What TD Ameritrade is doing about security
What you can do about security
Protect yourself against identity theft
What TD Ameritrade is doing about security
The TD Ameritrade Security Statement
TD Ameritrade is strongly committed to providing its clients with one of the highest levels of security in the industry. Protecting your information and assets is one of our top priorities.
How secure is your information?
TD Ameritrade employs a dedicated staff of information-security professionals and has made a significant investment in leading-edge security software, systems, and procedures. They're specially designed to safeguard your trading environment, your personal information and financial assets. And we continue to monitor, refine, and upgrade our security operations as new tools and techniques become available.
From the minute you open a TD Ameritrade account, we go to great lengths to protect your security. For example, TD Ameritrade clients are required to create unique UserIDs and alphanumeric passwords to log on to the secure Web site. Also, the TD Ameritrade secure Web site encrypts all the information sent between your Web browser and our computers.
TD Ameritrade offers security preferences that you can control. The site timeout setting defaults to 55 minutes. If you log on to the secure site and do not take any action for 55 minutes, the system will log you off. (Please re-enter your UserID and password to log on again.) The review page timeout default is 90seconds; trades that are not confirmed within 90 seconds are automatically cancelled. Additionally, if someone submits an incorrect UserID and password combination ten times, the Web site will lock the user out. «
What are the added protection measures?
TD Ameritrade also utilizes state-of-the-art firewall and intrusion detection technology to keep unauthorized parties from having access to your account and personal information. The public Web servers are kept physically separated from the servers that contain your account and personal information. That means they can't be accessed directly from the Web. Access is allowed only through well-defined scripts and is firewall-controlled.
Internally, client information is protected through industry-standard security mechanisms and policies that limit employee access to personal information on a need-to-know basis. «
Why are cookies important?
The TD Ameritrade trading Web site uses a common technique, HTTP-header cookies. These cookies do not contain any personal or account-identifying information. They simply enable the TD Ameritrade system to recognize that a request sent to it is coming from someone who has already logged on.
The information in the cookie is temporarily stored in memory and available to TD Ameritrade only while you're logged on to our Web site. Once you log off or close down your browser, the information is removed from your computer.
What is encryption and how is it used?
Encryption is used to protect messages from eavesdropping, tampering, or message forgery over the Internet. It's a mathematical process that transforms a message so its meaning is concealed from everyone except the intended recipient. Encryption technology is used in many e-commerce applications for such things as securely transmitting account information over the Internet.
The TD Ameritrade secure Web site will encrypt the transmission of all personally identifiable, Web-based financial information that is transmitted between our Web site and your computer. «
What is Secure Sockets Layer (SSL)?
One way we protect your information is by using a security standard known as a "Secure Sockets Layer" (SSL). It's the leading standard for securing Web transmissions and is supported by the leading browsers: Apple Safari™, Microsof® Internet Explorer, and Netscape®, among others. «
How can you tell that SSL is in effect?
The Uniform Resource Locator (URL) or Web address of a secure document begins with "https://." The additional "s" on the end of the familiar "http" indicates a secure, encrypted connection to the Web site. Also, every secure page on the TD Ameritrade Web site has been identified with a digital certificate.
To view this certificate, just click the image of the closed lock or the solid key (depending on your browser) on the bottom bar of your browser window. A small frame displaying site security information will appear. If you use Internet Explorer, click "Subject" to verify the Web site. Then click "Issuer"' to verify the site certification authority, making sure it's "Issued to" a URL that ends in ameritrade.com. If you use Netscape Navigator, click "View Certificate" to see information on the subject and issuer.
How secure is SSL?
SSL uses encryption "keys" which can be various sizes - the larger the key length, the greater the number of possible combinations. Likewise, the more difficult it is for someone to decrypt the message, the more secure the message.
While the TD Ameritrade secure site operates using the maximum level of encryption supported by your browser, those wishing to maximize the security of their Web activities are encouraged to obtain a browser with a 128-bit SSL encryption key, where allowed by law. You can download these browsers from either Microsoft or Netscape at no cost except connect time. «
What doesn't SSL do?
SSL, by itself, does not ensure complete privacy. For example, the lock icon on Internet Explorer and the key icon on Netscape Navigator only indicate that your browser has established a secure connection with a server on the Internet. There's no guarantee that you're connected to the server you wanted. If you're in doubt, you should check the certificate.
Also, SSL does not protect your computer from intrusions such as key loggers, spyware, Trojan horses, viruses, or worms. «
What you can do about security
Although TD Ameritrade does everything possible to ensure security, there are many steps you can take to protect your TD Ameritrade accounts. First, let's take a look at some of the major threats to computers. «
Major threats to computers
The ultimate goal of an identity thief is to steal your personal information and eventually, your money. The methods that identity thieves employ fall into several categories. It helps to understand the different types of attacks so you can see why one form of protection, such as an anti-virus program, does not substitute for another, such as a firewall.
A system compromise can be any number of issues including a virus, worm or Trojan, but may also be a direct compromise by a hacker. A system compromise can happen locally (physical access to the computer) or over a network connection (office network or over the network). A computer may be compromised many different ways including exploiting an unpatched weakness on the computer or a misconfigured network share directly rather than by using a piece of software such as a Trojan. «
Viruses and malicious code
The term "virus" is often used to describe any type of harmful attack on a computer system. But really, viruses are just one form of attack. Other attacks include Trojan horses, worms, and system breaches.
The definitions below are based on how the attack is carried out and spreads, not why. For each method, the purpose may range from a simple prank to attempting to destroy a computer or network, to recording and stealing information from the computer. «
A virus is a small piece of computer code that requires user interaction to infect a piece of software, embedding itself and using the software to reproduce and spread. «
Unlike viruses, worms are stand-alone programs, they do not embed themselves into another piece of software. Worms spread by duplicating themselves without the intervention of a user. «
A Trojan horse, sometimes referred to just as a Trojan, is a stand-alone program that spreads itself masquerading as a harmless file or program and tricking the user into installing it on his or her machine. Many Trojans come to a user appearing to be a picture, screensaver, e-mail attachment, or a file downloaded from the Internet. Once a user opens the attached file, the Trojan installs itself on the computer and may take over the computer's e-mail program or use its own e-mail program for malicious purposes. «
Operating system and application updates
Operating systems (like Microsoft Windows® and MAC OS® X) and applications (such as Internet Explorer, Safari and Outlook®) leave your computer vulnerable to hackers, viruses, worms, and other system compromises.
Updated operating systems like Windows XP enable the user to take advantage of free, automatic updates for all Windows products. The free Windows Update software can scan your machine for any un-installed Microsoft updates. Windows Update can also be configured to automatically search for and download new updates daily (recommended) or on your own schedule so you'll be able to protect your computer against the latest Internet security threats. Visit http://www.microsoft.com/ to download Windows Update.
With Macintosh® operating systems 10.0 and higher, users can update their systems and set their preferences for automatic updates by choosing System Preferences from the Apple menu, opening "Software Update" and setting the automatic update schedule or initiating a search for updates directly.
TD Ameritrade does not recommend or endorse, and cannot warrant performance of any particular software product.
For information on updates for other operating systems and applications, consult the documentation accompanying the software, or review the manufacturer's Web site.
Regardless of what company provides the software, all operating systems and applications should be updated as soon as updates become available. «
Safeguarding your computer
There are many steps you can take to protect your TD Ameritrade accounts. For example, don't share your PINs and passwords with anyone. Make sure no one is watching when you enter your PINs and passwords. It is also important to log off of the TD Ameritrade secure Web site and exit the browser when leaving the computer.
Certain companies may offer to provide services to you by accessing your accounts through our site. If TD Ameritrade does not have a relationship with the company that provides the proper protocol for access, the security of your account can be at risk.
Moreover, that company's use of your PIN and password will be governed by its own policies. Anytime you disclose your information to third parties, you are opening yourself up to unauthorized use or access for which TD Ameritrade cannot take responsibility.
If you forget your PIN or password, please send a signed form to TD Ameritrade to have a new PIN or password issued to you. Meanwhile, here are some other precautions you can take: «
Even if your personal information is not stored on your computer, some programs known as key loggers can record the information you enter into Web sites. Viruses, worms, and Trojans often contain key logger programs. You should use an anti-virus program with up-to-date virus definitions to minimize the risk of viruses, worms, key loggers, or Trojans on your computer.
While TD Ameritrade does not recommend or endorse, and cannot warrant performance of any anti-virus product, the following companies produce popular anti-virus software:McAfee®, Symantec®, Trend Micro™.
Anti-virus software can be configured to automatically search for and download new virus updates daily (recommended) or on your own schedule. The Web sites of each company mentioned above also provide free scanning service so you can immediately check your computer for viruses.
Such scans are not an adequate substitute for maintaining up-to-date, anti-virus software on each computer you own. Also, scanning services will not protect your computer from becoming infected in the future with a virus. In addition, scanning services may be blocked by a firewall or router deployed by you or your Internet service provider (ISP) and may not return accurate results. «
To ensure privacy, use a relatively current and efficient browser.
The browser requirements for the TD Ameritrade Web site are:
Personal Computer (PC): Microsoft Internet Explorer 5.5 or later, Netscape 7.1, Mozilla 1.5
Macintosh: Mozilla 1.7.2 or later, Safari 1.2
If you are an AOL® user, we suggest you consider downloading use one of the browsers listed above to use the TD Ameritrade secure Web site. «
An Internet connection puts your PC and any information it may contain at risk for hackers, viruses, worms, key loggers, Trojan horses, and other system compromises. You should use a personal firewall, especially if you are using "always on" broadband Internet access (cable or DSL).
A firewall controls traffic between a computer and a network to ensure only legitimate traffic takes place. Also, a firewall disguises and hides the presence of computers behind it (or simply protects one individual machine), making it more difficult for a hacker to find and attack computers.
There are two types of firewalls: software and hardware. Software firewalls are programs that run in the background on a computer and monitor the activity in and out of that computer. Hardware firewalls are physical devices that are placed between a computer or local network and the Internet. Most home networking routers include an integrated hardware firewall.
A software firewall should be installed on all your computers, regardless of your connection type - broadband or dial-up. In addition, it is recommended that you use a router for additional protection when using an "always on" broadband Internet connection. Your computer is constantly exposed to attacks from hackers and worms with a broadband connection because it is always hooked up to the Internet.
While TD Ameritrade does not recommend, endorse, or warrant the performance of any particular product, the following companies provide popular products:
Personal firewall software:McAfee®, Symantec®, Zone Labs™.
Operating systems: The Windows XP operating system with the latest service pack updates enables the user to take advantage of the built-in, free Windows firewall with inbound and outbound traffic control.
Personal hardware firewall/router:Linksys®,D-Link®. «
One of the most effective and easiest ways to protect your personal information and financial assets is to create and use strong, unique passwords for each of your online accounts. TD Ameritrade clients are required to create unique UserIDs and alphanumeric passwords to access the secure Web site (in place of an account number and PIN). «
A strong password should include both alpha (A-Z) and numeric (0-9) characters, and be at least seven characters in length. Be sure to choose a password that is easy for you to remember but hard to guess and not personally associated with you in any way. Also, change all of your passwords frequently.
Do not use:
Do not store or save passwords on your computer. Also, don't use any sort of automated system to remember or fill in your passwords, including the auto-fill function included with some Web browsers. Try to memorize your passwords, rather than writing them down. But if you do write them down, keep them in a safe, secure place, preferably away from your other financial information. «
Birth dates, anniversary dates, etc. as part of your password.
Addresses, phone, or Social Security numbers as part of your password.
Your name or the names of pets and relatives as part of your password.
Celebrity names, sports teams, license plate numbers, or any word (spelled backward or forward) that you can find in the dictionary.
Your UserID as part of your password.
Be on the lookout for e-mail scams. For example, many of the e-mail scams today may appear to come from a trusted source, such as a friend, bank, or large corporation. If you're asked for personal information (such as account numbers, Social Security numbers, passwords or other sensitive information), you may have received a fake e-mail. Don't reply to it.
In a scam known as "phishing," an imposter sends out a large quantity of spam e-mails that are made to appear as if they come from a legitimate organization, such as TD Ameritrade. But in reality, they're an attempt to gather account and other personal information under false pretense.
You might be asked to reply to the e-mail. Or there could be links to a Web site created by the imposter, where you might enter the information without knowing the Web site was fraudulent.
Please be aware that TD Ameritrade will never send you an e-mail requesting account numbers, UserIDs, PINs, passwords, or other personal information. If you're concerned about an e-mail, do not enter any of your account or personal information into the Web site that's provided in the e-mail, or reply to the e-mail itself. It is best not to reply to any suspicious e-mail. A reply may encourage further attempts to defraud. «
Any e-mail attachments that you receive could potentially contain a virus or Trojan. For that reason, you should be skeptical of all e-mail attachments, even if you recognize the sender of the e-mail. Do not open an attachment unless you were expecting to receive it.
Before you open an attachment, you should check with the person who sent you the e-mail to confirm that they actually intended to send you a file. The sender of a virus-infected attachment may not realize that his or her computer is infected with a virus or know that an attachment was included in the e-mail. He or she may not have even sent the e-mail, as some viruses generate e-mails automatically.
Furthermore, viruses can now disguise, "trick" or "spoof" an e-mail address to make it appear that the e-mail came from a particular person, when in fact, it was sent by a virus from an entirely different computer. This is how hackers are able to hide the source of the virus infection, avoid detection and keep the virus from being cleaned off of the infected machine. «
There are several commercial and non-commercial products that, much like the anti-virus applications available to counter viruses, will locate and remove spyware. While anti-virus applications will detect and remove some well-known spyware, their primary focus is not to protect against spyware, and they should not be relied on to do so.
Since new products like this are developed every day, TD Ameritrade cannot recommend or endorse any particular product. It is best to obtain any spyware products from a trusted source, such as a computer retailer or a reputable download source. «
Protect yourself against identity theft
Identity theft background
Identity theft is one of the fastest growing crimes of our times. In 2003, losses from fraud amounted to more than $400 million. That same year, the Federal Trade Commission received over 500,000 consumer fraud and identity theft complaints. That's more than three times the number of complaints reported in 2002.
By 2005, it's estimated that one in four individuals will fall victim to identity theft. Our goal is to help educate our clients about identity theft and the precautions to take in protecting their personal information. We've also included some steps you can take to protect your credit and identity if you should ever become a victim of identity theft. «
What identity theft means
Identity theft isn't as simple as someone stealing your wallet and shopping with your credit cards. It involves much more; it's the crime of actually assuming someone's identity by acquiring information about that person (such as Social Security number, driver's license, or credit card number) for the purpose of committing fraudulent acts.
For example, a thief may be able to obtain a new credit card, apply for a loan, purchase a new car or home, and even file for a tax refund - all in your name. And by the time you find out about it, the damage could be severe. It can be very costly and time-consuming to unravel the damage done to your credit and reputation when your identity has been compromised.
Measures have been taken by the government to raise awareness, address this crime, and provide assistance to victims. But these actions do little to prevent the problem before the damage starts. «
Ways to protect yourself
Here are some other steps you can take to protect your personal information:
Do not use public computers. Public computers (such as in airports, hotels, libraries, or restaurants) may be infected with key loggers that record the information you enter.
Check your credit. Order a copy of your credit report at least once a year and review it for any inaccurate or fraudulent activity. (By law, a credit bureau cannot charge you more than $9 for a copy of your credit report, and in many states, must provide a copy for free upon request at least once per year.) Immediately report any unauthorized accounts or usage. If you discover that your information or account(s) have been compromised, contact one of the major credit reporting bureaus.
Watch for and check your statements. Pay attention to your billing cycles and contact the creditor if your bill does not show up on time. Review and reconcile your financial statements each month, and report any entry you do not recognize.
Keep good records. Keep a list of all your accounts and credit cards in a safe place. Be sure to include account numbers, expiration dates, telephone numbers of client service and fraud departments, and any other pertinent information you may need in case of an emergency.
Use passwords/PINs and protect them. Place a password/PIN on each of your credit, bank, and phone accounts and memorize them. One of the most effective and easiest ways to protect your personal information and financial assets is to create and use strong, unique passwords for each of your online accounts.
Protect your credit cards and other documents. Never leave your purse or wallet unattended. Don't carry extra credit cards, or your Social Security card, birth certificate, or passport with you unless it's absolutely necessary. Limit the number of credit cards you have and cancel any inactive accounts. Keep your personal information in a safe place in your home, especially if you're having work done in your household, employ help inside your home, or have roommates.
Watch what you say on the phone. Never give any bank, credit card, securities, Social Security number, or other personal information over the telephone unless you know who the caller is. If the call seems suspicious, take the name and telephone number of the individual, and use a phone number you are familiar with to call back and verify the caller's identity.
Safeguard your mail. Consider installing a lockable mailbox at your residence to reduce the chance of mail theft. Leave outgoing mail in post office collection boxes or at the post office.
Keep track of your checks. If possible, pick up your new checks at the bank. If they are shipped to you, make sure they're all accounted for. One common method of identity theft is to steal a check from the bottom of a box of checks.
Shred important papers. Be sure to destroy:
Any blank checks that you have after you've closed a bank account.
Courtesy credit card checks that you do not intend to use.
All credit card receipts.
Debit and ATM receipts.
All personal documents (e.g., insurance or physician statements, credit applications, etc.) and bill statements, especially financial statements.
Anything with your Social Security number on it.
Beware of scams. Watch for promotional and prize scams designed to gain access to your personal information. Beware of credit repair scams and offers for free credit reports.
Check at work. Inquire about the information security practices in your workplace and verify that personnel records have restricted access and are stored in a secure location. «
Questions to ask about the use of your Social Security number
When someone asks you for your Social Security number, be sure to ask these questions:
Some businesses may require your Social Security number for wage and tax reporting purposes, or may need the information for credit checks pertaining to loans. If you do not provide your Social Security number, some businesses will not be able to provide you with the services you would like. Other businesses want your Social Security number for internal usage. «
- Why do you need my Social Security number?
- How will my Social Security number be used?
- How do you protect my Social Security numbers?
- If I do not provide my Social Security number to you, what will happen?
What to do if you're a victim of identity theft
If you notice any unauthorized activity or accounts, act immediately so you can minimize the damage and protect your credit. You can arrange to have a fraud alert placed on your credit report by calling one of the major credit bureaus toll-free. The two other credit bureaus will automatically be notified and will place a fraud alert on their credit reports as well. «
Contacting credit bureaus and Social Security office
Contact the fraud departments of the three major credit bureaus and the Social Security Administration. While requesting a fraud alert to any one credit bureau will result in the alert being placed on your report at all three, it is important to contact all three to ensure that you have identified all potential fraudulent activity.
|TransUnion Fraud Victim Assistance Department
|PO Box 6790
|Fullerton, CA 92834-6790
|Equifax Consumer Fraud Division
|PO Box 740241
|Atlanta, GA 30374-0241
|Experian National Consumer Assistance
|PO Box 9532
|Allen, TX 75013
|Social Security Administration fraud line
When you report identity theft to the credit bureaus, you'll be given a free credit report from each so you can verify the information in the accounts that are associated with your personal information.
- Review your credit reports for unexplained debts, accounts that you did not open and credit inquiries that you did not initiate.
- Review and confirm that your personal information (such as Social Security number, address, name, and employer) is correct. Inaccuracies may or may not be an indicator of identity theft. But the credit bureaus should be notified of any changes in writing and by phone.
- Periodically review your credit report for inaccuracies and fraudulent activity, especially in the first year after you've discovered identity theft. After you receive your initial reports, you will have to contact each of the credit bureaus separately to receive additional copies of your credit reports and further fraud reports.
Please note: Residents of Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont are entitled to a free annual credit report. Regardless of the state that you live in, you can get a free report if you are a victim of identity theft, unemployed, or have been turned down for credit or a job because of a negative report. California residents who are identity-theft victims are entitled to a free monthly report for one year. «
Other organizations to contact
Banks and other financial institutions - Contact all the financial institutions you deal with and ask for an accounting of any current activity so you can verify it. Close any accounts that have been tampered with. Be sure to fill out a fraud dispute form if you discover any fraudulent activity.
Other companies - If you notice an unauthorized account or any unauthorized activity, contact the company that billed you. Close any accounts that have been opened fraudulently. Ask if the company accepts the ID Theft Affidavit or if it has its own fraud dispute form.
Police - Contact authorities, such as your local police department and the police in the city in which the identity theft occurred. Keep a copy of the police report or report number to validate your claims to creditors.
For more information, visit the following Web sites: