E*Trade Trading Accounts Not Secure, Expert Says

Online traders using E*Trade.com open themselves to major risks,
according to a self-appointed Internet security watch dog.

Flaws in the E*Trade system make it possible for a remote third party to
recover user names and plain-text passwords of any user, according to
Jeffrey Baker, a San Francisco-based software developer who has discovered
several
JavaScript-related security holes on the Net.

“If someone wanted to take advantage of the security hole, they would be
able to trade securities or transfer money away from E*Trade accounts or
purchase securities in someone else’s name,” he said. “I understand this is
insured against, but it certainly is a serious problem if your only business
is trading securities.

Baker targets high-profile sites that insist their security systems are
impenetrable.

“The sites that tell people they are most secure, generally are not,”
Baker told InternetNews
Radio
. “I am getting sick and tired of seeing security rhetoric in the
glossy manuals but not getting any demonstrated ability to secure things.”

Baker declined to provide specifics about the E*Trade hole, saying his
goal was to allow users to protect themselves without giving the
unscrupulous enough information to take advantage of the hole.

He did acknowledge, however, that the vulnerability is based in part on
“cross-site
scripting,”
which is a known, JavaScript-based attack. In February of
this year, the Computer Emergency Response Team (CERT) issued
an advisory
describing how a malicious user could introduce executable code into another
user’s Web session.

“A number of Web sites that we know of have fixed this problem. We also
know there are still Web sites out there that have this problem,” said Shawn
Hernan, CERT’s vulnerability handling team leader.

“There is a lot more to security than many Web sites market on,” he
added. “Many sites tout their extensive security systems but, in the
end, the security of the whole system includes the end user’s machine.

“If end user’s machine has information that can be easily recovered, then
that is an architectural weakness in the whole system,” he said.

Between August 17 and August 21, Baker reports he discovered a number of
vulnerabilities in the security of the E*Trade system. A summary of his
findings was posted Friday on the Bugtraq security mailing list.

“I was in contact with the director of system security and the manager of
security threat analysis,” wrote Baker in his summary. “Officials indicated
they were aware of the security problems but had not fixed them.”

Officials at E*Trade had no immediate comment.

News Around the Web