bbs.spamgourmet.com

Thanks to SpamGourmet for inviting me post this Announcement. It's regarding legal action against TD Ameritrade that I think users who provided Ameritrade with spamgourmet addresses should join. In particular, the laws are such that at least one class representative is needed who resides in Alabama, Kansas, Illinois, Florida, Michigan, Missouri, New Jersey, Washington, Wisconsin, and/or West Virginia. There's some info and a FORM-CLICK HERE.

I use SpamGourmet-like disposable email addresses (DEAs), and used one with my TD Ameritrade account. It got spammed. A cycle began wherein I switched to other DEAs, and and they got spammed too. All the spam was promoting penny stocks, part of a typical pump-n-dump (See http://www.sec.gov/answers/pumpdump.htm) scam, except that Ameritrade was involved.

I brought it to their attention. I was very patient and thorough and clear in trying to explain the situation, so that they would be aware of the evidence and scope of the problem. It became clear that they didn't think maintaining the confidentiality or security of their customer databases was their responsibility. I posted about it on usenet, and confirmed that I was not alone. I bit the bullet, contacted and retained a lawyer. A class action claim has been filed against TD Ameritrade in my name. You can sign on as well. Join the fight! It's since become clear that Ameritrade has been made aware of the ongoing problem many many times over the years.

Again, there's some info and a FORM at http://www.eplaw.us/ameritrade.html ; you can fill out if you might want to join the suit. Mention your handle here if you fill out the form.

For more info, just google ameritrade spam! Questions/comments welcome here or via PM if necessary for privacy reasons.

Also, if you've received spam since June '07 to an address you provided only to TD Ameritrade, please let me know, e.g. mention it here and/or IM me a copy.

Also, if an admin could make this an announcement, that would be great.

I filled out the form, but I wasn't sure what they meant by asking if I would be a "class representative". That sounds almost as if I would be executing the actions or something.

Class Representative: A person named in the complaint as the plaintiff (the person doing the suing) and who has been determined by the court to be a legally "adequate" person to represent the interests of the class.

Look up the definition of 'class action' for more info.

I got a nice apology from Ameritrade telling me about their problem.

Jim27106 wrote:I got a nice apology from Ameritrade telling me about their problem.

Do they provide details about how their customers' email addresses were compromised?

"unauthorized code" that bypassed anti-virus software (no surprise - it was custom).

userID's and passwords were not in the database.

No evidence that anyone used the SS#'s, but they hired ID Analytics to make sure.

It is on http://www.hundzor.org/lj/ameritrade.pdf

Jim27106 wrote:"unauthorized code" that bypassed anti-virus software (no surprise - it was custom).

userID's and passwords were not in the database.

No evidence that anyone used the SS#'s, but they hired ID Analytics to make sure.

It is on http://www.hundzor.org/lj/ameritrade.pdf

The 'no evidence' claim is false; my identity was stolen using my SS# and the only lead is this breach, and they know that. On the other hand, they're claiming that there's evidence that makes them confident the data isn't being systematically abused. But since the 'no evidence' claim is conclusively bullshit, I don't really trust their claim about evidence that the data isn't being systematically abused.

They repeatedly lied to me; I don't trust their statements now, and that's being factored into my negotiation demands.

So, what's the latest on the lawsuit?

scifiguy wrote:So, what's the latest on the lawsuit?

I'm mostly in the dark about what's been going on, despite extensive efforts to keep informed.

Plus, my lawyers say because negotiations are sensitive, I need to not write publicly about what they do tell me to avoid disrupting them.

Some, but not all public stuff is here: http://news.justia.com/cases/featured/c ... 52/192623/

A proposed settlement has been made public in court filings. Reactions?

Elvey wrote:A proposed settlement has been made public in court filings. Reactions?

I'm not part of the class but I think reactions would require knowing what the proposed settlement is. I would hope it includes some assurances that policies will be put into place to stop this from happening again (and those assurances given teeth from the settlement itself, so if they fail to follow through they're in trouble). Given the nature of their business at a minimum they should be offering free credit report monitoring for a year or so to be on the safe side. I'm guessing they won't be offering a cash settlement to the class members (but I'm sure the lawyers will get one ).

It doesn't have what you propose.

Click Here for a copy.

You probably want to skip to page 35 of the PDF (marked Page 35 of 74 in blue at the top of the page) to read starting with the key section: "Benefits provided to class members under the settlement".

Well like I said, I'm not a member of the class, but here's my thoughts for what they're worth:

• The free year of Trend Micro Internet Security Pro isn't too bad, no complaints about that part.
  
• I don't know how obvious the announcements section of users' home pages are. This section gives a lot of wiggle room because it doesn't specify anything about how obvious the notice should be. If the announcement section is very obvious then this is fine, if not I'd be asking that some specificity be added to this section.
  
• Biannually's not too bad for penetration testing, the only concern I have with this section is will any kind of summary of the results of said testing be made public ever? It doesn't have to be detailed, could simply be "found X vulnerabilities rated Y on a scale of Z" and released well after they've fixed them. Companies have a tendency to sweep things like this under a rug and not do what they're supposed to do (like not actually fix the vulnerabilities). They probably won't budge on this, but it can't hurt to raise it.
  
• I have no clue what the account seeding is about so I can't comment on this.
  
• I'm a bit leery of the "organized misuse" part. This doesn't appear to be defined in the settlement at all and I can tell you that I have no idea what they might or might not consider "organized". I'd definitely ask that this be defined clearly.
  
• I think 6 is fair, as long as the above definition is addressed.
  
• I don't have any problems with the entire section B. I see that there will a form approved by the class used with notices sent so sounds like they're going to be thorough if they have to send them. The 30 day reply time is reasonable in that case.
  
• The charitable donations are good, and will go towards useful projects.

Those are my thoughts, take them as you may. Hopefully they'll prove to be useful.

And on an different note, I was a bit surprised that they have an appendix that's the firm's resumes.

Please see my comments on Wired.com's Threat Level (form 27b/6):
http://digg.com/security/It_sucks_Class ... reach_Deal
and other news coverage:

http://news.google.com/news?q=ameritrade+settlement

As usual, the press often gets it wrong, but fortunately, I've been able to correct misconceptions via the comments that most news media now allow to be made regarding articles. I'm going to start shifting my comments to a blog I've set up: http://caringaboutsecurity.wordpress.com/ , aka http://amtd.elvey.com

I'm now getting email that's sent to an altered version of my ameritrade email address. My keyword was simply "ameritrade", and now the spam is sent using the keyword "+._-ameritrade"

I'm curious as to how a keyword can contain a period, considering sg uses the period as a field separator.