The Ameritrade Fallout
Breach is a Warning to All Financial Institutions
The announcement by online brokerage TD Ameritrade that one of its databases had been breached reinforces an important lesson for other financial institutions: know your systems and who is accessing them.
On Sept. 14, Ameritrade went public with the news that it had "discovered and eliminated unauthorized code from its systems that allowed access to an internal database" [View TD Ameritrade Press Release].
For financial institutions (and all other companies), this breach brings to light common themes in data breach prevention, according to Rebecca Herold, an information security and privacy expert and author. "There are similarities between the Ameritrade and TJX breaches (in January 2007 TJX revealed that hackers took the account numbers of more than 45 million credit and debit cards from its databases), and financial institutions should learn from these breaches to better prepare themselves for a data breach."
In both cases, there were insufficient controls and monitoring in place to detect that data breaches were happening. "When you don't have enough monitoring and logging, the longer it exists, the longer the criminal has to steal information," she adds. "There is too much focus on network and perimeter security. Institutions need to look at the bigger picture of where data is, and who or what groups are accessing, using, copying and keeping it."
Precautions to Take
Monitoring all communications is one place to start. "You need to know what's happening on your email servers," Herold says. "Not just what's coming in, but what's going out." Instant messaging, too, should be scrutinized.
Further, look into the operational controls you have in place, Herold advises. How aware are your personnel of how to secure information appropriately? Incorporate safeguards and security activities into employees' individual job activities. "You can create job descriptions and list these safeguards and practices as part of each employee's job, so that you don't have someone absent-mindedly sending off information containing personally identifiable information in an email that gets forwarded or gets shared inappropriately," she says.
The human factor isn't always appropriately addressed when considering information security. Yet it is also important for people to realize that even email addresses (like the ones stolen in the Ameritrade breach) and other seemingly innocuous data such as name and address can be used for identity theft and loss of privacy.
Not an Isolated Incident
According to statements from Ameritrade, "The discovery was made as the result of an internal investigation of stock-related SPAM." This is no surprise to those Ameritrade customers who have reportedly been receiving that spam. Ameritrade has known about the problem at least since October 2006, when some customers began complaining to the company about receiving stock-related spam. Lawyer Scott Kamber filed a spam-related class action lawsuit against TD Ameritrade in May.
Garth Bruen, an information security researcher at Knujon, a project offering a multi-tiered response to Internet threats, specifically email-based ones, finds the Ameritrade breach and the theft of email addresses unsettling.
"What happened with Ameritrade is the database with email addresses was broken into and email addresses were stolen," Bruen says. "We saw a similar action when hackers broke into Pfizer and took over computers. The hackers then used those email accounts to send out phishing emails touting fake drug sites." (Pfizer's zombie problem was uncovered by Support Intelligence, a San Francisco security company.)
Bruen said that while he had not seen any of this occurring with the Ameritrade email addresses, such messages would be harder to find among all the spam mail, because the stolen addresses would not all end in the same company domain, as they did in the case of Pfizer's breach.
Missed Your Wake-Up Call?
"It is a total cliché to say this is a wake-up call for financial institutions and other companies," Bruen says. "They all got their wake-up call five years ago. Some of them are still walking around looking for the coffee pot."
"Incident response plans are important to have as a plan of action for taking it public when a breach occurs. I think there will be a public relations specialty formed to handle the massive publicity that some of these breaches incur," says Bruen, referring to the video statement of TD Ameritrade's CEO Joe Moglia [TD Ameritrade CEO Video] that was placed on a special site offering more information on the breach.
Another problem that comes out of the Ameritrade breach is the lack of attention to brand protection. "Phishing is another form of brand hijacking, with the brand being the bank or credit union's name," Bruen says. "The bank's name has value, just as a famous designer's handbag or a well-known prescription drug's name has value."
For those smaller institutions out there reassuring themselves that they can't possibly be a data breach victim, Bruen advises: think again. "Is anyone a target? The answer is pretty much yes. As a business person, you're not looking at it from a criminal's perspective. You'd be surprised to know what they think is valuable."
Bruen sees many smaller firms and institutions targeted by hackers, mainly because those companies don't have the security perimeter built up that larger companies do. "You may not be a major bank, but a smaller bank, or a tiny loan servicer -- you're still a target," he adds. Third-party service providers that handle your operations are also possible targets.
How Database Was Hacked
The best advice to financial institutions is "prevention," says database researcher Amichai Shulman. "This is the best method when it comes to breaches and loss of data." Shulman, an expert on the Payment Card Industry (PCI) Data Security Standard, is also Chief Technology Officer at Imperva, an application data security company.
According to Shulman, Ameritrade may have had security controls on the database, "But whatever security and policy mechanisms they had in place, it was not enough to detect the long period of data leakage and the earlier intrusion or hack that initiated the data leak."
It appears no timely information was available to detect the breach, he says. "Any financial institution needs to have precise policies and auditing for inappropriate access to information." The important thing is to have the mechanisms in place and be alerted immediately when something out of the ordinary occurs, he adds.
No SSNs Were Taken?
Ameritrade's Chief Executive Officer Joe Moglia asserts, "While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them."
"Ameritrade has said it was very certain that no PII or SSNs were touched, though this information was on the same database," says Shulman, as he theorizes how the attack may have occurred. "It wasn't an insider job, but an attack through a web application that extracted the information. This attack was sophisticated. The attackers injected the code into the application and did not access the database directly, but indirectly, and would grab the information when it was used or accessed."
One thing is certain in Shulman's opinion: "The older generation of protective measures, perimeter firewalls and code reviews, aren't enough. You need web application firewalls to defend against these new kinds of attacks that go through the application." His advice to financial institutions:
- Mitigation of web application threats
- Detection of breaches or unauthorized activity
- Better database auditing solutions
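As an added illustration of the database auditing Shulman calls for (this is example code written for this page, not Imperva's product and not anything Ameritrade ran), the following Python script applies per-account access policies to constructed database audit-log lines. The account names, column sets, thresholds and log format are hypothetical. It flags three things: an account reading a column it is not allowed to read, a single statement returning more rows than that account should ever need, and, the case a per-statement check misses, an account whose total reads of sensitive columns over a day cross a ceiling even though each individual query looks ordinary. That last rule is the one aimed at the "long period of data leakage" Shulman describes.

```python
"""Toy database audit-log policy checker (example code, hypothetical policy and log)."""
import re
from collections import defaultdict

# Per-account policy (hypothetical): columns the account may read, the most rows a
# single statement may return, and the most rows of sensitive columns per day.
POLICY = {
    "webapp":       {"columns": {"email", "name", "balance"}, "max_rows": 100,    "daily_sensitive": 5000},
    "batch_mailer": {"columns": {"email"},                    "max_rows": 100000, "daily_sensitive": 100000},
    "reports":      {"columns": {"name", "email"},            "max_rows": 5000,   "daily_sensitive": 15000},
}
SENSITIVE = {"email", "ssn"}  # columns whose volume we total per account per day

# Constructed audit records: "<timestamp> <account> SELECT <cols> FROM <table> ... rows=<n>".
SAMPLE_LOG = """\
2007-09-01T09:00:01 webapp SELECT email,name FROM clients WHERE id=1001 rows=1
2007-09-01T09:00:04 webapp SELECT balance FROM accounts WHERE id=1001 rows=1
2007-09-01T09:15:00 batch_mailer SELECT email FROM clients WHERE optin=1 rows=50000
2007-09-01T10:00:00 reports SELECT name,email FROM clients WHERE region=1 rows=4000
2007-09-01T11:00:00 reports SELECT name,email FROM clients WHERE region=2 rows=4000
2007-09-01T12:00:00 reports SELECT name,email FROM clients WHERE region=3 rows=4000
2007-09-01T13:00:00 reports SELECT name,email FROM clients WHERE region=4 rows=4000
2007-09-01T23:41:12 webapp SELECT email FROM clients WHERE id>0 rows=61000
2007-09-02T02:10:00 webapp SELECT email,ssn FROM clients WHERE id=2231 rows=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) SELECT (?P<cols>[\w,]+) FROM (?P<table>\w+).*? rows=(?P<rows>\d+)$"
)


def parse(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cols"] = set(rec["cols"].split(","))
    rec["rows"] = int(rec["rows"])
    rec["day"] = rec["ts"][:10]
    return rec


def detect(log_text):
    """Return a list of (line_no, alert_kind, detail) for every policy violation found."""
    alerts = []
    daily = defaultdict(int)  # (account, day) -> rows of sensitive columns read so far
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            alerts.append((n, "unparsed", line))
            continue
        pol = POLICY.get(rec["principal"])
        if pol is None:
            alerts.append((n, "unknown_principal", rec["principal"]))
            continue
        # 1. Column allowlist: the web tier has no business reading SSNs.
        bad_cols = rec["cols"] - pol["columns"]
        if bad_cols:
            alerts.append((n, "column_policy", f"{rec['principal']} read {sorted(bad_cols)}"))
        # 2. Per-statement row ceiling: a per-row application does not need 61000 rows at once.
        if rec["rows"] > pol["max_rows"]:
            alerts.append((n, "bulk_read", f"{rec['principal']} returned {rec['rows']} rows"))
        # 3. Daily aggregate: catch a slow drain of sensitive data made of individually normal queries.
        if rec["cols"] & SENSITIVE:
            key = (rec["principal"], rec["day"])
            before = daily[key]
            daily[key] += rec["rows"]
            if before <= pol["daily_sensitive"] < daily[key]:  # fire once, on the crossing
                alerts.append((n, "daily_ceiling",
                               f"{rec['principal']} passed {pol['daily_sensitive']} sensitive rows on {rec['day']}"))
    return alerts


if __name__ == "__main__":
    for line_no, kind, detail in detect(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against the sample, the checker raises nothing for the first six lines, flags the "reports" account on its fourth 4000-row query (each under the 5000-row statement limit, but 16000 rows of email in one day), flags the 61000-row read by "webapp" both as a bulk read and as a daily-ceiling crossing, and flags the "webapp" account's read of the ssn column. In a real deployment the policy table would be derived from observed baselines per application account and the alerts would feed an incident process rather than a print loop; the point is that the per-row and per-day views have to exist before any of these conditions can be noticed.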
Reputation and Loss
And what of the reaction of the Ameritrade customers whose email addresses were filched? The loss to Ameritrade's reputation can't be measured yet, but you can look to the amount that must be spent on credit monitoring services for the affected customers. "It is very hard to quantify the real cost of a breach such as this," Shulman says. "I think the first time we'll have a clue of the actual cost is when next year's TJX cost reports come out."