Online ‘Fishers’ Eluding Wider Net Cast by AOL

SPECIAL TO THE TIMES

The official-looking message materialized on America Online subscriber Michael Knaiger’s computer screen one afternoon in early April. The message, emblazoned with the official AOL logo of a swooshing circle inside a triangle, said that due to technical difficulties, Knaiger needed to immediately reenter his password or lose his account.

The request sounded odd, but the West Los Angeles resident obediently typed in his password and hit the send key.

Big mistake.

Knaiger fell for one of the oldest tricks in the America Online prankster’s book: password fishing. A thief armed with an AOL hacker program created the fake screen to pass himself off as an AOL employee and steal Knaiger’s password. The next time Knaiger tried to log on, he found his account had been canceled.

The story is one of many that AOL members tell of dirty tricks perpetrated mainly on newcomers by cybercrooks who will try anything to steal time on the country’s largest commercial online network. According to AOL subscribers and critics, thieves after passwords and other information are as active as ever, despite stricter security measures AOL has put in place recently to protect its nearly 6 million members.

“They’ve solved a lot of their problems, but they still have a bad reputation,” said “Ascirider,” an AOL subscriber in Illinois who also runs an Internet service provider firm and asked that his real name not be used. “There’s still a lot more they could do.”

Critics claim AOL brought the problem on itself by flooding the market with trial disks, failing to thoroughly verify information used to open new accounts, understaffing its army of network cops and waiting too long to implement stricter security measures.

AOL President Steve Case did not respond to a written request for comments, but spokeswoman Pam McGraw said the company is aware of password fishing and other problems and has acted prudently in implementing security measures.

“We have a security team in place, and when things are brought to our attention about the safety of our members and system, we look into it and take the appropriate action,” McGraw said.

Security isn’t just AOL’s problem. Executives at other major commercial online services acknowledge they’ve probably been hit by password fishers and people signing on using fake accounts, although none would provide details.

In March, six major online companies launched a program called ProjectOpen to educate people about how to keep themselves safe online. The $1-million campaign is publishing brochures and has put up a Web site (https://www.isa.net/project-open/) dishing out common-sense advice such as never revealing your name, address, phone number or password while online.

Just days after Knaiger’s password was swiped, AOL added alerts in bold red type to members’ electronic mailboxes and so-called instant messages warning people that AOL employees would never ask for their passwords or billing information.

In the latest action, last week Case announced that AOL had reorganized and renamed its Terms of Service (TOS) department, which is charged with policing the service. The reconfigured Community Action Team will spend more time educating new members and step up reporting of violations that occur in the service’s chat areas, Case says in the May edition of his monthly letter to members.

The changes follow other security efforts that include daily warnings on the service’s sign-off screen, a security briefing called “Rules of the Road” posted in the New Member Orientation area, an improved system of verifying credit cards used to open new accounts and additional parental controls to protect children online.

AOL has threatened legal action against authors of World Wide Web sites that make copies of hacker software available for downloading, including the now-infamous AOHell, which can be used to send mailbox-disabling e-mail bombs, among other things. Spokeswoman McGraw said she didn’t know whether the company had prosecuted anyone for using or distributing the program.

But the new security measures came too late to help Lain L. Lee Jr., a Vacaville, Calif., man who last summer was duped by the same program Knaiger fell for and unwittingly gave out his credit card numbers to thieves. Lee’s first clue that something was wrong was a letter from a Vermont mail-order company denying a $395 order for hunting knives.

Lee had never even heard of the company, and after investigating he realized that thieves on AOL had used his credit card information to place the order--and ring up $60 in charges to a telephone chat line. Police traced the calls to four Newport Beach teenagers, who were arrested on suspicion of conspiracy to commit petty theft. The case is pending.

“Had we not been at the limit on our credit card, it could have been a lot worse,” Lee said.

Critics, including past and present subscribers, say AOL’s newfound security awareness is too little too late. They say the password fishing expeditions continue, especially in areas such as the New Member Lounge, a chat room set up for newcomers to seek advice from AOL technicians and veteran subscribers.

“I spent some time there Sunday, and it was unbelievable,” said an AOL member in Illinois, who requested that her name not be used. “If you go into NML from 2 p.m. on, you get deluged” with requests from would-be thieves.

In addition to password fishing, AOL bandits use outlaw software to log on using one account and “morph” onto another member’s account, where they can read the person’s electronic mail and send messages under that user’s screen name. Hackers also use software to “cloak” their screen names, allowing them to pass through chat rooms invisibly.

Nothing AOL has done has stopped this, said James Egelhof, an 18-year-old high school student who has been chronicling AOL hacker lore and security breaches on the “Why AOL Sucks” Web site (https://www.cloud9.net/aolsucks/) for more than a year.

“Cloaking [and] morphing rely on bugs in the AOL server, and the fact remains that the hackers know the AOL software better than AOL,” Egelhof said.

McGraw wouldn’t comment specifically on morphing and cloaking.

Critics lay much of the blame for lax security on AOL’s newly renamed Community Action Team department, which is charged with making members follow house rules that they agree to when they sign up. Those include never harassing other members, not posting harmful or offensive material and not using AOL to do anything illegal, as well as agreeing to provide accurate billing information and paying one’s bills.

AOL employs several hundred CAT monitors and uses several hundred more member volunteer “guides” to help police the network, reportedly in exchange for gratis accounts. But according to critics, CAT staff and guides are short-handed and unresponsive.

“[They’re] too busy making the Net sanitary to bother with security,” Egelhof said.

McGraw said she could only address issues of unresponsiveness on a case-by-case basis, but acknowledged that AOL has staffing problems.

“Our member base has tripled in 12 months. Staffing is a challenge we face every day,” she said.

One area that AOL appears to have cleaned up is billing verification. As recently as the middle of last year, AOL was allowing people to sign up for new accounts with nothing more than a credit card or checking account number. As a result, hackers and other dishonest sorts used fake numbers to open accounts.

According to McGraw, AOL’s billing verification systems have been overhauled in the last 12 months to include more stringent practices. AOL members with ties to the hacker community concede that the number of people trying to create fake accounts has dropped significantly in the last six months.

Internet users who regularly post comments about AOL to two Usenet newsgroups--alt.aol.sucks and alt.online-services.aol.criticism--believe hackers have targeted the company because of its ugly-American approach to the Internet.

AOL didn’t educate its members well enough before unleashing them onto newsgroups and the World Wide Web, which led to a torrent of Internet etiquette faux pas, said David Cassel, moderator of alt.online-services.aol.criticism.

“AOL’s indifference to Internet culture let the consumer service open their gates to the Internet without giving users any training,” Cassel said. But training, specifically teaching new members to be on their guard, is how AOL officials believe they’ll beat the hacker problem.

Freelance writer Michelle V. Rafter writes a weekly Internet column for Reuters. She can be reached via e-mail at mvrafter@deltanet.com.