Schwab Admits Web Accounts Not Secure From Hackers : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Schwab Admits Web Accounts Not Secure From Hackers

Vanessa Hua and Verne Kopytoff, Chronicle Staff Writers, Friday, December 8, 2000. © 2000 San Francisco Chronicle


Financial services giant Charles Schwab acknowledged yesterday that a security problem could allow hackers to gain control of the online accounts of its customers.

It marks the second time in three months that this kind of problem has surfaced in the online brokerage industry. ETrade acknowledged such a flaw in September.

A San Francisco computer programmer first alerted the world's largest online broker in late August of the problem. After not seeing a fix, Jeffery Baker posted information on Wednesday about the problem on Bugtraq (www.…), a security mailing list.

Baker said the problem involves the use of "cross-site scripting" that enables an intruder to manipulate an account.

Baker, who investigates security as a hobby, decided to post the flaws because of Schwab's inaction.

"I told their security division and didn't receive any response for 11 weeks," Baker said.

Officials at Schwab, which has 4.2 million active online accounts, emphasized the security risk was minimal and said there have not been any known attacks. The San Francisco online broker has 7.4 million accounts.

To break into an account, a hacker would have to know the customer's name and e-mail address and act when the Schwab client is logged on, said spokesman John Sommerfield.

He said the company has implemented some temporary measures to deal with the problem and is working on a permanent solution that should be in place by the end of the year.

Sommerfield said the company takes security issues seriously. "We are always on the lookout for potential threats. But we need to balance it with functionality," he said. "Say you have a car, you can put 500 locks on it -- would you want to use that car?"

Security experts first warned of the cross-site scripting flaw in February and said it could affect hundreds of Web sites.

Online account holders can take protective measures to deal with the problem. While they are logged on to their accounts, they should turn off the browser's JavaScript and avoid surfing other Web sites or opening e-mail. In addition, after finishing using their accounts, they should remember to log off and shut their browser.

Chronicle staff writer Verne Kopytoff contributed to this report. / E-mail Vanessa Hua at

-- Martin Thompson (, December 10, 2000
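The article only says the flaw was "cross-site scripting" and that a victim had to be logged on when the attacker acted. As an added illustration, not code from the article, from Schwab or from Baker's Bugtraq post, the following models the general pattern behind that class of bug: a page that echoes a request value (here a hypothetical customer name) into HTML without encoding, beside the hardened version, plus a simple check a test suite can run over rendered output. All function names, markup and sample input are constructed for this example.

```javascript
// Added example (not code from the article or from Schwab): how a reflected
// cross-site scripting flaw arises when a page echoes a request parameter
// straight into HTML, and how output encoding neutralises it.

// Encode the characters that let untrusted data change HTML structure.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the parameter is concatenated into the page verbatim,
// so markup supplied by a third party runs in the logged-on user's session.
function renderGreetingVulnerable(customerName) {
  return `<p>Welcome back, ${customerName}</p>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text context.
function renderGreetingSafe(customerName) {
  return `<p>Welcome back, ${escapeHtml(customerName)}</p>`;
}

// The only tags the template itself is allowed to emit.
const TEMPLATE_TAGS = ["<p>", "</p>"];

// Review-time check: does the rendered page contain any tag that did not
// come from the template? True means untrusted input reached the markup.
function containsForeignMarkup(html, templateTags = TEMPLATE_TAGS) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !templateTags.includes(tag));
}

// Constructed sample input: a "name" that is really a script element. The
// body is a placeholder comment; the point is that the tag survives intact.
const hostileName = "<script>/* attacker-chosen code */</script>";

console.log(containsForeignMarkup(renderGreetingVulnerable(hostileName))); // true
console.log(containsForeignMarkup(renderGreetingSafe(hostileName)));       // false
```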
