* Ian G.:
R.A. Hettinga wrote:
<http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623> Have questions? Search AOL Help articles and tutorials: ..... If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode
1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out?
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens à la SecurID can only help if the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented. (Traditional IPsec XAUTH is problematic for the very same reason, even with a SecurID token lookalike.)
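
The point of the last reply, as an added sketch that is not part of the original thread: a time-based code is accepted whichever connection delivers it, so it only defeats delayed reuse, while a response that also covers the endpoint the client is connected to fails when passed on. RFC 6238 TOTP stands in for the token (SecurID uses a different algorithm); `bound_response`, the host names and the 30-second step are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumed; real tokens vary)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 time-based code (RFC 4226 truncation over the time-step counter)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_code(secret: bytes, code: str, now: int) -> bool:
    """Plain token check: the server sees only the digits, not where they were typed."""
    return hmac.compare_digest(totp(secret, now), code)

def bound_response(secret: bytes, now: int, endpoint: str) -> str:
    """Hypothetical channel-bound variant: the response also covers the endpoint
    identity the client is actually connected to."""
    msg = struct.pack(">Q", now // STEP) + endpoint.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def server_accepts_bound(secret: bytes, response: str, now: int, own_endpoint: str) -> bool:
    """Server recomputes the response for its own endpoint identity."""
    return hmac.compare_digest(bound_response(secret, now, own_endpoint), response)

def scenario() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, not a real key
    t0 = 30                            # constructed timestamp, start of time step 1
    code = totp(secret, t0)            # digits the user reads off the token
    real, lookalike = "login.example.com", "login.example.net"  # placeholder names
    resp = bound_response(secret, t0, lookalike)  # user is on the wrong endpoint
    return {
        "code_forwarded_5s_later": server_accepts_code(secret, code, t0 + 5),
        "code_used_2_steps_later": server_accepts_code(secret, code, t0 + 2 * STEP),
        "bound_forwarded_5s_later": server_accepts_bound(secret, resp, t0 + 5, real),
        "bound_from_right_endpoint": server_accepts_bound(
            secret, bound_response(secret, t0, real), t0 + 5, real),
    }

if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```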