I know a lot of people who use AOL as their ISP and I often harass them to switch as I tend to view AOL as being the last great refuge of the common idiot. After reading Hackers Run Wild and Free on AOL over at Wired News I’ll be encouraging folks to switch just to try and protect their data.
Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL’s 35 million users.
The most recent exploit, launched last week, gave a hacker full access to Merlin, AOL’s latest customer database application. As a security measure, Merlin runs only on AOL’s internal network, but savvy hackers have found a way to break in.
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal AOL network and the Merlin application.
Apparently not only is AOL used mainly by idiots, but its technical support centers are manned by idiots. It doesn’t take a bunch of sophisticated Trojan horse programming knowledge to break into the average AOL account, though. All it takes is a screen name and the ability to mumble.
While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone.
These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user’s password reset. Logging in with the new password gives the intruder full access to the account.
In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling.
A third hacker, using the name hakrobatik, confirmed the mumbling method.
“I kept calling and pretending I just had jaw surgery and mumbling gibberish,” hakrobatik said. “At first I had no info except the screen name, then I called and got the first name and last name by saying, ‘Could you repeat what I just said?’ Then each time that I got information I called back making the real information understandable, and everything else I just mumbled.”
In the end, hakrobatik said, service reps he talked to got so frustrated having to ask him to repeat information that they’d give up and reset the password. Hakrobatik later proved he could compromise any AOL account armed only with its screen name.
“You can basically get any account information from AOL by just calling and pestering,” hakrobatik said.
So, screen name and mumble and you’ve got the keys to just about any AOL account you could want. Do any banking online using AOL? Check your stocks online using AOL? Bought anything with a credit card online using AOL? Well, all of that info could be compromised by a 14-year-old who can mumble effectively and who happens to have seen your screen name someplace.
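The pattern the article describes (several calls about the same screen name, each failing verification, until a rep resets the password anyway) is something a support desk can catch in its own call records. The following is an added example, not code from the article, the blog, or AOL: it runs over a few constructed call-log records and flags resets that follow repeated verification failures or that were completed without verification at all. The record layout and the two-hour window are assumptions.

```python
"""Flag the repeat-call password-reset pattern from constructed call records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data):
# (timestamp, screen_name, verification_passed, reset_performed)
CALL_LOG = [
    ("2002-12-10 14:02", "jdoe123", False, False),
    ("2002-12-10 14:20", "jdoe123", False, False),
    ("2002-12-10 14:45", "jdoe123", False, True),   # rep gave up and reset anyway
    ("2002-12-10 15:01", "alice", True, True),       # normal, verified reset
]

WINDOW = timedelta(hours=2)   # assumed lookback window for counting failed calls
MAX_FAILED = 2                # assumed threshold of failed verifications


def parse(record):
    ts, name, verified, reset = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), name, verified, reset


def flag_suspicious_resets(log, window=WINDOW, max_failed=MAX_FAILED):
    """Return {screen_name: reason} for accounts matching the pestering pattern.

    A reset is flagged when it follows `max_failed` or more failed verification
    calls for the same screen name within `window`, or when the reset itself
    was completed on a call that did not pass verification.
    """
    by_name = defaultdict(list)
    for ts, name, verified, reset in map(parse, log):
        by_name[name].append((ts, verified, reset))
    flagged = {}
    for name, calls in by_name.items():
        calls.sort()  # chronological order so earlier calls precede the reset
        for i, (ts, verified, reset) in enumerate(calls):
            if not reset:
                continue
            recent_failed = sum(1 for t, v, _ in calls[:i]
                                if ts - t <= window and not v)
            if recent_failed >= max_failed:
                flagged[name] = f"reset after {recent_failed} failed verifications in {window}"
            elif not verified:
                flagged[name] = "reset completed without passing verification"
    return flagged


if __name__ == "__main__":
    for account, reason in flag_suspicious_resets(CALL_LOG).items():
        print(account, "->", reason)
```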
Why hasn’t AOL let users know about the site’s rampant security problems? “Every now and then something flashy happens, but AOL keeps it quiet pretty effectively,” Lamo said.
The reason, Lamo said, is that AOL rarely prosecutes hackers.
“They tend to employ technical countermeasures and otherwise ignore intruders,” he said. “There’s an oft-stated perception that no one has ever been busted for hacking an AOL account.”
AOL did not return repeated calls requesting comment for this story.
“You see all those commercials saying AOL 8.0 is so secure,” said Dan. “If people knew how insecure their data was they probably wouldn’t use it.”
So for all of you AOL users out there whom I’ve given a hard time in the past over your choice of ISP let me just say that I was kidding and just ribbing you about AOL’s image as an idiot haven. In light of this new revelation, however, you may want to reconsider your choice of ISPs.