AOL Watch: Password Thieves

David Cassel (
Sat, 06 Jun 1998 01:15:41 -0400

		      P a s s w o r d   T h i e v e s


AOL will turn over control of your account to anyone who can provide your
name and home address. 

That's the conclusion being reached by hackers who've tested AOL's
security -- and their concerns are valid.  In a test phone call by AOL
Watch, AOL's billing representative changed the password on an account
with no additional information -- on the very first attempt.  "Our
consultant will need to verify your billing information,"  AOL's
voice-mail system warned -- adding "please have your credit card or
checking account number ready."  But the representative who answered the
phone changed the password after being given only a name and home address
-- and C|Net reports the same thing.  Giving only a name and home address,
their reporter discovered AOL would still change their password...,4,22512,00.html

"It appears that we got hit too," one AOL Watch reader reported this
morning.  After reading C|Net's story, they attempted to log onto their
business account -- only to find their password had been reset. 
( ) 

In fact, hackers may have been exploiting this for several days.  "There
is a security hole in AOL which lets me get on almost anyone's account," a
hacker named "Endo" scrawled into the member profile of a reporter's
account this weekend -- after changing its password.  And last week AOL's
ACLU area bore a new title:  "Hey, did Endo hack me?"

The remaining ACLU content was replaced by a white window containing a
single sentence. 

"Yes he did!"

For over an hour, Endo's question-and-answer remained in place of the
ACLU's content.  By 7:30 p.m. EST, keyword ACLU began returning the
message "Keyword not found".  The area remained unavailable for nearly 24
hours, coming back on-line at 5:00 May 19 -- with its original message. 
("Warning: Free Speech Zone Ahead...") 

Responding to the ACLU attack, AOL told C|Net passwords could be obtained
when members downloaded password-stealing "Trojan Horse" programs.  
(,4,22267,00.html )  But Endo sees it
differently.  In the reporter's profile, he wrote that AOL wouldn't reveal
the real technique being used because "it would make them look really bad. 
They just use the old Trojan excuse..." 

It's the latest incident in a long history of failures to protect personal

In January, discharge proceedings were initiated against a Navy sailor 
( ) after AOL revealed his
real-life name.  Steve Case described it as "a mistake for which we take
complete responsibility" in a letter to members -- but went on to claim
that "we protect the privacy of our members with great care and with
stringent rules."

Then how did Case explain the McVeigh incident?  "This should not have
happened, and we deeply regret it."  But AOL's phone representatives
"understand the importance of not disclosing any account information to
anyone who is not the verified account holder," Case claimed.  "The
verification process is sophisticated, and our policies are effective,
clear and well communicated to all of our employees." 

The experience of the C|Net reporter -- and AOL Watch -- suggest this
simply isn't true. Though Case promised AOL would remind their staffers
and give them more training and testing, these measures could be thwarted
by a high turnover rate at AOL's customer service facility.  Case also
announced AOL would institute a policy of obtaining written
acknowledgments that their staff understood the privacy policy -- but it's
not clear how written acknowledgments would benefit members.  (Though it
would help AOL in the event of a lawsuit...)  "AOL's commitment to
protecting the privacy of our members is stronger than ever," Case wrote
in January -- but just months later, access to member accounts seems just
a phone call away... 

That's just the tip of the iceberg, according to the Village Voice, which
presents reports that thousands of AOL customers -- and some AOL employees
-- have lost control of their accounts, as well as some credit card
numbers, to "a nationwide network of teenage computer hackers."  Since
last spring, the paper reports, the FBI has been investigating the
"massive deployment of a password-stealing program" targeting AOL
accounts.  Armed with stolen credit card numbers, on-line troublemakers
even purchased merchandise to send to their rivals -- including flowers,
FAX machines, refrigerators, and a microwave oven, according to the paper. 
One inter-hacker dispute ultimately triggered an incident in late February
in which hundreds of death threats were sent.

It shouldn't be surprising.  The Washington Post reported that in one
three-month period in 1996, AOL cancelled 370,000 accounts for "credit
card fraud, hacking, etc."  This month Steve Case's Community Update
states that AOL is "aware" of public policy challenges like "safeguarding
privacy and security" -- but this awareness apparently isn't helping. 
"Giving someone (even unintentionally) your password -- especially online
-- is like handing over your wallet, keys, and other valuables to complete
strangers," Steve Case warned members in a 1996 letter.  But now AOL seems
to be doing it.  "The McVeigh case hasn't tightened the lips of those with
access to member information," writes one long-time AOL watcher.

It's not the first time AOL has downplayed security holes.  In 1995 AOL
was resisting safer procedures, apparently because of concerns that the
negative publicity would affect their image.  
( )  After Steve Case sent e-mail to
users warning them not to reveal their passwords, Corey Bridges, a
security documentation staffer for Netscape, expressed cynicism on the
CypherPunks mailing list.  Forwarding the e-mail, he added, "Looks like
AOL is being dragged, kicking and screaming, into the world of security." 

Ironically, the National Computer Security Association recently published
their interview with AOL's "Vice President of Integrity Assurance,"
Tatiana Gau.  "Were implementing changes right now to our proprietary
publishing tool that will make it harder for someone who gains access to
it to publish from it," Gau boasted -- though days later, hackers were
bypassing the safeguards and publishing their own content at keyword ACLU.

The security incidents illustrate yet another instance of deteriorating
AOL service.  Nearly 20% of calls placed to AOL in March failed to
connect, according to Inverse Technologies-- even more than in the
previous month.  For every five calls to AOL that failed to connect in
February, six failed to connect in March, newly-released statistics
suggest.  And AOL has shown a worse connection rate than the industry
average -- not just for March, but consistently, for the last fifteen

Tuesday Inverse Technologies rated the performance of the major internet
services -- and AOL didn't appear on their charts for "Evening
Call-failure Rate", "Web Throughput", and "Web Failures".  "As a rule,
although we grade ISPs on A+, A, B, C and D;  we only publish the details
of those receiving a B or better," one Inverse Technology spokesperson
told AOL Watch.  "Obviously those not mentioned but measured, received a C
or D..." 

Despite the decreasing performance, the next month AOL began asking their
customers for more money to dial in to AOL.  But subscribers find that the
performance issues are beginning to affect them. "I sent an e-mail to my
boss on Sunday evening to let him know that I was going to be late on
Monday morning," one AOL Watch reader reports.  "Thanks to AOL, he never
received the e-mail until about 4:00 in the afternoon on Monday." 

"From now on, I will not use my AOL account for important messages." 

But the insult-to-injury price hike is just the beginning.  In June, AOL
subscribers will be required to pay AOL to post classified ads.  The day
after Case's letter, a message posted to AOL's Hobby message boards
announced that "Beginning June 1st, 1998, all buying and selling folders
throughout the Interests Channel will be closed." 

Users were referred to a new pay-to-advertise area-- and though some
two-day ads will remain free, the board's users were furious.  The Dayton
Daily News reports that "Hobbyists and collectors who use AOL's boards to
buy, sell and trade everything from ham radios to Beanie Babies are
outraged and many have said they'll quit the service en masse June 8."

"To raise their rates, and then remove a VERY popular feature, is wrong," 
one subscriber told C|Net.,4,22351,00.html

"They raised our rates, and now want to cut more of our services,"
complains one web site.

"How many times will AOL try to drag extra money from its subscribers
before every intelligent user cancels?" one AOL Watch reader asked.  Even
AOL's own staffers apparently can't stomach the policy.  "I do not fell
that it is in the best interest of either AOL or it's members to stop all
the buying/selling that is done on the Hobby Boards," reads one post to an
AOL hobby message board.  "And because of that I do not feel I can be the
one to remove buy/sell post from the board I was Hosting/Monitoring.  For
that reason I'm giving you my resignation...effective May 15, 1997." 

Another poster noted significantly that free internet newsgroups -- whose
audiences aren't restricted to just AOL members -- are available to all
AOL users at keyword Usenet.  Ironically, one document in AOL's remote
staff area contrasts AOL with other on-line services through the years,
arguing that "They nailed your credit card if you placed a classified ad." 
It boasted that "AOL's tradition of high-quality, non-surcharged services
like e-mail, internet access, chat, classifieds, and database access dates
right to the beginning."  But no more... 

It's part of a trend to surcharge various parts of the service.  Six
months after AOL's move to flat-rate pricing, news of a $2.00-per-hour
pricing for new games hit subscribers.  
( )  AOL began charging users
$19.95 to hold on- line wedding ceremonies at keyword "CyberChapel" in
January. ( )  And though AOL charges 
users $35 to participate in AOL's Fantasy Sports Leagues, "AOL promised
FREE fantasy sports more than 2 years ago," reports AOL Watch reader Brian
Youngerman -- "but failed to deliver on this promise."  In "The Grandstand
Gazette" (April 1996) the General Manager of AOL Sports had announced that
"All fantasy leagues now offered through AOL Sports will be FREE." 

More discouraging news greeted visitors to keyword "NYT Classifieds" in
January.  "We regret to inform you that as of January 1, 1998, the New
York Times Sunday classified ads will no longer be available on The New
York Times on America Online," an announcement read.  "This decision has
been made by America Online."  It then pointed users to their free
classified ads on the web.  ( )  

In fact, 44 state attorneys general announced today that they'd spent two
years investigating AOL practices -- including allegations that AOL
"misrepresented the price of its unlimited use plan."  AOL agreed to
forfeit $2.6 million to state investigators and consumer educators to
settle allegations that they'd violated state Consumer Protection Laws. 

What were those allegations?  Complaints that AOL

    * Failed to accept notices of cancellation from some subscribers.

    * Made unauthorized charges to subscribers' credit cards and/or bank
      accounts for service beyond requested cancellation dates.

    * Made unauthorized charges to some subscribers' credit cards and 
      bank accounts for books, software and other goods and services.

    * Falsely advertised that telephone access numbers provided 
      for service were all local telephone numbers.

Questions over whether AOL misled subscribers in their advertising
culminated with AOL promising to issue written confirmation of
cancellation requests -- and five additional steps.  In a statement, the
Pennsylvania Office of the Attorney General notes that AOL "denies any
wrongdoing" as part of the settlement -- but also notes that "This is the
third settlement Pennsylvania has reached with AOL since 1996. As a result
of the states' negotiations including the two previous settlements, AOL
has paid $34 million in restitution to consumers." 

That's only the beginning of AOL's problems.  AOL's move to flat-rate
pricing was supposed to be balanced by an increase in money from
advertising.  Unfortunately, some of their past deals provided
questionable value to advertisers.  Bloomberg News notes that the Tel-Save
long-distance service -- which reportedly shares 50% to 70% of their
pre-tax profits with AOL -- ended their third quarter with a
"wider-than-expected" loss, nearly triple what was expected.  (Nine cents
vs. three cents per diluted share...)

To jump-start their advertising efforts, AOL may purchase the ICQ software
competing with their "Instant Messenger" product -- a move which outraged
ICQ users.  "To protest I have -- and I urge everyone who has a
ICQ-centered home page -- to blacken the page in protest of this tragic
event," one web site announced this week.  "AOL has a well deserved
reputation for offering very poor service to its members at inflated
prices.  They create poor quality software, and with AOL running the show
the quality of ICQ can only go down."

One user trying to set up AOL's product Sunday received a message stating
"We are unable to complete your registration process.  Please try again
later..."  A reputation for spotty service may shadow AOL's efforts.  "AOL
executives realize that slapping their logo on the ICQ service could
alienate many of ICQ's existing users," the Washington Post reported.

But the problems run deeper.  AOL's acquisition of the ICQ company would
be a way to eliminate an ad-free competitor -- and then allow AOL to
exploit the users themselves.  ("It's an extra 11 million people to send ads
to," an industry analyst told C|Net.),4,22339,00.html

Ironically, AOL's policy prohibits members from placing advertisements in
their own member profiles, according to the policies at keyword "I Need
Help".  One subscriber reading the text realized it was impossible to
comply.  "I check my own profile... and what do I find?  An advertisement. 

"Not one that I had put up, rather, one that AOL had." 

AOL apparently does what they please with personal information -- whether
it's profiles or passwords. 


"There was a chat with the cast members of 'Road Rules' in January this
year," remembers one AOL Watch reader.  Roni, Tara, Anne, Dan, Noah, and
Jon were all scheduled to appear in AOL's MTV area -- but only four made
it on-line as the event started.  Though Dan eventually showed up, the
emcee told the crowd that "They're having tech difficulties on the West
coast," -- delaying the appearance of castmember Tara. 

"Damn AOL," typed Noah.  

     David Cassel
     More Information -,4,22538,00.html,4,22512,00.html,4,22267,00.html


    Please forward with subscription information.   To subscribe to this
    list, type your correct e-mail address in the form at the bottom
    of the page at -- or send e-mail to

    To unsubscribe from the list, send a message to MAJORDOMO@AOLWATCH.ORG
    containing the phrase UNSUBSCRIBE AOLWATCH.