Monday, February 04, 2008
TD Ameritrade Breach Affects 6.3M Customers
Brokerage firm uncovers data-sucking malware during system audit
SEPTEMBER 14, 2007 | 3:42 PM
By Tim Wilson
Site Editor, Dark Reading
Malware found on an internal database may have allowed spammers to steal names, addresses, phone numbers, and email addresses from as many as 6.3 million customers of TD Ameritrade, the brokerage firm revealed today.
In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews.
The company uncovered the malicious code in one of its databases during an audit, which is part of a stock spam investigation. Sources familiar with the breach said the code is not unlike the code used to steal data on 1.3 million users at Monster.com.
TD Ameritrade has not closed its investigation, but early results indicate that the attack was designed not to penetrate users' accounts, but to collect addresses for spam campaigns. In addition to names and email addresses, the breached database also contains Social Security numbers, account numbers, and dates of birth, but there is no indication that the thieves stole any of this latter information, the brokerage firm said.
TD Ameritrade customers' user IDs, PINs, and passwords are stored in a separate database that was not penetrated in this attack, according to the company.
"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them," said Joe Moglia, CEO of TD Ameritrade. "We sincerely apologize for that and any added concern this may have caused."
TD Ameritrade hired a third party, ID Analytics Inc., to investigate and monitor for potential identity theft. An initial evaluation by ID Analytics found no evidence of identity theft.
The brokerage firm says it is confident that it has identified the method by which the information was stolen and has taken the appropriate steps to prevent it from recurring.
"This issue is not unique to TD Ameritrade. It's something that all companies involved in e-commerce should be aware of and prepared to address," Moglia said. "We participate in industry peer groups to share information on these types of threats in the interest of protecting all clients."
A spokesperson declined to give further information on the malware, or how it penetrated TD Ameritrade, until the investigation is complete.
Labels: TD Ameritrade Holding Corp.
What Not to Do After a Security Breach
Expert familiar with TD Ameritrade, TJX cases discusses the mistakes enterprises often make following a breach
OCTOBER 26, 2007 | 4:00 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Step number one after a security breach: Don't immediately bring in the outside forensics team -- get your attorney up to speed on the attack first. And don't assume just because you had a break-in that you have to disclose it publicly -- it all depends on whether data covered under regulatory mandates was exposed.
These are two bits of advice to the security-breached from Kevin Mandia, a forensics expert who has worked on the front line of the TD Ameritrade investigation and is serving as an expert in the TJX breach case. Mandia will testify as an expert witness for the credit- and debit-card issuers if the TJX case goes to trial.
Mandia takes a different view than some breach experts, who encourage enterprises to make swift disclosure of suspected breaches. (See What to Do When Your Security's Breached.)
"Only 'the need to know' should be 'in the know,'" says Mandia, CEO of Mandiant, who for the past 15 years has worked on over 100 computer security breaches with the Fortune 500, FBI, and military. He's seen a lot of mistakes made by victims over the years, he says, as well as major shifts in how companies must respond in today's regulatory and disclosure environment.
Mandia, who couldn't comment directly on the Ameritrade or TJX cases, says over half of the cases that his firm responds to don't actually require public disclosure at all. "This happens a lot -- a database gets compromised and the systems admin pushes back his chair and says 'our database has been compromised,' and the rumor mill starts," he says. "Even if there's no 'covered' [regulated] data on the database, people start talking about it, the Wall Street Journal [reports it]."
"I still believe that in over 50 percent of the [incidents] we respond to, disclosure is not required," Mandia says. "Even if there's 'covered' data in the system, it could be encrypted, for instance, and it's unreasonable to think it was compromised."
Attorney-client privilege goes a long way. "The need for counsel is one of the biggest changes I've seen in incident response in the past two years," he says. "But it's very important to have counsel involved before we are -- for attorney-client privilege."
Another big misstep is misjudging whether sensitive data covered by regulatory requirements has been breached. "If I have a computer that's been compromised, I don't have to disclose that my computer has been breached," says Mandia, who will be presenting some of his findings in forensic investigations at the SecTor security conference in Toronto next month. Only if the data that falls under HIPAA, SOX, PCI, FTC safeguards, and state privacy laws, for instance, has been breached, he says.
Typically, the IT or security technicians in the trenches have to respond and provide their opinions to upper management and counsel on whether data was exposed. "The biggest challenge is technicians are not very good with gray areas, and they're not suited for making opinions" on this, he says. "It's actually better for a layperson to do it."
Another common error companies make is assuming that the attack was an inside job, and focusing only on that attack vector. "Nine out of 10 think it's an insider... that there's no way their crown jewels could be compromised [by an outsider]," Mandia says. "The catch is that insider investigations are 10 times more costly than external ones because [they must work] surreptitiously -- it's us versus us."
So it can take months to investigate, and it may be all for naught if the breach actually came from outside, he says. Not to mention lost time in catching the real perpetrators on the outside. "Firms need to move as fast as they can for the first five days... If they do that, they are more successful," he says. "But most are making their decisions too damn slowly."
Part of the problem is in most cases, there isn't just one "owner" of the incident response in an organization. The internal investigation often has people going off in different directions and not coordinating their findings, which leads to mistakes and inefficiencies. "You need one guy who handles it appropriately and has enough clout to be a leader," Mandia says. "It needs to be someone no less than two rungs from the top."
Meanwhile, the process of forensic data collection has changed: Due to the nature of today's malware, companies now must also acquire and analyze system memory as well during their investigations, he says. "You have to inspect within the memory," he says.
And most organizations today are running in fear of kernel-level rootkits, he says. "Everyone is chasing that ghost, although they are not finding a lot of them," he says. "Everyone wants to do rootkit detection when responding" to a breach, he says.
The attack techniques, however, are basically same old, same old, he says. "The vulnerabilities are generally going to be in Office and PowerPoint and they are still coming in via email," he says, and users are still being duped into clicking infected attachments with trojans and keyloggers, for instance.
Labels: TD Ameritrade Holding Corp., TJX Companies Inc.
Saturday, September 29, 2007
Names, contact info on 6M TD Ameritrade customers compromised
Jaikumar Vijayan
September 14, 2007 (Computerworld) Brokerage firm TD Ameritrade Holding Corp. today disclosed that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its more than 6 million retail and institutional customers have been compromised by an intrusion into one of its databases.
But Social Security numbers, account numbers and dates of birth, all of which were stored in the same hacked database, appear to have been left untouched, the company said today.
The intrusion was discovered during an internal investigation into stock-related spam being reported by TD Ameritrade customers, said Kim Hillyer, a company spokeswoman. According to Hillyer, the investigation revealed the presence of unauthorized code, which has since been removed, on a database containing customer information.
TD Ameritrade has hired fraud detection firm ID Analytics Inc. to investigate the compromise and to help monitor for fraud, she said. So far, neither TD Ameritrade nor ID Analytics has been able to unearth any evidence to show that the information was accessed for any reason other than to send spam, she said.
"We do apologize for that and we do understand there may be added concern" for customers because of the incident, she said.
In a statement, company CEO Joe Moglia apologized for the breach, but tried to downplay its impact. "While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," Moglia said. "We sincerely apologize for that and any added concern this may have caused."
The statement also informed customers that no "special actions" were required of them with regard to their accounts as a result of the breach.
The company will start notifying all its customers via postal and e-mail over the next few days, Hillyer said.
Robert Ellis, an analyst at Celent, a Boston-based financial research firm, called the breach a "particularly egregious and scary" one.
"The idea that someone could hack into TD Ameritrade's system sufficiently to extract contact information such as phone numbers, e-mail and home addresses, and to bury the code so deeply that the breach was only noted after phishers attempted to utilize the data is quite alarming," he said. "Either the contact information was behind a less-strong level of security, or TD Ameritrade dodged a major bullet."
Labels: TD Ameritrade Holding Corp.
Thursday, November 02, 2006
ID Thefts Slam Online Brokers
Eric Lai
October 30, 2006 (Computerworld)
Two of the top online stock brokerages in the U.S. disclosed that overseas hackers broke into some of their customer accounts during the past three months, resulting in combined losses of at least $22 million and leading both firms to take steps to bolster their security measures.
Jerry Bartlett, CIO at TD Ameritrade Holding Corp., said in an interview last week that the attacks were launched by identity thieves in Eastern Europe and Asia who used keylogging software delivered via Trojan horses or other malware to steal the account information of users logging onto public computers or their own infected PCs.
The hackers then used existing accounts or created dummy ones to buy shares in little-traded stocks, driving the prices up so they could sell previously purchased shares at a profit. Customers of ETrade Financial Corp. were also victimized by the so-called pump-and-dump scheme, according to ETrade officials.
Bartlett said no data was stolen from TD Ameritrade’s own databases, nor were its servers breached during the attacks. But he acknowledged that the company’s antifraud efforts, which include a security team that uses special software to monitor for anomalous activity such as users logging in from unusual IP addresses, failed to detect the stock scams quickly enough.
As a result, TD Ameritrade has installed new technology and reconfigured its existing tools to monitor for pump-and-dump activity, Bartlett said. “We could identify it [before], but certainly not to the sophistication of what we can do now,” he added. He declined to discuss the new capabilities in detail or disclose which security tools his firm uses to guard against online fraud.
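The two monitoring ideas in the passage above (logins from IP addresses an account has never used, and buying that concentrates in a thinly traded symbol) are easy to state but the useful version is the one that correlates across accounts, because a keylogger operator driving dozens of stolen accounts from one machine leaves a footprint no single account's history shows. The following is an added example written for this page, not TD Ameritrade's, ETrade's or Cyota's tooling; the login and trade records, the average-daily-volume figures and the thresholds (three accounts per IP within an hour, buys totalling 25 percent of ADV) are all constructed for illustration.

```python
"""Fraud monitoring over constructed brokerage login and trade records:
new-IP logins per account, one IP driving many accounts, and coordinated
buying in a thin stock (the 'pump' leg of a pump-and-dump)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real customer records).
LOGINS = [
    # (account, ISO timestamp, source IP)
    ("acct-1001", "2006-09-01T09:00:00", "203.0.113.10"),
    ("acct-1001", "2006-09-02T09:05:00", "203.0.113.10"),
    ("acct-1001", "2006-09-03T02:11:00", "198.51.100.7"),  # new IP, odd hour
    ("acct-1002", "2006-09-01T10:00:00", "192.0.2.44"),
    ("acct-1002", "2006-09-03T02:14:00", "198.51.100.7"),  # same new IP
    ("acct-1003", "2006-09-03T02:20:00", "198.51.100.7"),  # third account, no prior history
]
TRADES = [
    # (account, ISO timestamp, symbol, side, shares)
    ("acct-1001", "2006-09-03T02:15:00", "XYZQ", "BUY", 5000),
    ("acct-1002", "2006-09-03T02:18:00", "XYZQ", "BUY", 4000),
    ("acct-1003", "2006-09-03T02:25:00", "XYZQ", "BUY", 6000),
    ("acct-1004", "2006-09-03T11:00:00", "MSFT", "BUY", 100),
]
# Assumed average daily volume per symbol (constructed values).
ADV = {"XYZQ": 20_000, "MSFT": 50_000_000}


def _ts(s):
    return datetime.fromisoformat(s)


def flag_new_ip_logins(logins):
    """Return (account, ip, timestamp) for logins from an IP the account has
    never used before. Events are processed in time order; an account's very
    first login only establishes its baseline and is not flagged."""
    seen = defaultdict(set)
    flagged = []
    for account, when, ip in sorted(logins, key=lambda r: r[1]):
        if seen[account] and ip not in seen[account]:
            flagged.append((account, ip, when))
        seen[account].add(ip)
    return flagged


def flag_shared_ips(logins, window=timedelta(hours=1), min_accounts=3):
    """Return {ip: accounts} for IPs that logged into min_accounts or more
    distinct accounts inside `window`. Catches the operator of many stolen
    accounts even for accounts with no usable per-account baseline."""
    by_ip = defaultdict(list)
    for account, when, ip in logins:
        by_ip[ip].append((_ts(when), account))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for t0, _ in events:
            accounts = {a for t, a in events if t0 <= t <= t0 + window}
            if len(accounts) >= min_accounts:
                hits[ip] = accounts
                break
    return hits


def flag_pump_buys(trades, adv, window=timedelta(hours=1),
                   min_accounts=2, adv_fraction=0.25):
    """Return {symbol: (accounts, shares)} where buys from min_accounts or
    more distinct accounts inside `window` total at least adv_fraction of
    the symbol's average daily volume. Unknown symbols are never flagged."""
    buys = defaultdict(list)
    for account, when, symbol, side, shares in trades:
        if side == "BUY":
            buys[symbol].append((_ts(when), account, shares))
    hits = {}
    for symbol, events in buys.items():
        events.sort()
        threshold = adv_fraction * adv.get(symbol, float("inf"))
        for t0, _, _ in events:
            in_win = [(a, s) for t, a, s in events if t0 <= t <= t0 + window]
            accounts = {a for a, _ in in_win}
            shares = sum(s for _, s in in_win)
            if len(accounts) >= min_accounts and shares >= threshold:
                hits[symbol] = (accounts, shares)
                break
    return hits


def run_monitor(logins=LOGINS, trades=TRADES, adv=ADV):
    """Bundle the three detections into one report."""
    return {
        "new_ip_logins": flag_new_ip_logins(logins),
        "shared_ips": flag_shared_ips(logins),
        "pump_buys": flag_pump_buys(trades, adv),
    }


if __name__ == "__main__":
    for name, finding in run_monitor().items():
        print(name, finding)
```

On the sample data the per-account rule flags acct-1001 and acct-1002 but says nothing about acct-1003, whose only login is the suspicious one; the shared-IP rule and the concentrated-buy rule both pick it up. The per-account IP baseline is also the easiest check to evade, since a Trojan on the victim's own PC lets the attacker trade from the victim's usual address, which is why the cross-account correlation carries most of the weight here.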
ETrade has also beefed up its online security in response to the recent attacks, CEO Mitchell Caplan said during an Oct. 18 conference call on the company’s third-quarter financial results. Caplan said ETrade had cut the amount of fraudulent activity to “almost zero” over the previous three weeks as a result of the security changes.
The inability of ETrade and TD Ameritrade to promptly detect the hackers is hitting them in their pocketbooks. Although the money in brokerage accounts isn’t insured, both firms guarantee customers against losses caused by fraud.
ETrade officials said during the earnings call that the company had spent $18 million to compensate customers for losses from the attacks. Last week, TD Ameritrade disclosed during a conference call on its fourth-quarter results that it had reimbursed a total of $4 million to its customers.
To help it monitor accounts for unusual behavior, ETrade uses antifraud software developed by Cyota Inc., which is now a part of EMC Corp.’s RSA Security Inc. division.
Since February 2005, ETrade has also offered its customers a two-factor authentication option based on RSA’s SecurID token technology. The tokens generate new six-digit codes every 60 seconds. Customers must enter the codes along with their usernames and passwords when logging in, according to an ETrade spokeswoman.
She declined to say how many ETrade customers are using the RSA tokens and whether the hackers accessed any accounts guarded by the SecurID technology.
Persistent Challenges
Ryan Sherstobitoff, chief technology officer at security tools vendor Panda Software International SL, said skillful hackers can trick software such as Cyota’s, which relies in part on checking whether users are logging in from their usual IP addresses. And tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock-trading accounts, he said.
“We can protect against certain scenarios now, but there are certain ones we can’t protect well against at all,” Sherstobitoff said.
In a report released last month, Javelin Strategy & Research in Pleasanton, Calif., ranked ETrade 17th out of 24 financial institutions on efforts to protect consumers from identity theft. Javelin didn’t rank TD Ameritrade as part of its security scorecard, which primarily involved banks.
Identity theft in all its forms resulted in an estimated $56.6 billion in losses in the U.S. last year, according to Javelin, with one in 25 people being affected by it. "Fighting identity theft is a cat-and-mouse game — there's always room for improvement," said Javelin President James Van Dyke.
Bartlett said new antifraud tools on the horizon could help bolster corporate defenses. “It’s been a lot of back and forth between vendors and the bad guys,” he said. “But I’ve recently seen a lot of products in beta that should leapfrog [hacking tools] and keep vendors ahead in the arms race.”
Labels: TD Ameritrade Holding Corp.