http://www.newsbytes.com/news/01/170924.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A., 08 Oct 2001, 4:11 PM CST

America Online has fixed a security hole that for years allowed a cadre of cognoscenti hackers to create bogus AOL accounts and hack away in relative obscurity, but it has yet to patch a little-known vulnerability that allows anyone with an AOL account to switch many phone customers' long-distance providers. According to information obtained by Newsbytes, the exploit lets the switcher view the victim's calling and billing records, all without ever notifying the victim or asking his or her permission.

The method for creating a ghost AOL account has become something of an open secret among the subculture of more sophisticated AOL-hacker types, and the process is fairly straightforward. When new users signed up for an AOL account online, they could opt to pay via check or credit card. Because checking information is extremely difficult to verify online, the signup process simply stored that information in a buffer and flagged the account as "OK-to-create," leaving the user with a message to contact AOL support to verify the checking account.

But if the new user then returned to the billing page, changed the billing method to "credit" and entered a random credit card number produced by any one of several card-number-generating tools available on hacker sites, the user effectively bypassed the next step in the account creation process: the address verification system (AVS). The exploit worked because of ordering, not cryptography or code flaws: the "OK-to-create" flag set on the check path survived the switch to credit, and by the time AVS reported that the supplied card number matched no current billing record, the account had already been activated.

"Previously, AOL accounts would be shut down after 72 hours if they didn't have valid billing," said Adrian Lamo, a freelance security consultant and founder of Inside-AOL.com, a site dedicated to keeping tabs on security lapses at AOL. "But in an effort to increase the total number of registered members, AOL stopped shutting down accounts with bogus billing and just let them live and receive daily pop-up reminders that the billing information was invalid," Lamo told Newsbytes in a recent interview.

Roughly two months ago, Lamo became aware of another problem in AOL's network that allows any user to exploit the company's relationship with online local and long-distance provider Talk America Holdings Inc. (http://www.talk.com). By simply entering a phone number in an online application, AOL users can switch that line's long-distance service to Talk.com, and then read all of its billing and calling statements by entering keyword "LD Member" from the AOL dial-up home page.

The problem, Lamo said, is that during signup the system automatically assumes the phone number entered corresponds to the user's AOL account billing information, when in fact neither may be accurate. In effect, the system never verifies whether the phone number being switched to Talk.com actually belongs to the subscriber. Normally, when someone switches long-distance carriers, the carrier assuming the service sends a letter within 30 days notifying the subscriber of the change.

"But with Talk.com, it's never actually seen by the subscriber - they never get anything in the mail," Lamo said. "So once you've switched over the person's carrier, you have access to all the information about calls they made, and they would never notice a thing. Except maybe for the fact that they would stop getting phone bills."

Working with other subscribers who agreed to test the Talk.com hack, Lamo was able to verify that accounts belonging to several other AOL subscribers had been switched. "In fact, you could sign up a phone number in multiple different cities and it would sail right through," Lamo said. "If someone were profit-minded, they could definitely take a year or two off from work just by selling this information out to private investigators."

Both activities raise interesting questions about the effectiveness of federal law enforcement's recent interest in gaining easier access to Internet service provider records in the wake of the Sept. 11 attacks. "Accounts with arbitrary, made-up information totally break the purpose of (the FBI's e-mail snooping device) Carnivore, and render the subpoena process useless," Lamo said. "AOL's negligence in this regard may have single-handedly frustrated more investigations of its subscribers than deliberate obstruction could in twice the time."

AOL spokesman Nicholas Graham said the company was unaware of member reports related to either issue and "that there are no indications of widespread use of the techniques."

"These activities are not 'hacks' - they are serious crimes. Any of the described scenarios, if attempted, are clear violations of federal and state laws governing credit card fraud, privacy and slamming practices," Graham said. "As has been our policy, AOL consistently reaches out and cooperates with efforts by law enforcement to prosecute individuals using the AOL service to violate such laws."

Lamo said he was skeptical of AOL's non-denial denial. "If I become aware of something like this, it means that it's been used in the wild. AOL spends more time than it used to on internal security, and it's doing a better job at it, but it still seems to think that security and public relations are somehow interchangeable," he said.

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
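Both flaws in the article share one shape: a state change (account activation, carrier switch) is committed on self-asserted data before, or instead of, the check that is supposed to gate it. The following is an added example written for this page, not code from the article, from AOL or from Talk.com: a toy model of the ghost-account sequence and the Talk.com switch as Lamo describes them, beside a hardened version of each flow. Every state name, the `BILLING_RECORDS` table, the card and phone numbers, and the 72-hour grace window are assumptions chosen for illustration; the real systems are not public.

```python
# Added example (not the article's or AOL's code). Toy model of the two flows
# described in the article; all names, states and records are assumptions.
from dataclasses import dataclass, field
from enum import Enum, auto


class Billing(Enum):
    NONE = auto()
    CHECK_PENDING = auto()  # checking data stored, to be verified by phone later
    CARD_PENDING = auto()   # card number stored, AVS result not back yet
    VERIFIED = auto()
    FAILED = auto()


# Constructed stand-in for AOL's billing records: (card, address) pairs AVS
# would accept. A generated card number matches nothing in here.
BILLING_RECORDS = {("4111111111111111", "1 Main St")}


def avs_check(card, address):
    return (card, address) in BILLING_RECORDS


@dataclass
class Account:
    screen_name: str
    address: str
    billing_phone: str                 # line on the account's billing record
    billing: Billing = Billing.NONE
    card: str = ""
    ok_to_create: bool = False         # flag the check path sets
    active: bool = False
    reminders: int = 0
    ld_lines: dict = field(default_factory=dict)   # phone -> "pending"/"switched"


# --- flow as the article describes it (vulnerable) --------------------------
def vuln_choose_billing(acct, method, detail):
    if method == "check":
        acct.billing = Billing.CHECK_PENDING
        acct.ok_to_create = True       # deferred check, but signup may proceed
    else:
        acct.billing = Billing.CARD_PENDING
        acct.card = detail             # BUG: ok_to_create from the check step survives


def vuln_finish_signup(acct):
    acct.active = acct.ok_to_create    # BUG: activated before AVS has answered
    return acct.active


def vuln_avs_result(acct):
    if acct.billing is Billing.CARD_PENDING:
        ok = avs_check(acct.card, acct.address)
        acct.billing = Billing.VERIFIED if ok else Billing.FAILED
    if acct.billing is Billing.FAILED:
        acct.reminders += 1            # BUG: daily pop-up instead of shutdown
    return acct.active


def vuln_ld_switch(acct, phone):
    acct.ld_lines[phone] = "switched"  # BUG: no check that phone belongs to acct
    return True


# --- hardened flow -----------------------------------------------------------
def safe_choose_billing(acct, method, detail):
    acct.ok_to_create = False          # any billing change discards prior approval
    if method == "check":
        acct.billing = Billing.CHECK_PENDING
    else:
        acct.card = detail             # resolve AVS before signup can finish
        ok = avs_check(detail, acct.address)
        acct.billing = Billing.VERIFIED if ok else Billing.FAILED


def safe_finish_signup(acct):
    # Verified billing activates; a pending check gets a provisional account
    # only; anything failed or empty stays off.
    acct.active = acct.billing in (Billing.VERIFIED, Billing.CHECK_PENDING)
    return acct.active


def safe_billing_sweep(acct, hours_since_signup):
    # The old 72-hour rule the article mentions: unverified billing is shut off.
    if acct.billing is not Billing.VERIFIED and hours_since_signup >= 72:
        acct.active = False
    return acct.active


def safe_ld_switch(acct, phone):
    # The line must be the one on this account's own billing record, and the
    # switch stays pending until the subscriber confirms the mailed notice.
    if phone != acct.billing_phone:
        return False
    acct.ld_lines[phone] = "pending"
    return True


def safe_ld_confirm(acct, phone):
    if acct.ld_lines.get(phone) != "pending":
        return False
    acct.ld_lines[phone] = "switched"
    return True


if __name__ == "__main__":
    ghost = Account("ghost", "nowhere", "202-555-0100")
    vuln_choose_billing(ghost, "check", "routing/acct")
    vuln_choose_billing(ghost, "credit", "4999000011112222")   # generated number
    print("vulnerable: active before AVS?", vuln_finish_signup(ghost))
    print("vulnerable: still active after AVS fails?", vuln_avs_result(ghost))
    print("vulnerable: switched someone else's line?", vuln_ld_switch(ghost, "703-555-0199"))
```

The two fixes are deliberately boring: clear the approval flag whenever the input it was based on changes, and refuse to commit a state change whose gating check has not returned. The Talk.com half additionally separates "requested" from "switched" so that the mailed notice the article says subscribers never received becomes a required step rather than a courtesy.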
This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 02:41:55 PDT