Who's Trading Your E-mail Addresses?

Bennett Haselton is back with another piece on e-mail privacy. He starts "On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. (I don't actually do that with most companies where I create accounts. But after hearing all the AmeriTrade stories, I created an account with them in April just for the purpose of entering a unique e-mail address and seeing if it would get leaked.)" Bennett continues on if you're willing to click the link.

What's surprising is that as far as I can tell, AmeriTrade has taken almost no heat in the media for letting this happen. Despite the abundant testimonials from bloggers who had their addresses leaked, the story never crossed over into the "mainstream" Internet press. In a recent Bloomberg News story, the FBI warned that E*Trade and AmeriTrade users were vulnerable to spyware installed by criminals in hotels and cybercafes to capture accounts and run pump-and-dump stock spams; no mention of the fact that all AmeriTrade e-mail addresses were apparently already in the hands of spammers anyway (although no one knows if usernames and passwords were leaked to the spammers as well).

This doesn't bode well for anyone who uses any type of online service and wants that service to keep their personal information secure. If AmeriTrade got skewered in the media for leaking customers' personal information to spammers, other companies would see that and learn the lesson. On the other hand, if AmeriTrade gets away with it with barely a whisper in the mainstream news, other companies are going to take note of that, too. Besides, spam and identity theft hurt everyone, not just the victims, because the costs are passed on to all of us in terms of higher ISP charges, higher payment processing fees, and more mail lost due to stringent spam filters.

AmeriTrade disclosed in April 2005 that a tape containing some customer information might have been stolen in February of that year, and many spam victims who blogged about their AmeriTrade addresses being stolen, referenced that incident as the likely cause. But after Bill Katz's blog post became a clearinghouse of sorts for complaints about stolen AmeriTrade addresses (probably as a result of being the first match on Google for "ameritrade spam"), several users posted that they had received spam at accounts that were only created with AmeriTrade in summer 2006. And then my e-mail address got leaked between April 14 and May 15, 2007. So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.

AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?

An accidental security breach can happen to any responsible company, especially if they are compromised from the inside. But the trail of blogosphere and UseNet posts indicates that several times AmeriTrade has concealed the full extent of the problem from customers who asked them about it, or has given out information that they already knew was wrong. In one thread in October 2005, a user reported that they wrote to AmeriTrade asking why their AmeriTrade-only e-mail address was getting spammed, and AmeriTrade replied that the spammer might have guessed the address using a dictionary attack, adding:

We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employee's dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.

But that was long after February 2005, when AmeriTrade said that tapes containing customer data were stolen. (Even if that turned out not to be the cause of the spam after all, by that point AmeriTrade knew that their customers' addresses had been leaked somehow.)

Then when my friend Art Medlar complained to AmeriTrade this year about the same thing happening, he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.

When I sent AmeriTrade my own inquiry, I got a response that was identical to a forwarded message that someone else posted to news.admin.net-abuse.email in April. (To their credit, in this version of the message, AmeriTrade is acknowledging responsibility for the problem instead of attributing it to dictionary attacks or botnets. But the e-mail contains the curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? As one reader replied to the UseNet thread: "Cynical Translation: Please don't retain any independent evidence.") At first I didn't realize this was a boilerplate response, so I sent back some more questions, asking, for example, whether they would notify their California customers of the data security breach as required by that state's laws. The second response I got was a copy of the old boilerplate that they were sending out two years ago, blaming "dictionary attacks".

Now, compared to the 1,000 spams I already get every day (pre-filtering), the AmeriTrade spams were just a drop in the bucket, and many of their customers are probably in the same boat. And unlike most AmeriTrade customers, at least I can stop all AmeriTrade spam just by de-activating those addresses, since they aren't used for anything else. (Right now I'm keeping them open just to see what else comes in.) But AmeriTrade's database also contains much more valuable information such as names, PIN numbers (do you use the same PIN number everywhere that you sign up?), and Social Security Numbers. When I signed up for my account, informed by dire warnings that federal law required accurate information "to help the government fight the funding of terrorism and money laundering activities", I gave AmeriTrade my real SSN, address, and other personal data, figuring that if I gave them false information, I might get in more trouble than the experiment was worth. But now that the attacker has my e-mail, they might have all of my other information as well. In the coming months I'll probably start checking my credit report more often than I used to.

Probably someone inside AmeriTrade is selling customer data to an outside spammer. (It seems less likely that an attacker would keep breaking into AmeriTrade repeatedly to get updated copies of the customer list. Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database? Surely the 2006 list would be enough to run any pump-and-dump stock scam that you want!) Two suggestions to AmeriTrade to tighten their security: First, the number of people within the company who can access the customer database, is probably a lot larger than the number who actually need to access the customer database. Limit access to the e-mail database to people who actually need it. Second, in any cases where different employees really need to have access to the list, try giving them different versions of it, where each version is "seeded" with spamtrap addresses at Hotmail and Yahoo Mail. If the spamtrap addresses that start receiving spam are all ones that were used to seed one particular employee's copy of the list, then you've found the source of the leak. That won't stop the spam being sent to addresses that have already been stolen, but it could prevent further leaks from happening.

The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price. Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.) However, while this would remove the incentive for stock spammers to target AmeriTrade customers, it's also really just covering up a symptom of the problem, rather than addressing the problem itself, which is that a spammer was able to steal the customer information from AmeriTrade's database in the first place.

But whatever they do, AmeriTrade should stop blowing off the people who complain about the spam, with messages about "dictionary attacks" and "botnets". When customers create specialized spamtrap addresses to detect if their e-mails ever get leaked, those are the tech-savvy customers who (a) know what they're doing, and (b) hate spam more than most people, and giving them misleading information is just poking a stick in their eye. Not a smart move when AmeriTrade has been leaking private customer information and is based, as their name indicates, in the most litigious country in the history of the world.

Solution?

[daeg]

Drop AmeriTrade. I did and couldn't be happier. I couldn't trust my stock (and thus, some of my savings and part of my future financial well-being) to a company that can't even keep an e-mail address secure.

Abusable fix?

[Ruprecht the Monkeyb]

Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.)

Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

Ameritrade is bunk

[linzeal]

As someone who has used both Ameritrade, Etrade and Banc of America for stock trading I would say stick with a company who has more on the line than just a Web 1.0 company. Bricks and mortar Bank of America is not going to fuck over customers to get 10 bucks an email address and their security is run through a group of people who have to protect 100's of billions of dollars. It might cost more but you will sleep better at night.

May be related to TD Waterhouse merger

[hksld99]

I have been a long time AmeriTrade customer and, like the author, used a unique email address for my AmeriTrade account. I never received any spam on that email address until a few weeks after the TD Waterhouse merger last year. Suddenly I started getting tons of pump&dump spam on that address.

Checking the "privacy" settings in my account revealed that somehow my account had been changed from "opt-out everything" to "opt-in everything" -- certainly not by me. I changed everything back to opt-out, assigned a new email address and have not received any spam on that new address since then. The old email address keeps getting spam, so I am hard-filtering it on my SMTP server now.

To me it looks like the TD Waterhouse merger triggered a change in their privacy policy or account handling that caused "opt-in" to be set on at least some accounts.

I doubt email addresses

[sholden]

count as a big enough leak to trigger disclosure laws. If they are just selling email addresses without any other personal details they may be violating there privacy policy but probably not disclosure laws.

gmail mail tracking trick

[TheGreatOrangePeel]

Gmail has got a neat trick you can use to learn who sells your email address...

If your email is xyz@gmail.com and you're registering at site ABC, you can register at that site with the email address xyz+ABC@gmail.com. Gmail still delivers it to you and at the same time allows you to see who sold your email information.

Who's trading e-mail addresses? Everyone!

[TheWoozle]

I always assume that any business that I give my e-mail address to will sell it; that's why I don't give it out. Surprisingly enough, I don't get any spam.

This is why many pundits are saying "email is broken"; and it makes sense if you think about it. The setting up of different accounts for each company/person you interact with goes against the whole point of having an e-mail *address* (i.e., a not-too-frequently-changing place to find you).

Really, the spam problem is a symptom of human nature (look up "tragedy of the commons"), and if any of you think you have the secret of changing *that*, then please share...

Re:Phew!

[99BottlesOfBeerInMyF]

I'm as guilty as the next person for not always RTFA, but his is the first time I couldn't even make it through the posting

Years of television with shorter and shorter times between cut scenes has destroyed your attention span. Why don't you go watch some TV now? Maybe there will be a 30 second blurb on the subject ala "Ameritrade implicated in SPAM delivery... incompetent or criminal... you decide!!!"

Re:Hrm.

[CastrTroy]

I used to do that, but found that I got a lot of extra spam from people just sending email to random addresses at my domain. It was too much trouble so, I went back to configuring my addresses individually. That way it's easier to block certain addresses when they get too much spam, and you know who is sending you the spam.

Re:gmail mail tracking trick

[UbuntuDupe]

Couldn't spammers circumvent this by purging +-type suffixes, (i.e., converting "xyz+ABC@gmail.com" to "xyz@gmail.com") since the email will still get to you?

Never attribute to malice...

[JoeD]

...what can be explained by stupidity.

It's possible that Ameritrade itself is selling the email addresses. What's their privacy policy?

In large companies, it's very easy for someone in one division to do something that people in other divisions don't know about.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Who's trading e-mail addresses? Everyone!

[UbuntuDupe]

No no no, you're hastily attributing the problem to the wrong market failure story! I think the one you're looking for is path dependence [wikipedia.org]: that is, we could convert an email system in which you can't forge sender information, but the costs are too great and the market participants too uncoordinated to make the transition.

Oh, and as a bonus, I'm going to repeat the myth about the Dvorak keyboard as proof of the harms of path dependence.

Re:Who's trading e-mail addresses? Everyone!

[DavidTC]

Yes, but the story here is that Ameritrade is not only spamming, they are spamming stock tips, or at least they are causing that to happen.

A brokerage firm that randomly gives stock tips with the intent of buying the the stock low beforehand, and selling it after a bunch of people purchase it, thus passing the loss on to their customers, is in violation of half a dozen laws and can be subject to large fines and lose its ability to trade stock, which, considering that's all Ameritrade does, would kill it. A firm that lets someone at that firm do it is, instead of the firm itself, is just as culpable.

Screw involving Ameritrade or the media in this, someone needs to inform the SEC of what's going on.

Re:Hrm.

[spyrochaete]

If you create throwaway addresses, don't forget to disable any catchall address so you don't get bombarded with 50 addresses worth of spam!

Re:Hrm.

[grub]

yeah. I think catchalls are over-rated. I see so much spam that's aimed at random user names a catchall would be driving me nuts.

Re:gmail mail tracking trick

[swillden]

Apparenlty some forms are smart enough to check for invalid characters.

You mean: Apperently some forms are dumb enough to deny valid characters.

Go back to digg...

[Anonymous Coward]

please.

BofA's Agressively Anti-Competitive

[mpapet]

This excerpt will probably have more impact.

"... when Visa and MasterCard were building their dominant credit card networks, they imposed exclusionary rules and restrictions on other parties to credit card transactions. In two cases, whose outcomes are described in this section, merchants and the U.S. Department of Justice (DOJ) successfully challenged some of these practices. The decisions in the two cases29 weakened some barriers to competition and reduced the control exercised by the card associations, thus influencing the future of the credit card industry. In fact, the aftereffects of the decisions have already begun appearing."

http://www.fdic.gov/bank/analytical/banking/2005no v/article2.html [fdic.gov]

I wish more people understood how badly de-regulation has screwed the average American banking/stock trading customer.

Why are you still a customer?

[Colin Smith]

If you want Ameritrade to take notice then dump them.

 

A fourth option

[gr8_phk]

d) your own machine has malware on it that intercepted the address.
Don't assume that because you know about malware and run a couple programs to prevent or eradicate it, that you don't have any. Now if you're not running an MS operating system, the likelihood of this is nearly zero, but no matter what you do it's never actually zero. Just very close.

Fighting the pig

[hysterion]

Commendable effort, yet is the knowledge gained worth it? Somehow it brings to mind this observation [paulgraham.com]:

"I got addicted to trying to identify spam features myself, as if I were playing some kind of competitive game with the spammers."

"Norbert Wiener said if you compete with slaves you become a slave, and there is something similarly degrading about competing with spammers. To recognize individual spam features you have to try to get into the mind of the spammer, and frankly I want to spend as little time inside the minds of spammers as possible."

The key is internal data security

[atomic777]

and proper use of privileges, views, etc. to limit access to data is almost a non-existent thing in a lot of companies I've worked for. All it takes is one "power user" with access to all columns in a customer table to have this problem.

Any DBA interested in keeping his job would go out of his way to design an HR database to prevent only key users from accessing the column 'employee.salary'. Qualified email addresses, a valuable commodity when sold on the spam black market, need to be treated the same way.

Make it scientific: add a control!

[noidentity]

"[...] he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". [...] if this were the source of the problem, it would affect everyone's e-mail addresses equally [...]"

This is why you should have done a scientific experiment, where you had at the very least two e-mail addresses of similar random makeup, and only made one available to AmeriTrade. The one you didn't give would be the control. Then you compare the SPAM received between the two, rather than between your single submitted address and an imaginary address that receives none. Perhaps you have a third that you submit to a trusted server you know does not share it (like one you set up yourself with a trusted bandwidth provider).

Re:Phew!

[Kadin2048]

This doesn't make a damn bit of sense. Why would customer's email address be sitting out on a server that "other people can see and may gain access to"?

There's a word for that, it's 'incompetence.'

If they're they stupid about handling email addresses, what makes you think that the rest of your personal information is being protected any better? There's absolutely no reason why this should be happening. Something is very, very wrong at Ameritrade, and as evidenced by the fact that they haven't done anything, my suspicion is that they either can't, or don't know how to. That's not a good thing.

It's inexcusable.

Re:Abusable fix?

[Gospodin]

Every American is born with almost half a million dollars in pre-existing infrastructure...

Source, please? By my calculations that means there is $150 trillion in infrastructure in the US that is publicly available - meaning that you can't count private buildings or land. Since annual tax revenues are under $3 trillion, and not all of this goes to infrastructure, I'm going to go ahead and significantly doubt the accuracy of your figure.

Maybe you're playing with the word "born". Since about 10 million Americans are born per year, that would cut the total value of infrastructure to $5 trillion, which is believable. But then your figure is bogus, because that infrastructure is used over a person's entire lifetime. So the value should be divided by the total population, not by the annual rate of increase.

Re:gmail mail tracking trick

[jfengel]

That works nicely, though you still lose when your true address+personal email address leaks out. Your friends will insist on sending you e-greeting cards, mailing you articles from newspapers, including you on large mailings that get forwarded to some jackass spammer... and once your name leaks out to one, it's leaked out to all of them.

Or maybe I just need smarter friends.

Re:Hrm.

[bill_mcgonigle]

I used to do that, but found that I got a lot of extra spam from people just sending email to random addresses at my domain.

Did you use a subdomain like the GP suggested? I've had plenty of dictionary attacks of the form foo@example.com, but there's no way, other than a harvester, to know about foo@bar.example.com.