Who's Trading Your E-mail Addresses? 355
What's surprising is that as far as I can tell, AmeriTrade has taken almost no heat in the media for letting this happen. Despite the abundant testimonials from bloggers who had their addresses leaked, the story never crossed over into the "mainstream" Internet press. In a recent Bloomberg News story, the FBI warned that E*Trade and AmeriTrade users were vulnerable to spyware installed by criminals in hotels and cybercafes to capture accounts and run pump-and-dump stock spams; no mention of the fact that all AmeriTrade e-mail addresses were apparently already in the hands of spammers anyway (although no one knows if usernames and passwords were leaked to the spammers as well).
This doesn't bode well for anyone who uses any type of online service and wants that service to keep their personal information secure. If AmeriTrade got skewered in the media for leaking customers' personal information to spammers, other companies would see that and learn the lesson. On the other hand, if AmeriTrade gets away with it with barely a whisper in the mainstream news, other companies are going to take note of that, too. Besides, spam and identity theft hurt everyone, not just the victims, because the costs are passed on to all of us in terms of higher ISP charges, higher payment processing fees, and more mail lost due to stringent spam filters.
AmeriTrade disclosed in April 2005 that a tape containing some customer information might have been stolen in February of that year, and many spam victims who blogged about their AmeriTrade addresses being stolen, referenced that incident as the likely cause. But after Bill Katz's blog post became a clearinghouse of sorts for complaints about stolen AmeriTrade addresses (probably as a result of being the first match on Google for "ameritrade spam"), several users posted that they had received spam at accounts that were only created with AmeriTrade in summer 2006. And then my e-mail address got leaked between April 14 and May 15, 2007. So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.
AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?
An accidental security breach can happen to any responsible company, especially if they are compromised from the inside. But the trail of blogosphere and UseNet posts indicates that several times AmeriTrade has concealed the full extent of the problem from customers who asked them about it, or has given out information that they already knew was wrong. In one thread in October 2005, a user reported that they wrote to AmeriTrade asking why their AmeriTrade-only e-mail address was getting spammed, and AmeriTrade replied that the spammer might have guessed the address using a dictionary attack, adding:
But that was long after February 2005, when AmeriTrade said that tapes containing customer data were stolen. (Even if that turned out not to be the cause of the spam after all, by that point AmeriTrade knew that their customers' addresses had been leaked somehow.)We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employee's dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.
Then when my friend Art Medlar complained to AmeriTrade this year about the same thing happening, he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.
When I sent AmeriTrade my own inquiry, I got a response that was identical to a forwarded message that someone else posted to news.admin.net-abuse.email in April. (To their credit, in this version of the message, AmeriTrade is acknowledging responsibility for the problem instead of attributing it to dictionary attacks or botnets. But the e-mail contains the curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? As one reader replied to the UseNet thread: "Cynical Translation: Please don't retain any independent evidence.") At first I didn't realize this was a boilerplate response, so I sent back some more questions, asking, for example, whether they would notify their California customers of the data security breach as required by that state's laws. The second response I got was a copy of the old boilerplate that they were sending out two years ago, blaming "dictionary attacks".
Now, compared to the 1,000 spams I already get every day (pre-filtering), the AmeriTrade spams were just a drop in the bucket, and many of their customers are probably in the same boat. And unlike most AmeriTrade customers, at least I can stop all AmeriTrade spam just by de-activating those addresses, since they aren't used for anything else. (Right now I'm keeping them open just to see what else comes in.) But AmeriTrade's database also contains much more valuable information such as names, PIN numbers (do you use the same PIN number everywhere that you sign up?), and Social Security Numbers. When I signed up for my account, informed by dire warnings that federal law required accurate information "to help the government fight the funding of terrorism and money laundering activities", I gave AmeriTrade my real SSN, address, and other personal data, figuring that if I gave them false information, I might get in more trouble than the experiment was worth. But now that the attacker has my e-mail, they might have all of my other information as well. In the coming months I'll probably start checking my credit report more often than I used to.
Probably someone inside AmeriTrade is selling customer data to an outside spammer. (It seems less likely that an attacker would keep breaking into AmeriTrade repeatedly to get updated copies of the customer list. Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database? Surely the 2006 list would be enough to run any pump-and-dump stock scam that you want!) Two suggestions to AmeriTrade to tighten their security: First, the number of people within the company who can access the customer database, is probably a lot larger than the number who actually need to access the customer database. Limit access to the e-mail database to people who actually need it. Second, in any cases where different employees really need to have access to the list, try giving them different versions of it, where each version is "seeded" with spamtrap addresses at Hotmail and Yahoo Mail. If the spamtrap addresses that start receiving spam are all ones that were used to seed one particular employee's copy of the list, then you've found the source of the leak. That won't stop the spam being sent to addresses that have already been stolen, but it could prevent further leaks from happening.
The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price. Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.) However, while this would remove the incentive for stock spammers to target AmeriTrade customers, it's also really just covering up a symptom of the problem, rather than addressing the problem itself, which is that a spammer was able to steal the customer information from AmeriTrade's database in the first place.
But whatever they do, AmeriTrade should stop blowing off the people who complain about the spam, with messages about "dictionary attacks" and "botnets". When customers create specialized spamtrap addresses to detect if their e-mails ever get leaked, those are the tech-savvy customers who (a) know what they're doing, and (b) hate spam more than most people, and giving them misleading information is just poking a stick in their eye. Not a smart move when AmeriTrade has been leaking private customer information and is based, as their name indicates, in the most litigious country in the history of the world.
Hrm. (Score:2, Interesting)
I use TDWaterhouse for trading (I'm in
From what I can tell the only sites where unique addresses seem to get out are from BitTorrent trackers. Not a complete surprise I guess.
Protip: if you run your own mail server generate a whack of aliases (ie: bogus000 through bogus999) so you always have a disposable address available.
Re:Hrm. (Score:5, Interesting)
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
I started out following this tutorial: http://workaround.org/articles/ispmail-sarge/ [workaround.org]
Re:Hrm. (Score:4, Insightful)
Re: (Score:3, Informative)
I had the same problem as the parent with the same config the grandparent was using. Two things helped immensely.
First, a few rules in my Postfix helo_access file:
(Yes, that doesn't trap all ways of writing IP address, and leaves o
Re:Hrm. (Score:4, Insightful)
Did you use a subdomain like the GP suggested? I've had plenty of dictionary attacks of the form foo@example.com, but there's no way, other than a harvester, to know about foo@bar.example.com.
Prefix with initials? (Score:3, Interesting)
They might guess ebay@mydomain.com, slashdot@mydomain.com - but what are their chances of getting 6.y.slashdot? (Not my real initials
Anyone out there who's used this approach, and can say whether it's worthwhile?
Re:Hrm. (Score:4, Insightful)
Re: (Score:2, Insightful)
Re:Hrm. (Score:5, Interesting)
Re:Hrm. (Score:5, Interesting)
I was simply using the account to hold the relatively small stock portfolio I have, so I have no problem moving my account elsewhere.
Re:Hrm. (Score:5, Interesting)
Why can't it be a revenue stream problem? ie they're selling the addresses?
Re: (Score:3, Interesting)
Spamgourmet is even easier. (Score:5, Informative)
Even easier: just go to Spamgourmet.com [spamgourmet.com] and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.
E.g., if you're signing up for Ameritrade, you could use the address "ameritradesucks.kadin@spamgourmet.com" (or any other of about 10 different domains, it's not just limited to spamgourmet).
After each address has forwarded a set number of emails through to your real, hidden address, it will shut off and all further messages will be "eaten." (You can re-activate emails if you want, or set up whitelists so that all email from ameritrade.com gets through.)
It's a pretty brilliant system, and it's completely free. If you set up an account and use Spamgourmet dummy addresses everywhere, you can almost totally prevent spam arriving directly to your inbox. Also, you can go in later and see which addresses have been flooded with spam (some of mine have received thousands of messages) and see exactly what services are selling out out. Very cool.
Re: (Score:3, Interesting)
Even easier: just go to Spamgourmet.com and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.
Sounds cool. Gmail gives you a similar mechanism; myaddress@gmail.com can be amended to any form of myaddress+somesignupstring@gmail.com.
The downside is that I've run into numerous forms that evaluate the '+' character as invalid in form checking on entered e-mail addresses. My read of RFC [2]822 is that the '+' char is explictly included as atext, so these forms are either written by boneheads or by pricks who don't want to be tracked back to. Either way, it's a Bad Sign of Things to Come from whatev
Phew! (Score:5, Funny)
Re: (Score:2, Insightful)
Years of television with shorter and shorter times between cut scenes has destroyed your attention span. Why don't you go watch some TV now? Maybe there will be a 30 second blurb on the subject ala "Ameritrade implicated in SPAM delivery... incompetent or criminal... you decide!!!"
Re:Phew! (Score:4, Insightful)
There's a word for that, it's 'incompetence.'
If they're they stupid about handling email addresses, what makes you think that the rest of your personal information is being protected any better? There's absolutely no reason why this should be happening. Something is very, very wrong at Ameritrade, and as evidenced by the fact that they haven't done anything, my suspicion is that they either can't, or don't know how to. That's not a good thing.
It's inexcusable.
Re: (Score:3, Funny)
postmaster@ameritrade.com [mailto]
Solution? (Score:5, Insightful)
Re: (Score:3, Interesting)
Regardless of the cause for my email address being leaked by Ameritrade, I have steered several people away from their service with my story. My hope is that others avoid their service as well, especially sin
Re: (Score:3)
I've had exactly the same problem with Ameritrade. I signed up for a new account last fall, and have been getting pump and dump spams ever since. Ameritrade has had this problem for years, as I quickly verified with a google search; it's been discussed on several of the major anti-spam boards. No, it is not a dictionary attack; my address has 13 characters before the @ sign, consisting of a mixture of letters and digits, and has no dictionary words in it; the domain is not a common one either. Yes, it is de
Abusable fix? (Score:4, Insightful)
Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.
Re:Abusable fix? (Score:4, Informative)
CORRECTION (Score:2)
Re: (Score:2)
The purpose I would imagine would be to attempt to limit a competitor's financial flexibility. Even if it does
Re: (Score:2)
Re: (Score:2)
You're forgetting a detail here. Pump&dump works because an idiot sees the spam and buys. The reverse wouldn't work because the said idiot cannot sell stocks he doesn't have. It's not like someone will see "oh, transactions are discouraged -- let's sell short".
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Thoughts like this are the kind of thoughts that convince Libertarians that the marketplace will ALWAYS correct itself. Notice that a protection against one type of unscrupulous behavior becomes an enabler for another type of behavior - which is then protected against.
The net effect of this continuous spy-vs-spy type war is a balanced marketplace that doe
Re: (Score:2)
Re: (Score:3, Insightful)
Source, please? By my calculations that means there is $150 trillion in infrastructure in the US that is publicly available - meaning that you can't count private buildings or land. Since annual tax revenues are under $3 trillion, and not all of this goes to infrastructure, I'm going to go ahead and significantly doubt the accuracy of your figure.
Maybe you're playing with the word "born". Since about 10 million Am
Ameritrade is bunk (Score:5, Insightful)
Re:Ameritrade is bunk (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
You must be new here.
Please, examine carefully BofA's role in the U.S. financial system before making such a careless statement. Look carefully at who controls Visa and Mastercard.
Among other important things to understand is that BofA profits quite handsomely while consumers bear increased costs for everything purchased at retailers that accepts card payments.
"Despite merchant discontent, card issuers have incentives to maintain or increase interchange fe
BofA's Agressively Anti-Competitive (Score:3, Insightful)
"... when Visa and MasterCard were building their dominant credit card networks, they imposed exclusionary rules and restrictions on other parties to credit card transactions. In two cases, whose outcomes are described in this section, merchants and the U.S. Department of Justice (DOJ) successfully challenged some of these practices. The decisions in the two cases29 weakened some barriers to competition and reduced the control exercised by the card associations, t
Re:Ameritrade is bunk (Score:5, Informative)
Bank of America is pure, concentrated evil. Not only do they have some of the worst customer service on the planet (especially if they feel you are in the wrong) but they were one of the last corporations to pull out of their investments in Apartheid.
Re: (Score:3, Interesting)
Now THAT is funny.
Bank of America [nypost.com] hit Gloria Carlo, 51, a single mom from the South Bronx, with a lawsuit demanding $23,312.04. It's money the bank claims she overdrew in a two-month home-shopping spending spree after already exhausting $38,000 from her own savings.
Bank of America Corp. [cnn.com] and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may the biggest security
May be related to TD Waterhouse merger (Score:5, Insightful)
I have been a long time AmeriTrade customer and, like the author, used a unique email address for my AmeriTrade account. I never received any spam on that email address until a few weeks after the TD Waterhouse merger last year. Suddenly I started getting tons of pump&dump spam on that address.
Checking the "privacy" settings in my account revealed that somehow my account had been changed from "opt-out everything" to "opt-in everything" -- certainly not by me. I changed everything back to opt-out, assigned a new email address and have not received any spam on that new address since then. The old email address keeps getting spam, so I am hard-filtering it on my SMTP server now.
To me it looks like the TD Waterhouse merger triggered a change in their privacy policy or account handling that caused "opt-in" to be set on at least some accounts.
Re: (Score:2)
No, more likely their database was compromised, possibly from the inside, and continues to have a mole or hole.
Re: (Score:3, Funny)
Me too...I receive 0% of my email from my SMTP server...
;-)
Re: (Score:3, Informative)
In related news (Score:5, Funny)
I doubt email addresses (Score:4, Insightful)
gmail mail tracking trick (Score:5, Insightful)
Gmail has got a neat trick you can use to learn who sells your email address...
If your email is xyz@gmail.com and you're registering at site ABC, you can register at that site with the email address xyz+ABC@gmail.com. Gmail still delivers it to you and at the same time allows you to see who sold your email information.
Re:gmail mail tracking trick (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Re:gmail mail tracking trick (Score:4, Insightful)
Or maybe I just need smarter friends.
Re: (Score:2)
I tried it with one site (Amazon IIRC) and got back an error message saying "No no you ninny, we said enter a VALID e-mail address. What are you, an idiot?" or something French like that. Apparenlty some forms are smart enough to check for invalid characters.
Re: (Score:2)
Re: (Score:3, Insightful)
You mean: Apperently some forms are dumb enough to deny valid characters.
Re:gmail mail tracking trick (Score:5, Informative)
And to the grandparent: gmail is not the only mail client that allows this. Mutt and pine definitely do and I am sure there are others, since the use of "+" is perfectly valid. In fact, the ones that don't are non-compliant.
Re: (Score:3, Informative)
Lots of places check for alphanumerics, dot and @ and reject anything else.
Re: (Score:2)
The official RFC for e-mail addresses say that a plus symbol is valid; but roughly half of the web-forms I've interacted with do not consider a plus in a name to be a valid address. Some bigger web-sites (i.e., Xbox Live) don't allow this, and those that do may break if the e-mails they sent are from a listserv. (e.g., unable to unsubscribe, change passwords over e-mail, etc...)
Re:gmail mail tracking trick (Score:5, Interesting)
What I've done instead is to create a catch-all email address in a subdomain and sign up as, ie amazon@subdomain.domain.com. I suppose I could first create a unique 16-character string for each one and add a new address before creating any accounts, but a) that requires additional effort and management and b) when you call, for example, amazon customer support they ask for your email address to identify your account. Good luck communicating 16 random letters and numbers over the phone to level-1 customer support.
Eventually a "dictionary" attack might end up forcing me to shut down the catch-all and be explicit.
Re: (Score:2)
it makes life so much easier
Re: (Score:2)
Use dots/periods with gmail addresses (Score:4, Informative)
use broken regexes is to just insert extra periods in your
mailbox name. Then you can filter based on that. If your
gmail address is johndoe@gmail.com, then you can also use
things like jo.hnd.oe@gmail.com, joh.n.do.e@gmail.com, etc.
Re: (Score:2)
Re: (Score:2)
Tons, unfortunately. That's the problem.
Other explanations (Score:4, Interesting)
I've seen addresses turn up in spam that I wouldn't have believed if I hadn't seen it.
Now, if you are able to confirm that several addreses created by different people & never shared get similar scams that addresses not given to the company DO NOT get, then that might be something interesting.
Who's trading e-mail addresses? Everyone! (Score:4, Insightful)
This is why many pundits are saying "email is broken"; and it makes sense if you think about it. The setting up of different accounts for each company/person you interact with goes against the whole point of having an e-mail *address* (i.e., a not-too-frequently-changing place to find you).
Really, the spam problem is a symptom of human nature (look up "tragedy of the commons"), and if any of you think you have the secret of changing *that*, then please share...
Re: (Score:2, Insightful)
Oh, and as a bonus, I'm going to repeat the myth about the Dvorak keyboard as proof of the harms of path dependence.
Re:Who's trading e-mail addresses? Everyone! (Score:5, Insightful)
Yes, but the story here is that Ameritrade is not only spamming, they are spamming stock tips, or at least they are causing that to happen.
A brokerage firm that randomly gives stock tips with the intent of buying the the stock low beforehand, and selling it after a bunch of people purchase it, thus passing the loss on to their customers, is in violation of half a dozen laws and can be subject to large fines and lose its ability to trade stock, which, considering that's all Ameritrade does, would kill it. A firm that lets someone at that firm do it is, instead of the firm itself, is just as culpable.
Screw involving Ameritrade or the media in this, someone needs to inform the SEC of what's going on.
MOD PARENT UP! (Score:2)
A way to kill the competition! (Score:2, Interesting)
The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price.
Does anyone else see the problem with that?
If I want to kill my competitor's stock, all I have to do is launch a pump and dump scam using it as the target?
Re: (Score:3, Informative)
Strangely enough (Score:4, Informative)
Someone with your address on their list will try to sell it for $.50 or up to $5/10 if they can get it providing it is a valid address. There is money in selling such information. THAT is why you get spam. If they could figure out how to make all drivers of any vehicle made before 2000 as they drive down the highway, people would sell that to autodealers... Its all about Ad revenues, and your email address is just another pageview sort of thing for people buying the lists.
There is no method to prevent this. If one person at company X illegally sells a list of clients of that company, it will be out in the wild, nothing to stop it from being resold dozens of times.
long time customer (Score:4, Interesting)
There's another possibility (Score:5, Informative)
Dell does this. I know this for a fact - I gave Dell my information while setting up a business account for a small consultancy that I was running a few years back out of my house. I hadn't yet formalized the business legally, but gave Dell the name that I was going to use for my business. Within weeks, I began to receive snail-mail spam using the business address that I had only given to Dell. No one within Dell was stealing my information - Dell sells information about their customers to make a buck.
AmeriTrade very likely does the same thing. After you give your email, snail mail, phone, etc info to them, they turn around and earn a buck or two by selling your information to other companies.
Never attribute to malice... (Score:5, Insightful)
It's possible that Ameritrade itself is selling the email addresses. What's their privacy policy?
In large companies, it's very easy for someone in one division to do something that people in other divisions don't know about.
Re: (Score:2, Insightful)
Good point (Score:2)
A fourth option (Score:4, Insightful)
Don't assume that because you know about malware and run a couple programs to prevent or eradicate it, that you don't have any. Now if you're not running an MS operating system, the likelihood of this is nearly zero, but no matter what you do it's never actually zero. Just very close.
Domain. (Score:2)
slashdot_org@mydomain.com
Naturally, all the mail @ mydomain.com forwards to my real email account which is elsewhere. Thus, if someone is sleazy and starts spamming my account, I can easily setup a filter to get rid of it. This is akin to andy rooney's use of creative misspellings of his own name in the 70s to track down junk mail.
As you can see... (Score:2)
The good news is I haven’t seen any spam from any of the other addresses I’ve used, meaning that of the hundred or more distinct entities I’ve given an email address to, only p
Inside Job (Score:5, Informative)
That would be my guess. There's probably not a whole lot Ameritrade (or any company) can do about it other than figure out a way to deeply restrict access to the email addresses. But when you need customer service/marketing/administration departments to have access to customer's email addresses, it can get a little hairy.
I can remember back in '99 going to work for a rather large ISP. My first day there they created an email account for me. After four days of orientation and I started to actually do work, I checked my email and found it loaded with spam. This account had been on no mass mailings, has had nothing sent out, and had received no communication from within the company. The name wasn't anything close to what you'd find in a dictionary. As far as I could tell, the only way spammers could have gotten their fingers on the address was if someone inside the company was selling the address out.
Re: (Score:2)
Was this a rigorous test? (Score:2, Interesting)
Another example, this logic seems flawed...
he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.
How would anyone know if or how much other email was affected? Most likely it would be trashed by a spam filter anyway, and even if it wasn't how could they compare "every
Customers have no recourse (Score:2)
Anyone signing up for an Ameritrade account has to sign away their right to sue the company for damages. They're all like that now. So, who cares if customer data slips out? It's not like you can sue them for the actual cost of the loss or credit monitoring.
It's just a big yawner to Ameritrade. You can't do anything and they know it. So they can BS, soft shoe, deny and all you can do is have a passive-aggressive little snit fit.
No (Score:2, Funny)
Edited for the time impaired (Score:3, Funny)
2. Gets pump and dump spam at that address.
3. Profit!
The balance of the article:
a) outlines a variety of conspiratorial possibilities
b) finds that other Ameritrade customers get pump and dump spam
c) makes repeated reference to a lost customer data tape from 2005.
d) Ameritrade has poor customer service.
I reported this to the SEC, but not much happened (Score:4, Informative)
The first time I received spam, not ads for "partner" companies, but pump-and-dump image spam, and such, I reported Ameritrade to the SEC. After contacting Ameritrade and receiving a big "so what" from them, I filled in the SEC's online complaint form, detailing the problem. A week or two later I received a letter (on paper) from them asking me to e-mail them more information and any additional evidence. I sent them a detailed explanation of the problem, along with information about why it was extremely unlikely that the e-mail address was stolen from my end (none of my other unique addresses were receiving spam), and a copy of all of the spam messages that had been sent to my ameritrade address.
Since that time I've not heard anything back from the SEC. I didn't really expect to, but I was hoping that if 10-20 people complained about the same thing, and provided evidence, they might actually start an investigation. That was August, 2006, so maybe they really are doing something, and I should just be more patient.
A friend who was also receiving the ameritrade spam convinced ameritrade to waive the account transfer fee, and moved all of his stuff to Scottrade. I changed my ameritrade e-mail address, and haven't received spam to the new address, so I thought perhaps the leak had been fixed. Now that I see the problem is still occurring, I'll take the time to move my accounts.
Assume the worst... (Score:5, Informative)
In other words, for any email address you use, assume that it will at some point fall into the hands of spammers.
So, given these assumptions, what are you to do?
Yes, this may sound paranoid. But unfortunately until the technology is changed to allow tracking spammers down, and the laws are changed to allow dealing with spammers effectively (.30-06 is effective), these are the sorts of measures needed to keep your inbox relatively clean.
couldn't agree more (Score:3, Interesting)
Why are you still a customer? (Score:5, Insightful)
Re:Why are you still a customer? (Score:4, Funny)
Fighting the pig (Score:4, Insightful)
Make it scientific: add a control! (Score:4, Insightful)
This is why you should have done a scientific experiment, where you had at the very least two e-mail addresses of similar random makeup, and only made one available to AmeriTrade. The one you didn't give would be the control. Then you compare the SPAM received between the two, rather than between your single submitted address and an imaginary address that receives none. Perhaps you have a third that you submit to a trusted server you know does not share it (like one you set up yourself with a trusted bandwidth provider).
Re:Why is this on the frontpage? (Score:5, Funny)
Re: (Score:2, Troll)
Re: (Score:2)
Another culprit would certainly be if any of these folks used public terminals to log in and check their portfolios, or even Wi-Fi in public places that a hacker could sniff out. Trading needs to be done in the privacy of your own home, behind an excellent firewall, through a physical connection or encrypted Wi-Fi.
Re: (Score:2)
With a public terminal, it is possible that there's a keylogger installed on the computer, but since all of the online trading companies that I've seen use SSL, I don't think there's much chance your email address could fall into the hands of a hacker via a public wifi connection just because you logged in to check your portfoli
Re:My vote goes to spyware! (Score:5, Interesting)
A virus and spyware is certainly a possibility for leaking an address, and I know I've had my address leaked when somebody elses computer, who has received an e-mail from me, gets infected with spyware.
In this case though, both a friend and myself started getting spam to our unique Ameritrade addresses at the same time. Both of us use Linux for our primary desktop OS (no e-mail reading from a Windows vmware session, etc.) Neither of us received spam to our many other unique addresses. If it had been spyware infecting one of our machines and stealing our e-mail list, then I would have expected spam to my e-trade, amazon, newegg, etc. unique addresses, but only the ameritrade address received the spam.
It could still be a spyware or virus infection at a machine at Ameritrade. Somebody keeps the full list of e-mail addresses on their laptop, which goes outside all the fancy firewalls and IT oversite and gets infected, and has the data stolen.