Slashdot Mirror


AOL's Merlin Compromised?

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though." Here's the original Wired story.


  1. the specialized id code is securid by Anonymous Coward · · Score: 5, Informative

    The securid makes it unlikely that anyone was
    able to hack it, at least without physically
    stealing one of AOL's securid cards and the
    pin for that card.

    For others that don't know how they work, the code
    changes every 60 seconds (and is different
    on every card made), and the old code
    is no longer good when the code changes, it
    makes it really hard to bypass without having
    an actual securid card that is valid for
    the system that is being broken into, and the
    proper username and pin for that card.

    1. Re:the specialized id code is securid by PeteEMT · · Score: 5, Informative

      SecurID is a physical token. It's not something stored in the computer.

      http://www.rsasecurity.com/products/securid/tokens.html

      They come in two forms (at least the AOL ones did when I was a contractor there): a key chain fob and one that looks like a credit card calculator.
      If I remember right, the system also automatically marks the login code invalid once a successful login is achieved. So someone can't use a Key Sniffer to steal your code. If you logged in and got disconnected for some reason, you needed to wait for your SecurID to rollover to the next code.

      --
      Pete
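The token behaviour these two posts describe (a code that rotates every 60 seconds, differs on every card, is rejected once it rolls over, and is burned after one successful login so a sniffed code cannot be replayed) can be modelled as a small server-side verifier. This is an added example, not code from the thread or from RSA: SecurID's real algorithm is proprietary, so an HMAC-SHA1 time-step code (TOTP-style) stands in for it, and the usernames, seeds, PINs and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Set, Tuple

STEP_SECONDS = 60   # the post: the displayed code changes every 60 seconds
DIGITS = 6


def token_code(seed: bytes, now: float) -> str:
    """Code a token holding `seed` displays at time `now`.

    Stand-in for the proprietary SecurID algorithm: HMAC-SHA1 over the
    time-step counter, truncated TOTP-style.  A different seed gives a
    different code, which is why no two cards show the same number.
    """
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: username + PIN + current token code, each code usable once."""

    def __init__(self, enrolments: Dict[str, Tuple[bytes, str]]):
        # username -> (token seed, PIN); populated with constructed sample data below
        self._enrolments = enrolments
        # (username, time-step) pairs that already produced a successful login.
        # This is what makes a sniffed code worthless until the next rollover.
        # A real deployment would expire entries older than one step.
        self._consumed: Set[Tuple[str, int]] = set()

    def verify(self, username: str, pin: str, code: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._enrolments.get(username)
        if entry is None:
            return False
        seed, expected_pin = entry
        step = int(now // STEP_SECONDS)
        # Constant-time compares; only the code for the *current* step is
        # accepted, so yesterday's (or last minute's) code is rejected.
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
        code_ok = hmac.compare_digest(code.encode(), token_code(seed, now).encode())
        if not (pin_ok and code_ok):
            return False
        if (username, step) in self._consumed:
            return False          # replay within the same 60-second window
        self._consumed.add((username, step))
        return True


# Constructed sample enrolments (hypothetical seeds and PINs, not real data).
SAMPLE_TOKENS = {
    "alice": (b"seed-for-alice-token-0001", "4821"),
    "bob": (b"seed-for-bob-token-0002", "9137"),
}
# Constructed timestamp chosen to sit exactly on a 60-second step boundary.
T0 = 1_000_000_020.0


def demo() -> Dict[str, bool]:
    """Walk through the cases the posts describe and report each outcome."""
    verifier = TokenVerifier(SAMPLE_TOKENS)
    alice_seed = SAMPLE_TOKENS["alice"][0]
    code_now = token_code(alice_seed, T0)
    return {
        # card shows the same code for the whole step
        "stable_within_step": token_code(alice_seed, T0 + 59) == code_now,
        "first_login": verifier.verify("alice", "4821", code_now, now=T0),
        # same code sniffed and replayed 30 s later: already consumed
        "replay_same_step": verifier.verify("alice", "4821", code_now, now=T0 + 30),
        # same code after rollover: no longer the current one
        "after_rollover": verifier.verify("alice", "4821", code_now, now=T0 + STEP_SECONDS),
        # right card, wrong PIN
        "wrong_pin": verifier.verify(
            "alice", "0000", token_code(alice_seed, T0 + 120), now=T0 + 120),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome else 'rejected'}")
```

Only the `_consumed` set encodes the one-successful-login rule PeteEMT mentions; the rollover rule falls out of recomputing the code for the current step, which is also why a real verifier usually allows a small clock-drift window that this example deliberately omits.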
  2. Re:wait a minute... by ceejayoz · · Score: 5, Informative

    A large number of those users are using the free trial periods, or are existing users getting free service (AOL offers that if you try to cancel - it's actually possible to get AOL for free indefinitely).

  3. I'm doubting they got into Merlin with this method by scrain · · Score: 5, Informative

    disclaimer: I worked at AOL for 5 years... I'm pretty familiar with the system under discussion.

    One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.

    Also, Merlin requires a special client, which would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.

    As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.

  4. You Asked for proof by JacobD · · Score: 5, Informative

    Hi,

    You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.

    The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.

    Jacob
    Observers.net