AOL Help : About AOL® PassCode
Florian Weimer
fw at deneb.enyo.de
Tue Jan 4 14:19:30 PST 2005
* Ian G.:
> R.A. Hettinga wrote:
>
>><http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&artic
leId=217623>
>>Have questions? Search AOL Help articles and tutorials:
>>.....
>>If you no longer want to use AOL PassCode, you must release your screen
>>name from your AOL PassCode so that you will no longer need to enter a
>>six-digit code when you sign on to any AOL service.
>>
>>To release your screen name from your AOL PassCode
>> 1. Sign on to the AOL service with the screen name you want to release
from your AOL PassCode.
>>
>
> OK. So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?
I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site. Tokens ` la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption. Online
MITM attacks are not prevented.
(Traditional IPsec XAUTHis problematic for the very same reason, even
with a SecurID token lookalike.)
More information about the Testlist
mailing list