
AOL's Merlin Compromised?

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though." Here's the original Wired story.


  1. the specialized id code is securid by Anonymous Coward · · Score: 5, Informative

    The securid makes it unlikely that anyone was able to hack it, at least without physically stealing one of AOL's securid cards and the pin for that card.

    For others that don't know how they work, the code changes every 60 seconds (and is different on every card made), and the old code is no longer good when the code changes. This makes it really hard to bypass without having an actual securid card that is valid for the system that is being broken into, and the proper username and pin for that card.

    1. Re:the specialized id code is securid by PeteEMT · · Score: 5, Informative

      SecurID is a physical token. It's not something stored in the computer.

      http://www.rsasecurity.com/products/securid/tokens.html

      They come in two forms (at least the AOL ones did when I was a contractor there): a key-chain fob and one that looks like a credit-card calculator.
      If I remember right, the system also automatically marks the login code invalid once a successful login is achieved. So someone can't use a Key Sniffer to steal your code. If you logged in and got disconnected for some reason, you needed to wait for your SecurID to rollover to the next code.

      --
      Pete
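The two comments above describe the properties that make a sniffed token code nearly worthless: the code rolls every 60 seconds, every token has its own secret, a memorised PIN is required alongside the code, and a code that has already produced a successful login is rejected afterwards. The block below is an added illustration written for this page, not code from the thread or from RSA; it uses an HMAC-based code generator as a stand-in for SecurID's proprietary algorithm (an assumption), and the usernames, secrets and PINs are constructed.

```python
import hashlib
import hmac
import struct

# The comments above say the code changes every 60 seconds; this window
# length mirrors that. The HMAC construction below is an assumption used
# for illustration only, not RSA's SecurID algorithm.
WINDOW_SECONDS = 60
CODE_DIGITS = 6


def token_code(secret: bytes, now: int) -> str:
    """Compute the code a token holding `secret` would display at time `now`
    (seconds since the epoch). Each token has its own secret, so two tokens
    never show the same sequence of codes."""
    counter = now // WINDOW_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class TokenAuthenticator:
    """Server side: knows each user's token secret and PIN, and remembers
    which (user, window) pairs have already been spent on a successful login."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, str]] = {}
        self._spent: set[tuple[str, int]] = set()

    def enroll(self, username: str, secret: bytes, pin: str) -> None:
        # Constructed enrolment record; a real deployment seeds this from
        # the token vendor's secret file, never from user input.
        self._users[username] = (secret, pin)

    def login(self, username: str, pin: str, code: str, now: int) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        secret, expected_pin = record
        window = now // WINDOW_SECONDS
        # Both factors must match: the PIN the user memorised and the code on
        # the physical token. A sniffed code without the PIN is not enough,
        # and a code from a previous 60-second window no longer verifies.
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
        code_ok = hmac.compare_digest(code, token_code(secret, now))
        if not (pin_ok and code_ok):
            return False
        # A code that already produced a successful login is rejected, so
        # replaying it within the same window fails too; the user simply
        # waits for the token to roll over, as Pete describes.
        if (username, window) in self._spent:
            return False
        self._spent.add((username, window))
        return True
```

Real deployments usually also accept the neighbouring window to tolerate clock drift between token and server; that widens the replay check to cover every accepted window, which the single-window version above keeps simple on purpose.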
  2. Re:This is why.... by kryptkpr · · Score: 3, Informative

    Did you read the article?

    They tricked/convinced/conspired with AOL employees (those hooked to internal and external networks at once) into accepting and running a trojan that would act as a gateway between AOL's systems and the outside world while idling on IRC..

    This is how most DDOS bots work, I guess they just took it one step further.

    Disclaimer: I could be wrong, IANAAH (I Am Not An AOL Hacker), this is just what I got out of reading the article.

    --
    DJ kRYPT's Free MP3s!
  3. Re:wait a minute... by ceejayoz · · Score: 5, Informative

    A large number of those users are using the free trial periods, or are existing users getting free service (AOL offers that if you try to cancel - it's actually possible to get AOL for free indefinitely).

  4. Some info on the subject by Anonymous Coward · · Score: 3, Informative

    Merlin is AOL's internal tool for keeping track of customer records. It only operates from the AOL LAN. However, this is defeated with a simple TCP/IP redirector. The security code is a SecurID code. It changes every 60 seconds, but it's pretty useless if you social engineer someone into giving you the code. Same deal with passwords. The real hole here isn't any technical measures, but the complete fucking stupidity of AOL employees.

    Oh yeah, this has been going on repeatedly since at least 2000. However, it gets media attention very infrequently, but the problem was always there, and always exploited.

  5. I'm doubting they got into Merlin with this method by scrain · · Score: 5, Informative

    Disclaimer: I worked at AOL for 5 years... I'm pretty familiar with the system under discussion.

    One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.

    Also, Merlin requires a special client that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.

    As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.

  6. You Asked for proof by JacobD · · Score: 5, Informative

    Hi,

    You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.

    The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.

    Jacob
    Observers.net

  7. Re:Who's the Inquirer? by lowe0 · · Score: 3, Informative

    It's an IT site run by a former editor from The Register. Neither is particularly reliable, but they both make entertaining reading, and one can often get an idea of what might really be going on after filtering out all the bullshit rumors.

  8. Re:wait a minute... by Jucius+Maximus · · Score: 4, Informative

    "Let's see... ~35,000,000 * $22.99 = ~$804,650,000 "

    Divide by 7 because you can get 7 usernames for one account. Also keep in mind that many people just coast on the '3 months free' service and then at the end, call to cancel it, and then take another free month when it's offered (so that they don't cancel). The phone reps get a cash bonus for getting a person to stay with AOL like this.

    Lather, rinse, repeat. Free AOL access for life.