More City life« an older post
a newer one »What a P.O.S...

Ameritrade privacy policies are clearly bunk


I've had an account at Ameritrade since they first opened. I'm not sure why I keep that particular account, but suffice it to say, I have made them a lot of money over the last eight or so years. They claim to have this wonderful security system, that no one can get through, many IT guys working around the clock to ensure all of their clients' personal information is secure, blah blah blah.

So imagine my surprise when I received a virus/spam email address to the email address that I use for my Ameritrade account.

As in, I use that email address for only communication with Ameritrade.

The email I send to them with that email address is encrypted from my system to theirs. The only way, as far as I can tell, for that email address to get out is either from some leak on my Linux box that's been turned off for the last 10 months, or some leak in their internal systems.

As I've done with a dozen other sites and businesses that "lose" one of my very specific email addresses, I contacted them to let them know they had a problem with their systems, please look into it. Usually I get a response back the following day denying the incident, and I respond with a, "no, no, here's the system you need to look at," quoting a particular IP address. Thus far, each and every company I've contacted has eventually responded with an apology and an admittance of a virus.

Not so with Ameritrade. Instead, they let me know that the problem was clearly a bruteforce attack of spammers, by going alphabetically through the dictionary and appending my domain name to the words, they've magically come upon my secret Ameritrade email address (which, by the way, contains no dictionary words in it - none), so clearly there's no virus inside their hallowed firewalls.

Complete and utter bullsh*t.

Any network that is 1. attached to the Internet in general and 2. has people actually using it is not 100% secure, and no one, absolutely no one will ever convince me otherwise. Too many reports (which, admittedly, I should track down so that I have proof of the following statement, but at the moment, I'm distracted) detailing social engineering break-ins, "innocent" downloads or even malicious jpg images, and, well, just plain stupid people in the world to be able to guarantee a completely secure network.

Flippant answers, canned answers and completely wrong answers all annoy me. Tragically, I have little faith any of the other trading houses are going to be any more diligent in their security, or even their customer responses. Hell, a "let me forward this to our security specialists, even though I really don't think this is a problem" is better than a patronizing, "clearly you're wrong if you think there's a problem with our security" reply.

Allow me to say this will document the beginning of the Ameritrade security hole that will most likely be disclosed within the year.