[ISN] EarthLink's Passwords Are Naked

From: InfoSec News (isnat_private)
Date: Tue Jun 18 2002 - 03:41:32 PDT

    http://www.wired.com/news/privacy/0,1848,53208,00.html
    
    By Brian McWilliams 
    2:00 a.m. June 17, 2002 PDT 
    
    Passwords are Internet users' best defense against online-identity
    theft. So why is EarthLink exposing customer passwords to tech support
    staffers?
    
    In a break from industry practice, EarthLink, the nation's
    fourth-largest Internet service, is allowing its support employees to
    have full access to the passwords of its 4.9 million subscribers.
    
    According to EarthLink spokeswoman Carla Shaw, EarthLink service
    agents are permitted to view customer passwords in order to expedite
    the handling of one of the ISP's top support issues: forgotten
    passwords.
    
    "How are tech support representatives supposed to troubleshoot a
    person's account if they can't see the password?" Shaw said.
    
    While such a practice may please some customers, experts said
    EarthLink could be exposing its subscribers to a range of security
    threats, including attacks from disgruntled or unethical employees.
    
    "Giving service reps customer passwords is a security risk, certainly.  
    Service reps could use the passwords to eavesdrop upon or impersonate
    customers. They could give or sell those passwords to others," said
    Bruce Schneier, chief technology officer for Counterpane Internet
    Security.
    
    Last year, EarthLink launched a major branding effort touting its
    protection of users' privacy. According to Shaw, the company remains
    "very privacy and security oriented," but does not believe its
    password policy creates a threat to users. In any case, attempts by
    support reps to gain access to customers' accounts would be logged,
    she said.
    
    At America Online, MSN and United Online -- the top three ISPs,
    respectively -- stored passwords are off-limits altogether to support
    staff, according to company officials.
    
    "There is no place where our service reps or anyone else at AOL can
    get access to customer passwords. We specifically train our reps not
    to ask for or accept passwords or billing information from customers,"  
    said AOL spokesman Nicholas Graham.
    
    What's more, AOL nags users with a warning every time they check their
    e-mail or send an instant message: "AOL staff will never ask you for
    your password!"
    
    If you subscribe to AOL and you forget your password, it's history.  
    AOL will issue you a new, temporary one over the phone, but it will
    instruct you immediately to change it online at the service's password
    area, according to Graham.
    
    With new password-stealing frauds regularly appearing on the Internet,
    "ISPs need to take a harsh stance against password disclosure and arm
    their users" against such scams, according to Greg Shipley, director
    of consulting for security firm Neohapsis.
    
    "If users are unclear about when it's OK to give out their password,
    trouble will follow," Shipley said.
    
    At the help section of its site, EarthLink provides the following
    warning on password security: "Never tell your password to anyone --
    with one exception. EarthLink Sprint Technical/Customer Support may
    ask for it when you call EarthLink Sprint for assistance."
    
    According to Shaw, EarthLink sometimes requests a subscriber's
    password to troubleshoot connection problems, but the company does not
    use passwords as a way of authenticating telephone callers.
    
    Such a confusing password policy could make an ISP's customers easy
    prey for password scams that involve "social engineering" or trickery,
    said Shipley.
    
    Officials at Microsoft's Internet service appear to agree. Product
    manager Parul Shah said MSN warns users never to send their passwords
    by e-mail and never to speak them over the telephone -- not even to
    MSN support staff.
    
    "If someone else knows your password, the consequences can be
    chilling. Your e-mail is no longer private ... the identity thief may
    have access to your credit card numbers. Your children may be able to
    get to Web sites that you've blocked.... The list goes on," states a
    warning at MSN's help desk site.
    
    Should MSN users forget their passwords, the service will issue new
    ones from a Web form or a toll-free telephone number. Customer service
    reps do not have access to stored passwords, Shah said.
    
    United Online follows a similar password security policy. Created last
    year by the merger of Juno and NetZero, United does not give service
    agents access to users' passwords, according to spokesman Peter
    Delgrosso.
    
    United's Juno site allows customers who have forgotten their passwords
    to receive a new one by e-mail or by phone. The NetZero side of
    United's operations additionally allows customers to generate new
    passwords using an online request form, Delgrosso said.
    
    In providing its support staff with access to customer passwords,
    EarthLink appears to be in conflict not only with ISP industry
    practices, but also with modern software theory, according to Shipley.
    
    Rather than saving a plaintext copy of passwords, operating systems
    like Windows and Unix, as well as commercial applications, only store
    a "hash" or cryptographic fingerprint of each password on the system,
    Shipley said. When a user signs on, the program authenticates him or
    her by comparing the value of the stored hash against the hash of the
    characters typed in by the user.
    
    "If EarthLink's technicians are able to see a password, that means
    they are storing the actual password and not a hash, and that's a very
    bad idea" that could enable thieves to pilfer its password databases
    without the need of a password cracking program, said Shipley.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    