AOL Help : About AOL� PassCode
<http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623> Have questions? Search AOL Help articles and tutorials: How To: Billing Channels Communicating Online E-Mail More Subjects Products and Services AOL.COM AOL® Computer Check-Up AOL Deskbar AOL® Calendar AOL® File Backup AOL® PassCode AOL® Privacy Wall inStore Money Alerts Technical Support More Help: Help Tutorials Auto Fixes Pop-Up Controls Spam & Mail Controls Anti-Virus Center AOL Help Community Safety, Security & Privacy AOL Voice Services Products and Services >> AOL® PassCode About AOL® PassCode After purchasing and receiving your AOL® PassCode, go to AOL Keyword: PassCode and this screen appears, allowing you to secure your screen name to your AOL PassCode. On this screen you can also release your screen name from AOL PassCode, change service plans and order additional AOL PassCodes. Account Status This area lists your current AOL PassCode service plan, including the secured and unsecured screen names within the plan. If the maximum number of screen names in your service plan are secured to your AOL PassCode, the Manage Service Plan button will appear. View PassCode Account Activity Displays a screen listing a summary of your AOL PassCode account activity, such as the date you purchased your subscription, ordered AOL PassCode devices and details such as the price plan ordered and the quantity of AOL PassCodes ordered. Secure Screen Name To help protect your screen name with AOL PassCode, you need to secure your screen name to your specific AOL PassCode device. Each AOL PassCode has a unique serial number engraved on its back. By associating your screen name with a specific AOL PassCode serial number, the AOL service will know which six-digit number needs to be entered at each sign-on, helping to protect your screen name from unauthorized access. To secure a screen name to your AOL PassCode 1. Sign on to the AOL® service with the screen name you want to secure to your AOL PassCode. 2. Go to AOL Keyword: PassCode. 3. Click Secure Screen Name. 4. Type the eight-digit serial number engraved on the back of your AOL PassCode. 5. Type the six-digit number displayed on the front of your AOL PassCode. 6. Click Save. A confirmation screen appears. This change takes effect immediately and will be enforced the next time you sign on to the AOL service. Whenever you sign on to the AOL service using the screen name that you secured to AOL PassCode, you will be required to enter the six-digit number on the front of your AOL PassCode. Release Screen Name When the screen name you signed on to the AOL service with has already been secured to your AOL PassCode, the Secure Screen Name button changes to Release Screen Name. If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service. To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode. 2. Go to AOL Keyword: PassCode. 3. Click Release Screen Name. The Secure Screen Name button changes to Release Screen Name when that particular screen name is secured to AOL PassCode. 4. Enter the answer to your account security question. For more information, see What is an Account Security Question. 5. Type the eight-digit serial number engraved on the back of your AOL PassCode. 6. Type the six-digit number displayed on the front of your AOL PassCode. 7. Click Save. This change takes effect immediately, and removes the AOL PassCode protection for subsequent sign-ons. Manage Service Plan Displays a screen with AOL PassCode service plan options, allowing you to change your current service plan. Order more PassCodes Displays a screen allowing you to order additional AOL PassCodes. Live Customer Support Contact AOL 24 hours a day, seven days a week! Chat With Us: Technical SupportBilling Support Call Us: Talk to an expert. AOL Help Main | Manage Your Account | Safety & Security | Anti-Virus | Upgrade Center | Feedback | Privacy Policy Copyright © 2004 America Online, Inc. All rights reserved. Back to Top AOL 9.0 SE/LE Change Version -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Hey RAH, don't forget to include the 182000 hours free download image. Or the AOL user agreement. Or their logo. I mean, we wouldn't want to be *uninformed* or anything, right? Shit, you make a rotten Choate substitute. -- Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF Civilization is in a tailspin - everything is backwards, everything is upside down- doctors destroy health, psychiatrists destroy minds, lawyers destroy justice, the major media destroy information, governments destroy freedom and religions destroy spirituality - yet it is claimed to be healthy, just, informed, free and spiritual. We live in a social system whose community, wealth, love and life is derived from alienation, poverty, self-hate and medical murder - yet we tell ourselves that it is biologically and ecologically sustainable. The Bush plan to screen whole US population for mental illness clearly indicates that mental illness starts at the top. Rev Dr Michael Ellner
R.A. Hettinga wrote:
<http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623> Have questions? Search AOL Help articles and tutorials: ..... If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out? -- News and views on what matters in finance+crypto: http://financialcryptography.com/
On Tue, Jan 04, 2005 at 08:44:11PM +0000, Ian G wrote: | R.A. Hettinga wrote: | | ><http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623> | >Have questions? Search AOL Help articles and tutorials: | >..... | >If you no longer want to use AOL PassCode, you must release your screen | >name from your AOL PassCode so that you will no longer need to enter a | >six-digit code when you sign on to any AOL service. | > | >To release your screen name from your AOL PassCode | > 1. Sign on to the AOL service with the screen name you want to | > release from your AOL PassCode. | > | | OK. So all I have to do is craft a good reason to | get people to reset their PassCode, craft it into | a phishing mail and send it out? Nope! All you have to do is exploit your attack and steal money in realtime. A securid has no way to authenticate its server, and what's really needed to stop phishing is server auth. Adam
* Ian G.:
R.A. Hettinga wrote:
<http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&artic leId=217623> Have questions? Search AOL Help articles and tutorials: ..... If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out?
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens ` la SecurID can only help if the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented. (Traditional IPsec XAUTHis problematic for the very same reason, even with a SecurID token lookalike.)
Florian Weimer wrote:
I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens ` la SecurID can only help if
Indeed.
the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented.
So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers. Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet - if somebody has, I'd be interested to hear about), because it has some advantages for the attacker: * he doesn't have to bother to (partially) copy the target web site * easy to implement - plug an off-the-shelf mod_perl module for reverse proxy into your apache and add 10 minutes for configuration. You'll find the passwords in the log file. Add some simple filters to attack PassCode. * more stealthy, because users see exactly, what they are used to, e.g. for online banking they see account balance etc. To attack money transfers protected by PassCode, the attacker could substitute account and amount and manipulate the server response to show what was entered by user. Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks? Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...
Joerg Schneider wrote:
So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers.
Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet ...
By this you mean a dynamic, immediate MITM where the attacker proxies through to the website in real time? Just as a point of terms clarification, I would say that if the attacker collects all the information by using a copy of the site, and then logs in later at leisure to the real site, that's an MITM. (If he were to use that information elsewhere, so for example creating a new credit arrangement at another bank, then that technically wouldn't be an MITM.) Perhaps we need a name for this: real time MITM versus delayed time MITM? Batch time MITM?
Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks?
The user+client has to authenticate the server. Everything that I've seen over the last two years seems to fall into that one bucket.
Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...
Maybe. But that only addresses the MITM, not the theft of user information. -- News and views on what matters in finance+crypto: http://financialcryptography.com/
participants (6)
-
Adam Shostack -
Florian Weimer -
Ian G -
J.A. Terranson -
Joerg Schneider -
R.A. Hettinga