http://www.wired.com/news/business/0,1367,50697,00.html

By Michelle Delio
2:00 a.m. Feb. 27, 2002 PST

America Online users, you have unwanted packages -- due either to the activities of malicious hackers, aggressive pop-up ads or a sudden widespread epidemic of shopping amnesia.

AOL has billed thousands of its users for products presented in pop-up ads after users clicked a "no thanks" button to refuse the offer, according to a lawsuit filed last week in U.S. District Court in San Francisco. The charges were made public late Monday.

AOL steadfastly maintains there are no glitches in its shopping system that could have resulted in the erroneous charges and shipments. Users insist that they did not mistakenly click "Yes" when they meant to click "No."

So who made the purchases?

A group of hackers who focus on finding security holes in AOL's systems contend the most likely culprits are a bunch of bored kids who hacked into AOL accounts, perhaps with the assistance of disgruntled AOL employees. Members of this group recently reported two major security holes in AOL's Instant Messenger program.

Although it's far from certain that kid-crackers are to blame for the shopping sprees cited in the lawsuit, it's possible that once a cracker has a user's screen name and password, he can log on as the account user and order merchandise through AOL's shopping service. Products ordered through the service are automatically charged to the account holder's credit or debit card.

These hackers say AOL passwords are remarkably easy to come by, claiming that they sometimes gain access to accounts with the aid of AOL employees who provide information in exchange for a share of the spoils.

"One guy in AOL's Operations Security told me if I used a hacked account to get his girlfriend a $700 necklace from Barneys Online he would get me access to six more accounts," a hacker known as Flyman said.
"What it comes down to is that AOL's biggest security risk is corrupt employees who will straight up give away info for a price."

But the easiest way to crack an account is by using a password generator that matches a password to an AOL screen name, hackers say.

"If a password is an actual word, not a healthy mixture of upper and lower case characters with numbers and even some symbols, it's trivial to figure out the password using one of the hundreds of AOL password crackers and password stealers lurking around on the Internet," said a white-hat hacker known as Mancow.

"AOL doesn't want to burden their users by making their password system too complicated for John Q. Public, but by refusing to force users to use strong passwords they have left an important aspect of security solely in the hands of a possibly clueless consumer," Mancow added. "If AOL wants to allow users to use simple passwords, the service should then find some way to verify a user's identity before allowing products to be charged to the credit card associated with the account."

AOL spokesman Nicholas Graham declined to comment on any specific allegations, but agreed it was possible that unauthorized charges for merchandise could be the work of malicious hackers. AOL will investigate the possibility, Graham said.

Meanwhile, Graham suggested that AOL users visit the service's Neighborhood Watch section for security tips.

"Our members have the responsibility to make sure that their passwords and accounts are secure," Graham said.

"It certainly seems logical that the problem is more likely to have been caused by hackers, or confused AOL users who perhaps pushed 'Yes, please' instead of 'No, thanks,' than by a glitch in AOL's shopping system," said Nathan Cohen, an attorney who specializes in Internet law.

"AOL has about 30 million users now. If there was a glitch, it should have affected more than the 'thousands' of users that the court case cites. A glitch should have affected millions of people."
"I can't help but think this is the 2002 version of the old stunt of sending a dozen pizzas to someone who pissed you off," Cohen added.

AOL hackers admit their more malicious brethren crack accounts because they are angry at the owner of the account. Once they have access to the account they typically change the password, "muck around with e-mail and order stuff," Flyman said.

Sometimes the cracks are random: People with short or "cool" screen names are also prime targets, according to the hackers.

"Ninety percent of the account hacks that some people do is because they see a cool screen name and they want to use it," said Solitude, another hacker.

The warning signs of account intrusion include e-mail that has been marked as read or deleted that users know they haven't seen, as well as a sudden spike in account activity, say the hackers.

They also advise users to disable any unused sub-accounts. AOL members can have six screen names per account, and hackers say seldom-used screen names are ripe for exploitation.

Cohen said AOL would not likely be held responsible for the types of security breaches outlined by the hackers.

"AOL is following the practices that are standard in the industry," Cohen said. "I don't know of any commercial service that forces users to use secure passwords. While you could rightfully argue that the policies should be changed, I don't see any evidence of negligence."

But should the court find AOL responsible for the fraudulent billing, the company would be "in a world of trouble," criminal attorney Frank Anderson said.

"I expect that they'd much rather find out that hackers are rampaging through their system than to face charges that a bug in their software is spontaneously billing customers for things they did not order," Anderson said. "But the best outcome of all for AOL would be to discover that they have a bunch of amnesiac shopaholic users."
- ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 02:05:21 PST