I was pleasantly surprised when I read last week that a judge refused TD Ameritrade's laughable settlement offer for the compromise of millions of accounts. TD Ameritrade's proposed settlement would have done nothing for the victims of the breach. I just wish the judge had indicated that he really understands something about computer security.
In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of as many as all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers. Did that hack result in a more serious compromise?
Only the criminal knows the full extent of what he did. But there was definitely a breach, and anytime customer data is compromised, the customers are at risk. That's why some enterprising lawyer put together a class-action lawsuit, leading to the ruling this week.
TD Ameritrade's offer came down to proposing that it hire a firm to determine who, if anyone, suffered more serious compromises. It would then give those customers a one-year licence for antivirus software. It also proposed performing a penetration test to look for other potential vulnerabilities.
I hope you weren't drinking anything when you read that; I told you the offer was laughable. Let's get the obvious out of the way first. It is nearly impossible to definitively figure out whether a particular identity theft was the result of a specific breach. Sadly, there are just too many breaches in the world to do that. By requiring this proof, TD Ameritrade seemed to be trying to eliminate all potential victims.
If anything, the offer of antivirus software is even more ridiculous. There is absolutely no way that antivirus software can stop someone's identity from being stolen if a criminal already has all of their identifying information. TD Ameritrade might as well give each victim a box of chocolates, which might at least help relieve the stress of having their credit ruined.
I am heartened that US District Court Judge Vaughn Walker in San Francisco seems to have recognised to some extent that TD Ameritrade was attempting to get away with doing what amounts to nothing for its customers. In his 13-page ruling, Walker described the additional security measures that Ameritrade proposed as "routine practices" that any reputable company should be taking anyway.
Nonetheless, I'm a bit leery that he added: "Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach." That just isn't true.
Penetration tests are essentially covert tests with little cooperation from the target. Only full-scope vulnerability assessments come close to reliably finding vulnerabilities. A full vulnerability assessment has the cooperation of the target, and allows for more complete assessment of the environment.
Also, a penetration test is limited in the potential vulnerabilities it can turn up. The testers use their standard methodologies, whereas criminals can use whatever methodology they choose. Criminals can put unlimited time and effort into compromising an organisation, whereas the testers have a limited scope and typically operate under rules of engagement that are irrelevant to criminals.
I hope the judge doesn't let penetration tests become the centerpiece of the eventual settlement. They are something that a company like TD Ameritrade should regularly perform anyway, and they aren't nearly as effective as things like the audits required under the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.
But what would be proper restitution? For starters, the settlement should do an end run around the limitations of class-action lawsuits. Such lawsuits are basically a transfer of wealth between the defendant and the plaintiffs' attorney, with the actual victims getting little, if anything.
I would suggest that TD Ameritrade provide identity theft protection and response for all clients, no questions asked. TD Ameritrade might balk at the potential expense, but the truth is that few people would actually take advantage of such an offer, because it's too much of a hassle or because they already are well protected on their own. But at least those who were truly vulnerable would be compensated in some meaningful way.
Additionally, TD Ameritrade should undertake vulnerability assessments at least every six months, with mini-assessments/penetration tests performed every three months. It should also be required to implement vulnerability management tools and services, along with systems that detect potential compromises.
We'll see just how information security-savvy Judge Wilson is when this case is finally settled.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his website, irawinkler.com