@tdameritrade.com
      Senior Research Analyst
      Office of the President
      Private Client Division
      TD AMERITRADE Holding Corporation


      At least, it wasn't a bald-faced denial.

      It's reached the point that I just assume that sooner rather than later all my private information will be stolen, lost, and compromised -- if it hasn't already. (As a UC graduate, I think I've been party to two other well-publicized identity-theft cases.)

      Luckily, I have several different internet identities. So as soon as one is stolen, I move on to the next one. (If only it were that easy...)

      --
      Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
    4. Re:Unacceptable by Technician · · Score: 3, Interesting


      How does unauthorized code even get into a financial institutions systems?


      http://www.darkreading.com/document.asp?doc_id=113460&print=true

      No. 1: The Thumb Drive Caper

      In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.

      The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.

      We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.


      That was just one of many ways to do it.

      --
      The truth shall set you free!
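
Technician's thumb-drive account above describes the delivery vector but not how a defender would notice it. The following is an added example, not code from this thread or from TD Ameritrade: it reads Linux kernel log lines (the sample below is constructed) and raises an alert when a USB mass-storage device binds whose vendor/product ID pair is not on an allowlist. The host name, the allowlist contents and the choice of keying on idVendor/idProduct are assumptions for illustration; the message formats are the ones the Linux usb core and the usb-storage driver emit.

```python
"""Flag USB mass-storage attaches that are not on a device allowlist.

Added example for the thumb-drive discussion; not code from the thread.
Correlates the usb core enumeration line (carries idVendor/idProduct)
with the later usb-storage bind line through the bus port ("1-2"), so a
device that enumerates but never binds usb-storage (mouse receiver,
keyboard) produces no alert.
"""
import re

# Kernel message formats (prefix such as "Jun 12 09:14:02 host kernel:" is ignored).
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)

# Assumption: company-issued drives have this (idVendor, idProduct); anything
# else that binds usb-storage is treated as a found/foreign drive.
ALLOWLIST = {("0781", "5567")}

# Constructed sample log: one approved drive, one unknown drive, one HID dongle.
SAMPLE_LOG = """\
Jun 12 09:14:02 ws17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun 12 09:14:02 ws17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jun 12 09:14:02 ws17 kernel: usb 1-1: Product: Cruzer Blade
Jun 12 09:14:02 ws17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jun 12 09:20:31 ws17 kernel: usb 1-2: New USB device found, idVendor=13fe, idProduct=4200, bcdDevice= 1.00
Jun 12 09:20:31 ws17 kernel: usb 1-2: Product: USB DISK 2.0
Jun 12 09:20:31 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 12 09:25:00 ws17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
Jun 12 09:25:00 ws17 kernel: usb 1-3: Product: USB Receiver
""".splitlines()


def find_unapproved_storage(lines, allowlist=ALLOWLIST):
    """Return one alert dict per mass-storage bind whose (vid, pid) is not allowlisted."""
    devices = {}  # port -> {"vid", "pid", "product"} from the enumeration lines
    alerts = []
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": None}
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["product"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m:
            # A bind with no preceding enumeration line is itself suspicious:
            # treat the IDs as unknown so it can never match the allowlist.
            dev = devices.get(m["port"], {"vid": "????", "pid": "????", "product": None})
            if (dev["vid"], dev["pid"]) not in allowlist:
                alerts.append({"port": m["port"], **dev})
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_LOG):
        print("ALERT: unapproved USB storage on port %(port)s: "
              "%(vid)s:%(pid)s %(product)s" % alert)
```

This only tells you after the fact that a drive was mounted; it does not stop autorun-style execution or a curious user double-clicking a file. Blocking needs an enforcement layer (a USB device policy in the OS or a tool such as usbguard), with this kind of correlation kept as the audit trail that shows the policy is actually in effect. The same three regexes work unchanged on `journalctl -k` output.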
    5. Re:Unacceptable by frup · · Score: 2, Funny

      Hey email me if you want a new Identity I recently bought a whole database off some hacker.

  7. Google for it.. by Dynamoo · · Score: 4, Informative
    Do a Google search for Ameritrade spam. This isn't a new problem, it's been going on for months and even years where there's clear evidence that the data is being lifted by spammers.

    You don't have to look far - this one is particularly damning, and I've seen evidence elsewhere that people set up an email address ONLY for Ameritrade and they've watched the spam come in.

    --
    Never email donotemail@WeAreSpammers.com
  8. Exec-lish is a weird language. by Futurepower(R) · · Score: 4, Insightful

    Quotes, and translation:

    The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers.

    Moglia, speaking in an online video-taped message to customers, said he is "confidant" that they have figured out how the information was taken.

    It's necessary to know how to translate those statements. It looks like plain English, but it isn't. It's Exec-lish, and must be translated.

    Exec-lish to English translation: "We don't actually have anyone in our company that understands technical computer issues. The software was written by a low bidder to whom we awarded a contract. Since we don't have any technically knowledgeable people on staff, we had no way to understand if we should have confidence in the bidder or not."

    "We don't know how many people accessed our system through the back door, or how many times, or for how long. (Actually I had never heard the term 'back door' until yesterday.) Since we don't have any technical knowledge, we can't assess whether there are other back doors. Possibly even the forensic investigators have left their own back doors."

    Exec-lish is a weird language that doesn't allow the expression of negative facts. So, it is possible that, if the executive wanted to be truthful, he or she would say, "I'm not qualified to be in this job, since I don't know enough to understand the company's operations thoroughly."

    I'm just guessing about that translation, but gathering from what I've seen at other companies, it is not far off.

    1. Re:Exec-lish is a weird language. by vic-traill · · Score: 2, Interesting

      That's like saying that the CEO of McDonald's should be able to slaughter a cow.

      Years ago, on Michael Moore's TV Nation program, there was a segment called the CEO Corporate Challenge, in which Moore attempted to get CEOs to perform some task with a product of their company, or component of a product of their company.

      Picture Moore with a megaphone and a 1.44M floppy, outside IBM headquarters, shouting something like "Lou Gerstner, format this disk. You have one hour." Lou didn't show.

      Surprisingly, Alexander Trotman, Ford CEO at the time, came out and changed the oil in a pickup in a time pretty close to a local quik-lube.

      So, yeah, maybe sometimes you can expect the CEO to know about surprising stuff - they may have had a life before they became a CEO. In Trotman's case, he had been in the RAF, and I suspect he picked up skills and possibly a personality on the way through.

      And yeah, I know it's TV *and* Michael Moore. But I have no trouble believing Trotman did it.

      --
      [17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
  9. Re:pump and dump by larry+bagina · · Score: 2, Insightful

    Maybe because it works? Look at slashdot: Every pump n dump story features dozens of people suggesting you buy the stock in question early Monday morning before all the other suckers do.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  10. Press Release Doesn't Tell the Whole Story by Ethan+Preston · · Score: 5, Informative
    I am a class action attorney. My law firm and I sued Ameritrade over failing to disclose the security breach on May 31, 2007. We filed for a preliminary injunction on July 10, 2007. Part of the relief we sought for the accountholders in the preliminary injunction was a disclosure of this information.

    In sum, this Motion seeks an Order from this Court against TD AMERITRADE, Inc. that: ... 8. Requires TD AMERITRADE, Inc. to prominently disclose in its Privacy Statement and in emails or other individual disclosures to its accountholders:

    ALERT: AMERITRADE'S INFORMATION SYSTEMS ARE NOT NECESSARILY SECURE AND WE CANNOT ASSURE THE SECURITY OF YOUR PERSONAL INFORMATION. THERE IS EVIDENCE THAT SOME ACCOUNTHOLDERS' EMAIL ADDRESSES HAVE LEAKED FROM AMERITRADE'S COMPUTER SYSTEMS TO SPAMMERS. AMERITRADE HAS AN ONGOING INVESTIGATION INTO THIS SITUATION. YOUR NAME, SOCIAL SECURITY NUMBER, AND YOUR EMAIL ADDRESS MAY HAVE BEEN LEAKED AS WELL.

    We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You can contact Equifax (800-685-1111), Experian (888-397-3742), or TransUnion Corp (800-680-7289). Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

    If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You can obtain a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm
  11. It's real, and very worrying. by ballpoint · · Score: 4, Insightful
    The email addresses I used contained 'datek' and later 'ameritrade' when Datek merged with Ameritrade. You can guess that I didn't use these email addresses for anything else, yet both were spammed. At the time I thought they were leaked by someone logging traffic at an ISP.

    Despite the whitewashing that's going on, AMTD is going to take a BIG hit. These issues are not to be taken lightly.

    From the FAQ:

    "How do you know that this sensitive information, like Social Security Numbers, hasn't been leaked or misused? After extensive investigations involving outside forensics experts, we have no evidence that this sensitive personal information was taken. That is one of the reasons why we have also hired ID Analytics. Its initial investigation has concluded that there is no evidence of identity theft as a result of this issue."

    Absence of evidence is not evidence of absence.

    --
    Flourescent (adj): smelling like ground wheat.
  12. Late Friday Bad News Release by 1_brown_mouse · · Score: 2, Insightful

    It's like Washington politicians dumping the really bad news too late for the news cycle.

    Nice of them to let the users know so soon.

  13. and the rich get richer by tidokoro · · Score: 4, Interesting
    I'm actually a TD account holder and wouldn't mind seeing them punished for this. Unfortunately, I've never been party to a class-action suit that even came close to compensating me for the time I took to fill out whatever forms I needed to fill out, much less what I had actually lost as part of the class. From the last class-action I joined:

    Dear Claimant,

    The Proof of Claim and Release you submitted with respect to the In re [Bankrupt Company] Securities Litigation has been processed under the terms and conditions of the Stipulations of Settlement and Second Distribution Order as approved by the United States District Court for the Eastern District of New York. Please be advised such Stipulation and Order provides:

    "If such Authorized Claimant is allocated less than $10.00 in value from the remaining Settlement Fund, then such Authorized Claimant shall not receive a further distribution from the Settlement Fund, and such amounts shall be re-allocated among the remaining Authorized Claimants."

    Based upon these terms, we regret to inform you the proration of your share of the Settlement Fund, as approved by the Court, would amount to less than ten dollars ($10.00). Therefore you will not receive a distribution from the Settlement Fund.

    Sincerely,
    Claims Administrator
    --
    tidokoro
    what turns a man's karma neutral? lust for gold? power? or just a heart born full of neutrality?
  14. Possible reason why nobody has been caught by Coward+Anonymous · · Score: 2, Interesting

    The dirty little secret is that the people behind it appear to be in Slovakia and potentially in Canada.

    Clearly more than e-mails were stolen. When I received both e-mail and snail mail stock flipping spam I traced the information down to addresses in Slovakia and Canada (which I promptly fed the SEC who probably never did anything about it considering that the spammers managed to register and flip a completely bogus company within 3 months flat). A spammer in Slovakia won't have much to do with SSNs except sell them.

    It's a matter of time before those "unaccessed SSNs" are sold if they haven't been already.

    There is no incentive for TDAmeritrade to do anything about this because they figure they won't be found responsible for identity thefts that will occur as a result (go trace them back to Slovakia). It's enough for them to stop fraudulent access to their accounts.

    Shame on Ameritrade for being so careless and callous.

  15. I bailed on them for this reason. by bcrowell · · Score: 2, Informative

    I was an Ameritrade customer. Soon after setting up an account with them, I started getting pump-and-dump spam sent to the single-purpose email address that I'd created only for use with them. A simple google search showed that this had been going on for years at Ameritrade. I run Linux, and am fairly careful about keeping my box secure, so I was pretty sure the address hadn't been leaked by malware on my end. In the past, they've claimed that the addresses might be getting found by dictionary attacks, but the address I was using had 13 characters before the @ sign, didn't have dictionary words in it, and had an obscure domain name after the @, not yahoo or hotmail or anything like that.

    I decided that I wasn't going to entrust the bulk of my life's savings to a company that was that clueless about security, so I transferred my account to Scottrade. When I did the transfer, I explained in an email to the Ameritrade people that the security problem was the reason I was leaving them. They responded with a phone call, and the phone rep was completely in denial about the spam problem, which had been publicly known and discussed for years.

    The other reason I wanted to get away from them was that some of the functionality of their web interface didn't work on Firefox in Linux, so I had to do certain things (e.g., withdrawing money) on a Mac or Windows machine instead. (When I called to report it as a bug, they said they didn't support Linux.)
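
Comments 7, 11 and 15 above all rely on the same trick: give each vendor an address used nowhere else and watch which one draws spam. As an added example, not code from the thread or from any broker, here is how to generate such canary addresses so that they cannot be hit by the dictionary attack bcrowell says Ameritrade blamed, and how to attribute an incoming message to the vendor whose copy leaked by its recipient address rather than by its subject line (which, as klenwell's spam shows, the spammer can make look like the vendor's own mail). The domain example.test, the secret key and the vendor names are assumptions; the scheme assumes a catch-all mailbox on a domain you control.

```python
"""Per-vendor canary e-mail addresses for attributing address leaks.

Added example, not from the Slashdot thread or from TD Ameritrade.
The local part of each address is an HMAC of the vendor name under a
secret key: deterministic (you can recompute it), unique per vendor,
and not enumerable by a dictionary attack because it is never a word.
"""
import base64
import email
import hashlib
import hmac
from email.utils import getaddresses

SECRET = b"rotate-me-this-is-only-a-demo-key"  # assumption: kept outside the mailbox
DOMAIN = "example.test"                         # assumption: catch-all domain you control


def canary_address(vendor: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Return the non-guessable address handed out only to `vendor`."""
    tag = hmac.new(secret, vendor.strip().lower().encode(), hashlib.sha256).digest()
    # 10 bytes -> 16 base32 characters, no padding: 80 bits of entropy,
    # all characters legal in an SMTP local part.
    local = base64.b32encode(tag[:10]).decode().lower()
    return f"{local}@{domain}"


def attribute_leak(raw_message: bytes, vendors, secret: bytes = SECRET,
                   domain: str = DOMAIN) -> set:
    """Return the vendors whose canary address received this message.

    Looks at every recipient header, so the result does not depend on
    what the sender or the Subject line claims.
    """
    msg = email.message_from_bytes(raw_message)
    recipients = {
        addr.lower()
        for hdr in ("To", "Cc", "Delivered-To")
        for _name, addr in getaddresses(msg.get_all(hdr, []))
    }
    return {v for v in vendors if canary_address(v, secret, domain) in recipients}


VENDORS = ["broker-a", "broker-b", "newsletter"]  # constructed

# Constructed pump-and-dump spam: subject imitates the broker, recipient is
# the canary address that was given only to broker-a.
SAMPLE_SPAM = (
    b"From: Hot Tips <tips@example.invalid>\r\n"
    b"To: " + canary_address("broker-a").encode() + b"\r\n"
    b"Subject: Your Broker-A statement is ready\r\n"
    b"\r\n"
    b"XYZ Corp is about to EXPLODE. Buy before Monday!\r\n"
)

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v:12s} -> {canary_address(v)}")
    print("leaked by:", attribute_leak(SAMPLE_SPAM, VENDORS))  # {'broker-a'}
```

A hit proves only that the vendor's copy of the address got out, not how (insider, breach, a marketing partner, or a compromised mailbox on the receiving side); it is evidence to open a case with, not a verdict. Rotating the key for one vendor gives that vendor a fresh address without touching the others.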

  16. Not surprising to me by Abalamahalamatandra · · Score: 2, Insightful

    I did a project for Ameritrade back in 1999 to do a kind of single signon for Ameritrade customers to research providers like TheStreet.com and such.

    Anyway, when I got onsite and started talking to them, I found out that the entire trading system was written in noncompiled Perl. They used huge modules for all their trading functions and had a habit of just "use"ing all of the modules in all of the scripts whether they needed them or not. I actually figured out that every time a trade was input by a user, the system had to load and tokenize well over 50,000 lines of Perl code in something like 75 files. Their idea of increasing performance was adding another huge SunFire server to the growing pool of over 30 in the group.

    I asked them if they had ever thought of using something like FastCGI to speed things up by preloading the modules at least, or coding in C or C++ rather than Perl. They said no one really knew how to code in C and they couldn't figure out FastCGI.

    Anyway, the upshot is that was kind of a scary bunch. It's hard enough to lure good programmers to Omaha in the first place, and then they required all of their staff to wear a shirt, coat and tie, so they didn't exactly get the cream of even that crop!