AOL Help : About AOL® PassCode

Florian Weimer fw at
Tue Jan 4 14:19:30 PST 2005

* Ian G.:

> R.A. Hettinga wrote:
>>Have questions? Search AOL Help articles and tutorials:
>>If you no longer want to use AOL PassCode, you must release your screen
>>name from your AOL PassCode so that you will no longer need to enter a
>>six-digit code when you sign on to any AOL service.
>>To release your screen name from your AOL PassCode
>>	1.  	Sign on to the AOL service with the screen name you want to release
from your AOL PassCode.
> OK.  So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens ` la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTHis problematic for the very same reason, even
with a SecurID token lookalike.)

More information about the cypherpunks-legacy mailing list