[16622] in cryptography@c2.net mail archive


Re: AOL Help : About AOL® PassCode

daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Jan 5 11:33:43 2005

X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: Ian G <iang@systemics.com>
Cc: cryptography@metzdowd.com, cypherpunks@al-qaeda.net
Date: Tue, 04 Jan 2005 23:19:30 +0100
In-Reply-To: <41DB001B.2060308@systemics.com> (Ian G.'s message of "Tue, 04
	Jan 2005 20:44:11 +0000")

* Ian G.:

> R.A. Hettinga wrote:
>
>><http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623>
>>Have questions? Search AOL Help articles and tutorials:
>>.....
>>If you no longer want to use AOL PassCode, you must release your screen
>>name from your AOL PassCode so that you will no longer need to enter a
>>six-digit code when you sign on to any AOL service.
>>
>>To release your screen name from your AOL PassCode
>>	1.  	Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
>>
>
> OK.  So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTH is problematic for the very same reason, even
with a SecurID token lookalike.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
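
Added example, not part of the original message: a server-side check showing why a time-based code helps only when use of the credential is delayed, next to a response bound to the origin the user is actually on. Assumptions: RFC 6238 TOTP with its published test secret and a 30-second step stands in for the token (SecurID's own algorithm differs); the origin-bound HMAC scheme, the timestamps and the example.com/example.net names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 6238 test secret; a stand-in for the seed inside a hardware token.
SECRET = b"12345678901234567890"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Server check: only the code and the clock are inputs.
    Nothing ties the code to the connection or site it was typed into."""
    return hmac.compare_digest(code, totp(secret, now))

def bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Hypothetical authenticator that mixes in the origin the user is on."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_bound(secret: bytes, challenge: bytes, response: str, real_origin: str) -> bool:
    """Server recomputes the response for its own origin and compares."""
    return hmac.compare_digest(response, bound_response(secret, challenge, real_origin))

def demo() -> dict:
    typed_at = 1111111085  # constructed: moment the user reads the token display
    code = totp(SECRET, typed_at)
    challenge = b"constructed-nonce-0001"
    # Response produced while the user is on a lookalike origin (constructed name).
    resp = bound_response(SECRET, challenge, "https://login.example.net")
    return {
        # The same code arriving 24 s later from any other client still verifies.
        "code_same_window": verify_totp(SECRET, code, 1111111109),
        # Once use is delayed past the time step, the code no longer verifies.
        "code_next_window": verify_totp(SECRET, code, 1111111111),
        # The origin-bound response does not verify for the genuine site.
        "bound_wrong_origin": verify_bound(SECRET, challenge, resp, "https://login.example.com"),
    }

if __name__ == "__main__":
    print(demo())
```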
