Information Security News mailing list archives

AOL Stops One Security Breach, Fails To Stop Another


From: InfoSec News <isn () c4i org>
Date: Wed, 10 Oct 2001 02:39:54 -0500 (CDT)

http://www.newsbytes.com/news/01/170924.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
08 Oct 2001, 4:11 PM CST
 
America Online has fixed a security hole that for years allowed a
cadre of cognoscenti hackers to create bogus AOL accounts and hack
away in relative obscurity, but has yet to patch a little-known
vulnerability that allows anyone with an AOL account to switch many
phone customers' long-distance providers.

According to information obtained by Newsbytes, the exploit allows the
switcher to view the victim's calling and billing records all without
ever notifying the victim or asking his or her permission.

The method for creating a ghost AOL account has become something of an
open secret among the subculture of more sophisticated AOL-hacker
types, but the process for doing so is fairly straightforward.

When new users signed up for an AOL account online, they could opt to
pay via check or credit card, but because it is extremely difficult to
verify checking information online, the signup process transparently
stored the information in a buffer and flagged the account as
"OK-to-create," leaving the user with a message to contact AOL support
in order to verify the checking account information.

But if the new users then returned to the billing page, changed the
billing method to "credit" and entered a random credit card number
created by any one of several credit card number-generating tools
available on hacker sites, they effectively bypassed the next step in
the account creation process: the address verification system (AVS).

The exploit worked because by the time AOL's AVS system learned that
the supplied credit card number did not match any current billing
records, the account had already been activated.
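The flow the article describes, as an added example (not AOL's code): the signup is modelled as a small state machine with a Luhn check standing in for the "number-generating tools", a constructed issuer table standing in for AVS, and the account, state and address fields all assumed for the illustration. The vulnerable class activates the account when the billing method is switched and queues AVS for later, exactly the ordering the article blames; the hardened class treats any change of billing instrument as a fresh decision and will not activate until AVS has answered.

```python
# Added example (not AOL code): toy model of the signup race described above.
# Account fields, the issuer table and the AVS stub are constructed here.
import random
from dataclasses import dataclass
from enum import Enum


def luhn_valid(number: str) -> bool:
    """Luhn checksum: the only property a 'card number generator' guarantees."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def generate_luhn_number(prefix: str = "4", length: int = 16, seed=None) -> str:
    """What the generator tools did: random digits plus a correct check digit."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    total = 0
    for i, d in enumerate(int(c) for c in reversed(body)):
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return body + str((10 - total % 10) % 10)


# Constructed stand-in for the issuer/AVS lookup: card number -> address on file.
ISSUED_CARDS = {"4111111111111111": "123 Main St, Dulles VA"}


def avs_check(card_number: str, address: str) -> bool:
    """Authoritative check: does the issuer know this card at this address?"""
    return ISSUED_CARDS.get(card_number) == address


class State(Enum):
    OK_TO_CREATE = "OK-to-create"  # check path: details buffered for support to verify
    AVS_PENDING = "avs-pending"
    VERIFIED = "verified"
    INVALID = "invalid"


@dataclass
class Account:
    screen_name: str
    address: str
    billing_method: str
    billing_detail: str
    state: State
    active: bool = False


class VulnerableSignup:
    """Activates on the carried-over OK-to-create flag; AVS runs afterwards."""

    def __init__(self):
        self.accounts = {}
        self.avs_queue = []

    def signup_with_check(self, name, address, check_details):
        acct = Account(name, address, "check", check_details, State.OK_TO_CREATE)
        self.accounts[name] = acct
        return acct

    def change_billing_to_credit(self, name, card_number):
        acct = self.accounts[name]
        if not luhn_valid(card_number):
            raise ValueError("malformed card number")
        acct.billing_method, acct.billing_detail = "credit", card_number
        # Flaw: the OK-to-create decision made for the check path is carried
        # over to the new instrument, the account goes live now, AVS is queued.
        acct.active = True
        acct.state = State.AVS_PENDING
        self.avs_queue.append(name)
        return acct

    def run_avs(self):
        """Deferred AVS: by the time it answers, the account is already live."""
        for name in self.avs_queue:
            acct = self.accounts[name]
            ok = avs_check(acct.billing_detail, acct.address)
            acct.state = State.VERIFIED if ok else State.INVALID
            # Flaw (per Lamo): invalid billing no longer deactivates, it only
            # triggers pop-up reminders, so acct.active is left as is.
        self.avs_queue.clear()


class HardenedSignup(VulnerableSignup):
    """A change of billing instrument resets approval; activation waits for AVS."""

    def change_billing_to_credit(self, name, card_number):
        acct = self.accounts[name]
        if not luhn_valid(card_number):
            raise ValueError("malformed card number")
        acct.billing_method, acct.billing_detail = "credit", card_number
        acct.active = False  # the earlier OK-to-create no longer applies
        ok = avs_check(card_number, acct.address)  # verify before activating
        acct.state = State.VERIFIED if ok else State.INVALID
        acct.active = ok
        return acct


def demo(bogus_card: str):
    """Run both flows with the same Luhn-valid but unissued number."""
    results = {}
    for label, cls in (("vulnerable", VulnerableSignup), ("hardened", HardenedSignup)):
        svc = cls()
        svc.signup_with_check("ghost01", "nowhere", "routing 000000000 / acct 0000")
        acct = svc.change_billing_to_credit("ghost01", bogus_card)
        active_before_avs = acct.active
        svc.run_avs()
        results[label] = (active_before_avs, acct.active, acct.state)
    return results
```

The point the model makes is that a Luhn check is a syntax check, not a verification: any generator satisfies it, so the only thing that keeps a bogus instrument off a live account is ordering the authoritative check before activation and discarding any approval attached to a different billing method.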

"Previously, AOL accounts would be shut down after 72 hours if they
didn't have valid billing," said Adrian Lamo, a freelance security
consultant and founder of Inside-AOL.com, a site dedicated to keeping
tabs on security lapses at AOL.

"But in an effort to increase the total number of registered members,
AOL stopped shutting down accounts with bogus billing and just let
them live and receive daily pop-up reminders that the billing
information was invalid," Lamo told Newsbytes in a recent interview.

Roughly two months ago, Lamo became aware of another buffer problem in
AOL's network that allows any user to exploit the company's
relationship with online local and long-distance provider Talk America
Holdings Inc., (http://www.talk.com).

By simply entering their phone number in an online application, AOL
users can switch their long-distance provider to Talk.com, and receive
all of their billing and calling statements by entering keyword "LD
Member" via the AOL dial-up home page.

The problem, Lamo said, is that during signup the system automatically
assumes the phone number entered corresponds to the user's AOL account
billing information, when in fact neither may be accurate. In effect,
the system never verifies whether the phone number being switched to
Talk.com actually belongs to the subscriber.
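The missing check, as an added example (not AOL's or Talk.com's code): the subscriber record, its "number on the billing record" field, the notice list and the two sample subscribers are all constructed here. The first handler does what the article describes, taking the typed number as proof of ownership and mailing nothing; the second is the editor's suggested fix, which only switches a number the requester's own account already holds and records the notification letter for the address on file.

```python
# Added example (not AOL/Talk.com code): the carrier-switch request handled
# as described on the page, beside a version that checks ownership.
from dataclasses import dataclass, field


def normalize_phone(raw: str) -> str:
    """Digits only, so '(703) 555-0199' and '7035550199' compare equal."""
    return "".join(c for c in raw if c.isdigit())


@dataclass
class Subscriber:
    screen_name: str
    billing_phone: str    # assumed: the number AOL holds on the billing record
    postal_address: str


@dataclass
class CarrierSwitch:
    # normalized phone -> screen name allowed to read that line's calling records
    switched: dict = field(default_factory=dict)
    # (postal address, phone) pairs for the carrier-change notification letter
    notices: list = field(default_factory=list)

    def switch_as_described(self, requester: Subscriber, phone: str) -> bool:
        """Flaw: the typed number is taken as the requester's; no letter goes out."""
        self.switched[normalize_phone(phone)] = requester.screen_name
        return True

    def switch_hardened(self, requester: Subscriber, phone: str) -> bool:
        """Only the number on the requester's own record may be switched, and the
        address of record is notified (the letter the article says never arrived)."""
        number = normalize_phone(phone)
        if number != normalize_phone(requester.billing_phone):
            return False
        self.switched[number] = requester.screen_name
        self.notices.append((requester.postal_address, number))
        return True

    def can_read_records(self, requester: Subscriber, phone: str) -> bool:
        """What keyword 'LD Member' exposes: records of lines this account switched."""
        return self.switched.get(normalize_phone(phone)) == requester.screen_name


# Constructed subscribers (555 numbers are fictional): an attacker and a victim.
ATTACKER = Subscriber("attacker01", "202-555-0100", "PO Box 1, Anytown")
VICTIM = Subscriber("victim01", "703-555-0199", "1 Elm St, Othertown")
```

Binding the switch to the number already on the authenticated account is the minimum; a carrier would normally also want the letter-of-notice step to be independent of the requester, since the page's point is that the subscriber had no channel through which to notice the change.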

Normally when someone switches their long-distance carrier, the
carrier assuming the service sends a letter within 30 days notifying
the subscriber of the service change.

"But with Talk.com, it's never actually seen by the subscriber - they
never get anything in the mail," Lamo said. "So once you've switched
over the person's carrier, you have access to all the information
about calls they made, and they would never notice a thing. Except
maybe for the fact that they would stop getting phone bills."

Working with other subscribers who agreed to test the Talk.com hack,
Lamo was able to verify that accounts belonging to several other AOL
subscribers had been switched.

"In fact, you could sign up a phone number in multiple different
cities and it would sail right through," Lamo said. "If someone were
profit-minded, they could definitely take a year or two off from work
just by selling this information out to private investigators."

Both activities raise interesting questions about the effectiveness of
federal law enforcement's recent interest in gaining easier access to
Internet service provider records in the wake of the Sept. 11 attacks.

"Accounts with arbitrary, made-up information totally break the purpose
of (the FBI's e-mail snooping device) Carnivore, and render the
subpoena process useless," Lamo said. "AOL's negligence in this regard
may have single-handedly frustrated more investigations of its
subscribers than deliberate obstruction could in twice the time."

AOL spokesman Nicholas Graham said the company was unaware of member
reports related to either issue and "that there are no indications of
widespread use of the techniques."

"These activities are not 'hacks' - they are serious crimes. Any of
the described scenarios, if attempted, are clear violations of federal
and state laws governing credit card fraud, privacy and slamming
practices," Graham said. "As has been our policy, AOL consistently
reaches out and cooperates with efforts by law enforcement to
prosecute individuals using the AOL service to violate such laws."

Lamo said he was skeptical of AOL's non-denial denial.

"If I become aware of something like this, it means that it's been
used in the wild. AOL spends more time than it used to on internal
security, and it's doing a better job at it, but it still seems to
think that security and public relations are somehow interchangeable,"
he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.