AOL 8.0 is more secure? Compared to what?

I know a lot of people who use AOL as their ISP and I often harass them to switch as I tend to view AOL as being the last great refuge of the common idiot. After reading Hackers Run Wild and Free on AOL over at Wired News I’ll be encouraging folks to switch just to try and protect their data.

Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL’s 35 million users.

The most recent exploit, launched last week, gave a hacker full access to Merlin, AOL’s latest customer database application. As a security measure, Merlin runs only on AOL’s internal network, but savvy hackers have found a way to break in.

The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal AOL network and the Merlin application.
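The mechanism described in that paragraph (an employee runs a Trojan, the machine connects out to an IRC server, and the attacker issues commands over that channel) leaves a trace that a defender can look for: an internal host opening outbound connections to IRC ports. The following is an added example, not code from the Wired article or from AOL, that scans constructed firewall-style connection log lines for that pattern. The log format, the internal address ranges and the port list are assumptions for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: "timestamp src_ip dst_ip dst_port proto", one flow per line.
# The 10.20.30.41 host talks repeatedly to an external IRC server on 6667,
# which is the beacon pattern the article describes.
SAMPLE_LOG = """\
2002-12-05T10:01:12 10.20.30.41 10.20.1.5 445 tcp
2002-12-05T10:02:03 10.20.30.41 198.51.100.7 6667 tcp
2002-12-05T10:02:45 10.20.30.88 203.0.113.9 80 tcp
2002-12-05T10:03:10 10.20.30.41 198.51.100.7 6667 tcp
2002-12-05T10:04:00 10.20.31.12 203.0.113.50 6697 tcp
"""

# Assumed internal ranges; a real deployment would load these from the firewall config.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Conventional IRC ports (plain 6660-6669, TLS 6697, and the common alternate 7000).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    port: int
    count: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (src, dst, port) for a well-formed line, or None for junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, port, _proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(port)
    except ValueError:
        return None


def find_outbound_irc(log_text: str) -> list:
    """Flag internal -> external flows on IRC ports, grouped by (src, dst, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if port in IRC_PORTS and is_internal(src) and not is_internal(dst):
            hits[(src, dst, port)] += 1
    return [Alert(s, d, p, n) for (s, d, p), n in sorted(hits.items())]


if __name__ == "__main__":
    for alert in find_outbound_irc(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.dst}:{alert.port} ({alert.count} connections)")
```

Port matching is only a first filter: a Trojan can use any port, so the same logic is more useful when fed flow records that carry an application-protocol tag, and the count per (source, destination) pair is what separates a one-off connection from a beacon.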

Apparently not only is AOL used mainly by idiots, but its technical support centers are staffed by idiots. It doesn’t take sophisticated Trojan horse programming knowledge to break into the average AOL account, though. All it takes is a screen name and the ability to mumble.

While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone.

These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user’s password reset. Logging in with the new password gives the intruder full access to the account.

In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling.

A third hacker, using the name hakrobatik, confirmed the mumbling method.

“I kept calling and pretending I just had jaw surgery and mumbling gibberish,” hakrobatik said. “At first I had no info except the screen name, then I called and got the first name and last name by saying, ‘Could you repeat what I just said?’ Then each time that I got information I called back making the real information understandable, and everything else I just mumbled.”

In the end, hakrobatik said, service reps he talked to got so frustrated having to ask him to repeat information that they’d give up and reset the password. Hakrobatik later proved he could compromise any AOL account armed only with its screen name.

“You can basically get any account information from AOL by just calling and pestering,” hakrobatik said.

So, a screen name and a mumble and you’ve got the keys to just about any AOL account you could want. Do any banking online using AOL? Check your stocks online using AOL? Bought anything with a credit card online using AOL? Well, all of that info could be compromised by a 14-year-old who can mumble effectively and who happens to have seen your screen name someplace.
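Two things went wrong in the reset procedure hakrobatik describes: the representative read account details back to the caller (“Could you repeat what I just said?”), and repeated calls eventually wore the representative down into resetting the password anyway. As an added example (not AOL’s process and not from the Wired article), here is a small password-reset gate that fixes both: the caller must supply the verifying details, stored values are never echoed, failed attempts are counted per screen name, and after a few failures the phone channel is locked and the caller is pushed to a slower written recovery path. Account records, the failure threshold and the lockout window are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    screen_name: str
    full_name: str
    card_last4: str


# Constructed sample account store, keyed by lower-cased screen name.
ACCOUNTS = {
    "hakrobatik": Account("hakrobatik", "Pat Example", "4242"),
}


@dataclass
class ResetDesk:
    """Phone-desk reset policy: caller proves identity, desk never discloses it."""
    accounts: dict
    max_failures: int = 3            # assumed threshold before the phone channel locks
    lockout_seconds: int = 24 * 3600  # assumed lockout window
    _failures: dict = field(default_factory=dict, init=False)
    _locked_until: dict = field(default_factory=dict, init=False)

    def verify_and_reset(self, screen_name: str, claimed_name: str,
                         claimed_last4: str, now: float):
        """Return (ok, message). On success the message is a one-time reset token
        meant for delivery to the address on file, not for reading out on the call."""
        key = screen_name.strip().lower()
        if self._locked_until.get(key, 0) > now:
            return False, "phone reset locked for this account; use the written recovery form"

        acct = self.accounts.get(key)
        # Compare what the caller claims against what we hold; never reveal what we hold.
        # A missing account gets the same answer as a wrong answer.
        name_ok = acct is not None and claimed_name.strip().lower() == acct.full_name.lower()
        last4_ok = acct is not None and hmac.compare_digest(claimed_last4.strip(), acct.card_last4)
        if not (name_ok and last4_ok):
            n = self._failures.get(key, 0) + 1
            self._failures[key] = n
            if n >= self.max_failures:
                self._locked_until[key] = now + self.lockout_seconds
                self._failures[key] = 0
            return False, "verification failed"

        self._failures[key] = 0
        return True, secrets.token_urlsafe(16)


if __name__ == "__main__":
    desk = ResetDesk(ACCOUNTS)
    for attempt in range(3):
        print(desk.verify_and_reset("hakrobatik", "mumble", "0000", now=1000.0 + attempt))
    # Correct details no longer help over the phone once the channel is locked.
    print(desk.verify_and_reset("hakrobatik", "Pat Example", "4242", now=1010.0))
```

The point of the lockout is that “calling and pestering” stops paying off: after the threshold, even a caller who has since pieced together the right answers is routed to a channel where persistence on a phone line does not move the representative.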

Why hasn’t AOL let users know about the site’s rampant security problems? “Every now and then something flashy happens, but AOL keeps it quiet pretty effectively,” Lamo said.

The reason, Lamo said, is that AOL rarely prosecutes hackers.

“They tend to employ technical countermeasures and otherwise ignore intruders,” he said. “There’s an oft-stated perception that no one has ever been busted for hacking an AOL account.”

AOL did not return repeated calls requesting comment for this story.

“You see all those commercials saying AOL 8.0 is so secure,” said Dan. “If people knew how insecure their data was they probably wouldn’t use it.”

So for all of you AOL users out there whom I’ve given a hard time in the past over your choice of ISP, let me just say that I was kidding and only ribbing you about AOL’s image as an idiot haven. In light of this new revelation, however, you may want to reconsider your choice of ISP.

  1. Oh, man, I’ve always yelled at folks who use AOL as their ISP for reasons just like this one. It’s too freaking scary once you realize what’s at stake.

    Sure, ISPs can be a bit difficult at first if all you’ve ever known is AOL, but the payoff is worth it.

  2. You can call me bobcat. Ironic as it may seem, to send this message I am using AOL as my ISP. If you feel like suing the bastards, feel free to send me an email comment. The big shots at the Time Warner AOL combo are probably quite oblivious to the amount of harm they are doing to the most advantageous tech breakthrough that has ever happened since the dawn of time.

    I have a lot more so get back to me. BOBCAT

  3. I’ll tell you what.  Aol is doomed.  All those discs they send me, I keep reusing one, and use the rest for coasters.  Basically, I sign up for 45 days… at 44 days, cancel…  they don’t usually want you to cancel so… 2 MONTHS FREE…  day before 2 months ends..  try to cancel again… usually 2 MORE MONTHS FREE!…  if not..  proceed with cancel…  start new account with the SAME DISC.. that afternoon..  This is coming from a guy who’s had free aol for 2 years…  This is AORape… and they must like it!

  4. A typical ignorant post. I work for AOL tech support, and I have 4 years under my belt as a network administrator. I am a fully qualified security specialist/net-admin, certified by both MS and CIW.

    90% of tech support staff at my local AOL Support centre are college graduates or currently studying computer science at uni. I believe their knowledge is way higher than your average computer user.

    Just because one user accepted a trojan via a file transfer, does not make all staff there “idiots”.

    99% of our calls due to downtime issues are from moronic idiots who cannot install modem drivers correctly and allow windows to install generic drivers, yet they blame AOL because they can’t get online. Go figure.

    The only reason why you bash AOL

  5. is because it is a trend. I’m sure members have had problems, much like other ISP’s, but nothing out of the ordinary.

    Now back to AOL’s security.
    You cannot enter the building via any entry point without a magnetic card to access areas.

    You cannot login to any database, application or even your instant messenger without a username,password and a secure ID which changes every minute. This is a 3-part credential system, far stronger than even a high-end security model.

    This attack was pretty good social engineering, which could happen to any company, and nothing more. Now shut the fuck up you moronic tool rambling about shit you have no idea of. I’m sure if you tried to maintain an AOL network here, you wouldn’t have made it any more secure.

  6. LOL! Dude, you can’t even get an entire comment entered on the first try and you’re attempting to tell me how competent you people are? That’s hilarious! 😀

  7. Hmm AOL great ISP if you like having SPYWARE(TM) bundled with your browser!!! I have several AOL discs all used as coffee cup mats, thanks AOL you keep my desktop coffee ring free!!!

    99% of our calls due to downtime issues are from moronic idiots…

    Well if you offer a retarded service what kind of customers do you expect? wink

    who cannot install modem drivers correctly and allow windows to install generic drivers, yet they blame AOL because they can

  8. Hi Folks

    I’m from India. I am a tech support guy for IBM. I have operated AOL and I believe they are good software, but they keep releasing versions too often, which often mess up systems.

  9. Never going back to AOL.

    My experience with them is summed up by the second to last conversation I had with them— “look, you dipshit, I do not want another free month.  You might as well offer me a free turd.  I don’t want it.  I’ve told you ten times, I want to cancel my service.  What part of “no” do you not get?  Do you or do you not have the authority to cancel my subscription?  Do you need to get a manager’s authorization in order to cancel my account? Cancel it already!”

    And, of course, my final conversation with them.

    “How can you be sending me a bill for a service I practically had to pull teeth to cancel?  Three months ago, at that?  Did it occur to you, when you weren’t able to collect for six straight months, that maybe I had closed my account?  Or did you really think I was keeping an account open so that I could NEVER use it?  Mm hmm.  Right, mm hmm.  No, I clearly remember canceling my subscription because I had to ask your stupid operator like ten freakin’ times, and he couldn’t grasp the concept that I didn’t want the free month.  It sounded like he was a native English speaker, so I can only assume you’ve started hiring the mentally challenged as some sort of charitable outreach program. . .”

    Followed by another 15 minutes of me telling her exactly why I wasn’t going to give them a dime, and finally, escalating to a manager who became reasonable only after threats of 1) class action lawsuits for illicit billing practices and 2) my physically hunting her down and setting fire to her socks.

    So no.  I’m not what you would consider a satisfied ex-customer.  I think AOL sucks.

  10. Oh wow, Mr. Penfold is trying to sell us on the idea that TECH SUPPORT for AOL is primarily consistent of college graduates?  What a joke!

    Anyone that’s EVER worked in tech support knows that customer service and tech support teams consist primarily of POTHEADS and DRUG USERS!  I know, because I worked tech support for many years, and I used to be a POTHEAD and DRUG USER.

    In fact, one of my roommates worked for Earthlink/Mindspring, right during the merger between the two.  Mindspring tech support and customer service was notorious for hiring people who did drugs, and Earthlink was notorious for having high turnover due to their stringent drug screening process.

    This caused much concern amongst the employees at Mindspring, but since the VP had an open door policy on employee concerns, he was receiving a flood of emails requesting the status of MS/EL’s drug testing policy after the merger.

    The VP replied with a BROADCAST email to ALL techs and customer service employees on the floor with this: “A lot of email has been directed to me lately wanting to know the status of company drug testing policy.  I want to allay all fears for you—if any employees have drugs they think need testing, feel free to bring them to my office, I and my team will test them out for you.”

    Of course, after Elink basically took over after the merger, it became a crappy company to work for with a strict drug policy (which = high turnover), and the VP guy went on to work for a big pharmaceutical company, irony of ironies.

  11. There is an AOL call center in the city where I live and I know several people who work there.
    One of the issues mentioned in previous comments is how difficult it is to cancel memberships.
    There is a whole division called customer retention that has a sole mandate to prevent customers from closing their account. The employees are working on a quota/bonus structure. If they fall below a 40% retention rate they are terminated. Conversely, if they hit upper levels that exceed the norms they can earn monthly bonuses.

  12. The AOL connection would not allow me to connect to a third-party SMTP server! I was getting “Unknown TCP/IP problem, could not connect to server, contact your ISP…” every time I tried to send something through Outlook. If they intentionally block that, they’re EVIL. I used another ISP and everything works fine.  If it was not AOL’s fault, it means I’m stupid. (Yes, I was using a free account.)  Death to corporate monopoly!

  13. Yesterday something extraordinary happened to me. I got a free AOL 9.0 CD in the mail. No, I wasn’t thinking “Sweet! Internet!” I was thinking “Hmm, what should I do with this one?” Well, you know what I did? I took out my 6-inch pocket knife and carved the word SATAN into the back of the CD. Then I continued with ripping apart the case with the knife (they reinforce these things with 2 inches of solid wood now; I guess I’m not the only one that’s mildly psychotic these days). After I was done with that, I stabbed the CD 2 or 3 hundred times. Then I went into my backyard and FRIED the CD with a welding gun.

    That made my day, needless to say. smile


  15. What can I do to get into my AOL account that has expired? My screen name and password have been blocked, obviously for non-payment.
    I have another AOL account which I set up in February this year and which is still good. However, the AOL account that was set up last year has expired; the screen name and password are no good, and a screen comes up to re-register and make payment. The thing is, I have been and am still receiving mail in that AOL account. Is there any way that I could get in using the old screen name and password?

  16. Well, and this is very bold and risky, you could try paying for the account once more. That just might do it.

  17. I don’t get it! Comparing college graduates to potheads and drug users. Nowadays, what’s the difference?

  18. Well, as in a post more than one year ago, 90% of our calls involve AOL “new users” who are not familiar with PCs. I agree on that. There are much better ISPs, but AOL is… for dummies, or for people who really like AOL, and AOL has excellent features (yeah, I work for them and really that’s true), but I prefer to use MY AOL on a high-speed connection due to price and speed. AOL tech CCC