Information Security News mailing list archives

EarthLink's Passwords Are Naked


From: InfoSec News <isn () c4i org>
Date: Tue, 18 Jun 2002 05:41:32 -0500 (CDT)

http://www.wired.com/news/privacy/0,1848,53208,00.html

By Brian McWilliams 
2:00 a.m. June 17, 2002 PDT 

Passwords are Internet users' best defense against online-identity
theft. So why is EarthLink exposing customer passwords to tech support
staffers?

In a break from industry practice, EarthLink, the nation's
fourth-largest Internet service, is allowing its support employees to
have full access to the passwords of its 4.9 million subscribers.

According to EarthLink spokeswoman Carla Shaw, EarthLink service
agents are permitted to view customer passwords in order to expedite
the handling of one of the ISP's top support issues: forgotten
passwords.

"How are tech support representatives supposed to troubleshoot a
person's account if they can't see the password?" Shaw said.

While such a practice may please some customers, experts said
EarthLink could be exposing its subscribers to a range of security
threats, including attacks from disgruntled or unethical employees.

"Giving service reps customer passwords is a security risk, certainly.  
Service reps could use the passwords to eavesdrop upon or impersonate
customers. They could give or sell those passwords to others," said
Bruce Schneier, chief technology officer for Counterpane Internet
Security.

Last year, EarthLink launched a major branding effort touting its
protection of users' privacy. According to Shaw, the company remains
"very privacy and security oriented," but does not believe its
password policy creates a threat to users. In any case, attempts by
support reps to gain access to customers' accounts would be logged,
she said.

At America Online, MSN and United Online -- the top three ISPs,
respectively -- stored passwords are off-limits altogether to support
staff, according to company officials.

"There is no place where our service reps or anyone else at AOL can
get access to customer passwords. We specifically train our reps not
to ask for or accept passwords or billing information from customers,"  
said AOL spokesman Nicholas Graham.

What's more, AOL nags users with a warning every time they check their
e-mail or send an instant message: "AOL staff will never ask you for
your password!"

If you subscribe to AOL and you forget your password, it's history.  
AOL will issue you a new, temporary one over the phone, but it will
instruct you immediately to change it online at the service's password
area, according to Graham.

With new password-stealing frauds regularly appearing on the Internet,
"ISPs need to take a harsh stance against password disclosure and arm
their users" against such scams, according to Greg Shipley, director
of consulting for security firm Neohapsis.

"If users are unclear about when it's OK to give out their password,
trouble will follow," Shipley said.

At the help section of its site, EarthLink provides the following
warning on password security: "Never tell your password to anyone --
with one exception. EarthLink Sprint Technical/Customer Support may
ask for it when you call EarthLink Sprint for assistance."

According to Shaw, EarthLink sometimes requests a subscriber's
password to troubleshoot connection problems, but the company does not
use passwords as a way of authenticating telephone callers.

Such a confusing password policy could make an ISP's customers easy
prey for password scams that involve "social engineering" or trickery,
said Shipley.

Officials at Microsoft's Internet service appear to agree. Product
manager Parul Shah said MSN warns users never to send their passwords
by e-mail and never to speak them over the telephone -- not even to
MSN support staff.

"If someone else knows your password, the consequences can be
chilling. Your e-mail is no longer private ... the identity thief may
have access to your credit card numbers. Your children may be able to
get to Web sites that you've blocked.... The list goes on," states a
warning at MSN's help desk site.

Should MSN users forget their passwords, the service will issue new
ones from a Web form or a toll-free telephone number. Customer service
reps do not have access to stored passwords, Shah said.

United Online follows a similar password security policy. Created last
year by the merger of Juno and NetZero, United does not give service
agents access to users' passwords, according to spokesman Peter
Delgrosso.

United's Juno site allows customers who have forgotten their passwords
to receive a new one by e-mail or by phone. The NetZero side of
United's operations additionally allows customers to generate new
passwords using an online request form, Delgrosso said.

In providing its support staff with access to customer passwords,
EarthLink appears to be in conflict not only with ISP industry
practices, but also with modern software theory, according to Shipley.

Rather than saving a plaintext copy of passwords, operating systems
like Windows and Unix, as well as commercial applications, only store
a "hash" or cryptographic fingerprint of each password on the system,
Shipley said. When a user signs on, the program authenticates him or
her by comparing the value of the stored hash against the hash of the
characters typed in by the user.

"If EarthLink's technicians are able to see a password, that means
they are storing the actual password and not a hash, and that's a very
bad idea" that could enable thieves to pilfer its password databases
without the need of a password cracking program, said Shipley.
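The hash-and-compare scheme Shipley describes, as an added example in Python (this is not EarthLink's or any other ISP's code, and it is not from the article). It goes one step past the text in two ways: the stored value is a salted, iterated PBKDF2-HMAC-SHA256 hash rather than a bare hash, which is what a deployment needs for the "thieves can't just read the database" argument to hold, and it includes the AOL-style reset flow described earlier in the article (a temporary password issued once, then a forced change), so a support view of an account contains nothing a rep could read out, reuse or sell. The function names, the in-memory account dict and the iteration count are assumptions made for the illustration.

```python
"""Password storage with one-way hashes instead of plaintext (added
illustration, not any ISP's real code). Support staff can reset, but
never read, a subscriber's password."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumption: iteration count for PBKDF2; tune upward for real servers.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per password means two subscribers with the same
    password get different records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The plaintext never needs to be stored: the check only needs the
    candidate the user just typed and the stored hash."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed account store: username -> {"password_hash": ..., "must_change": ...}
Store = Dict[str, Dict[str, object]]

# Used to spend the same time on unknown usernames as on real ones.
_DUMMY_HASH = hash_password(secrets.token_hex(8))


def create_account(store: Store, username: str, password: str) -> None:
    store[username] = {"password_hash": hash_password(password),
                       "must_change": False}


def login(store: Store, username: str, password: str) -> str:
    """Return 'ok', 'must_change' (temporary password accepted) or 'denied'."""
    account = store.get(username)
    if account is None:
        verify_password(password, _DUMMY_HASH)  # constant-ish timing
        return "denied"
    if not verify_password(password, account["password_hash"]):
        return "denied"
    return "must_change" if account["must_change"] else "ok"


def support_reset(store: Store, username: str) -> str:
    """The AOL-style flow: a rep triggers a reset and reads the temporary
    password to the caller once. Only its hash is kept, flagged so the
    next login forces the subscriber to pick a new password."""
    temp = secrets.token_urlsafe(9)
    store[username] = {"password_hash": hash_password(temp),
                       "must_change": True}
    return temp


def change_password(store: Store, username: str,
                    current: str, new: str) -> bool:
    """Subscriber replaces the temporary (or old) password; the rep is
    not involved and never learns the new one."""
    if login(store, username, current) == "denied":
        return False
    store[username] = {"password_hash": hash_password(new),
                       "must_change": False}
    return True


def support_view(store: Store, username: str) -> Dict[str, object]:
    """What a support rep can see: the hash record and the flag, no plaintext."""
    return dict(store[username])


if __name__ == "__main__":
    accounts: Store = {}
    create_account(accounts, "alice", "correct horse")
    temp = support_reset(accounts, "alice")
    print("rep sees:", support_view(accounts, "alice"))
    print("login with temp:", login(accounts, "alice", temp))
    print("changed:", change_password(accounts, "alice", temp, "new secret"))
    print("login with new:", login(accounts, "alice", "new secret"))
```

Note that `support_view` is the whole point: even with full database access, a rep (or an intruder who copies the table) gets salted hashes and has to run a cracking program against each one, which is exactly the cost Shipley says EarthLink's plaintext storage removes.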



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

