RealTime IT News

E*Trade Trading Accounts Not Secure, Expert Says

Online traders using E*Trade.com open themselves to major risks, according to a self-appointed Internet security watchdog.

Flaws in the E*Trade system make it possible for a remote third party to recover user names and plain-text passwords of any user, according to Jeffrey Baker, a San Francisco-based software developer who has discovered several JavaScript-related security holes on the Net.

"If someone wanted to take advantage of the security hole, they would be able to trade securities or transfer money away from E*Trade accounts or purchase securities in someone else's name," he said. "I understand this is insured against, but it certainly is a serious problem if your only business is trading securities."

Baker targets high-profile sites that insist their security systems are impenetrable.

"The sites that tell people they are most secure generally are not," Baker told InternetNews Radio. "I am getting sick and tired of seeing security rhetoric in the glossy manuals but not getting any demonstrated ability to secure things."

Baker declined to provide specifics about the E*Trade hole, saying his goal was to allow users to protect themselves without giving the unscrupulous enough information to take advantage of the hole.

He did acknowledge, however, that the vulnerability is based in part on "cross-site scripting," which is a known, JavaScript-based attack. In February of this year, the Computer Emergency Response Team (CERT) issued an advisory describing how a malicious user could introduce executable code into another user's Web session.

"A number of Web sites that we know of have fixed this problem. We also know there are still Web sites out there that have this problem," said Shawn Hernan, CERT's vulnerability handling team leader.

"There is a lot more to security than many Web sites market on," he added. "Many sites tout their extensive security systems but, in the end, the security of the whole system includes the end user's machine.

"If an end user's machine has information that can be easily recovered, then that is an architectural weakness in the whole system," he said.

Between August 17 and August 21, Baker reports he discovered a number of vulnerabilities in the security of the E*Trade system. A summary of his findings was posted Friday on the Bugtraq security mailing list.

"I was in contact with the director of system security and the manager of security threat analysis," wrote Baker in his summary. "Officials indicated they were aware of the security problems but had not fixed them."

Officials at E*Trade had no immediate comment.