Friday, September 14, 2007

How not to handle data leaks: TD Ameritrade

I was greeted this morning by my broker's CEO. After telling me that he leaked my data he added:
"Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE. "
This is good, but even if they were exposed:
- if the passwords were "hashed" with nonces (like they should be) I have nothing to fear.
- if they were stored in cleartext or without nonces and if I had a weak password, I could just go and change it.
He continues to say:
"You continue to be covered by our Asset Protection Guarantee..."
and that is good because even if the password scheme and password were weak and the crook logged in before I changed my password, I am protected. Awesome! And so far so good, except that I would expect this announcement to being with an apology for leaking my data.

But reading further I start to get nervous:
"While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft."
On their FAQ page they say:
"After extensive investigations involving outside forensics experts, we have no evidence that this sensitive personal information was taken. That is one of the reasons why we have also hired ID Analytics. Its initial investigation has concluded that there is no evidence of identity theft as a result of this issue.Because of our ongoing investigation, we will not provide additional details."
In another place they say:
"In fact, we have been able to conclude that this sensitive information belonging to our legacy TD Waterhouse retail and institutional clients was not retrieved."
I wonder how they established this and already alienated by the rest of the PR material I am inclined to believe that this is misinformation as well.

They use the terms "extensive", "initial", "continuing" to describe their investigation depending on what they are trying to say. They use "initial" and "continuing" when trying to convince me that they cannot tell me how the forensic experts reached the conclusions they did but they use "extensive" when they want to convince me that these conclusions have been reached.

TD Ameritrade having no evidence that my sensitive information was leaked or of identity theft does nothing to calm my nerves. The crooks could still have this information. They could have covered their tracks so that there is no evidence. They may have left behind evidence which TD Ameritrade will never find (infact TD Ameritrade has a lot to gain by not finding this evidence and a lot to loose by finding it). They may not have used this information yet knowing the heightened alert level right now. What stops them from using this information later? The legal system is clearly not on my side as depicted by this ruling in another data leak case:
"Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy."
How would I ever be able to tie a future ID theft to TD Ameritrade's leak?

Why can TD Ameritrade get away with this? This is because my security is not their concern. It is an externality for them. The only way to solve this recurring problem is to change that and no advance in security technology can change the law. Meanwhile, not using immutable and leakable information for authentication will help ease some of the pain.

Now there is news coverage (Sep 17)

Add to Technorati Favorites
Add to Technorati Favorites
Add to Technorati Favorites

1 comment:

Elvey said...

Why can TD Ameritrade get away with this? This is because my security is not their concern. It is an externality for them.
Well, they're not getting away with it. I sued them, which is why they finally fessed up on Friday, even though they knew about the problem in '05. And when the judge determines damages (or there's a settlement), the externality will become a cost. Taking 2 years to address the problem suggests gross negligence to me. I wonder if their insurance will cover it. Hope not. The point of the suit is to send a message that it doesn't pay to be really sloppy about security.