"It's embarrassingly easy," says one AOL watcher. "Even your kids could do it - and maybe they are."
"Thank you for calling America Online, may I have your screen name please?" "Yes ma'am, it's 'SteveCase,' and I seem to have forgotten my password..."
Ever wanted to sign on to your best friend's screen name, and see what's in their e-mail? Or maybe even play on a forum leader's account? You can, and AOL's customer service representatives seem more than happy to help you. The latest in AOL's nightmare of security problems? Their own employees, ironically; and the military's Timothy McVeigh isn't even the beginning. AOL hackers are getting bolder -- and the McVeigh case hasn't tightened the lips of those with access to member information.
The current trend among hackers on AOL is rapidly gaining popularity, and leaving large numbers of unsuspecting victims -- including Community Leaders, AOL's remote workers -- in its path. The trick? Call the AOL tech support line, pretend to be the owner of a staff account, and have the AOL representative reset the password. In many cases, the perpetrators need only a startlingly small amount of information -- the victim's screen name, full name, and city of residence -- all of which can be obtained from the member's profile. Seconds later, the account is in the hands of miscreants, and the damage is done. The results are clear -- more hacked content areas, and more headaches for those who are charged with cleaning up the mess.
While there are many questions to be asked, one rings clear above the rest: Why is it so easy? AOL's customer service representatives are supposedly trained to verify as much information as possible before making modifications to an account. Members who call regarding their AOL service are supposed to be asked for their name, address, telephone number, and a portion of the credit card number used for billing. Support staff are also required to have the caller list all screen names on their account before speaking with them. AOL staff have an additional security check in place, a four-digit PIN - if the caller can't provide this number, the representative is supposed to deny assistance.
Perhaps not surprisingly, a lack of training - or motivation to follow the rules - is rampant. Responses from several unhappy AOL staff indicated that the public customer service line isn't even aware of the special security checks for employees.
To those who get their kicks carrying out this scheme, it seems the theoretical security measures are a farce. "Representatives [at the AOL 1-800 number] are easy to social engineer," said one hacker, who admits to using this method to gain access to staff accounts. The hacker, who wishes to remain anonymous, claims to have commandeered eleven accounts in the past month. "You just give them some story, pretend you're busy and pissed, and they don't ask for the info... Their job is to help you, and if you make it sound like you're upset or you have work to do on your screen name, they skip the rules. Make it sound like you know their boss, and you're in. They don't want you calling their boss. Or if you call the regular line, they're not gonna ask for the pin anyways, because they don't know about it."
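The structural fix for "they skip the rules" is to take the decision away from the representative: the reset system itself refuses unless every check described above has passed, and repeated failed attempts against one screen name lock it for review. The following is an added Python example, not AOL's code; the check names, request fields, and lockout threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Checks the article says a representative must complete before changing a member account;
# staff accounts additionally require the four-digit PIN. The check names are assumptions.
MEMBER_CHECKS = ("name", "address", "phone", "card_last4", "all_screen_names")
STAFF_CHECKS = MEMBER_CHECKS + ("staff_pin",)


@dataclass
class ResetRequest:
    screen_name: str
    is_staff: bool
    verified: dict          # check name -> True only if the caller's answer matched the record
    requested_at: datetime


class ResetGate:
    """Decides password resets from verified facts only. The caller's story, urgency or
    name-dropping never reach this code, so a representative cannot skip the rules."""

    def __init__(self, max_failures: int = 3, window: timedelta = timedelta(days=1)):
        self.max_failures = max_failures
        self.window = window
        self.failures: dict[str, list[datetime]] = {}   # screen_name -> denied-attempt times
        self.audit: list[tuple[datetime, str, bool, list[str]]] = []

    def is_locked(self, screen_name: str, now: datetime) -> bool:
        """Several denied resets inside the window mean someone is working this account."""
        recent = [t for t in self.failures.get(screen_name, []) if now - t <= self.window]
        return len(recent) >= self.max_failures

    def authorize(self, req: ResetRequest) -> tuple[bool, list[str]]:
        """Return (allowed, reasons); reasons list the unmet checks or the lock."""
        if self.is_locked(req.screen_name, req.requested_at):
            reasons = ["locked_pending_review"]
        else:
            required = STAFF_CHECKS if req.is_staff else MEMBER_CHECKS
            reasons = [c for c in required if not req.verified.get(c, False)]
        allowed = not reasons
        if not allowed:
            self.failures.setdefault(req.screen_name, []).append(req.requested_at)
        # Every decision is logged, so the audit trail exists whether or not the reset happened.
        self.audit.append((req.requested_at, req.screen_name, allowed, reasons))
        return allowed, reasons
```

The fourth attempt is refused even though the caller finally supplies the PIN, because the earlier failures have already locked the account; the lock expires only once the window has passed.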
Joe Becker, a security consultant who lives not far from AOL's Jacksonville, Florida offices, agrees. "AOL's security operation leaves a lot to be desired. Seems every day there are ... AOL hackers in the news." He's right. Content hacks - the logical offspring of account takeovers - are becoming commonplace, with occurrences showing up almost daily. When asked about the problem with technical support representatives, Becker concluded: "It's like locking up your front door, but leaving the back wide open, with your valuables in full view."
While AOL refuses to comment on the issue, the looming threat worsens:
Who's next?
Until next time: Samson Randle