Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ameritrade Security Audit Finds Privacy-Busting Back Door

Zonk posted more than 7 years ago | from the dang-canned-pork dept.

Spam 111

RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"

Sorry! There are no comments related to the filter you selected.

i for one (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#20609057)

welcome our privacy busting back door overlords.

Re:i for one (0)

Anonymous Coward | more than 7 years ago | (#20609083)

And here comes the GNAA trolls...

Maybe you should have done a fucking search of the (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#20609255)

Maybe you should have done a fucking search of the contents of the page before shooting your mouth off? Let's see, ctrl-F, type kdawson, yup - highlighted right there at the top. But no, you couldn't be bothered to do that. You had to jump in and start questioning people because your tiny little brain didn't pick up the fucking reference. Have some sympathy for others and don't fucking post here ever again you stupid cumdumpster. I hope your mother gets diarrhea tonight.

Re:Maybe you should have done a fucking search of (0)

Anonymous Coward | more than 7 years ago | (#20609363)

Perhaps you should have checked the article before copy-pasting a (bad) troll? Cause from where I am sitting, it clearly says "Zonk" at the top...

Re:Maybe you should have done a fucking search of (0)

Anonymous Coward | more than 7 years ago | (#20609445)

I agree with Linus on this one. The Earned Income Tax Credit encourages people to be poor; we should abolish it.

in mother russia (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#20609081)

privacy busts your back door!

Re:in mother russia (1)

lottameez (816335) | more than 7 years ago | (#20609565)

Wow, that's really funny. I mean, I was sitting here, bored out of my mind when I read your post. I couldn't stop laughing, crying, clapping my hands and shouting "Glory glory!". Thank you Mr./Ms. AC for your clever twist on the "in russia blank blanks you!" riff. ...privacy busts your back door...No, really...I'm still giggling.

Oh, I know you could've added a profound comment or even no comment at all. But you saw your chance...and by golly, you seized it. Carpe Cliche!

So on behalf of all slashdot readers. Thank you. Thank you. Thank you.

Sincerely,
lottameez

pump and dump (0, Flamebait)

fishybell (516991) | more than 7 years ago | (#20609085)

This explains little as to why the rest of us keep getting the pump-and-dump spam.


Hopefully their investigation turns up who's profiting from it and the SEC turns the screws on them.

Re:pump and dump (2, Insightful)

larry bagina (561269) | more than 7 years ago | (#20609517)

Maybe because it works? Look at slashdot: Every pump n dump story features dozens of people suggesting you buy the stock in question early Monday morning before all the other suckers do.

Re:pump and dump (1)

DrSkwid (118965) | more than 7 years ago | (#20611501)

> Hopefully their investigation turns up who's profiting from it and the SEC turns the screws on them.

Every broker that ever bought or sold a share on someone's behalf. Content is not King.

More importantly... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20609115)

...do they know who put the unauthorized code in there and what's going to happen to those responsible for that?

Re:More importantly... (0)

Anonymous Coward | more than 7 years ago | (#20609209)

From the Special FAQ:

What are you doing about it?

We eliminated the unauthorized code identified in our systems and made changes to prevent this issue from recurring.

We contacted the proper authorities and are working with them to track down responsible parties. We are communicating with our clients and are addressing their questions as they are raised.

We have also hired a third party, ID Analytics, which specializes in identity risk, to monitor potential identity theft. After a thorough initial evaluation, the firm found no evidence of identity theft as a result of this issue. We are retaining its services on an ongoing basis to continue to monitor for evidence of identity theft.
I would think they already know what company/consultant put the code in, unless of course their records suck....

Re:More importantly... (1)

Scruffy Dan (1122291) | more than 7 years ago | (#20614715)

I would be more concerned about how the code got in there and if they taken steps to ensure that it doesn't happen again

Re:More importantly... (1)

sticky.pirate (1114263) | more than 7 years ago | (#20617449)

You hit the nail on the head with that question. I'm an Ameritrade customer, and I'm also a software developer for an extremely large financial services company, so this is an issue that really hits close to home. I know that no security system is perfect, but I can't believe that that it's even POSSIBLE that there could be "unauthorized code" running on their computers. The apparent lack of accountability and control over their systems is unbelievable. It also begs the question: "what ELSE is running on their computers that they don't know about?"

As far as catching the bad-guy hacker goes, I hope they get him, but I'm not so upset that my name, e-mail address and SSN might have been disclosed (I mean, I am upset, but it's pretty likely that somewhere, sometime in the past they've already been disclosed, and if not I'm sure that it will happen sometime soon). The real criminal activity here is going on at Ameritrade; I would much rather see the CIO, Head of Operations, Lord High Security Guru, or whoever else is responsible for system integrity there nailed to the wall over this one.

Now that I've vented a little steam, please excuse me while I search for another on-line brokerage...

SLASHDOT SUX0RZ (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20609121)

8====D
Read More [goatse.ch]

Law & Order? (1)

bignetbuy (1105123) | more than 7 years ago | (#20609133)

Will that prosecutor from Law & Order (who's in the TD Ameritrade TV ads) throw the book at the bad guys now?

Re:Law & Order? (2, Funny)

pjwalen (546460) | more than 7 years ago | (#20609207)

Sam Waterston? I would also like to buy some Robot insurance. Robots are made of metal and they are strong.

Re:Law & Order? (0)

Anonymous Coward | more than 7 years ago | (#20609717)

thank you! [jt.org]

Re:Law & Order? (0)

Anonymous Coward | more than 7 years ago | (#20610741)

Nah, he's busy angling for the Secretary of the Interior job, if Fred Thompsen gets elected President.

confidant[sic] they deleted the bad code (4, Insightful)

PitaBred (632671) | more than 7 years ago | (#20609193)

Great. How did that "bad code" get there? Did they close THAT loophole? Because if not, it's just a matter of time.

Re:confidant[sic] they deleted the bad code (1)

E++99 (880734) | more than 7 years ago | (#20609341)

Presumably they use some sort of version control for their source code, in which case methinks there is most likely one new programmer on the unemployment role.

Wouldn't have to be. (1)

khasim (1285) | more than 7 years ago | (#20609493)

It could be as simple as a cracked laptop used by some executive.

All it needs is access to the database.

Their press release provides NO information. And it does nothing to restore any confidence in their systems or management.

Re:Wouldn't have to be. (0)

rah1420 (234198) | more than 7 years ago | (#20611729)

And it does nothing to restore any confidence in their systems or management.

ITYM "Confidance."

Re:confidant[sic] they deleted the bad code (3, Interesting)

ErroneousBee (611028) | more than 7 years ago | (#20610121)

More likely, start by playing the "Guess the Webserver" game.

Compare with the likes of Bank of India, Monster.com, USAjobs.gov, myspace.com and other recent security incidents.

Do you see a pattern emerging?

no evidence? (3, Insightful)

Anonymous Coward | more than 7 years ago | (#20609249)

"there is no evidence that our clients' Social Security numbers were taken" == "there is no evidence that our clients' Social Security numbers were not taken" == "we don't know if our clients' Social Security numbers were taken" == "our clients should probably assume that their SSNs, DOBs, and everything else needed to ruin their lives were taken."

Re:no evidence? (1)

hedwards (940851) | more than 7 years ago | (#20610943)

Not necessarily, since my information was in their database, I intend on asking directly. But it really depends upon how they were structuring their DBs.

I suspect that those numbers are held separately in case the feds ask for information and when doing IRS forms. There isn't any good reason why they need to keep the SSNs in with the other records, as they most likely look up and track accounts by the account number anyway. Or at least if they are even the smallest bit responsible they were doing something similar. Onion layers and all.

Most likely the individuals with the back door access were just interested in email addresses and actual addresses. I've suspected for a while that Ameritrade was responible for spammers getting my email address.

On the flip side, it is kind of odd to get spam with ones name and address already filled in.

Re:no evidence? (0)

Anonymous Coward | more than 7 years ago | (#20611463)

the article and FAQs say that the SSNs were in the compromised database, at least for "legacy ameritrade" customers.

But beyond that, you know that if they could say "there is evidence that no SSNs were retrieved" then that is what they would say. But they didn't say that; they said, "there is no evidence that SSNs were retrieved" which is not the same thing at all.

I believe them!! (1)

www.sorehands.com (142825) | more than 7 years ago | (#20611065)

I believe them. For months, they said that my system was hacked and the custom e-mail addressed used by them must have been signed up with someone else and that is how the spammers got my address.

Yep, I believe them. 110%.

Their new spokesman is Harcourt Fenton Mudd.

DOBs? In Manitoba,Canada they are on license plate (1)

gnuman99 (746007) | more than 7 years ago | (#20612011)

In Manitoba, Day/Month of birth are on the License Plates + 4 months - 1 day. That is the new system they invented to cut lineups.

Re:DOBs? In Manitoba,Canada they are on license pl (0)

Anonymous Coward | more than 7 years ago | (#20612895)

In Manitoba, Day/Month of birth are on the License Plates + 4 months - 1 day. That is the new system they invented to cut lineups.

Really? I can't find any info in google about that.

In fact, I find information to the contrary. [canplates.com]

Confidant? (2, Interesting)

gatekeep (122108) | more than 7 years ago | (#20609257)

How exactly did they manage a misspelling in an "online video-taped message?"

Or was it the editor that mispelled, in which case, why quote a single word with no context?

confidant? (2, Funny)

snarkh (118018) | more than 7 years ago | (#20609269)


Makes you wonder..

Unacceptable (5, Insightful)

mkraft (200694) | more than 7 years ago | (#20609287)

As a TD Ameritrade account holder I find this unacceptable. Not only do they have unauthorized code running on their local systems with access to customers social security numbers and the like, but they don't even tell their customers when this happens other than issuing a generic press release in which they say they think the hackers only got email addresses despite the fact that the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities.

How does unauthorized code even get into a financial institutions systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened.

What exactly is TD Ameritrade doing about this? TD Ameritrade should at least give it's customers free credit monitoring.

Re:Unacceptable (2, Interesting)

bignetbuy (1105123) | more than 7 years ago | (#20609377)

"...hackers only got email addresses despite the fact that the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities."

Exactly. Those new account forms ask for a boatload of personal information.

I wonder how many TD accounts are linked to a stock trader's primary checking account? Scary stuff.

Good luck with your account.

Re:Unacceptable (1)

linuxwrangler (582055) | more than 7 years ago | (#20609465)

I have accounts there, too. And, like with other places I do business, I use a unique email address. And I've been getting a lot of spam to that address. Lucky me.

Wonder how they are so certain that nothing else was read. And I agree - they should pay for credit monitoring. (Actually, anyone who purports to be providing valid credit information should be doing monitoring as a cost of doing business. And if they spread untruths about someone, they should be held 100% liable for all resulting costs and losses related to that incorrect data.)

But the way they say that they have hired this outside firm doesn't make them look too independent. I'd much prefer they let me choose the monitoring company and they pay for it. In fact I may insist on it.

Re:Unacceptable (1)

fishybell (516991) | more than 7 years ago | (#20609509)

the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities


And why, pray tell, does TD Amiritrade require all of that in their main database? If set up properly they could have one database with financial information, and database with contact information, and a link between them. At the very least it's possible (I'm not in any way assuming likely) that the unauthorized code didn't have sufficient database privileges to access the more secure information.


Either way, I'd recommend a strongly worded letter to TD A. and a watchful eye on your credit.

Re:Unacceptable (1)

mpe (36238) | more than 7 years ago | (#20617637)

And why, pray tell, does TD Amiritrade require all of that in their main database? If set up properly they could have one database with financial information, and database with contact information, and a link between them.

Even then there's information on their customers they probably shouldn't be storing at all (e.g. date of birth). Data protection laws, as exist in Europe, explicitally disallow storing unnecessary personal information.

Re:Unacceptable (1)

Intron (870560) | more than 7 years ago | (#20609511)

Just to be on the safe side, you should probably change your name.

Re:Unacceptable (1)

grcumb (781340) | more than 7 years ago | (#20609863)

Gah, rolling back a mistaken moderation. Sorry.

Re:Unacceptable (2, Funny)

frup (998325) | more than 7 years ago | (#20610735)

Hey email me if you want a new Identity I recently bought a whole database off some hacker.

Re:Unacceptable (2, Informative)

Anonymous Coward | more than 7 years ago | (#20609555)

Here's a copy of Ameritrade's response.

September 14, 2007

You do not need to make any changes to your TD AMERITRADE accounts or to change the way you do business with us.

Dear AC,

Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

What we want you to know:
Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

Sincerely,

Joe Moglia
CEO
TD AMERITRADE

Re:Unacceptable (3, Interesting)

klenwell (960296) | more than 7 years ago | (#20609795)

I'm a TD Ameritrade account holder, too, and contacted them last month after I noticed I got some penny-stock spam addressed to me with a TD Ameritrade subject line right after I got my monthly email statement. This was the response:

Thank you for taking the time to address your concerns to Executive Management. I very much appreciate your concern and would like you to know we are conducting an internal investigation regarding the complaints you have disclosed in your email regarding the SPAM. While I will not be able to relay any specifics or update you on the findings, I wanted you to know that we are aware of the situation and are making the necessary corrective actions to remedy the issue.

Citing your inquiry regarding account safety, your assets held with our company are protected by our Asset Protection Guarantee. This safeguards your account from any loss due to fraudulent activity. If you have any further questions regarding this policy please contact our Client Service Representatives at 800-669-3900. They are available 24 hours a day, 7 days a week, excluding market holidays.

Warm regards,

Adam Triplett
atriplett@tdameritrade.com
Senior Research Analyst
Office of the President
Private Client Division
TD AMERITRADE Holding Corporation


At least, it wasn't a bald-faced denial.

It's reached the point that I just assume that sooner rather than later all my private information will be stolen, loss, and compromised -- if it hasn't already. (As a UC graduate, I think I've been party to two other well-publicized identity-theft cases.)

Luckily, I have several different internet identities. So as soon as one is stolen, I move on to the next one. (If only it were that easy...)

Re:Unacceptable (3, Interesting)

Technician (215283) | more than 7 years ago | (#20610703)


How does unauthorized code even get into a financial institutions systems?


http://www.darkreading.com/document.asp?doc_id=113460&print=true [darkreading.com]

No. 1: The Thumb Drive Caper

In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.

The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.


That was just one of many ways to do it.

Re:Unacceptable (1)

alterami (267758) | more than 7 years ago | (#20611847)

I had a Datek account and loved it, then Ameritrade bought them out, before the merger was complete I closed my account and switched to TD Waterhouse which I was also pretty happy with... unfortunately they got bought by them too and I knew bad things would happen but for some reason stayed with them this time. Now I know why my one email account I used for years with zero spam issues was always over its size limit and bouncing back every legitimate email. Every time I checked it, it was nothing but spam and every one with attachments. You better believe all of our Social Security numbers have been compromised. I agree Ameritrade owes us more than an apology for this.

Unacceptable Inevitable, I think, is what u mean (1)

oKAMi-InfoSec (1043042) | more than 7 years ago | (#20615865)

mkraft: In reference to your statement "How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened."

It, unfortunately, is not that easy. As soon as one computer is connected to another computer (via wireless, wired networks or 'sneaker-net'), problems with security start to cascade. If a computer has a USB port, a CD drive, DVD drive, or a network connection, it is nearly impossible to lock down - malware will find it's way onto the machine.

The U.S. and foreign governments spend a fortune trying to lock down some of their most sophisticated computers and networks and still they leak like a sieve.

Although we may wish that it were otherwise, we can hardly expect for a company whose bottom line is the profit margin, to spend all that it takes to secure even one computer...

Consider the magnitude of the problem:
- Keep the network holes plugged as much as possible
- Keep the operating system patched
- Keep all of the applications (including the off-the-shelf and home-grown applications) patched - Keep all security software patched and updated
- Most importantly, keep all employees from doing anything remotely silly or risky

Many of the items above, are nearly impossible to do well - for example...if a typical patch for a piece of software arrives ~5 days after the vulnerability is announced, what is the financial institution supposed to do for those 5 days? NOTE: the 5 days is a fictitious number - no one achieves that high a speed in issuing and applying patches...but it illustrates the point...

There is no way for an underpaid, overworked security staff to plug EVERY hole - especially in the world of zero day exploits. The hackers, on the other hand, have automated tools that can plug at the problem 24/7 until they find even one, overlooked hole...

Re:Unacceptable (0)

Anonymous Coward | more than 7 years ago | (#20616353)

I do infosec at a company that supplies banks, and judging from the depth & detail of the thrashing most of them give our internal processes & kit before signing up, financial firms take security very seriously. This is about as bad as it gets. The fear of something like this happening on my watch is what makes me so damn motivated & obsessive at work. Security's a small industry and although the general public will probably have forgotten all about this in a few weeks' time (the ones that've noticed, that is) Ameritrade is now a liability on the resumes of all their security people, rather than the asset I imagine they mostly thought it would be. There but for, well, hard work & good luck & - well, I nurse the superstition that thinking about it all the time helps fend off The Ph33r.

Google for it.. (4, Informative)

Dynamoo (527749) | more than 7 years ago | (#20609315)

Do a Google search for Ameritrade spam [google.com] . This isn't a new problem, it's been going on for months and even years where there's clear evidence that the data is being lifted by spammers.

You don't have to look far - this one [blogspot.com] is particularly damning, and I've seen evidence elsewhere that people set up an email address ONLY for Ameritrade and they've watched the spam come in.

Re:Google for it.. (1)

Starwanderer (230199) | more than 7 years ago | (#20610083)

I don't even have to Google. I complained to them close to four years ago that they had someone stealing email addresses. They wouldn't admit it then and didn't believe me when I offered sufficient proof it was happening. While I'd really like more details, at least they're admitting it. That's a start.

Re:Google for it.. (1)

gorbachev (512743) | more than 7 years ago | (#20610181)

The anti-spam activists (yea yea) have been complaining about Ameritrade "leaking" Email addresses to spammers for a LOOOOOOONG time. I can't remember when the first time I heard about this, but a really quick Googling reveals July 2006 blog post...comments on it seemed to suggest it had already been going on for while before that date.

http://thespamdiaries.blogspot.com/2006/07/ameritrade-customer-email-lists-sold.html [blogspot.com]

Re:Google for it.. (1)

gorbachev (512743) | more than 7 years ago | (#20610207)

Here's one from October 2005:

http://news.umailcampaign.com/message/107456.aspx [umailcampaign.com]

Amazing.

Re:Google for it.. (1)

Grert (1157123) | more than 7 years ago | (#20614083)

I think I was one of the first to publically report an Ameritrade unique email address getting hit, though not the first. FWIW, I got hit again very late last year or early this year, on a new/different Ameritrade account with yet another unique email address. I called Ameritrade this time and spoke with someone in their security department. I explained everything and very strongly urged them to investigate things on their end. I'm sure others did the same thing, and I'm sure others were both happy and sad to hear the recent news. Happy for obvious reasons, sad for it taking so frigging long. After the second event, over a year after the first one, I played it safe and as soon as possible ended my relationship with them. It is highly unlikely I'll ever open an account with them again. I can understand it taking some time to track down and eliminate an exploit. Not many, many months though... let alone years. IMO, Ameritrade should have been the FIRST to know about the problem, for they should have seeded their database with spamtrap addresses.

From 2005! (1)

krbvroc1 (725200) | more than 7 years ago | (#20610965)

Here is the Ameritrade response someone use used a VERY random unique email address for their Ameritrade account and complained in 2005 (almost 2 years ago).

"Thank you for contacting us today regarding e-mails that you received.

"We have received reports from some clients that a spam e-mail
regarding information on the security SNFX, has been targeted to an
address they use with Ameritrade. This is not result from Ameritrade
sharing or selling any contact information, nor do we believe any
information has been compromised. The cornerstone of our Privacy
Statement is the commitment to keep our clients' personal information
confidential. Ameritrade does not sell, license, lease or otherwise
disclose your personal information to any third party for any reason,
except as noted in the Privacy Statement.

"Several Spam methods do not depend on using purchased or intercepted
lists of existing or valid e-mail accounts. Spammers also use known
"brute forcing" or dictionary techniques. Brute forcing e-mails
basically starts with something like a@doeinvestor.net, aa@doeinvestor,
aaa@doeinvestor, aab@doeinvestor, abb@doeinvestor and continues on from
there. Brute forcing basically generates and sends out an email to
every possible combination of characters/email addresses at a domain
like the optiline.net domain. A dictionary email spam basically uses
all of the words that would be included in a dictionary or combinations
of words which generally produce quite a few valid email accounts.
This type of method would not be inhibited by using a separate e-mail
address for each business account you may have.

"We have located the ISP that these e-mails originated from and legal
has taken the appropriate action to address and prohibit further spam
attempts.

"We have no reason to believe that any of our systems have been
compromised. Ameritrade deploys state of the art firewalls, intrusion
detection, anti - virus software as well as employs a full time staff
of employee's dedicated strictly to Information Security and protecting
Ameritrade's systems from unauthorized access.

"If you have further concerns or inquiries, please reply to this
message.

"Have a good day!"

Yo0 fail it... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20609385)

Deeper into the moronic, dilettante mileStones, telling for it. I don't than this BSD box,

Exec-lish is a weird language. (4, Insightful)

Futurepower(R) (558542) | more than 7 years ago | (#20609411)

Quotes, and translation:

The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers.

Moglia, speaking in an online video-taped message to customers, said he is "confidant" that they have figured out how the information was taken.

It's necessary to know how to translate those statements. It looks like plain English, but it isn't. It's Exec-lish, and must be translated.

Exec-lish to English translation: "We don't actually have anyone our company that understands technical computer issues. The software was written by a low bidder to whom we awarded a contract. Since we don't have any technically knowledgeable people on staff, we had no way to understand if we should have confidence in the bidder or not."

"We don't know how many people accessed our system through the back door, or how many times, or for how long. (Actually I had never heard the term 'back door' until yesterday.) Since we don't have any technical knowledge, we can't assess whether there are other back doors. Possibly even the forensic investigators have left their own back doors."

Exec-lish is a weird language that doesn't allow the expression of negative facts. So, it is possible that, if the executive wanted to be truthful, he or she would say, "I'm not qualified to be in this job, since I don't know enough to understand the company's operations thoroughly."

I'm just guessing about that translation, but gathering from what I've seen at other companies, it is not far off.

Re:Exec-lish is a weird language. (1)

gatekeep (122108) | more than 7 years ago | (#20609603)

So, it is possible that, if the executive wanted to be truthful, he or she would say, "I'm not qualified to be in this job, since I don't know enough to understand the company's operations thoroughly."

Really? You think that a CEO of an investment firm should understand the nuances of computer security? That's like saying that the CEO of McDonald's should be able to slaughter a cow.

Re:Exec-lish is a weird language. (1)

ewhenn (647989) | more than 7 years ago | (#20609875)

No, but he should have the common sense to make sure he has adequately qualified individuals dealing with database code, and that the code should be double... scratch that... tripple checked, and most likely check by an outside security consultant BEFORE it goes live. Especially when it is data that needs absolute security.

I don't have a major in business or anything, but it's pretty obvious that if you do not understand the basic concept of, "protect private information", you are NOT a competent CEO.

Re:Exec-lish is a weird language. (1)

radish (98371) | more than 7 years ago | (#20611017)

It was obviously an inside job. Banks' information security is designed much like their physical security - put everything in a huge impenetrable vault and lock the door. That doesn't work so well when you have a threat on the inside.

Re:Exec-lish is a weird language. (2, Interesting)

vic-traill (1038742) | more than 7 years ago | (#20611241)

That's like saying that the CEO of McDonald's should be able to slaughter a cow.

Years ago, on Michael Moore's TV Nation program, there was a segment called the CEO Corporate Challenge, in which Moore attempted to get CEO's to perform some task with a product of their company, or component of a product of their company.

Picture Moore with a megaphone and a 1.44M floppy, outside IBM headquarters, shouting something like "Lou Gerstner, format this disk. You have one hour." Lou didn't show.

Surprisingly, Alexander Trotman, Ford CEO at the time, came out and changed the oil in a pickup in a time pretty close to a local quik-lube.

So, yeah, maybe sometimes you can expect the CEO to know about surprising stuff - they may have had a life before they became a CEO. In Trotman's case, he had been in the RAF, and I suspect he picked up skills and possibly a personality on the way through.

And yeah, I know it's TV *and* Michael Moore. But I have no trouble believing Trotman did it.

The CEO of an online company must know security. (1)

Futurepower(R) (558542) | more than 7 years ago | (#20614975)

"You think that a CEO of an investment firm should understand the nuances of computer security?"

My understanding is that Ameritrade is NOT an "investment firm". The company is a computer services firm. If you buy a stock, Ameritrade checks its own inventory that day, and likely sells you some of its own stock, which it keeps to avoid going somewhere else, which would be more expensive. That selling is just quick computer entries, debiting its own account and adding to the buyer's account.

In the same way, Amazon is not a book seller. It is an inventory company. Amazon does not read the books, it just stocks them.

So, if the Ameritrade CEO knows nothing about computer systems, as it seems from the statements on the web site, he knows nothing about his job.

and time passes ... (0)

Anonymous Coward | more than 7 years ago | (#20609521)

u mean someone inside the stock market blackbox told others
how the blackbox works? about time :D hello immunsystem ...

"insider trading is only illegal if it breakes the law(tm)" ...

can u make sloshdor load faster? pls ...

look, all online trading companies are a fraud.

they offer u acces to stock market, so u ( and john and his mother sign up to).
sure they show u the delayed 20 minutes stock quotes (which i assume cost money to see),
but in reality, all those ...

so lets say we have a RING 0, that is the true stock market , if it ever existed.
all the online traders are RING 1, that means, they arn't the real access. they a 3rd party.

owner RING 1 allows them to do trading and balancing without really using RING 0.

what does this mean?

it means that if john sells low and his mom is buying high, they can regulat this internally, without ever touching ring 0 and make a healthy profit.

$buying and selling in RING 1 doesn't effect real RING 0 stock prices, because it is being
cleared inside RING 1, e.g. the so called help-full on-line stock trading company,
like ameritrade ... user against user, the profitable ones for ameritrade get sold and bought tho.

buy and sell commands never leave ameritrade. they are just cleared by other ameritrade
users, they never acctually reach the real stock market :D

it's a wickedly cool business model. if you can say internet firewall and silently droped packets,
then you can say ameritrade and on-line stock traders ...

if this doesn't make sense?

Re:and time passes ... (0)

Anonymous Coward | more than 7 years ago | (#20609687)

if this doesn't make sense?


You took the words right out of my mouth

Re:and time passes ... (0)

Anonymous Coward | more than 7 years ago | (#20610077)

have u read neuromancer? by william gibson?
well, there u have it. stop denying it.

u DONT want to understand, because it would HURT. denial ... is a sickness.

on a side not. sure u can work for the man.

dont u just LUV the ameritrade /. user PR-ing on /.?

Re:and time passes ... (1)

DrSkwid (118965) | more than 7 years ago | (#20611587)

People made up names for such a system.

We generally call it "wholesale" and "retail".

Go and rant your Ring 0 nonsense to the guy with the Kwik-E-Mart franchise down the street that he's part of a blatantly unsecret cabal that is overcharging you for your cheezy-poofs.

Windows? (0)

Anonymous Coward | more than 7 years ago | (#20609533)

Any chance this is a Windows based system? ;P

--
Mathematicians and programmers needed:
http://metascore.sourceforge.net/ [sourceforge.net]

Re:Windows? (0)

Anonymous Coward | more than 7 years ago | (#20610035)

Just because Microsoft can't even deal with known viruses [bbc.co.uk] ?

Or because the most anticipated feature of Windows 2008 Server [computerweekly.com] is security? (What does that say about current Windows servers?)

Re:Windows? (0)

Anonymous Coward | more than 7 years ago | (#20611377)

Yeah. Windows ME.

SQL injection code? (1)

SlashDev (627697) | more than 7 years ago | (#20609543)

I am presuming that unauthorized, means that it wasn't quality controlled. It is faily easy to add SQL code intended for one purpose while forgetting to secure it against SQL injections.

Press Release Doesn't Tell the Whole Story (5, Informative)

Ethan Preston (929189) | more than 7 years ago | (#20609571)

I am a class action attorney. My law firm and I sued Ameritrade over failing to disclose the security breach [justia.com] on May 31, 2007. We filed for a preliminary injunction on July 10, 2007. Part of the relief we sought for the accountholders in the preliminary injunction was a disclosure of this information.

In sum, this Motion seeks an Order from this Court against TD AMERITRADE, Inc. that: ... 8. Requires TD AMERITRADE, Inc. to prominently disclose in its Privacy Statement and in emails or other individual disclosures to its accountholders: ALERT: AMERITRADE'S INFORMATION SYSTEMS ARE NOT NECESSARILY SECURE AND WE CANNOT ASSURE THE SECURITY OF YOUR PERSONAL INFORMATION. THERE IS EVIDENCE THAT SOME ACCOUNTHOLDERS' EMAIL ADDRESSES HAVE LEAKED FROM AMERITRADE'S COMPUTER SYSTEMS TO SPAMMERS. AMERITRADE HAS AN ONGOING INVESTIGATION INTO THIS SITUATION. YOUR NAME, SOCIAL SECURITY NUMBER, AND YOUR EMAIL ADDRESS MAY HAVE BEEN LEAKED AS WELL. We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You can contact Equifax (800-685-1111), Experian (888-397-3742), or TransUnionCorp (800-680-7289). Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You can obtain a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm [ftc.gov]

and the rich get richer (4, Interesting)

tidokoro (967675) | more than 7 years ago | (#20610027)

I'm actually a TD account holder and wouldn't mind seeing them punished for this. Unfortunately, I've never been party to a class-action suit that even came to close to compensating me for the time I took to fill out whatever forms I needed to fill out much less what I had actually loss as part of the class. From the last class-action I joined:

Dear Claimant,

The Proof of Claim and Release you submitted with respect to the In re [Bankrupt Company] Securities Litigation has been processed under the terms and conditions of the Stipulations of Settlement and Second Distribution Order as approved by the United States District Court for the Easter District of New York. Please be advised such Stipulation and Order provides:

"If such Authorized Claimant is allocated less than $10.00 in value from the remaining Settlement Fund, then such Authorized Claimant shall not receive a further distribution from the Settlement Fund, and such amounts shall be re-allocated among the remaining Authorized Claimants."

Based upon these terms, we regret to inform you the proration of your share of the Settlement Fund, as approved by the Court, would amount to less than ten dollars ($10.00). Therefore you will not receive a distribution from the Settlement Fund.

Sincerely,
Claims Administrator

Anyone know..... (1)

budword (680846) | more than 7 years ago | (#20609575)

Anyone know what OS they happen to be running ?

Unauthorized software? (0)

Anonymous Coward | more than 7 years ago | (#20609693)

What was it?

i love it (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20609695)

when my backdoor gets pounded!

stupid fucking niggers!

o man, i took a big shit. look, i was pregnant, look at that little niglet

Re:i love it (0)

Anonymous Coward | more than 7 years ago | (#20611129)

Your daughter is gonna have a mixed baby. It'll be funny.

Found my address sold long ago (1)

NevesisEF (414044) | more than 7 years ago | (#20609699)

Well, that explains why I have started getting spam to my Ameritrade email address MANY MONTHS AGO. Yup, I gave them a one-time-use address, and it was compromised. It goes to a black hole now, but I still see how often it is tried in my mail logs. But this has been going on for quite some time (and I closed this account a long time ago before this, and thought maybe they sold my address for doing so).

It's real, and very worrying. (4, Insightful)

ballpoint (192660) | more than 7 years ago | (#20609705)

The email addresses I used contained 'datek' and later 'ameritrade' when Datek merged with Ameritrade. You can guess that I didn't use these email addresses for anything else, yet both were spammed. At the time I thought they were leaked by someone logging traffic at an ISP.

Despite the whitewashing that's going on, AMTD is going to take a BIG hit. These issues are not to be taken lightly.

From the FAQ:

"How do you know that this sensitive information, like Social Security Numbers, hasn't been leaked or misused? After extensive investigations involving outside forensics experts, we have no evidence that this sensitive personal information was taken. That is one of the reasons why we have also hired ID Analytics. Its initial investigation has concluded that there is no evidence of identity theft as a result of this issue."

Absence of evidence is not evidence of absence.

Re:It's real, and very worrying. (1)

ScrewMaster (602015) | more than 7 years ago | (#20611075)

In any event, unless they can conclusively demonstrate that the "unauthorized code" was not capable of transmitting other information then that statement is meaningless. Any halfway competent cracker would take steps to cover his tracks: for all we know, this address-harvesting business was just cover for something worse.

Late Friday Bade News Release (2, Insightful)

1_brown_mouse (160511) | more than 7 years ago | (#20609839)

Its like Washington Politicians dumping the really bad news too late for the news cycle.

Nice of them to let the users know so soon.

I'm "Confident"... (0)

Anonymous Coward | more than 7 years ago | (#20609873)

...that the "author" of this post has some kind of "problem" with Ameritrade.

Ameritrade customer seeking to move (1)

Coward Anonymous (110649) | more than 7 years ago | (#20610001)

Anyone have recommendations?

Re:Ameritrade customer seeking to move (1)

umrguy76 (114837) | more than 7 years ago | (#20610639)

Check out http://www.scottrade.com/ [scottrade.com]

*disclaimer: I work there

Re:Ameritrade customer seeking to move (0)

Anonymous Coward | more than 7 years ago | (#20611989)

Sure, move to Etrade (before the future merge with TD Ameritrade).

Possible reason why nobody has been caught (2, Interesting)

Coward Anonymous (110649) | more than 7 years ago | (#20610347)

The dirty little secret is that the people behind it appear to be in Slovakia and potentially in Canada.

Clearly more than e-mails were stolen. When I received both e-mail and snail mail stock flipping spam I traced the information down to addresses in Slovakia and Canada (which I promptly fed the SEC who probably never did anything about it considering that the spammers managed to register and flip a completely bogus company within 3 months flat). A spammer in Slovakia won't have much to do with SSNs except sell them.

It's a matter of time before those "unaccessed SSNs" are sold if they haven't been already.

There is no incentive for TDAmeritrade to do anything about this because they figure they won't be found responsible for identity thefts that will occur as a result (go trace them back to Slovakia). It's enough for them to stop fraudulent access to their accounts.

Shame on Ameritrade for being so careless and callous.

I bailed on them for this reason. (2, Informative)

bcrowell (177657) | more than 7 years ago | (#20610549)

I was an Ameritrade customer. Soon after setting up an account with them, I started getting pump-and-dump spam sent to the single-purpose email address that I'd created only for use with them. A simple google search showed that this had been going on for years at Ameritrade. I run Linux, and am fairly careful about keeping my box secure, so I was pretty sure the address hadn't been leaked by malware on my end. In the past, they've claimed that the addresses might be getting found by dictionary attacks, but the address I was using had 13 characters before the @ sign, didn't have dictionary words in it, and had an obscure domain name after the @, not yahoo or hotmail or anything like that.

I decided that I wasn't going to entrust the bulk of my life's savings to a company that was that clueless about security, so I transferred my account to Scottrade. When I did the transfer, I explained in an email to the Ameritrade people that the security problem was the reason I was leaving them. The responded with a phone call, and the phone rep was completely in denial about the spam problem, which was had been publicly known and discussed for years.

The other reason I wanted to get away from them was that some of the functionality of their web interface didn't work on Firefox in Linux, so I had to do certain things (e.g., withdrawing money) on a Mac or Windows machine instead. (When I called to report it as a bug, they said they didn't support Linux.)

Re:I bailed on them for this reason. (1)

ir (104) | more than 7 years ago | (#20613285)

Does the scottrade web site hang on you sometimes? I get this problem a lot in Firefox in Linux and Windows.

TDA - do the right thing (1)

QuietLagoon (813062) | more than 7 years ago | (#20610559)

Provide at least one year of credit-monitoring services for your customers whose data were compromised.

Re:TDA - do the right thing (1)

Captain Electrode (946391) | more than 7 years ago | (#20612467)

...or non customers, even. They collect tons of personal information before telling you they want a minimum deposit before doing business with you, which is when I balked.

Re:TDA - do the right thing (1)

duh_lime (583156) | more than 7 years ago | (#20612559)

They'll do it -- if you complain enough. I called TDA, forcefully explained that there was a big difference between "no evidence of XYZ" and "evidence that there wasn't XYZ", and the girl offered me 1 year free "Triple Credit Monitoring from Experian" (a $70 value). Then I got her to do it for my wife too... (Yes, some /.'ers have those...) I explained that I wasn't concerned about the "security of my Ameritrade assets"... that I EXPECTED them to be safe... It was all about the possibility of compromise of my personal info... SSN and DOB... I said the CEO needed to buy a clue if he thought the issue was the security of my measly Ameritrade account.

I hear an onslaught of phone calls to Ameritrade demanding 1 year Monitoring... Do it soon before they change the policy.

History of the leak (1)

ericferris (1087061) | more than 7 years ago | (#20610625)

This has been going on for years.In 2005, a user of the spamgourmet disposable web site address reported [spamgourmet.com] that he was getting spam advertizing stock scams to an address he created exclusively for Ameritrade. Moreover, the user ran a *nix version on his PC and was very careful, so a leak on his end was unlikely. Ameritrade first denied, then compensated him. That was only the start. Since then, many reports surfaced showing that Ameritrade has an email leak problem.

It was only logical that the leak wasn't limited to email addresses.

Meanwhile, Ameritrade denied that their system was compromised. For instance, a spamgourmet user attempted to contact Ameritrade but got nowhere, so he complained about Ameritrade to the BBB. That woke Ameritrade up. They finally answered the user, while denying any breach in their systems:

We received correspondence from the Better Business Bureau about your Ameritrade account.

I wanted to follow up with you about the Spam e-mails you received. I apologize for the delayed response and understand any frustration you may have experienced in this matter. Although we have been unable to determine the exact cause of the Spam, I wanted to inform you of what we do know.

We thoroughly reviewed our systems and data sent to third parties with access to e-mail addresses and found no misuse or compromises of any of our systems or storage mediums for e-mail addresses. Additionally, after further review of our systems, there is no indication that your account information held with Ameritrade has been compromised. Please be assured that we regularly contract leading edge security firms to conduct network and application penetration tests to test the security of our network and web presence. We also employ a staff of full time employees solely dedicated to Information Security.

In the light of their recent admission, this translates into: "Our staff was utterly clueless and couldn't find a Trojan if it hit them in the balls with a brick. This contractor guy ran a newfangled thingie called a "rootkit detector" and whaddya know, it lit up like a Christmas tree. He saod your data got pwned. So there."

Re:History of the leak (1)

polygamous coward (1127507) | more than 7 years ago | (#20612569)

Yes! For years. Old news. The fuckers finally fess up? There should be laws against this.

SiteAdvisor figured this out a while ago (1)

schmiddy (599730) | more than 7 years ago | (#20610955)

Check out the dossier page for ameritrade on SiteAdvisor [siteadvisor.com] -- you'll see they have a dossier of spams sent out by Ameritrade. Note, they've been getting a green rating because SA felt they didn't deserve to get a red rating overall because they are a trusted financial institution.. however it's very likely they'll be getting a red rating overall quite soon, which might have quite an impact on Ameritrade's bottom line given SA's enormous user base.

Re:SiteAdvisor figured this out a while ago (1)

neomunk (913773) | more than 7 years ago | (#20611201)

they've been getting a green rating because SA felt they didn't deserve to get a red rating overall because they are a trusted financial institution..
I've heard of security through obscurity, but security through clout? Wow.

nVidia stock price (0)

Anonymous Coward | more than 7 years ago | (#20611955)

So I dunno but if anyone else uses TD and has seen nVidia's stock price the past few months, they'd see it was rising upwards of $52, but now it shows it at $32, and the charts for the year never go past. Yet earlier, I had bought the stock at $45 and sold for a little more. How the hell did this happen? Is it the same problem.

Re:nVidia stock price (1)

ChrisMaple (607946) | more than 7 years ago | (#20612717)

nVidia had a 3:2 stock split Sept. 11, 2007 and the price adjusted accordingly. This has nothing to do with TDA.

Not surprising to me (2, Insightful)

Abalamahalamatandra (639919) | more than 7 years ago | (#20611971)

I did a project for Ameritrade back in 1999 to do a kind of single signon for Ameritrade customers to research providers like TheStreet.com and such.

Anyway, when I got onsite and started talking to them, I found out that the entire trading system was written in noncompiled Perl. They used huge modules for all their trading functions and had a habit of just "use"ing all of the modules in all of the scripts whether they needed them or not. I actually figured out that every time a trade was input by a user, the system had to load and tokenize well over 50,000 lines of Perl code in something like 75 files. Their idea of increasing performance was adding another huge SunFire server to the growing pool of over 30 in the group.

I asked them if they had ever thought of using something like FastCGI to speed things up by preloading the modules at least, or coding in C or C++ rather than Perl. They said noone really knew how to code in C and they couldn't figure out FastCGI.

Anyway, the upshot is that was kind of a scary bunch. It's hard enough to lure good programmers to Omaha in the first place, and then they required all of their staff to wear a shirt, coat and tie, so they didn't exactly get the cream of even that crop!

Re:Not surprising to me (1)

HedyLamarr (1078257) | more than 7 years ago | (#20615351)

I also worked on a project at Ameritrade during the same time frame to improve performance of the front end and we had actually recommended they use FastCGI as an temporary measure until they could do a full re-write in Java. I got to see the infrastructure up close and it was not pretty. I remember seeing a Netgear DS108 hub inline on their front-end to support an ISS sensor and they were wondering why they were dropping market open traffic. WTF! You nailed it about Omaha, other clients based there have the same issues attracting talent.

You'd think they learned... (0)

Anonymous Coward | more than 7 years ago | (#20612095)

You'd think they learned their lesson about back-doors after the WOPR incident!

Ameritrade 'fesses up (1)

dpletche (207193) | more than 7 years ago | (#20612587)

I had several unproductive exchanges with Ameritrade last year about this problem. They claimed that my account was compromised by a dictionary attack (the address was lpm_ameritrade_xubz@...) or that it was leaked by a virus on my computer (running OpenBSD).

I changed it several times, eventually to an absurdly long string of random characters--a rhetorical ploy. Each time the address was compromised within weeks. Finally I closed my account and moved to another brokerage, which has kept my contact information delightfully secure.

I'm glad to see that Ameritrade is going to take its licks for this. I was quite unhappy with their handling of the situation. I interacted with one reasonable senior-level person after I had already initiated the closure of my account--he refunded my account termination charges and seemed interested in investigating the problem with an open mind. That doesn't right the wrong.

I usually tend to ignore class action lawsuits but in this case, sign me up! I've got complete, detailed documentation of my SPAM-related suffering at the hand of Ameritrade.

Closed one hole -- but are there others? (1)

chiph (523845) | more than 7 years ago | (#20616933)

Congrats to Ameritrade on owning up to the problem and closing the hole caused by the rogue code.

However, the programmer (or hacker) who added this code probably didn't do it just once -- there are likely other backdoors that they put in. So, Ameritrade needs to perform a top-to-bottom code audit in order to ensure that all their code is what it is supposed to be. This should be done by two unrelated teams of skilled developers who are familiar with financial systems, and who have never been on their payroll, or the payroll of any of their vendors they have used in the past.

Only then can the management at Ameritrade have any assurance at any level, that their systems are now uncompromised.

Chip H.

Free ONE YEAR credit monitoring !! (1)

duh_lime (583156) | more than 7 years ago | (#20616973)

They'll do it -- if you complain enough. I called TDA, forcefully explained that there was a big difference between "no evidence of XYZ" and "evidence that there wasn't XYZ", and the girl offered me 1 year free "Triple Credit Monitoring from Experian" (a $70 value). Then I got her to do it for my wife too... (Yes, some /.'ers have those...) I said the CEO needed to buy a clue if he thought the issue was the security of my measly Ameritrade account.

I hear an onslaught of phone calls to Ameritrade demanding 1 year Monitoring... Do it soon before they change the policy.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?