THE CUTTING EDGE

Online 'Fishers' Eluding Wider Net Cast by AOL

May 13, 1996 | MICHELLE V. RAFTER | SPECIAL TO THE TIMES

The official-looking message materialized on America Online subscriber Michael Knaiger's computer screen one afternoon in early April. The message, emblazoned with the official AOL logo of a swooshing circle inside a triangle, said that due to technical difficulties, Knaiger needed to immediately reenter his password or lose his account.

The request sounded odd, but the West Los Angeles resident obediently typed in his password and hit the send key.

Big mistake.

Knaiger fell for one of the oldest tricks in the America Online prankster's book: password fishing. A thief armed with an AOL hacker program created the fake screen to pass himself off as an AOL employee and steal Knaiger's password. The next time Knaiger tried to log on, he found his account had been canceled.

The story is one of many that AOL members tell of dirty tricks perpetrated mainly on newcomers by cybercrooks who will try anything to steal time on the country's largest commercial online network. According to AOL subscribers and critics, thieves after passwords and other information are as active as ever, despite stricter security measures AOL has put in place recently to protect its nearly 6 million members.

"They've solved a lot of their problems, but they still have a bad reputation," said "Ascirider," an AOL subscriber in Illinois who also runs an Internet service provider firm and asked that his real name not be used. "There's still a lot more they could do."

Critics claim AOL brought the problem on itself by flooding the market with trial disks, failing to thoroughly verify information used to open new accounts, understaffing its army of network cops and waiting too long to implement stricter security measures.

AOL President Steve Case did not respond to a written request for comments, but spokeswoman Pam McGraw said the company is aware of password fishing and other problems and has acted prudently in implementing security measures.

"We have a security team in place, and when things are brought to our attention about the safety of our members and system, we look into it and take the appropriate action," McGraw said.

Security isn't just AOL's problem. Executives at other major commercial online services acknowledge they've probably been hit by password fishers and people signing on using fake accounts, although none would provide details.

In March, six major online companies launched a program called ProjectOpen to educate people about how to keep themselves safe online. The $1-million campaign is publishing brochures and has put up a Web site (http://www.isa.net/project-open/) dishing out common-sense advice such as never revealing your name, address, phone number or password while online.

Just days after Knaiger's password was swiped, AOL added alerts in bold red type to members' electronic mailboxes and so-called instant messages warning people that AOL employees would never ask for their passwords or billing information.

In the latest action, last week Case announced that AOL had reorganized and renamed its Terms of Service (TOS) department, which is charged with policing the service. The reconfigured Community Action Team will spend more time educating new members and step up reporting of violations that occur in the service's chat areas, Case says in the May edition of his monthly letter to members.

The changes follow other security efforts that include daily warnings on the service's sign-off screen, a security briefing called "Rules of the Road" posted in the New Member Orientation area, an improved system of verifying credit cards used to open new accounts and additional parental controls to protect children online.

AOL has threatened legal action against authors of World Wide Web sites that make copies of hacker software available for downloading, including the now-infamous AOHell, which can be used to send mailbox-disabling e-mail bombs, among other things. Spokeswoman McGraw said she didn't know whether the company had prosecuted anyone for using or distributing the program.

But the new security measures came too late to help Lain L. Lee Jr., a Vacaville, Calif., man who last summer was duped by the same program Knaiger fell for and unwittingly gave out his credit card numbers to thieves. Lee's first clue that something was wrong was a letter from a Vermont mail-order company denying a $395 order for hunting knives.

Lee had never even heard of the company, and after investigating he realized that thieves on AOL had used his credit card information to place the order--and ring up $60 in charges to a telephone chat line. Police traced the calls to four Newport Beach teenagers, who were arrested on suspicion of conspiracy to commit petty theft. The case is pending.

"Had we not been at the limit on our credit card, it could have been a lot worse," Lee said.

Los Angeles Times Articles