# Tos



## Causalien (Apr 4, 2009)

Today, I got the call center run around trying to get my security token replaced. 1 hour and 30 minutes and 6 transfer later, they figured out that TOS canada aka TDW doesn't issue security tokens anymore.

I am saddened by the decrease in security (as if Canadians are less likely to be hacked) and also by the drop in their support quality. Everything TD touches, seems to change the corporate culture to an impersonal one. From my experience, when a broker reaches this point, it is usually down hill from here as they focus more on profit margin. (Amount of calls per agent per hour. Average length of calls etc.)

Otherwise, their platform is still great. Now if only I can find one with the same great platform. Time for me to hunt for a new broker again and see if anything better is out there.


----------



## Eclectic12 (Oct 20, 2010)

Causalien said:


> Today, I got the call center run around trying to get my security token replaced. 1 hour and 30 minutes and 6 transfer later, they figured out that TOS canada aka TDW doesn't issue security tokens anymore.
> 
> I am saddened by the decrease in security (as if Canadians are less likely to be hacked) and also by the drop in their support quality. Everything TD touches, [ ... ]
> 
> Otherwise, their platform is still great. Now if only I can find one with the same great platform. Time for me to hunt for a new broker again and see if anything better is out there.


I take it by TDW you mean TD Waterhouse discount brokerage in Canada.

If so, I'm confused because as a customer of many years, I've *never* had a security token.

Then too - my impression is that *security has increased*. Long gone are the days when I could switch computers with the account number and password as the only gatekeeper. Now I have to respond to security questions as well.


Out of curiosity - do any other discount brokerages, bank or other financial institutions provide a security token? 

The ones I've received have been from employers.


Cheers


----------



## m3s (Apr 3, 2010)

TOS came from the US and therefore had a physical security device before TDW changed things. My US based IB account and Euro based accounts also have physical devices, besides just a pw and basic security questions that anyone can figure out. I looked into TOS but it has been unavailable for new accounts in Canada


----------



## Causalien (Apr 4, 2009)

I don't get why they take away the security token when a brokerages move to Canada. Is it a law or something? Question to those working in the industry. Does your IT know how easy it is to hack the accounts secured by password only? When there is money behind those password, the hackers have a motivation.


----------



## humble_pie (Jun 7, 2009)

hunt away. In the end you'll come to the same writing on the wall. Ozymandias. No one broker can be all things to all clients, it says. Look on my works ye mighty & despair.

btw little birdie tells me that TOS is not tdw's big green future after all. This is going to be another platform, bird says. There are some cost obstacles to work on.

in the meantime td's activetrader & webbroker platforms outstrip most others, esp when one figures in that IB doesn't have registered accounts. TD waterhouse is most definitely *not* declining.


----------



## ddkay (Nov 20, 2010)

OTP hardware tokens might cost money, but there are cheaper solutions like client-side software key generators or SMS.

What could explain that they scrapped the system entirely other than terrible regulation? They won't spend money unless they have to.

In the rest of the world two-factor authentication is standard for all financial services because of effective regulation.

It's like they want to make it easy for criminals here...

also what's so special about Active Trader? It's an overpriced version of AxisPro. They won't even give you "free" access to it unless you pay $1500/quarter in commissions.


----------



## Causalien (Apr 4, 2009)

I thought about this some more and realized that what I need to do, is open an account with TD Ameritrade in the US and all my problems are solved.

Thinking back, all the problem started when I was forcibly pulled into Canadian legislation due to my address. If TD Ameritrade remained as great as it was before and that my service only went downhill because I am categorized as TDW canada. Then the conclusion is obvious. Our laws made it so... somehow.


----------



## humble_pie (Jun 7, 2009)

cause if you live here in canada you won't be able to open an account with an american broker. Vice versa also applies. They have all these reciprocal agreements ...

from time to time i run into somebody whose case has fallen between the cracks & they have accounts in both countries. But the financial houses involved are always small & obscure, & frankly they should know better.

a big outfit like the td, owner of both td ameritrade & td waterhouse canada, will never let you get away with it


----------



## Four Pillars (Apr 5, 2009)

Eclectic12 said:


> Out of curiosity - do any other discount brokerages, bank or other financial institutions provide a security token?


I had a business checking account at HSBC which had a token.


----------



## Eclectic12 (Oct 20, 2010)

mode3sour said:


> TOS came from the US and therefore had a physical security device before TDW changed things. My US based IB account and Euro based accounts also have physical devices, besides just a pw and basic security questions that anyone can figure out. I looked into TOS but it has been unavailable for new accounts in Canada


Okay ... then it makes more sense as to why it would be an irritation. 

From a Canadian financial industry perspective, I suspect not many are providing tokens.

As for the "basic security questions that anyone can figure out" - that's only if you stick to the script when saving the answer.

In my case, a hacker can search for my mother and father's maiden name all they want, the answer I put in is neither. Even if it were, I'm not so sure they'd figure out that what in my memory is "Smith" was saved as "$mith".


IAC, security tokens have also been hacked.
http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/
http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars


Cheers


----------



## Eclectic12 (Oct 20, 2010)

Four Pillars said:


> I had a business checking account at HSBC which had a token.


Interesting .... that's one.

Anyone else?

< ... Inquiring Minds Want to Know .... >


Cheers


----------



## ddkay (Nov 20, 2010)

.. & I use 24 character alphanumeric and special character passwords where I'm allowed. However, if you got key logged on a compromised computer none of that matters. Randomly generated OTPs with time expiry have their purpose, it may not be the best security (there's no such thing, in the end the greatest fault is human error), but it's the best we have.

That RSA embarrassment was human error, there is nothing inherently wrong with the system's design. Organisations can generate and manage their own seed records and program their own tokens. So the lesson is never trust 3rd parties with your customer's sensitive data.


----------



## Causalien (Apr 4, 2009)

It's the key loggers installed from a malicious flash/script that I am worried about. Normal fishing operation involves getting a compromised page with search terms that are popular amongst investors. Then get them to execute the script on your browser.

I just recently had to clean my production PC because of a new infection. I had ad/flash/script blocker on. Different browser for bank,browsing,production and tiered password randomly generated. And I am very careful. Yes I caught it. But I know tech. Imagine the tech challenged general population.


----------



## Causalien (Apr 4, 2009)

humble_pie said:


> cause if you live here in canada you won't be able to open an account with an american broker. Vice versa also applies. They have all these reciprocal agreements ...
> 
> from time to time i run into somebody whose case has fallen between the cracks & they have accounts in both countries. But the financial houses involved are always small & obscure, & frankly they should know better.
> 
> a big outfit like the td, owner of both td ameritrade & td waterhouse canada, will never let you get away with it


So a guy from China can open one and get the full benefit, but not me. This is just twisted.


----------



## TDCanada (Mar 17, 2011)

Hi All. It's Chris from TD. We understand your concerns about security and want to provide some info. First, we want to assure you that our web services are secure, whether it's Web Broker or EasyWeb. We wouldn't offer online services if we couldn't guarantee your security, so each is covered by our Online Security Guarantee. For Web Broker, you can read more at http://bit.ly/AzDtuD. It's not just about your password(s) though. Your password is only one part of the process. To read more about all we do (ie; additional trading password, IdentificationPlus, 24/7 monitoring, etc) please give http://bit.ly/x4jsN5 a read. Good security also depends on you, so we offer tips and advice to help you protect yourself as well at http://bit.ly/syafBm. We hope this info and links help and provide some reassurances. If you have any questions or further feedback, please feel free to email us at [email protected]. ^CT


----------



## m3s (Apr 3, 2010)

I think I should be on a first name basis with TD's 24/7 monitors. For someone who travels constantly it gets pretty old. Having fake security question responses to "prove your identity" is a good idea, but I don't think many Canadians do that.

TD asks Canadian: "To prove your identity, please name your favourite team" That's a tough one to guess!

All in all it's safe enough for me, but I think physical security devices are smart to have. It's not that they can't be hacked (anything can be hacked) It's that you need both a physical device (like a key) as well as a pin/pw


----------



## Causalien (Apr 4, 2009)

Hi TD,

You guys migh want to remove the security token tab option in TOS web account management under account --> change password.

Also the phone number listed on that page is for TD ameritrade in the US


----------



## CanadianCapitalist (Mar 31, 2009)

TDCanada said:


> Hi All. It's Chris from TD.


Hello TD. If you are going to come in here and make a post, at least try and address the issues that OP is having. If all you are ever going to post is corporate rah-rah, then we'll have to ban your account.


----------



## TDCanada (Mar 17, 2011)

Causalien said:


> Hi TD,
> 
> You guys migh want to remove the security token tab option in TOS web account management under account --> change password.
> 
> Also the phone number listed on that page is for TD ameritrade in the US


Hey Causalien. Thanks for the feedback and tip. We don't have direct access to TD Waterhouse services, and while we can forward them feedback, it may be a good idea for you to contact them so they completely understand where you're coming from. They'll be best able to review and take any required action. You can email them at [email protected] with the info you've provided in your post or call the EBS Helpdesk at 1-800-667-6299, available 24/7. Any feedback that helps us improve is good feedback  Thanks! ^CT


----------



## TDCanada (Mar 17, 2011)

Causalien said:


> Hi TD,
> 
> You guys migh want to remove the security token tab option in TOS web account management under account --> change password.
> 
> Also the phone number listed on that page is for TD ameritrade in the US


Hi Causalien. Chris again from TD. As a followup, let me know if you experience any further frustrations when you follow the contact steps we've provided. We're here to help. ^CT


----------



## Mockingbird (Apr 29, 2009)

humble_pie said:


> cause if you live here in canada you won't be able to open an account with an american broker. Vice versa also applies. They have all these reciprocal agreements ...
> 
> from time to time i run into somebody whose case has fallen between the cracks & they have accounts in both countries. But the financial houses involved are always small & obscure, & frankly they should know better.
> 
> a big outfit like the td, owner of both td ameritrade & td waterhouse canada, will never let you get away with it



The US brokers cannot open accounts for Canadians unless they are registered ($$$$) with our regulators. And we know each province has its own regulatory body.

The typical account opening disclaimer will be something like this...
"We cannot open accounts for the residents of Cuba, Iran, Iraq, North Korea, Somalia,... and Canada." 

MB


----------



## Eclectic12 (Oct 20, 2010)

ddkay said:


> [ ... ]
> 
> That RSA embarrassment was human error, there is nothing inherently wrong with the system's design. Organisations can generate and manage their own seed records and program their own tokens. So the lesson is never trust 3rd parties with your customer's sensitive data.


While that is good to know, the NY Times blog says that RSA is just a vulnerable to malware or a regular password. It is a 2009 article so hopefully a fix has been developed by RSA, in addition to finding a way for Anti-Malware software to protect against it.


Cheers


----------



## Causalien (Apr 4, 2009)

TOS switched to something else after the leak. But the scheme is to protect against keyloggers mainly. Hey, if they broke the RSA encryption, I worry even less, because I know it's not me who will be liable to reimburse my loss.

You know how US politicians protect themselves against Chinese data theft when they visit China? That's what I have to do now with all my Canadian online broker. 

Then again, I am just paranoid. But big brother DO eavesdrop on your phone conversations. A concept that was still incredulous 10 years ago.


----------



## Causalien (Apr 4, 2009)

Mockingbird said:


> The US brokers cannot open accounts for Canadians unless they are registered ($$$$) with our regulators. And we know each province has its own regulatory body.
> 
> The typical account opening disclaimer will be something like this...
> "We cannot open accounts for the residents of Cuba, Iran, Iraq, North Korea, Somalia,... and Canada."
> ...


Thanks Mockingbird,

That was the hint I needed to how to open a US account.


----------

