Information Security News mailing list archives

AOL warns members to keep passwords under wraps


From: InfoSec News <isn () C4I ORG>
Date: Sat, 1 Jul 2000 00:57:15 -0500

http://news.cnet.com/news/0-1005-200-2181540.html

By Jim Hu
Staff Writer, CNET News.com
June 30, 2000, 12:35 p.m. PT

America Online is implementing new safeguards to curb email scams bent
on prying account information out of its members.

The online giant has sent emails about a new feature, "Official AOL
Mail." Emails sent to members by the company will be color-coded to
distinguish themselves from malicious emails disguised as AOL alerts,
representatives for the company said.

Official AOL emails will come with blue envelope icons in members'
in-boxes. Once opened, the messages will have light blue borders
behind the mail buttons in the messages and seals in the lower
left-hand corners that say "Official AOL Mail."

"They're like watermarks and a way in which members know what they're
receiving is from us," said Tricia Primrose, an AOL spokeswoman.

The move is an attempt to curb account "phishing," a practice employed
by email scammers to trick members into divulging their passwords or
credit card numbers.

Many times these emails come disguised as correspondence from AOL's
billing department informing members that their passwords have
expired. Duped people would enter their passwords into the emails and
send them back to the scammer. This is one technique that account
crackers have used to compromise accounts or steal credit card
numbers.

Just this week, Wichita, Kan., police arrested two 15-year-olds for
allegedly stealing credit card numbers from AOL members and then
purchasing thousands of dollars of goods online. An officer involved
in the case said the two teenagers allegedly sent phony emails signed
with AOL chief executive Steve Case's name to members, asking them to
go to a Web site to update their information. The site requested
information such as credit card numbers.

"We served a couple of search warrants, and we did arrest two
juveniles for alleged computer crimes," said Lt. Tom Spencer of the
Wichita Police Department.

Wichita police were notified of the supposed scam by investigators in
other states, where victims reported their credit cards had been
compromised.

The teenagers have not been charged, Spencer said.

"Unfortunately, the incident with the teenagers is an example of the
types of scams we see, and all the more reason why a product like
Official AOL Mail will be an important resource for both the company
and for our members," AOL's Primrose said about the arrests.

AOL has been targeted by account crackers and con artists with some
success. Earlier this month, AOL confirmed that hackers illegally
broke into 200 of its member accounts by sending company employees an
email virus. The virus targeted employees authorized to review and
edit account data, including credit card information and passwords.
AOL did not say what kind of information was compromised by the
attack.

Crackers have also managed to take over accounts by tricking customer
service representatives into giving out confidential information. It
is possible for a cracker to reset an account password by contacting
AOL customer service and impersonating the account holder.

Primrose added that AOL correspondences will never ask for member
passwords or account information. AOL also warns its members never to
open attachments from strangers and never to divulge account
information via email or in chat rooms.

ISN is hosted by SecurityFocus.com