AOL Help : About AOL� PassCode
http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623
Have questions? Search AOL Help articles and tutorials:
How To:
Billing
Channels
Communicating Online
E-Mail
More Subjects
Products and Services
AOL.COM
AOL® Computer Check-Up
AOL Deskbar
AOL® Calendar
AOL® File Backup
AOL® PassCode
AOL® Privacy Wall
inStore
Money Alerts
Technical Support
More Help:
Help Tutorials
Auto Fixes
Pop-Up Controls
Spam & Mail Controls
Anti-Virus Center
AOL Help Community
Safety, Security & Privacy
AOL Voice Services
Products and Services >> AOL® PassCode
About AOL® PassCode
After purchasing and receiving your AOL® PassCode, go to AOL Keyword:
PassCode and this screen appears, allowing you to secure your screen name
to your AOL PassCode. On this screen you can also release your screen name
from AOL PassCode, change service plans and order additional AOL PassCodes.
Account Status
This area lists your current AOL PassCode service plan, including the
secured and unsecured screen names within the plan. If the maximum number
of screen names in your service plan are secured to your AOL PassCode, the
Manage Service Plan button will appear.
View PassCode Account Activity
Displays a screen listing a summary of your AOL PassCode account activity,
such as the date you purchased your subscription, ordered AOL PassCode
devices and details such as the price plan ordered and the quantity of AOL
PassCodes ordered.
Secure Screen Name
To help protect your screen name with AOL PassCode, you need to secure your
screen name to your specific AOL PassCode device. Each AOL PassCode has a
unique serial number engraved on its back. By associating your screen name
with a specific AOL PassCode serial number, the AOL service will know which
six-digit number needs to be entered at each sign-on, helping to protect
your screen name from unauthorized access.
To secure a screen name to your AOL PassCode
1. Sign on to the AOL® service with the screen name you want to
secure to your AOL PassCode.
2. Go to AOL Keyword: PassCode.
3. Click Secure Screen Name.
4. Type the eight-digit serial number engraved on the back of your
AOL PassCode.
5. Type the six-digit number displayed on the front of your AOL
PassCode.
6. Click Save. A confirmation screen appears. This change takes
effect immediately and will be enforced the next time you sign on to the
AOL service. Whenever you sign on to the AOL service using the screen name
that you secured to AOL PassCode, you will be required to enter the
six-digit number on the front of your AOL PassCode.
Release Screen Name
When the screen name you signed on to the AOL service with has already been
secured to your AOL PassCode, the Secure Screen Name button changes to
Release Screen Name.
If you no longer want to use AOL PassCode, you must release your screen
name from your AOL PassCode so that you will no longer need to enter a
six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode
1. Sign on to the AOL service with the screen name you want to
release from your AOL PassCode.
2. Go to AOL Keyword: PassCode.
3. Click Release Screen Name. The Secure Screen Name button changes
to Release Screen Name when that particular screen name is secured to AOL
PassCode.
4. Enter the answer to your account security question. For more
information, see What is an Account Security Question.
5. Type the eight-digit serial number engraved on the back of your
AOL PassCode.
6. Type the six-digit number displayed on the front of your AOL
PassCode.
7. Click Save. This change takes effect immediately, and removes the
AOL PassCode protection for subsequent sign-ons.
Manage Service Plan
Displays a screen with AOL PassCode service plan options, allowing you to
change your current service plan.
Order more PassCodes
Displays a screen allowing you to order additional AOL PassCodes.
Live Customer Support
Contact AOL 24 hours a day, seven days a week!
Chat With Us:
Technical SupportBilling Support
Call Us:
Talk to an expert.
AOL Help Main | Manage Your Account | Safety & Security | Anti-Virus |
Upgrade Center | Feedback | Privacy Policy
Copyright © 2004 America Online, Inc. All rights reserved.
Back to Top
AOL 9.0 SE/LE
Change Version
--
-----------------
R. A. Hettinga
Hey RAH, don't forget to include the 182000 hours free download image. Or the AOL user agreement. Or their logo. I mean, we wouldn't want to be *uninformed* or anything, right? Shit, you make a rotten Choate substitute. -- Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF Civilization is in a tailspin - everything is backwards, everything is upside down- doctors destroy health, psychiatrists destroy minds, lawyers destroy justice, the major media destroy information, governments destroy freedom and religions destroy spirituality - yet it is claimed to be healthy, just, informed, free and spiritual. We live in a social system whose community, wealth, love and life is derived from alienation, poverty, self-hate and medical murder - yet we tell ourselves that it is biologically and ecologically sustainable. The Bush plan to screen whole US population for mental illness clearly indicates that mental illness starts at the top. Rev Dr Michael Ellner
R.A. Hettinga wrote:
http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623 Have questions? Search AOL Help articles and tutorials: ..... If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out? -- News and views on what matters in finance+crypto: http://financialcryptography.com/
On Tue, Jan 04, 2005 at 08:44:11PM +0000, Ian G wrote: | R.A. Hettinga wrote: | | >http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623 | >Have questions? Search AOL Help articles and tutorials: | >..... | >If you no longer want to use AOL PassCode, you must release your screen | >name from your AOL PassCode so that you will no longer need to enter a | >six-digit code when you sign on to any AOL service. | > | >To release your screen name from your AOL PassCode | > 1. Sign on to the AOL service with the screen name you want to | > release from your AOL PassCode. | > | | OK. So all I have to do is craft a good reason to | get people to reset their PassCode, craft it into | a phishing mail and send it out? Nope! All you have to do is exploit your attack and steal money in realtime. A securid has no way to authenticate its server, and what's really needed to stop phishing is server auth. Adam
* Ian G.:
R.A. Hettinga wrote:
<http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&artic leId=217623> Have questions? Search AOL Help articles and tutorials: ..... If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out?
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens ` la SecurID can only help if the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented. (Traditional IPsec XAUTHis problematic for the very same reason, even with a SecurID token lookalike.)
Florian Weimer wrote:
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens ` la SecurID can only help if
Indeed.
the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented.
So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers. Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet - if somebody has, I'd be interested to hear about), because it has some advantages for the attacker: * he doesn't have to bother to (partially) copy the target web site * easy to implement - plug an off-the-shelf mod_perl module for reverse proxy into your apache and add 10 minutes for configuration. You'll find the passwords in the log file. Add some simple filters to attack PassCode. * more stealthy, because users see exactly, what they are used to, e.g. for online banking they see account balance etc. To attack money transfers protected by PassCode, the attacker could substitute account and amount and manipulate the server response to show what was entered by user. Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks? Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...
Joerg Schneider wrote:
So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers.
Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet ...
By this you mean a dynamic, immediate MITM where the attacker proxies through to the website in real time? Just as a point of terms clarification, I would say that if the attacker collects all the information by using a copy of the site, and then logs in later at leisure to the real site, that's an MITM. (If he were to use that information elsewhere, so for example creating a new credit arrangement at another bank, then that technically wouldn't be an MITM.) Perhaps we need a name for this: real time MITM versus delayed time MITM? Batch time MITM?
Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks?
The user+client has to authenticate the server. Everything that I've seen over the last two years seems to fall into that one bucket.
Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...
Maybe. But that only addresses the MITM, not the theft of user information. -- News and views on what matters in finance+crypto: http://financialcryptography.com/
participants (6)
-
Adam Shostack -
Florian Weimer -
Ian G -
J.A. Terranson -
Joerg Schneider -
R.A. Hettinga