I just changed my original unique Ameritrade email address which was getting spammed, to a new unique email address, on my first account on 7/6/2006, and on my second account on 7/14/2006.
Today (7/28/2006) I received a spam at this new address. It is not an easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are letters, some random). My machines have not been compromised by viruses. The answer is Ameritrade is leaking them, in my opinion.
I complained to them again today, and within 10 minutes I received a form letter response concerning Ameritrade's privacy policy, as if that is what I am complaining about. (NOWHERE does it tell me they divulge my email address to raunchy spammers.) I believe there is an employee selling our information, or a security leak at Ameritrade. No one seems to believe me, but the thread I referenced above should make someone at Ameritrade wake up before someone with more time than I have decides to get serious, legally.
I have decided to perform an experiment. I have just updated my Ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period). Based on how slow someone would have to check addresses to dictionary attack our server, it would take 10^68 YEARS to guess this new email address if you ran through every permutation.
That takes care of the idea that it might be a spammer guessing my email address.
I have also taken precautions to make sure this email address never ends up on my computer system. It is only stored in our secured mail server.
That takes care of the idea that it might be a virus divulging my email address.
Add to that that I have a hundred other unique addresses used with other companies, which are NOT being spammed.
I will update this thread when I receive a spam at this new address, if only to amuse myself, as Ameritrade seems willing to wait until they're cutting a check for damages.
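The experiment described in the post above (one random address per company, then watching which address attracts third-party mail) can be sketched as follows. This is an added example, not part of the original post; the `CanaryRegistry` class, the `.example` domains and the sample deliveries are constructed for illustration.

```python
import math
import secrets
import string

POOL = string.ascii_lowercase + string.digits + "-."  # 38 characters, as in the post
LENGTH = 47                                           # local-part length from the post


def keyspace_log10(length=LENGTH, pool_size=len(POOL)):
    """log10 of the number of possible local parts (pool_size ** length)."""
    return length * math.log10(pool_size)


def new_canary(domain, length=LENGTH):
    """Random local part from a CSPRNG; reject dot placements that are
    invalid in an unquoted local part (leading, trailing, doubled)."""
    while True:
        local = "".join(secrets.choice(POOL) for _ in range(length))
        if local[0] != "." and local[-1] != "." and ".." not in local:
            return f"{local}@{domain}"


class CanaryRegistry:
    """Maps each issued address to the single party it was disclosed to."""

    def __init__(self, domain):
        self.domain = domain
        self.issued = {}  # address -> (vendor, sender domains the vendor uses)

    def issue(self, vendor, sender_domains):
        addr = new_canary(self.domain)
        self.issued[addr] = (vendor, frozenset(sender_domains))
        return addr

    def leaks(self, deliveries):
        """deliveries: iterable of (envelope_sender, recipient).
        Returns {vendor: [unexpected senders]} for canaries hit by third parties."""
        found = {}
        for sender, rcpt in deliveries:
            entry = self.issued.get(rcpt.lower())
            if entry is None:
                continue  # not a canary we issued
            vendor, allowed = entry
            if sender.rpartition("@")[2].lower() not in allowed:
                found.setdefault(vendor, []).append(sender)
        return found


if __name__ == "__main__":
    reg = CanaryRegistry("ourdomain.example")  # constructed domain
    broker = reg.issue("broker", ["broker.example"])
    shop = reg.issue("shop", ["shop.example"])
    log = [("statements@broker.example", broker),  # constructed deliveries
           ("hot-stock@bulk.example", broker),
           ("orders@shop.example", shop)]
    print(f"keyspace ~ 10^{keyspace_log10():.1f}")
    print(reg.leaks(log))
```

Envelope senders can be forged, so the sender-domain allow-list is a first-pass filter: a match does not prove the vendor sent the message, while a mismatch on an address disclosed to only one party is the signal of interest.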
> I just changed my original unique Ameritrade email address which was getting spammed, to a new unique email address, on my first account on 7/6/2006, and on my second account on 7/14/2006.
> Today (7/28/2006) I received a spam at this new address. It is not an easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are letters, some random). My machines have not been compromised by viruses. The answer is Ameritrade is leaking them, in my opinion.
So why not just sh%tcan Ameritrade and do business with someone else?
> > I just changed my original unique Ameritrade email address which was getting spammed, to a new unique email address, on my first account on 7/6/2006, and on my second account on 7/14/2006.
> > Today (7/28/2006) I received a spam at this new address. It is not an easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are letters, some random). My machines have not been compromised by viruses. The answer is Ameritrade is leaking them, in my opinion.
> So why not just sh%tcan Ameritrade and do business with someone else?
I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed (so far). FWIW.
In article <1154167089.083118.39...@b28g2000cwb.googlegroups.com>,
Thane <m...@ix.netcom.com> wrote:
>I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed (so far). FWIW.
You will be.
I just got several spams to a new TDAmeritrade account (an email account given only to them). I changed the email address they have; let's see how long it takes for the new one to get spammed.
I think it's time to get the NASD and SEC involved; a company with security that bad shouldn't be entrusted with other people's assets.
On 28 Jul 2006 17:01:42 -0700, "Thomas" <tomwin...@gmail.com> wrote:
>I have decided to perform an experiment. I have just updated my Ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period). Based on how slow someone would have to check addresses to dictionary attack our server, it would take 10^68 YEARS to guess this new email address if you ran through every permutation.
Also consider that you might be transiting someone sniffing traffic for email addresses between you and Ameritrade, if any of the traffic with the email address is in the clear. Also consider that Ameritrade's traffic is being sniffed by their upstream or a customer at their upstream doing ARP cache poisoning.
However, I agree, the most likely thing is Ameritrade has an insider leaking their mailing lists, followed by a compromised system within Ameritrade itself.
There are man in the middle attacks that will work with SSL, if you can get the browser to load a certificate.
>>I have decided to perform an experiment. I have just updated my Ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period). Based on how slow someone would have to check addresses to dictionary attack our server, it would take 10^68 YEARS to guess this new email address if you ran through every permutation.
>Also consider that you might be transiting someone sniffing traffic for email addresses between you and Ameritrade,
The next time that happens will be the first.
Someone who could sniff traffic could steal stuff a lot more valuable than email addresses.
Also, they'd have to get them outgoing, since I only tell Ameritrade my email address with https. (And if somebody were sniffing incoming to me, they'd get a lot more tagged addresses.)
>However, I agree, the most likely thing is Ameritrade has an insider leaking their mailing lists, followed by a compromised system within Ameritrade itself.
Right. Either way, Ameritrade is at fault.
>There are man in the middle attacks that will work with SSL, if you can get the browser to load a certificate.
If somebody could MitM against a stockbroker, they aren't going to steal email addresses.
In article <eagpm5$pc...@reader2.panix.com>, se...@panix.com (Seth Breidbart) wrote:
> In article <1154167089.083118.39...@b28g2000cwb.googlegroups.com>, Thane <m...@ix.netcom.com> wrote:
> >I'm an Ameritrade user (ex TD Waterhouse) and have never been spammed (so far). FWIW.
> You will be.
> I just got several spams to a new TDAmeritrade account (an email account given only to them). I changed the email address they have; let's see how long it takes for the new one to get spammed.
> I think it's time to get the NASD and SEC involved; a company with security that bad shouldn't be entrusted with other people's assets.
I actually began to receive stock spams myself within the last 3 weeks on my Ameritrade account as well. I have changed my email to another unique email address and let's see what happens.
>> I have decided to perform an experiment. I have just updated my Ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period). Based on how slow someone would have to check addresses to dictionary attack our server, it would take 10^68 YEARS to guess this new email address if you ran through every permutation.
> Also consider that you might be transiting someone sniffing traffic for email addresses between you and Ameritrade, if any of the traffic with the email address is in the clear. Also consider that Ameritrade's traffic is being sniffed by their upstream or a customer at their upstream doing ARP cache poisoning.
> However, I agree, the most likely thing is Ameritrade has an insider leaking their mailing lists, followed by a compromised system within Ameritrade itself.
> There are man in the middle attacks that will work with SSL, if you can get the browser to load a certificate.
Ameritrade leaking email addresses?
Could I dare speculate that it is AT&T that has the leaky employee? After all, they are engaged by BigBrother to spy on all internet traffic, ostensibly to catch Osama and friends and other ne'er-do-wells. So, I suppose that an unscrupulous AT&T jerk is as good a candidate as any to attribute the leakage.
Also, given that the NSA is likely to be able to crack even AES256 at this point and that your traffic needs to be in plaintext for BigBrother to use it, I can also easily imagine that the plaintext is readily visible at the AT&T eavesdropping points.
On 2006-07-29, Thomas <tomwin...@gmail.com> wrote:
> Today (7/28/2006) I received a spam at this new address. It is not an easily guessed address (aaaaaa-aaaaa-aaa@ourdomain, where a's are letters, some random). My machines have not been compromised by viruses. The answer is Ameritrade is leaking them, in my opinion.
I've also just been spammed at my Ameritrade-only (unique, never-used-elsewhere) address. This follows a similar barrage of spam to that address a week or so ago. In both cases the spam I've received to that address has been stock-related. So I'd agree that Ameritrade is leaking addresses.
I can't be sure if that's intentional or a result of technical incompetence. However, as someone mentioned in the December thread on this same topic, Ameritrade's privacy policy reserves to them the right to share "non-public personal information" with anyone at all. They have an opt out for that, and I always scour web sites for privacy information, opt-outs, and mailing list unsubscriptions, so I would almost certainly have found that one. But corporations like Ameritrade will often add a new opt-out (default to opt-in, of course) without mentioning it--and you don't find out about it until they've already used it against you.
So my presumption is that they simply sold my address, and yours, and presumably many others as well.
> I have decided to perform an experiment. I have just updated my Ameritrade addresses to a set of 47 random characters, drawn from a 38-character pool (a-z, 0-9, dash, and period).
I've done something similar: changed to a date-stamped address with various pseudo-random stuff in it. Certainly nothing a brute force email generator would ever stumble across. I'm debating now whether to write to the SEC's enforcem...@sec.gov address immediately, or hold off until this new address gets spammed.
I haven't bothered contacting Ameritrade and won't, since I won't add the insult of wasting hours of my time to the injury of them sharing my address with spammers; that time can be more profitably spent searching for a new online broker who doesn't sell personal information.
Recently, I received 3 spams sent to the unique email address I gave Ameritrade. I called them to ask about it and after "investigating", they concluded they don't give out their data to anyone and have no idea how it happened. I said I wanted to close my account and wanted the transfer out fees waived, which they agreed to. I suggest anyone who is concerned about this problem and wants to close their account, ask for the transfer out fee to be waived and feel free to say they did that for me! My account is in the process of being transferred out now, but just today I received more spam to my unique Ameritrade email address. Also, a friend of mine, who also uses unique email addresses for every company he does business with, has been receiving several spams to his Ameritrade address. Sounds like they have a problem keeping their data secure.