E*Trade Trading Accounts Not Secure, Expert Says
Online traders using E*Trade.com open themselves to major risks, according to a self-appointed Internet security watchdog.
"If someone wanted to take advantage of the security hole, they would be able to trade securities or transfer money away from E*Trade accounts or purchase securities in someone else's name," he said. "I understand this is insured against, but it certainly is a serious problem if your only business is trading securities."
Baker targets high-profile sites that insist their security systems are impenetrable.
Baker declined to provide specifics about the E*Trade hole, saying his goal was to allow users to protect themselves without giving the unscrupulous enough information to take advantage of the hole.
"A number of Web sites that we know of have fixed this problem. We also know there are still Web sites out there that have this problem," said Shawn Hernan, CERT's vulnerability handling team leader.
"There is a lot more to security than many Web sites market on," he added. "Many sites tout their extensive security systems but, in the end, the security of the whole system includes the end user's machine.
"If end user's machine has information that can be easily recovered, then that is an architectural weakness in the whole system," he said.
Between August 17 and August 21, Baker reports he discovered a number of vulnerabilities in the security of the E*Trade system. A summary of his findings was posted Friday on the Bugtraq security mailing list.
"I was in contact with the director of system security and the manager of security threat analysis," wrote Baker in his summary. "Officials indicated they were aware of the security problems but had not fixed them."
Officials at E*Trade had no immediate comment.