AOL Help : About AOL® PassCode

Florian Weimer fw at deneb.enyo.de
Tue Jan 4 17:19:30 EST 2005


* Ian G.:

> R.A. Hettinga wrote:
>
>><http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623>
>>Have questions? Search AOL Help articles and tutorials:
>>.....
>>If you no longer want to use AOL PassCode, you must release your screen
>>name from your AOL PassCode so that you will no longer need to enter a
>>six-digit code when you sign on to any AOL service.
>>
>>To release your screen name from your AOL PassCode
>>	1.  	Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
>>
>
> OK.  So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTHis problematic for the very same reason, even
with a SecurID token lookalike.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list