AOL Accounts Jeopardized?
The author of this Wired News article talks to several hackers who claim to have gained access to Merlin, AOL's account database, which holds the account information for AOL customers. However, the security system protecting Merlin appears to be very advanced, leading many to question the validity of such claims.
The attacks that aren't being challenged by various industry pundits are the good old-fashioned social engineering exploits, ones that don't rely on a flaw in technology but on human nature. For instance, the hackers claimed to have called up support personnel, feigned a broken jaw, and mumbled a fake social security number to "prove" their identity.
Having been in this industry for some time, I don't doubt that this could happen. Nor do I doubt that hackers were able to simply call the support department and have the password reset on an account they knew some basic information about. Once the password had been reset, they could then access the account itself.
The article highlights the greatest insecurity in any computerized system -- staff. A company's staff always has access to the sensitive information being protected. Staff can make arbitrary, often poor decisions. In this case, it appears staff can render an extremely expensive security system ineffective.
Highlighting a particular weakness in a popular industry trend, the hackers focused on overseas staff. The theory is that, in the rush to cut tech support costs, many companies such as AOL and Verisign have moved their lower echelon tech support overseas.
In places such as India and the Philippines, these companies found vast, English-speaking workforces willing to work for far less than their counterparts in the States. In many cases, they could hire more highly educated people for less than they could here. But education is no substitute for training.
These companies put up entire call centers in a rush to meet stock market expectations. In many cases, the employees who staff these call centers have access to the same information as higher echelon tech support. The hackers in the article -- and many industry pundits for that matter -- argue that this makes them prime targets for such scams.
For its part, AOL is investigating the matter. They claim to have found no corroborating information. In the end, this may turn out to be nothing more than hacker hubris -- and bad reporting. Nevertheless, many of the practices described in the article are a reality. It seems almost certain that at least some of the social engineering exploits are true.