I just changed my original unique Ameritrade email address which was getting spammed, to a new unique email address, on my first account on 7/6/2006, and on my second account on 7/14/2006.
Today (7/28/2006) I received a spam at this new address. It is not an easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are letters, some random). My machines have not been compromised by viruses. The answer is Ameritrade is leaking them, in my opinion.
I complained to them again today, and within 10 minutes I received a form letter response concering Ameritrade's privacy policy, as if that is what I am complaining about. (NOWHERE does it tell me they divulge my email address to raunchy spammers.) I believe their is an employee selling our information, or a security leak at ameritrade. No one seems to believe me, but the thread I referenced above should make someone at Ameritrade wake up before someone with more time than I have decides to get serious, legally.
I have decided to perform an experiment. I have just updated my ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period). Based on how slow someone would have to check addresses to dictionary attack our server, it would take 10^68 YEARS to guess this new email address if you ran through every permutation.
That takes care of the idea that it might be spammer guessing my email address.
I have also taken precautions to make sure this email address never ends up on my computer system. It is only stored in our secured mail server.
That takes care of the idea that it might be a virus divulging my email address.
Add to that that I have a hundred other unique addresses used with other companies, which are NOT being spammed.
I will update this thread when I receive a spam at this new address, if only to amuse myself, as Ameritrade seems willing to wait until they're cutting a check for damages.
> I just changed my original unique Ameritrade email address which was > getting spammed, to a new unique email address, on my first account on > 7/6/2006, and on my second account on 7/14/2006.
> Today (7/28/2006) I received a spam at this new address. It is not an > easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are > letters, some random). My machines have not been compromised by > viruses. The answer is Ameritrade is leaking them, in my opinion.
So why not just sh%tcan Ameritrade and do business with someone else?
> > I just changed my original unique Ameritrade email address which was > > getting spammed, to a new unique email address, on my first account on > > 7/6/2006, and on my second account on 7/14/2006.
> > Today (7/28/2006) I received a spam at this new address. It is not an > > easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are > > letters, some random). My machines have not been compromised by > > viruses. The answer is Ameritrade is leaking them, in my opinion.
> So why not just sh%tcan Ameritrade and do business with someone else?
I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed (so far). FWIW.
In article <1154167089.083118.39...@b28g2000cwb.googlegroups.com>,
Thane <m...@ix.netcom.com> wrote: >I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed >(so far). FWIW.
You will be.
I just got several spams to a new TDAmeritrade account (an email account given only to them). I changed the email address they have; let's see how long it takes for the new one to get spammed.
I think it's time to get the NASD and SEC involved; a company with security that bad shouldn't be entrusted with other people's assets.
On 28 Jul 2006 17:01:42 -0700, "Thomas" <tomwin...@gmail.com> wrote:
>I have decided to perform an experiment. I have just updated my >ameritrade addresses to a set of 47 random characters, drawn from a >38-character pool (a-z, 0-9, dash, and period). Based on how slow >someone would have to check addresses to dictionary attack our server, >it would take 10^68 YEARS to guess this new email address if you ran >through every permutation.
Also consider that you might be transiting someone sniffing traffic for email adresses between you and Ameritrade, if any of the traffic is with the email address is enclear. Also consider that Ameritrade's traffic is being sniffed by their upstream or a customer at their upstream doing arp cache poisioning.
However, I agree, the most likely thing is Ameritrade has an insider leaking their mailling lists, followed by a comprimised system within Ameritrade itself.
There are man in the middle attacks that will work with SSL, if you can get the browser to load a certificate.
>>I have decided to perform an experiment. I have just updated my >>ameritrade addresses to a set of 47 random characters, drawn from a >>38-character pool (a-z, 0-9, dash, and period). Based on how slow >>someone would have to check addresses to dictionary attack our server, >>it would take 10^68 YEARS to guess this new email address if you ran >>through every permutation.
>Also consider that you might be transiting someone sniffing traffic >for email adresses between you and Ameritrade,
The next time that happens will be the first.
Someone who could sniff traffic could steal stuff a lot more valuable than email addresses.
Also, they'd have to get them outgoing, since I only tell Ameritrade my email address with https. (And if somebody were sniffing incoming to me, they'd get a lot more tagged addresses.)
>However, I agree, the most likely thing is Ameritrade has an insider >leaking their mailling lists, followed by a comprimised system within >Ameritrade itself.
Right. Either way, Ameritrade is at fault.
>There are man in the middle attacks that will work with SSL, if you >can get the browser to load a certificate.
If somebody could MitM against a stockbroker, they aren't going to steal email addresses.
In article <eagpm5$pc...@reader2.panix.com>, se...@panix.com (Seth Breidbart) wrote:
> In article <1154167089.083118.39...@b28g2000cwb.googlegroups.com>, > Thane <m...@ix.netcom.com> wrote:
> >I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed > >(so far). FWIW.
> You will be.
> I just got several spams to a new TDAmeritrade account (an email > account given only to them). I changed the email address they have; > let's see how long it takes for the new one to get spammed.
> I think it's time to get the NASD and SEC involved; a company with > security that bad shouldn't be entrusted with other people's assets.
I actually began to receive stock spams myself within the last 3 weeks on my ameritrade account as well. I have changed my email to another unique email address and lets see what happens.
>> I have decided to perform an experiment. I have just updated my >> ameritrade addresses to a set of 47 random characters, drawn from a >> 38-character pool (a-z, 0-9, dash, and period). Based on how slow >> someone would have to check addresses to dictionary attack our server, >> it would take 10^68 YEARS to guess this new email address if you ran >> through every permutation.
> Also consider that you might be transiting someone sniffing traffic > for email adresses between you and Ameritrade, if any of the traffic > is with the email address is enclear. Also consider that Ameritrade's > traffic is being sniffed by their upstream or a customer at their > upstream doing arp cache poisioning.
> However, I agree, the most likely thing is Ameritrade has an insider > leaking their mailling lists, followed by a comprimised system within > Ameritrade itself.
> There are man in the middle attacks that will work with SSL, if you > can get the browser to load a certificate.
Ameritrade leaking email addresses?
Could I dare speculate that it is AT&T that has the leaky employee? After all, they are engaged by BigBrother to spy on all internet traffic, ostensibily to catch Ossama and friends and other nere do wells. So, I suppose that an unscrupulous AT&T jerk is as good a candidate as any to attribute the leakage.
Also, given that the NSA is likely to be able to crack even AES256 at this point and that your traffic needs to be in plaintext for BigBrother to use it, I can also easily imagine that the plaintext is readily visible at the AT&T evesdropping points.
On 2006-07-29, Thomas <tomwin...@gmail.com> wrote:
> Today (7/28/2006) I received a spam at this new address. It is not an > easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are > letters, some random). My machines have not been compromised by > viruses. The answer is Ameritrade is leaking them, in my opinion.
I've also just been spammed at my Ameritrade-only (unique, never-used- elsewhere) address. This follows a similar barrage of spam to that address a week or so ago. In both cases the spam I've received to that address has been stock-related. So I'd agree that Ameritrade is leaking addresses.
I can't be sure if that's intentional or a result of technical incompetence. However, as someone mentioned in the December thread on this same topic, Ameritrade's privacy policy reserves to them the right to share "non-public personal information" with anyone at all. They have an opt out for that, and I always scour web sites for privacy information, opt-outs, and mailing list unsubscriptions, so I would almost certainly have found that one. But corporations like Ameritrade will often add a new opt-out (default to opt-in, of course) without mentioning it--and you don't find out about it until they've already used it against you.
So my presumption is that they simply sold my address, and yours, and presumably many others as well.
> I have decided to perform an experiment. I have just updated my > ameritrade addresses to a set of 47 random characters, drawn from a > 38-character pool (a-z, 0-9, dash, and period).
I've done something similar: changed to a date-stamped address with various pseudo-random stuff in it. Certainly nothing a brute force email generator would ever stumble across. I'm debating now whether to write to the SEC's enforcem...@sec.gov address immediately, or hold off until this new address gets spammed.
I haven't bothered contacting Ameritrade and won't, since I won't add the insult of wasting hours of my time to the injury of them sharing my address with spammers; that time can be more profitably spent searching for a new online broker who doesn't sell personal information.
Recently, I received 3 spams sent to the unique email address I gave Ameritrade. I called them to ask about it and after "investigating", they concluded they don't give out their data to anyone and have no idea how it happened. I said I wanted to close my account and wanted the transfer out fees waived, which they agreed to. I suggest anyone who is concerned about this problem and wants to close their account, ask for the transfer out fee to be waived and feel free to say they did that for me! My account is in the process of being transferred out now, but just today I received more spam to my unique Ameritrade email address. Also, a friend of mine, who also uses unique email addresses for every company he does business with, has been receiving several spams to his Ameritrade address. Sounds they they have a problem keeping their data secure.
In article <1155273565.336439.172...@h48g2000cwc.googlegroups.com>,
stacey.che...@gmail.com wrote: > Recently, I received 3 spams sent to the unique email address I gave > Ameritrade. I called them to ask about it and after "investigating", > they concluded they don't give out their data to anyone and have no > idea how it happened. I said I wanted to close my account and wanted > the transfer out fees waived, which they agreed to. I suggest anyone > who is concerned about this problem and wants to close their account, > ask for the transfer out fee to be waived and feel free to say they did > that for me! My account is in the process of being transferred out > now, but just today I received more spam to my unique Ameritrade email > address. Also, a friend of mine, who also uses unique email addresses > for every company he does business with, has been receiving several > spams to his Ameritrade address. Sounds they they have a problem > keeping their data secure.
Possibly an inside job. Too bad corporate types are too boneheaded to realize it.
> I just changed my original unique Ameritrade email address which was > getting spammed, to a new unique email address, on my first account on > 7/6/2006, and on my second account on 7/14/2006.
> Today (7/28/2006) I received a spam at this new address. It is not an > easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are > letters, some random). My machines have not been compromised by > viruses. The answer is Ameritrade is leaking them, in my opinion.
> I complained to them again today, and within 10 minutes I received a > form letter response concering Ameritrade's privacy policy, as if that > is what I am complaining about. (NOWHERE does it tell me they divulge > my email address to raunchy spammers.) I believe their is an employee > selling our information, or a security leak at ameritrade. No one seems > to believe me, but the thread I referenced above should make someone at > Ameritrade wake up before someone with more time than I have decides to > get serious, legally.
> I have decided to perform an experiment. I have just updated my > ameritrade addresses to a set of 47 random characters, drawn from a > 38-character pool (a-z, 0-9, dash, and period). Based on how slow > someone would have to check addresses to dictionary attack our server, > it would take 10^68 YEARS to guess this new email address if you ran > through every permutation.
> That takes care of the idea that it might be spammer guessing my email > address.
> I have also taken precautions to make sure this email address never > ends up on my computer system. It is only stored in our secured mail > server.
> That takes care of the idea that it might be a virus divulging my email > address.
> Add to that that I have a hundred other unique addresses used with > other companies, which are NOT being spammed.
> I will update this thread when I receive a spam at this new address, if > only to amuse myself, as Ameritrade seems willing to wait until they're > cutting a check for damages.
I reserve the right to publicly post or ridicule any abusive E-mail. Reply to domain Patriot dot net user shmuel+news to contact me. Do not reply to spamt...@library.lspace.org
In article <44dc8052$11$fuzhry+tra$mr2...@news.patriot.net>, Shmuel (Seymour J.) Metz <spamt...@library.lspace.org.invalid> wrote:
>In <1155273565.336439.172...@h48g2000cwc.googlegroups.com>, on >08/10/2006 > at 10:19 PM, stacey.che...@gmail.com said:
>>Sounds they they have a problem keeping their data secure.
>Sounds like they're lying, although I admit that they could just be >incompetent.
I vote for incompetent. If they were competent, they'd be selling the addresses to a better class of spammers. (Although the fact that none of the Ameritrade spam I've gotten has been for phishing Ameritrade does seem strange; I'd have thought that was the obvious use for those addresses.)
One more victim here. Not only an unique address but also 2 other regular addresses, one that I used in the past with them , the other that I currently have listed as alternate. All being used for pumping stocks - spam that I never used to get until about a month ago -- Argh !!! I send them an email , will see what they have to say but don t have too much hope. I think the suggestion of switching broker is good however I not convince that any of them are immuned, if it is done by the token disgruntle employee it is very easy to access such data , I used to have access to zillions of credit card number , with expiration date , name and address ....
I searched for and am now posting on this thread because I got 4 such emails over the weekend. Each to a unique address that I have only given to Ameritrade.
Stephane wrote: > One more victim here. Not only an unique address but also 2 other regular > addresses, one that I used in the past with them , the other that I > currently have listed as alternate. > All being used for pumping stocks - spam that I never used to get until > about a month ago -- Argh !!! > I send them an email , will see what they have to say but don t have too > much hope. I think the suggestion of switching broker is good however I > not convince that any of them are immuned, if it is done by the token > disgruntle employee it is very easy to access such data , I used to have > access to zillions of credit card number , with expiration date , name and > address ....
stinky wrote: > In article <1155273565.336439.172...@h48g2000cwc.googlegroups.com>, > stacey.che...@gmail.com wrote:
> > Recently, I received 3 spams sent to the unique email address I gave > > Ameritrade. I called them to ask about it and after "investigating", > > they concluded they don't give out their data to anyone and have no > > idea how it happened. I said I wanted to close my account and wanted > > the transfer out fees waived, which they agreed to. I suggest anyone > > who is concerned about this problem and wants to close their account, > > ask for the transfer out fee to be waived and feel free to say they did > > that for me! My account is in the process of being transferred out > > now, but just today I received more spam to my unique Ameritrade email > > address. Also, a friend of mine, who also uses unique email addresses > > for every company he does business with, has been receiving several > > spams to his Ameritrade address. Sounds they they have a problem > > keeping their data secure.
> Possibly an inside job. Too bad corporate types are too boneheaded to > realize it.
I also started receiving junk email from Ameritrade to a unique account created exclusively for Ameritrade usage six years ago. The account has been dormant for two years (i.e. no logins) and I have received NO email from Ameritrade in approx. 2 years.
Funny, exact same thing happened to me. I have two TDAmeritrade accounts, both with addresses that are IMPOSSIBLE for a brute-force program to figure out. Both addresses were created on my own domain name, using words that can be found in no dictionary, and used ONLY ONCE EVER--to sign up for the account.
I receive spam almost daily. The spams are all the same--a set of random words (to confuse and sabotage heuristic filters), and an image (with a 'hot' stock tip on a GIF image to circumvent spam filters).
It is obviously happening to a lot of us. Unfortunately, enough people (especially with Ameritrade) are gullible and have so little financial knowledge that they will fall for it. It's the old "pump and dump" scheme.
I complained to Ameritrade. A service rep told me to "e-mail the FROM" address. The rep (and whoever is scripting the rep) obviously has no clue that the FROM address is among the easiest things in an e-mail header to forge.
Based on all the other conversations on the Web about this, it is apparent that Ameritrade has no intention of taking this seriously. I wonder if they are part of the scheme? It's definitely something the SEC should really look into. They are no doubt benefitting from it.
If any lawyer is reading this and would like to put a class action suit together, I'm in. I am getting nothing from Ameritrade's customer service.
> I just changed my original unique Ameritrade email address which was > getting spammed, to a new unique email address, on my first account on > 7/6/2006, and on my second account on 7/14/2006.
> Today (7/28/2006) I received a spam at this new address. It is not an > easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are > letters, some random). My machines have not been compromised by > viruses. The answer is Ameritrade is leaking them, in my opinion.
> I complained to them again today, and within 10 minutes I received a > form letter response concering Ameritrade's privacy policy, as if that > is what I am complaining about. (NOWHERE does it tell me they divulge > my email address to raunchy spammers.) I believe their is an employee > selling our information, or a security leak at ameritrade. No one seems > to believe me, but the thread I referenced above should make someone at > Ameritrade wake up before someone with more time than I have decides to > get serious, legally.
> I have decided to perform an experiment. I have just updated my > ameritrade addresses to a set of 47 random characters, drawn from a > 38-character pool (a-z, 0-9, dash, and period). Based on how slow > someone would have to check addresses to dictionary attack our server, > it would take 10^68 YEARS to guess this new email address if you ran > through every permutation.
> That takes care of the idea that it might be spammer guessing my email > address.
> I have also taken precautions to make sure this email address never > ends up on my computer system. It is only stored in our secured mail > server.
> That takes care of the idea that it might be a virus divulging my email > address.
> Add to that that I have a hundred other unique addresses used with > other companies, which are NOT being spammed.
> I will update this thread when I receive a spam at this new address, if > only to amuse myself, as Ameritrade seems willing to wait until they're > cutting a check for damages.
In article <1155679938.639354.309...@m79g2000cwm.googlegroups.com>,
hcl...@gmail.com wrote: > If any lawyer is reading this and would like to put a class action suit > together, I'm in. I am getting nothing from Ameritrade's customer > service.
Are you an Apex level customer? Apex level customers seem to get more attention. I guess I will have to contact them as an Apex customer.
On Wed, 16 Aug 2006 09:45:31 -0400, stinky wrote: > Are you an Apex level customer? Apex level customers seem to get more > attention. I guess I will have to contact them as an Apex customer.
I guess as an Apex customer , I got "more" attention but the only response I got so far was a cookie cutter email. When I sent my complain as a security issue , I sent detail information containing more than what they asked for in their reply:
"Thank you for reporting that you received spam e-mail at an e-mail address you use with TD AMERITRADE.
We take your privacy very seriously, and are conducting a thorough investigation into this matter.
To help us get to the source of the spam, we would appreciate it if you would reply to this message and provide the following:
- The date the e-mail was received - The address the spam was sent to (your e-mail address) - The e-mail source (the ?from? address) - Whether this was the first occurrence
We sincerely appreciate your cooperation and patience as we work to get to the source of this.
If you?d like to learn about general tips about privacy and security, you can visit the Security enter online. You?ll find it after you log on, under the Account menu.
Thank you,
Jason N. Client Services, TD AMERITRADE Division of TD AMERITRADE, Inc."
In the meantime , I changed my email address with them and opt out of any third party info sharing that I could find. If that email address gets the same SPAM , I am out.
> In article <pan.2006.08.16.18.46.32.329...@dslextreme.com>, > Stephane <steph...@dslextreme.com> wrote:
> > On Wed, 16 Aug 2006 09:45:31 -0400, stinky wrote:
> > > Are you an Apex level customer? Apex level customers seem to get more > > > attention. I guess I will have to contact them as an Apex customer.
> > I guess as an Apex customer , I got "more" attention but the only response > > I got so far was a cookie cutter email.
> I will do the same and lets see what they say.
> Here is a sample of the infected machines the spams have come from.
> 125.190.168.77
....etc. snipped
Never mind the domains, they are undoubtedly the same ones that sendsafe has infected. Look at some of the companies. Many commonalities; in choice of stock promoter, locations of principals (Penticton BC is one that comes up a lot), most are so thinly held it's probably just the owner and close relatives, and many are successors to previously spammed entities, or are connected via shared directors with CWTC.
This isn't only pump and dump spam, a lot of it is create a company, "issue" (declare) shares, publicise some "intent", and price targets, pump, and run.
A number of these companies report no revenues for several years. (never mind profits)
There are even a surprising number of dotcoms with absolutely no net presence I can find (except for spam complaints).
