http://www.wired.com/news/privacy/0,1848,53208,00.html

By Brian McWilliams
2:00 a.m. June 17, 2002 PDT

Passwords are Internet users' best defense against online-identity theft. So why is EarthLink exposing customer passwords to tech support staffers?

In a break from industry practice, EarthLink, the nation's fourth-largest Internet service, is allowing its support employees to have full access to the passwords of its 4.9 million subscribers.

According to EarthLink spokeswoman Carla Shaw, EarthLink service agents are permitted to view customer passwords in order to expedite the handling of one of the ISP's top support issues: forgotten passwords.

"How are tech support representatives supposed to troubleshoot a person's account if they can't see the password?" Shaw said.

While such a practice may please some customers, experts said EarthLink could be exposing its subscribers to a range of security threats, including attacks from disgruntled or unethical employees.

"Giving service reps customer passwords is a security risk, certainly. Service reps could use the passwords to eavesdrop upon or impersonate customers. They could give or sell those passwords to others," said Bruce Schneier, chief technology officer for Counterpane Internet Security.

Last year, EarthLink launched a major branding effort touting its protection of users' privacy. According to Shaw, the company remains "very privacy and security oriented," but does not believe its password policy creates a threat to users. In any case, attempts by support reps to gain access to customers' accounts would be logged, she said.

At America Online, MSN and United Online -- the top three ISPs, respectively -- stored passwords are off-limits altogether to support staff, according to company officials.

"There is no place where our service reps or anyone else at AOL can get access to customer passwords. We specifically train our reps not to ask for or accept passwords or billing information from customers," said AOL spokesman Nicholas Graham.

What's more, AOL nags users with a warning every time they check their e-mail or send an instant message: "AOL staff will never ask you for your password!"

If you subscribe to AOL and you forget your password, it's history. AOL will issue you a new, temporary one over the phone, but it will instruct you immediately to change it online at the service's password area, according to Graham.

With new password-stealing frauds regularly appearing on the Internet, "ISPs need to take a harsh stance against password disclosure and arm their users" against such scams, according to Greg Shipley, director of consulting for security firm Neohapsis.

"If users are unclear about when it's OK to give out their password, trouble will follow," Shipley said.

At the help section of its site, EarthLink provides the following warning on password security: "Never tell your password to anyone -- with one exception. EarthLink Sprint Technical/Customer Support may ask for it when you call EarthLink Sprint for assistance."

According to Shaw, EarthLink sometimes requests a subscriber's password to troubleshoot connection problems, but the company does not use passwords as a way of authenticating telephone callers.

Such a confusing password policy could make an ISP's customers easy prey for password scams that involve "social engineering" or trickery, said Shipley.

Officials at Microsoft's Internet service appear to agree. Product manager Parul Shah said MSN warns users never to send their passwords by e-mail and never to speak them over the telephone -- not even to MSN support staff.

"If someone else knows your password, the consequences can be chilling. Your e-mail is no longer private ... the identity thief may have access to your credit card numbers. Your children may be able to get to Web sites that you've blocked.... The list goes on," states a warning at MSN's help desk site.

Should MSN users forget their passwords, the service will issue new ones from a Web form or a toll-free telephone number. Customer service reps do not have access to stored passwords, Shah said.

United Online follows a similar password security policy. Created last year by the merger of Juno and NetZero, United does not give service agents access to users' passwords, according to spokesman Peter Delgrosso.

United's Juno site allows customers who have forgotten their passwords to receive a new one by e-mail or by phone. The NetZero side of United's operations additionally allows customers to generate new passwords using an online request form, Delgrosso said.

In providing its support staff with access to customer passwords, EarthLink appears to be in conflict not only with ISP industry practices, but also with modern software theory, according to Shipley.

Rather than saving a plaintext copy of passwords, operating systems like Windows and Unix, as well as commercial applications, only store a "hash" or cryptographic fingerprint of each password on the system, Shipley said. When a user signs on, the program authenticates him or her by comparing the value of the stored hash against the hash of the characters typed in by the user.

"If EarthLink's technicians are able to see a password, that means they are storing the actual password and not a hash, and that's a very bad idea" that could enable thieves to pilfer its password databases without the need of a password-cracking program, said Shipley.
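As an added illustration of the hash-and-compare scheme Shipley describes (example code written for this page, not from the article or any ISP's system), the following Python stores only a salted PBKDF2 hash, verifies a login by recomputing it, and shows how a help desk can reset a forgotten password without ever seeing the old one. The iteration count, record format and in-memory account table are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user salt.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a stored record of the form 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'.

    The plaintext password is never written anywhere; only the salt and the
    derived hash are kept, so nobody with read access to the record can see it.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Authenticate by hashing the typed characters and comparing against the stored hash."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reset_password(accounts: dict, username: str) -> str:
    """Help-desk reset: replace the old record with a fresh temporary password.

    The agent never learns the old password (it cannot be recovered from the hash),
    and the account is flagged so the user must choose a new password at next login.
    """
    temp = secrets.token_urlsafe(12)
    accounts[username] = {"record": hash_password(temp), "must_change": True}
    return temp


if __name__ == "__main__":
    # Constructed sample account for demonstration.
    accounts = {"alice": {"record": hash_password("correct horse"), "must_change": False}}
    print("login ok:", verify_password("correct horse", accounts["alice"]["record"]))
    temp = reset_password(accounts, "alice")
    print("temporary password accepted:", verify_password(temp, accounts["alice"]["record"]))
    print("old password still works:", verify_password("correct horse", accounts["alice"]["record"]))
```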