AOL Help : About AOL® PassCode
Florian Weimer
fw at deneb.enyo.de
Tue Jan 4 17:19:30 EST 2005
* Ian G.:
> R.A. Hettinga wrote:
>
>><http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623>
>>Have questions? Search AOL Help articles and tutorials:
>>.....
>>If you no longer want to use AOL PassCode, you must release your screen
>>name from your AOL PassCode so that you will no longer need to enter a
>>six-digit code when you sign on to any AOL service.
>>
>>To release your screen name from your AOL PassCode
>> 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
>>
>
> OK. So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?
I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site. Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption. Online
MITM attacks are not prevented.
(Traditional IPsec XAUTH is problematic for the very same reason, even
with a SecurID token lookalike.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
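Added example, not part of the original post: a verifier-side sketch of why a six-digit token code is accepted when forwarded promptly from another site, while a response that covers the origin the client saw is not. It assumes RFC 6238 TOTP as a stand-in for the token's code algorithm and a simplified HMAC scheme for the origin-bound case; all names, secrets, origins and timestamps are constructed.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1 with RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_code(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Server check: accept the current or the previous time step.
    Nothing in the input records which site the user typed the code into."""
    return any(hmac.compare_digest(code, totp(secret, now - d * step, step))
               for d in (0, 1))

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side (hypothetical scheme): the response covers the
    server's nonce and the origin the client is actually connected to."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_origin_bound(key: bytes, challenge: bytes, response: bytes,
                        expected_origin: str) -> bool:
    """Server side: recompute over its own origin and compare."""
    expected = origin_bound_response(key, challenge, expected_origin)
    return hmac.compare_digest(response, expected)

# Constructed sample values (assumptions, not from the post).
SECRET = b"constructed-demo-secret"
REAL = "https://signin.example"
LOOKALIKE = "https://signin.example.invalid"
T0 = 1_104_877_170  # constructed Unix timestamp on a 30 s step boundary

def relayed_code_accepted(delay_seconds: int) -> bool:
    """Code read off the token at T0 reaches the real service after a delay."""
    code = totp(SECRET, T0)
    return verify_code(SECRET, code, T0 + delay_seconds)

def relayed_origin_bound_accepted() -> bool:
    """Response computed while the client was on the lookalike origin."""
    challenge = b"constructed-server-nonce"
    response = origin_bound_response(SECRET, challenge, LOOKALIKE)
    return verify_origin_bound(SECRET, challenge, response, REAL)

if __name__ == "__main__":
    for delay in (5, 45, 600):
        print(f"code forwarded after {delay:>3}s accepted:", relayed_code_accepted(delay))
    print("origin-bound response accepted:", relayed_origin_bound_accepted())
```

The time window only defeats delayed use of the code; a verifier that wants to reject a forwarded credential needs the response to depend on the channel or origin, as in the second check.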