May 28, 1998 5:00 AM PDT
AOL security lapse opens accounts
An AOL source who asked to remain anonymous said that more than one person--equipped with user information such as screen name, real name, and address--has been able to call support lines and persuade some customer service representatives to reset an unsuspecting user's password. The hacker, then armed with a new password, is given exclusive access to the account.
The security lapse follows statements by AOL in recent months that it would redouble its efforts to protect private information. It may also explain a series of vandalized company and organization pages featured on the proprietary online service, including last week's attack on the American Civil Liberties Union AOL site.
An AOL spokeswoman said that the lapse was an exception and that the firm is investigating the matter. But others worry that the incident may not have been so unusual.
The process is a "social engineering" hack, so named because it involves a hacker persuading or tricking someone into willingly handing over information, rather than a technological break-in. In this type of case, the culprit apparently convinces a customer service representative that he or she is the account owner without disclosing billing information.
AOL has emphasized that company policy prohibits service representatives from disclosing information without asking for proper proof, which usually comes in the form of a credit card or checking account number.
But in these instances, the source said the hacker, who purportedly goes by the screen name "PhatEndo," convinced an AOL representative that he was the remote staff member who had publishing privileges on the ACLU's AOL site.
"[Endo] got the account by calling AOL, pretending to be the account owner, and having the password reset," said the source, who has been in communication with the ACLU hacker for a few months. "He didn't even give the account owner's name."
Someone using the screen name PhatEndo claimed credit for the hack in online interviews using AOL's Instant Messenger client. He would not comment on how he did it, but he did ask that his cohort be credited.
The customer service representative who compromised the ACLU password has since been identified and terminated, AOL said. The ACLU said it does not blame the company for the incident.
"We are appalled by these acts of deliberate vandalism," AOL spokeswoman Ann Brackbill said. "If this is the same person who compromised the ACLU site as he claims, he apparently has violated federal and state computer fraud and trespassing laws. We are investigating further, working with law enforcement, and will take every action possible to stop this activity."
But it is unclear how often these hacks occur. The source suggested testing out the lapse.
"Got any friends on AOL?" the source asked. "Try it (with permission of course): Call AOL, pretend to be your friend, give them their screen name, say you forgot your password. The rep might ask for your name and address, or they might not."
A CNET NEWS.COM reporter called AOL support to see if he could reset his own password without giving credit card information. Six of seven requests for the data without credit card information failed. But in one call, the AOL representative reset the password after the reporter provided his screen name, full name, street address, and city of residence--but not his credit card information.
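As an added illustration (not from the article, CNET or AOL), the following shows how a helpdesk reset gate could encode the policy described above and make the reporter's seventh call impossible: screen name, real name and address count only as knowledge anyone may hold, a billing identifier is mandatory, and every decision is written to an audit trail so repeated refused resets on one account surface for review. All names, thresholds and sample calls are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Publicly obtainable identity knowledge: never sufficient on its own.
KNOWLEDGE_FACTORS = {"screen_name", "full_name", "street_address", "city"}
# Proof of account ownership under the stated policy (hypothetical field names).
PROOF_FACTORS = {"credit_card_number", "checking_account_number"}


@dataclass
class ResetRequest:
    screen_name: str
    verified: Set[str]  # attributes the caller supplied that matched the account record


@dataclass
class ResetGate:
    audit: List[str] = field(default_factory=list)
    refused: Dict[str, int] = field(default_factory=dict)

    def decide(self, req: ResetRequest) -> str:
        """Return 'APPROVED' or 'REFUSED' and record the decision in the audit trail."""
        if req.verified & PROOF_FACTORS:
            verdict = "APPROVED"
        else:
            # Any number of matching knowledge factors is still refused: this is
            # the combination that succeeded in the reporter's seventh call.
            verdict = "REFUSED"
            self.refused[req.screen_name] = self.refused.get(req.screen_name, 0) + 1
        self.audit.append(f"{verdict} reset for {req.screen_name} on {sorted(req.verified)}")
        return verdict

    def accounts_to_review(self, threshold: int = 3) -> List[str]:
        """Accounts whose refused-reset count reached the threshold, for follow-up."""
        return sorted(name for name, n in self.refused.items() if n >= threshold)


def replay_reporter_calls() -> ResetGate:
    """Seven knowledge-only calls like the reporter's, under consistent enforcement."""
    gate = ResetGate()
    for _ in range(7):
        gate.decide(ResetRequest("reporter", set(KNOWLEDGE_FACTORS)))
    return gate
```

Under this gate the reporter's experiment yields seven refusals and one account flagged for review, instead of one successful reset.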
In addition, the AOL source and the person who claimed to be the hacker PhatEndo have claimed that technical support volunteer accounts had been taken over in previous instances. In an online interview, PhatEndo said he had been on "Members Helping Members Services" (MHMS) staff accounts. MHMS volunteers are remote AOL members who volunteer to help users with general questions about the service.
Anyone with access to MHMS could pose as a volunteer and lead users astray.
"It would be fun to be able to be the staff that helps you...and [mess] with people," PhatEndo wrote in an AOL instant message.
Earlier this year, the online giant came under fire for revealing the identity of an AOL member who typed "gay" under "Marital Status" in his profile to Navy investigators. The Navy ordered the discharge of officer Timothy McVeigh of Hawaii (no relation to the Timothy McVeigh convicted of bombing the federal building in Oklahoma City) after an AOL employee disclosed his real identity without asking the naval investigator to identify himself. McVeigh has since been reinstated.
"In the wake of that, AOL gave all its subscribers strong assurances that they would redouble their training for people answering phones," said David Sobel, legal counsel for the Electronic Privacy Information Center, referring to the McVeigh incident. "I guess this raises questions about how effective those initiatives are after the McVeigh incident was disclosed."
After the incident drew considerable attention, AOL admitted to the privacy lapse and blamed the incident on "human error under very unusual circumstances."
Still, not everyone was quick to criticize AOL privacy policies. The ACLU, for example, remains confident of the online service's commitment to increasing security.
Although the ACLU considered last week's break-in an inconvenience, the organization maintains that a company the size of AOL is bound to have a weak link.
"I don't blame AOL in any way for having lax security or lax procedures," ACLU spokesman Phil Gutis said. "I know they consider [security] one of their highest priorities and are working to improve this all the time. I'm sure anybody else that has had this situation happen doesn't blame AOL."