The Ameritrade Fallout

The Ameritrade Fallout

Breach is a Warning to All Financial Institutions

See Also: Key Drivers to Enable Digital Transformation in Financial Services

The announcement by online brokerage TD Ameritrade that a database had been breached reinforces an important lesson to other financial institutions: Know your systems and who’s accessing them.

On Sept. 14, Ameritrade went public with the news that it had “discovered and eliminated unauthorized code from its systems that allowed access to an internal database” [View TD Ameritrade Press Release] .

For financial institutions (and all other companies), this breach brings to light common themes in data breach prevention, according to Rebecca Herold, an information security and privacy expert and author. “There are similarities to the Ameritrade and TJX (in January 2007 TJX revealed that hackers took account numbers of more than 45 million credit and debit cards from its databases), and financial institutions should learn from these breaches to better prepare themselves for a data breach.”

In both cases, there were insufficient controls and monitoring in place to detect data breaches were happening. “When you don’t have enough monitoring and logging, the longer it exists, the longer the criminal has to steal information,” she adds, “There is too much focus on network and perimeter security. Institutions need to look at the bigger picture of where data is, and who or what groups are accessing, using, copying and keeping.”

Precautions to Take

Monitoring all communications is one point at which to start. “You need to know what’s happening on your email servers,” Herold says. “Not just what’s coming in, but what’s going out.” Instant messaging, too, should be scrutinized.

Further, look into operational controls you have in place, Herold advises. How aware is your personnel on securing information appropriately? Incorporate safeguards and security activities within the employees’ individual job activities. “You can create job descriptions and list these safeguards and practices as part of each employee’s job, so that you don’t have someone absent-mindedly sending off information containing personally identifiable information in an email that gets forwarded or gets shared inappropriately,” she says.

The human factor isn’t always appropriately addressed when considering information security. Yet it is important too for people to realize, that even email addresses (like the ones stolen in the Ameritrade breach) and other types of innocuous things like name and address can be used for identity theft, and loss of privacy.

Not an Isolated Incident

According to statements from Ameritrade, “The discovery was made as the result of an internal investigation of stock-related SPAM.” This is not a surprise to those Ameritrade customers who have reportedly been receiving that spam. Ameritrade has known about the problem at least since October 2006, when some customers began complaining to the company about receiving stock-related spam. Lawyer Scott Kamber filed a spam-related class action law suit against TD Ameritrade in May.

Garth Bruen, a information security researcher at Knujon, a project offering multi-tiered response to Internet threats -- specifically email-based ones -- sees the Ameritrade breach and theft of email addresses unsettling.

“What happened with the Ameritrade is the database with email addresses was broken into and email addresses were stolen,” Bruen says. “We saw a similar action when hackers broke into Pfizer and took over computers. The hackers then used those email accounts to send out phishing emails touting fake drug sites.” (Pfizer’s zombie problem was uncovered by Support Intelligence, a San Francisco security company.)

Bruen said while he had not seen any of this occurring with the Ameritrade email addresses, they would be harder to find among all the spam mail, as the email names would not end with the same company name, as in the case of Pfizer’s breach.

Missed Your Wake-Up Call?

“It is a total cliché to say this is a wake-up call for financial institutions and other companies,” Bruen says. “They all got their wake-up call five years ago. Some of them are still walking around looking for the coffee pot.”

Incident response plans are important to have as a plan of action to take it public when a breach occurs. I think there will be a public relations specialty formed to handle the massive publicity that some of these breaches incur,” says Bruen, referring to the video statement of TD Ameritrade’s CEO Joe Moglia [TD Ameritrade CEO Video] that was placed on a special site for more information on the breach.

Another problem that comes out of the Ameritrade breach is the lack of attention to brand protection. “Phishing is another form of brand hijacking, with the brand being the bank or credit union’s name,” Bruen says. “The bank’s name has value, just as a famous designer’s handbag or a well-know prescription drug’s name has value.”

Who’s Next?

For those smaller institutions out there reassuring themselves that they can’t possibly be a data breach victim, Bruen advises: Think again. “Is anyone a target? The answer is pretty much yes. As a business person, you’re not looking at it from a criminal’s perspective. You’d be surprised to know what they think is valuable.”

Bruen sees many smaller firms and institutions targeted by hackers, mainly because those companies don’t have the security perimeter built up as larger companies do. “You may not be a major bank, but a smaller bank, or a tiny loan servicer -- you’re still a target,” he adds. Third-party service providers that handle your operations are also possible targets.

How Database Was Hacked

The best advice to financial institutions is “Prevention,” says database researcher Amichai Shulman. “This is the best method when it comes to breaches and loss of data.” Shulman, an expert on Payment Card Industry (PCI) Data Security Standard is also Chief Technology Officer at Imperva, an application data security company.

According to Shulman, Ameritrade may have had security controls on the database, “But whatever security and policies mechanisms they had it place, it was not enough to detect the long period of data leakage and the earlier intrusion or hack that initiated the data leak.”

It appears no timely information was available to detect the breach, he says. “Any financial institution needs to have precise policies and auditing for inappropriate access to information.” The important thing is to have the mechanisms in place, and be alerted immediately when something out of the ordinary occurs, he adds.

No SSN Were Taken?

Ameritrade’s Chief Executive Officer Joe Moglia asserts “While the financial assets our clients hold with us were never touched, and there is no evidence

that our clients’ Social Security Numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them.”

“Ameritrade has said it was very certain that no PII or SSNs were touched, though this information was on the same database,” says Shulman, as he theorizes how the attack may have occurred. “It wasn’t an insider job, but an attack through a web application attack that extracted the information. This attack was sophisticated. The attackers injected the code into the application and did not access database directly, but indirectly, and would grab the information when it was used or accessed.”

One thing is certain in Shulman’s opinion, “The older generation protective measures, perimeter firewalls and code reviews aren’t enough. You need web application firewalls to defend against these new kinds of attacks that go through the application.” His advice to financial institutions:

  • Mitigation of web application threats
  • Detection of breaches or unauthorized activity
  • Better database auditing solutions

Reputation and Loss

And what of the reaction of the Ameritrade customers whose email addresses were filched? The loss to Ameritrade’s reputation can’t be measured yet, but you can look to the amount that must be spent on credit monitoring services for the affected customers. “It is very hard to quantify the real cost of a breach such as this,” Shulman says. “I think the first time we’ll have a clue of actual cost when next year’s TJX cost reports come out.”


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.