Who's Trading Your E-mail Addresses?

Bennett Haselton is back with another piece on e-mail privacy. He starts: "On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. (I don't actually do that with most companies where I create accounts. But after hearing all the AmeriTrade stories, I created an account with them in April just for the purpose of entering a unique e-mail address and seeing if it would get leaked.)" Bennett continues below.

What's surprising is that as far as I can tell, AmeriTrade has taken almost no heat in the media for letting this happen. Despite the abundant testimonials from bloggers who had their addresses leaked, the story never crossed over into the "mainstream" Internet press. In a recent Bloomberg News story, the FBI warned that E*Trade and AmeriTrade users were vulnerable to spyware installed by criminals in hotels and cybercafes to capture accounts and run pump-and-dump stock spams; no mention of the fact that all AmeriTrade e-mail addresses were apparently already in the hands of spammers anyway (although no one knows if usernames and passwords were leaked to the spammers as well).

This doesn't bode well for anyone who uses any type of online service and wants that service to keep their personal information secure. If AmeriTrade got skewered in the media for leaking customers' personal information to spammers, other companies would see that and learn the lesson. On the other hand, if AmeriTrade gets away with it with barely a whisper in the mainstream news, other companies are going to take note of that, too. Besides, spam and identity theft hurt everyone, not just the victims, because the costs are passed on to all of us in terms of higher ISP charges, higher payment processing fees, and more mail lost due to stringent spam filters.

AmeriTrade disclosed in April 2005 that a tape containing some customer information might have been stolen in February of that year, and many spam victims who blogged about their AmeriTrade addresses being stolen referenced that incident as the likely cause. But after Bill Katz's blog post became a clearinghouse of sorts for complaints about stolen AmeriTrade addresses (probably as a result of being the first match on Google for "ameritrade spam"), several users posted that they had received spam at accounts that were only created with AmeriTrade in summer 2006. And then my e-mail address got leaked between April 14 and May 15, 2007. So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.

AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?

An accidental security breach can happen to any responsible company, especially if they are compromised from the inside. But the trail of blogosphere and UseNet posts indicates that several times AmeriTrade has concealed the full extent of the problem from customers who asked them about it, or has given out information that they already knew was wrong. In one thread in October 2005, a user reported that they wrote to AmeriTrade asking why their AmeriTrade-only e-mail address was getting spammed, and AmeriTrade replied that the spammer might have guessed the address using a dictionary attack, adding:

We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employees dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.
But that was long after February 2005, when AmeriTrade said that tapes containing customer data were stolen. (Even if that turned out not to be the cause of the spam after all, by that point AmeriTrade knew that their customers' addresses had been leaked somehow.)

Then when my friend Art Medlar complained to AmeriTrade this year about the same thing happening, he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.

When I sent AmeriTrade my own inquiry, I got a response that was identical to a forwarded message that someone else posted to news.admin.net-abuse.email in April. (To their credit, in this version of the message, AmeriTrade is acknowledging responsibility for the problem instead of attributing it to dictionary attacks or botnets. But the e-mail contains the curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? As one reader replied to the UseNet thread: "Cynical Translation: Please don't retain any independent evidence.") At first I didn't realize this was a boilerplate response, so I sent back some more questions, asking, for example, whether they would notify their California customers of the data security breach as required by that state's laws. The second response I got was a copy of the old boilerplate that they were sending out two years ago, blaming "dictionary attacks".

Now, compared to the 1,000 spams I already get every day (pre-filtering), the AmeriTrade spams were just a drop in the bucket, and many of their customers are probably in the same boat. And unlike most AmeriTrade customers, at least I can stop all AmeriTrade spam just by de-activating those addresses, since they aren't used for anything else. (Right now I'm keeping them open just to see what else comes in.) But AmeriTrade's database also contains much more valuable information such as names, PIN numbers (do you use the same PIN number everywhere that you sign up?), and Social Security Numbers. When I signed up for my account, informed by dire warnings that federal law required accurate information "to help the government fight the funding of terrorism and money laundering activities", I gave AmeriTrade my real SSN, address, and other personal data, figuring that if I gave them false information, I might get in more trouble than the experiment was worth. But now that the attacker has my e-mail, they might have all of my other information as well. In the coming months I'll probably start checking my credit report more often than I used to.

Probably someone inside AmeriTrade is selling customer data to an outside spammer. (It seems less likely that an attacker would keep breaking into AmeriTrade repeatedly to get updated copies of the customer list. Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database? Surely the 2006 list would be enough to run any pump-and-dump stock scam that you want!) Two suggestions to AmeriTrade to tighten their security: First, the number of people within the company who can access the customer database is probably a lot larger than the number who actually need to. Limit access to the e-mail database to people who actually need it. Second, in any cases where different employees really do need access to the list, give them different versions of it, each "seeded" with spamtrap addresses at Hotmail and Yahoo Mail. For this to work, the seed addresses have to be random strings that nobody could guess (so a hit can't be blamed on a dictionary attack), and each copy has to get its own set of seeds that appear in no other copy. If the spamtrap addresses that start receiving spam are all ones that were used to seed one particular employee's copy of the list, then you've found the source of the leak. That won't stop the spam being sent to addresses that have already been stolen, but it could prevent further leaks from happening.
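Here is how the seeding suggestion above works in practice, as an added example (this is my illustration, not code from the article and not anything AmeriTrade is known to run). The recipient names, the sample customer addresses and the trap domains are constructed; the trap local parts are 16 random alphanumerics, the same length as the address the article's experiment used.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
TRAP_DOMAINS = ("hotmail.com", "yahoo.com")  # the providers the article names


def make_trap(domain: str, length: int = 16) -> str:
    """Random 16-character local part: nobody can 'dictionary attack' it,
    so mail arriving there can only mean the list it was planted in leaked."""
    local = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


def seed_copies(customers, recipients, traps_per_copy=3):
    """Give every recipient (employee, vendor, ...) a copy of the customer list
    seeded with its own disjoint set of trap addresses.

    Returns (copies, trap_owner): copies maps recipient -> list copy,
    trap_owner maps trap address -> the recipient whose copy carries it."""
    copies, trap_owner = {}, {}
    for recipient in recipients:
        traps = [make_trap(TRAP_DOMAINS[i % len(TRAP_DOMAINS)])
                 for i in range(traps_per_copy)]
        for trap in traps:
            trap_owner[trap] = recipient
        # sort so the traps are interleaved with real customers, not appended
        copies[recipient] = sorted(customers + traps)
    return copies, trap_owner


def attribute_leak(spammed, trap_owner):
    """Given the addresses that started receiving spam, return the recipients
    whose copies are implicated. Empty set: only real customers were hit, so
    the leak predates the seeding or came from somewhere the traps never
    went. More than one recipient: several copies leaked (or were merged)."""
    return {trap_owner[addr] for addr in spammed if addr in trap_owner}


if __name__ == "__main__":
    customers = ["alice@example.org", "bob@example.net"]  # constructed sample
    copies, owner = seed_copies(customers, ["cs-team", "marketing", "vendor-x"])
    marketing_traps = [t for t, r in owner.items() if r == "marketing"]
    # constructed: one trap from marketing's copy plus one real customer got spam
    hits = {"alice@example.org", marketing_traps[0]}
    print(attribute_leak(hits, owner))  # {'marketing'}
```

The traps only prove anything if they are never reused across copies and never handed out for any other purpose; keep `trap_owner` itself out of the list that gets distributed, since whoever holds it can strip the seeds before selling the rest.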

The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price. Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.) However, while this would remove the incentive for stock spammers to target AmeriTrade customers, it's also really just covering up a symptom of the problem, rather than addressing the problem itself, which is that a spammer was able to steal the customer information from AmeriTrade's database in the first place.

But whatever they do, AmeriTrade should stop blowing off the people who complain about the spam, with messages about "dictionary attacks" and "botnets". When customers create specialized spamtrap addresses to detect if their e-mails ever get leaked, those are the tech-savvy customers who (a) know what they're doing, and (b) hate spam more than most people, and giving them misleading information is just poking a stick in their eye. Not a smart move when AmeriTrade has been leaking private customer information and is based, as their name indicates, in the most litigious country in the history of the world.


Comments:
  • Hrm. (Score:2, Interesting)

    by grub ( 11606 ) <slashdot@grub.net> on Wednesday May 30, 2007 @11:53AM (#19322665) Homepage Journal

    I use TDWaterhouse for trading (I'm in .ca) and have never had a problem.

    From what I can tell the only sites where unique addresses seem to get out are from BitTorrent trackers. Not a complete surprise I guess.

    Protip: if you run your own mail server generate a whack of aliases (i.e. bogus000 through bogus999) so you always have a disposable address available.

  • Re:Hrm. (Score:5, Interesting)

    by rherbert ( 565206 ) <slashdot@org.ryan@xar@us> on Wednesday May 30, 2007 @12:04PM (#19322847) Homepage
    If you run your own mail server, set up a subdomain where every address goes to your inbox.... That way, it's fairly obvious when you get spam to ameritrade.com@bills.mydomain.com. I caught EmigrantDirect that way, although I was simply shocked when they never responded to my e-mail about it.
  • Re:Hrm. (Score:3, Interesting)

    by grub ( 11606 ) <slashdot@grub.net> on Wednesday May 30, 2007 @12:08PM (#19322923) Homepage Journal
    I just use aliases :) That way if the spam starts to flow I just comment out that alias and that address no longer works.
  • Other explanations (Score:4, Interesting)

    by Craig Ringer ( 302899 ) on Wednesday May 30, 2007 @12:09PM (#19322947) Homepage Journal
    The test you did is not conclusive by any means. You must also prove that the address was never exposed in any other way (stolen by malware on your machine, leaked through other communications, sold by a corrupt mail server administrator, etc), OR you need to find conclusive evidence that the leaked address came from the company's end.

    I've seen addresses turn up in spam that I wouldn't have believed if I hadn't seen it.

    Now, if you are able to confirm that several addresses created by different people & never shared get similar scams that addresses not given to the company DO NOT get, then that might be something interesting.
  • by DoohickeyJones ( 605261 ) on Wednesday May 30, 2007 @12:11PM (#19322969)
    From the article:
    The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price.

    Does anyone else see the problem with that?
    If I want to kill my competitor's stock, all I have to do is launch a pump and dump scam using it as the target?
  • long time customer (Score:4, Interesting)

    by hb253 ( 764272 ) on Wednesday May 30, 2007 @12:13PM (#19323001)
    Lone anecdotal datapoint: I'm a long time TD Ameritrade customer. I don't get any spam to the email address I've registered with them.
  • by horatio ( 127595 ) on Wednesday May 30, 2007 @12:24PM (#19323181)
    You're right, and that works great except that most sites I've come across use a regex which disallows the use of a '+' sign in the email address.

    What I've done instead is to create a catch-all email address in a subdomain and sign up as, i.e. amazon@subdomain.domain.com. I suppose I could first create a unique 16-character string for each one and add a new address before creating any accounts, but a) that requires additional effort and management and b) when you call, for example, amazon customer support they ask for your email address to identify your account. Good luck communicating 16 random letters and numbers over the phone to level-1 customer support.

    Eventually a "dictionary" attack might end up forcing me to shut down the catch-all and be explicit.
  • by JeffL ( 5070 ) on Wednesday May 30, 2007 @12:25PM (#19323205) Homepage

    A virus and spyware is certainly a possibility for leaking an address, and I know I've had my address leaked when somebody elses computer, who has received an e-mail from me, gets infected with spyware.

    In this case though, both a friend and myself started getting spam to our unique Ameritrade addresses at the same time. Both of us use Linux for our primary desktop OS (no e-mail reading from a Windows vmware session, etc.) Neither of us received spam to our many other unique addresses. If it had been spyware infecting one of our machines and stealing our e-mail list, then I would have expected spam to my e-trade, amazon, newegg, etc. unique addresses, but only the ameritrade address received the spam.

    It could still be a spyware or virus infection at a machine at Ameritrade. Somebody keeps the full list of e-mail addresses on their laptop, which goes outside all the fancy firewalls and IT oversight and gets infected, and has the data stolen.

  • by ReekRend ( 843787 ) on Wednesday May 30, 2007 @12:27PM (#19323233)
    I feel like there needs to be more information about the "test". Did the Ameritrade-unique addresses *only* get stock spam, or spam in general (including stocks)? The former would of course be highly suspicious, but the latter would indicate all possibilities should be fairly examined.

    Another example, this logic seems flawed...

    he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.

    How would anyone know if or how much other email was affected? Most likely it would be trashed by a spam filter anyway, and even if it wasn't how could they compare "everyone's" email spam to see who gets what?! And obviously the "explanation" of the Ameritrade complaints being prominent is because those people were specifically looking for spam on those accounts to complain about. That says nothing else about which other email addresses also got spam or even the same spam.

    Furthermore why is a large company like Ameritrade any more suspect of selling out (or having a leak) than any given email provider? Was there a control group of email addresses created and not being given out to at all?

    I'm not saying TFA is wrong, but if they wanted to publicly prove guilt they need to provide more thorough evidence.
  • by Starwanderer ( 230199 ) * <o7qvwwk02@sneakemail.com> on Wednesday May 30, 2007 @01:10PM (#19323889)
    I've always used targeted addresses of random letters and numbers with Ameritrade and I ran into this same thing two years ago. I let them know and I got the same excuse of a dictionary attack. When I complained that such a long address of random letters and numbers was expressly designed to avoid a dictionary attack, and that I strongly suspected that someone on the inside was selling/using email addresses for the pump and dump spam, I suddenly stopped receiving any replies to my emails. I can only conclude that TDAmeritrade is aware of this problem, but just doesn't care. I wish I could say I'm surprised, but I'm not.
  • Re:Hrm. (Score:5, Interesting)

    by It doesn't come easy ( 695416 ) * on Wednesday May 30, 2007 @01:11PM (#19323899) Journal
    On the other hand, I also use TDWaterhouse and I also always use a unique email address for every system where I have an account, including for TDWaterhouse. And at the same time TDWaterhouse combined with Ameritrade, I started getting pump & dump stock scams sent to my TDWaterhouse email address (which was the same email address I was using before TDWaterhouse and Ameritrade combined). It seems to me that pretty much confirms that Ameritrade has some kind of ONGOING security problem. And since access to my TDWaterhouse (now TDAmeritrade) account means access to my money, I will be moving my accounts ASAP.
  • by YrWrstNtmr ( 564987 ) on Wednesday May 30, 2007 @01:15PM (#19323961)
    Bricks and mortar Bank of America is not going to fuck over customers

    Now THAT is funny.
    Bank of America [nypost.com] hit Gloria Carlo, 51, a single mom from the South Bronx, with a lawsuit demanding $23,312.04. It's money the bank claims she overdrew in a two-month home-shopping spending spree after already exhausting $38,000 from her own savings.

    Bank of America Corp. [cnn.com] and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may the biggest security breach to hit the banking industry.

    Users of the Bank of America's Visa Buxx prepaid debit cards [networkworld.com] are being warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer.
  • Re:Hrm. (Score:5, Interesting)

    by LoadStar ( 532607 ) on Wednesday May 30, 2007 @01:37PM (#19324317)
    I opened a TD Ameritrade account a couple of months ago, and I too started getting slammed with pump-and-dump spam. The problem for me is that I went IN PERSON to a TD Ameritrade branch and opened the account, so it's not like a "man in the middle" attack, unless this hypothetical man in the middle is actually opening up brick-and-mortar branches.

    I was simply using the account to hold the relatively small stock portfolio I have, so I have no problem moving my account elsewhere.
  • Re:Solution? (Score:3, Interesting)

    by Anonymous Coward on Wednesday May 30, 2007 @03:12PM (#19325747)
    I caught Ameritrade the same way, approximately 6 months ago. I used the domain name ameritrade@(mydomain).com and the address became a spam magnet approx. 1 month after I canceled my account with Ameritrade. Given the timing, my feeling was that they sold my email address after quitting the service.

    Regardless of the cause for my email address being leaked by Ameritrade, I have steered several people away from their service with my story. My hope is that others avoid their service as well, especially since I found the trading interface to be poorly designed.

    I am primarily using Scottrade, but am also evaluating the following trading service:
    https://www.zecco.com/trading/signin.aspx [zecco.com]
    As of yet Zecco seems ideal for small investors: 10 free trades a day, 40 free trades a month. Transaction fees only apply after the free trades are used.

  • by Anonymous Coward on Wednesday May 30, 2007 @03:29PM (#19326007)
    The most likely cause is rogue employees that have access to the company's database. Several years ago I created a Hotmail account to test incoming email at my company email address. The only thing I ever did with that account was send myself test messages. Within a few days I noticed the account started getting spam, so I notified MS. I tried many times but NEVER could get through to those idiots what I was trying to report. They only responded with the canned "spam comes from lots of sources" crap. Although there are a couple other potential causes, I believe most of these cases are caused by a greedy/dumb/both person with admin rights to the host systems. I'm not sure how much such espionage could bring in, but it must be perceived to be worth the risk.
  • Re:Hrm. (Score:5, Interesting)

    by NatasRevol ( 731260 ) on Wednesday May 30, 2007 @03:57PM (#19326481) Journal
    Why does everyone assume it's a security problem?

    Why can't it be a revenue stream problem? ie they're selling the addresses?
  • by 6Yankee ( 597075 ) on Wednesday May 30, 2007 @04:22PM (#19326863)
    One thing I'm thinking of trying on my next change of email address: Prefixing with my initials, and shitcanning anything that doesn't start with those characters. Bye-bye vladimir.rodriguez and all the other unlikely names!

    They might guess ebay@mydomain.com, slashdot@mydomain.com - but what are their chances of getting 6.y.slashdot? (Not my real initials :P )

    Anyone out there who's used this approach, and can say whether it's worthwhile?
  • by ericferris ( 1087061 ) on Wednesday May 30, 2007 @06:04PM (#19328635) Homepage
    There is even a spamgourmet user who created a unique address for ameritrade and received spam, thus confirming the trend. See http://www.spamgourmet.com/bbs/viewtopic.php?t=81&postdays=0&postorder=asc&start=60 [spamgourmet.com]. The user complained and got the same kind of letter as everyone else.
  • Re:Hrm. (Score:3, Interesting)

    by It doesn't come easy ( 695416 ) * on Wednesday May 30, 2007 @07:54PM (#19330263) Journal
    The thing is I originally accepted TD Waterhouse's explanation that the email was probably intercepted via some wayspot server forwarding the email as it traveled to my email account. However, the discussion concerning Ameritrade's issues let me reach a much more plausible explanation, that being that the difference was that I started receiving the spam once TD Waterhouse hooked up with Ameritrade. Since Ameritrade account owners are still complaining of the same issues (and I was unaware of the Ameritrade problems before now), I must assume the problem is still around, hence it's time to move the money.
  • couldn't agree more (Score:3, Interesting)

    by ClioCJS ( 264898 ) <cliocjs+slashdot&gmail,com> on Wednesday May 30, 2007 @09:03PM (#19330917) Homepage Journal
    I've had the same email address for 14 years, and I get fewer than 5 spams in my inbox daily. It's all over usenet and has been googleable since, well.. since before google :) GP is paranoid and has too much free time to devote.
  • by vic-traill ( 1038742 ) on Thursday May 31, 2007 @12:31AM (#19332609)

    Even easier: just go to Spamgourmet.com and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.

    Sounds cool. Gmail gives you a similar mechanism; myaddress@gmail.com can be amended to any form of myaddress+somesignupstring@gmail.com.

    The downside is that I've run into numerous forms that evaluate the '+' character as invalid in form checking on entered e-mail addresses. My read of RFC [2]822 is that the '+' char is explicitly included as atext, so these forms are either written by boneheads or by pricks who don't want to be tracked back to. Either way, it's a Bad Sign of Things to Come from whatever you're signing up for.

    This doesn't appear to be a problem for Spamgourmet.com. Cool. Thanks for the tip.
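The thread above describes three ways of tagging addresses per service (plus-addressing, a catch-all subdomain, and an initials prefix with everything else discarded) and a recurring obstacle, sign-up forms whose e-mail regex rejects '+'. The following is an added example written for this page, not code posted by any commenter: it puts a typical over-strict regex next to a check built from the RFC 5322 (formerly RFC 2822) atext set that vic-traill cites, and maps an incoming address to the service it was given to under each scheme. The base address "me@example.com", the subdomain "bills" and the initials "6.y" are constructed stand-ins for the commenters' own.

```python
import re

# The over-strict form check several commenters ran into: it rejects '+'.
NAIVE_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# RFC 5322 'atext' (RFC 2822 defined the same set): letters, digits and these
# specials, '+' among them. A dot-atom is runs of atext joined by single dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
# Demands at least one dot in the domain: stricter than the RFC, but what a
# sign-up form should accept in practice.
DOT_ATOM_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*@{ATEXT}(?:\.{ATEXT})+$")


def naive_valid(addr: str) -> bool:
    """The broken check: returns False for me+amazon@example.com."""
    return bool(NAIVE_EMAIL_RE.match(addr))


def rfc_valid(addr: str) -> bool:
    """Dot-atom check: accepts '+' and the other atext specials."""
    return bool(DOT_ATOM_RE.match(addr))


def service_tag(addr, base_user, base_domain, initials=None):
    """Map an incoming recipient address to (scheme, tag) under the three
    schemes in the thread, or None if the address should be discarded:
      plus       me+amazon@example.com             (Gmail / spamgourmet style)
      subdomain  ameritrade.com@bills.example.com  (catch-all subdomain)
      prefix     6.y.slashdot@example.com          (initials prefix)
    'initials' enables the prefix scheme. Mail at the base domain that is
    neither the base address nor tagged (vladimir.rodriguez@...) is dropped."""
    local, _, domain = addr.lower().rpartition("@")
    base_user, base_domain = base_user.lower(), base_domain.lower()
    if domain == base_domain:
        if local == base_user:
            return ("base", "")
        user, plus, tag = local.partition("+")
        if plus and user == base_user and tag:
            return ("plus", tag)
        if initials:
            prefix = initials.lower() + "."
            if local.startswith(prefix) and len(local) > len(prefix):
                return ("prefix", local[len(prefix):])
        return None  # a guessed name: discard
    if domain.endswith("." + base_domain) and local:
        return ("subdomain", local)  # catch-all: the local part is the tag
    return None  # not our domain at all
```

Whichever scheme is used, the tag that arrives is the evidence: log it per message before any spam filter runs, because once the tagged mail is filtered or deleted (the advice AmeriTrade's boilerplate gives) there is nothing left to show which service leaked.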
