RealTime IT News

Experts: E*TRADE Still Not Safe

Two days after E*TRADE claimed it had sealed a security hole that had been pointed out to it a month earlier, a watchdog said users' safety is still compromised.

It was made known to the public last Friday that one Jeffrey Baker, a software developer who has discovered several JavaScript-related security holes on the Net, found flaws in E*TRADE's system that enable third parties to recover user names and plain-text passwords of any user.

The popular but often embattled broker said Sunday it had changed its encryption technology, effectively gluing the loophole shut. But Weld Pond, manager of research and development for Internet security consulting firm @Stake, said that even though the company has fixed the hole Baker found, the site shows other signs of poor security design, such as a six-character limit on passwords. This makes accounts susceptible to what are called "brute force" or "dictionary" password-cracking attempts.

"These are just signs that the people who are building the site aren't really experts in security and they haven't had someone come in and do an assessment of the security of the site," Pond said. "So, it's always been a target and it will continue to be a target. This is just one problem that they're fixing -- there are many different problems that Web applications can have so if it has this problem, I would say there is a good chance that it has other problems."

James Mancini, Chief Strategy Officer for Netreo Inc., agreed Tuesday with Pond's assessment. He said a standard formula for password cracking shows that E*TRADE's six-character password limit and restricted character set do not provide the level of security needed.

"If you took that same password and just made it eight characters long it would take an average of 50 years to crack the password and a maximum of 101 years to crack the password just by adding 2 extra characters because you increase the potential entropy of the system by that much more," Mancini said. "So by limiting it to six characters and limiting the character set, they're creating an environment where it's practically very possible to brute force the passwords."
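The "standard formula" Mancini refers to is the size of the password space, charset size raised to the password length, which an attacker guessing at a fixed rate must search through (on average half of it). The following script is an added illustration, not code from the article, E*TRADE or Netreo; the guess rate, the 40-bit policy threshold and the two example policies are constructed assumptions, so the years it prints are not Mancini's figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker guess rate: a constructed figure for illustration only,
# not a value taken from the article. Real rates depend on the hash and hardware.
DEFAULT_GUESSES_PER_SECOND = 100_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def crack_time_years(charset_size: int, length: int,
                     guesses_per_second: int = DEFAULT_GUESSES_PER_SECOND):
    """Return (average, maximum) years to brute-force the space at the given rate.
    On average the correct password turns up halfway through the space."""
    total_seconds = keyspace(charset_size, length) / guesses_per_second
    return (total_seconds / 2 / SECONDS_PER_YEAR, total_seconds / SECONDS_PER_YEAR)


def meets_minimum(charset_size: int, length: int, min_bits: float = 40.0) -> bool:
    """Policy check: does the password shape reach an assumed minimum entropy?"""
    return entropy_bits(charset_size, length) >= min_bits


def compare(policies, guesses_per_second: int = DEFAULT_GUESSES_PER_SECOND) -> dict:
    """Tabulate entropy and crack times for (name, charset_size, length) policies."""
    rows = {}
    for name, charset_size, length in policies:
        avg, mx = crack_time_years(charset_size, length, guesses_per_second)
        rows[name] = {
            "bits": round(entropy_bits(charset_size, length), 1),
            "avg_years": avg,
            "max_years": mx,
            "passes_policy": meets_minimum(charset_size, length),
        }
    return rows


if __name__ == "__main__":
    # Constructed policies: a six-character lowercase-only limit versus
    # eight characters drawn from a 62-symbol alphanumeric set.
    policies = [("6 chars, a-z", 26, 6), ("8 chars, a-zA-Z0-9", 62, 8)]
    for name, row in compare(policies).items():
        print(f"{name}: {row['bits']} bits, avg {row['avg_years']:.2e} years, "
              f"max {row['max_years']:.2e} years, passes={row['passes_policy']}")
```

The point the numbers make is multiplicative: every extra character multiplies the search space by the charset size, and every extra symbol in the charset multiplies it again for each position, so a length cap and a restricted alphabet compound each other. Brute-force resistance also assumes passwords are chosen uniformly; dictionary attacks shrink the effective space far below these figures.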

E*TRADE did not return calls Tuesday afternoon.

This latest loophole appears to have been caused by the way in which E*TRADE encrypts and stores passwords on users' PCs using a cookie mechanism. By using a "cross-site scripting attack," an attacker could create a Web link allowing access to the cookie and the passwords it contains if an E*TRADE customer were to click on that link.
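The underlying design flaw is that a cookie readable by page scripts carried the password itself, so any script injection on the site (the cross-site scripting attack described above) could read it out. The following Python snippet is an added example, not E*TRADE's or Baker's code, contrasting that pattern with the usual hardened form: the browser holds only an opaque random session token, marked HttpOnly so scripts cannot read it, and the credential never leaves the server. The sample header, the cookie names and the credential-name heuristic in the audit function are constructed assumptions.

```python
import secrets

# Constructed example of the weak pattern: credential material in a cookie that
# page scripts can read (no HttpOnly, no Secure). Not a real E*TRADE header.
WEAK_SET_COOKIE = "etlogin=alice%3Ahunter2; Path=/"

# Server-side session store: opaque token -> user name (in-memory for the example).
SESSIONS = {}


def issue_session_cookie(user: str, store: dict = SESSIONS) -> str:
    """Hardened pattern: the password stays server-side; the browser receives only
    a random, revocable token that scripts cannot read (HttpOnly) and that is
    never sent over plain HTTP (Secure)."""
    token = secrets.token_urlsafe(32)
    store[token] = user
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def resolve_session(cookie_header: str, store: dict = SESSIONS):
    """Server side: map a Cookie request header back to a user, or None if unknown."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in store:
            return store[value]
    return None


def audit_set_cookie(header: str) -> list:
    """Flag Set-Cookie headers whose cookies scripts could read or that appear to
    carry credentials. The name-based check is a simple heuristic (an assumption
    for this example), not a complete test."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts (XSS exposure)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if any(word in name.lower() for word in ("login", "pass", "pw")):
        findings.append("cookie name suggests it carries credential material, not an opaque token")
    return findings


if __name__ == "__main__":
    print("weak:", audit_set_cookie(WEAK_SET_COOKIE))
    hardened = issue_session_cookie("alice")
    print("hardened:", audit_set_cookie(hardened))
    token = hardened.split(";")[0].split("=", 1)[1]
    print("resolves to:", resolve_session(f"session={token}"))
```

Even if a script-injection bug remains on the site, the hardened cookie limits what it can reach: the token is unreadable from script, and if it did leak it can be revoked server-side, whereas a leaked password cannot.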

"If someone wanted to take advantage of the security hole, they would be able to trade securities or transfer money away from E*TRADE accounts or purchase securities in someone else's name," Baker told InternetNews Radio this week. "I understand this is insured against, but it certainly is a serious problem if your only business is trading securities."

Baker had notified E*TRADE of the hole in mid-August, but the firm did not move to close it until a couple of days after news of the flaw was made public on BugTraq.

E*TRADE was besieged by a series of attacks by hackers earlier this year, although no customer accounts were compromised.