Slashdot Mirror


AOL Moves Beyond Single Passwords for Log-Ons

ars writes "Yahoo is reporting that AOL is adding a new feature allowing customers to use two passwords to log on. The second password comes from a small device from RSA Security which displays a new password each minute. The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."

309 comments

  1. Security Functionality by Tyndmyr · · Score: 3, Insightful
    It's a security improvement, yes...but why would I want to use AOL regardless?

    I tried it...it was slow, often down, and required special software. None of which my cable connection is subject to.

    --
    Support more choices in government-Vote 3rd party.
  2. i always wanted it. by Anonymous Coward · · Score: 0, Funny

    Yes, I always wanted to pay to have a longer login time. So bad I'm not using AOL...

  3. And... I'f I don't need a password..at all.. by Demanche · · Score: 5, Funny

    Can I have a $2 discount???!??!

    ^^ Average American reply if this gets implemented.

    Have fun at the aol sales desk ;)

    --
    Mod me down im a newf (wiki)
    1. Re:And... I'f I don't need a password..at all.. by nearl · · Score: 2, Funny

      Can I have a $10 discount and 3 passwords ^^ Average Indian reply

    2. Re:And... I'f I don't need a password..at all.. by Anonymous Coward · · Score: 0

      Funny...but it got me thinking. Whatever happened to the 'guest' or 'anonymous' account?

      Granted, if you're doing any kind of online transaction, you need security, and the more, the better. Protection against identity theft is also a great thing, so that people can't do all kinds of nefarious things in your name.

      But not having an identity at all is more secure, in some cases. The vast majority of information transiting the internet has no reason to tie an identity to the data...for example, an "anonymous coward" on /.

  4. AOL Employees by Anonymous Coward · · Score: 4, Insightful

      Used to have to use them, smartID or something. ALL internal accounts were locked... it's a very secure system, but hard to believe that users would actually want to use it.

    1. Re:AOL Employees by clickster · · Score: 1

      They were called SecureID. I had one when I worked there (traumatic life-altering mistake). It is a very secure system. I wish I could tie it to my e-mail or perhaps for a login to VPN to my home network. Anyone know if it's possible to use SecureIDs for your own personal home system (certainly at a price)

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    2. Re:AOL Employees by gfxguy · · Score: 1

      I still do... RSA SecurID... don't need it to get mail from "outside" if you're happy with the exchange web interface, but I need it in order to VNC inside the Turner (an AOL/TW company) firewalls.

      --
      Stupid sexy Flanders.
    3. Re:AOL Employees by Anonymous Coward · · Score: 0

      I am also in the TW family (the AOL was dropped from the name long ago - did Turner miss the message) and we use the SecurID token with the web interface and instant messenger as well as the VPN. It's a great technology except that the tokens break very easily.

    4. Re:AOL Employees by Nursie · · Score: 1

      Is it that bad?
      I'm applying right now....

    5. Re:AOL Employees by macthulhu · · Score: 4, Interesting
      I still work for The Deathstar.... oooops, I mean AOL/TW (Go easy on me, I work on the less evil side... Time Warner Cable). We use these RSA IDs. They're not so bad. The part of the login that asks for the number actually goes faster than the normal login procedure. I know you need it to access that account from any computer via AOL or their Webmail interface...

      As for using it for other systems (VPN, etc.) I would be really surprised if they would let you do that, even for an extra fee. Tinfoil helmets and extreme security paranoia are rampant in our IT people, mostly AOL guys. Our network is built on the 'Security Through Confusion' model. Their answer to getting me intranet access from my video production machine was to ship me a low end Dell that they would allow on the network. It still doesn't address the issue of my need to take :30 TV ads from the production machine, and send them to people on the network.

      So, no, I wouldn't expect that they would help you use the RSA fob for anything other than getting your spam, er.... email.

      --

      Someday a real rain is gonna come...

    6. Re:AOL Employees by nolife · · Score: 1

      We use the same system at work for all remote access. AOL must have got one hell of a discount, I believe we are paying about 5-10 times that per user. Maybe AOL is using their own backend and only buying the FOBs.

      --
      Bad boys rape our young girls but Violet gives willingly.
    7. Re:AOL Employees by Anonymous Coward · · Score: 0

      "They were called SecureID"

      And they are nothing new or revolutionary. HP employees have been using them to VPN into HP's network from home for a long time now.

    8. Re:AOL Employees by clickster · · Score: 4, Interesting

      Depends. I worked as a call center tech from 1997-1999. I'll outline the problems that I had. First, you are nothing more than a number (or numbers). You are employee 28645. You must maintain an average call time of no more than 7 min 30 sec, an idle time of 3% or less, and lose no more than 15 minutes off of the phones in an 8 hour shift. That is all they care about. Oh, and maintain good customer service stats at the same time. It's like the real-life interpretation of a Dilbert comic. You have to fix the customer's problems and make them happy. But don't take more than a daily average of X number of minutes. This sucks when someone who has had AOL for years calls with a problem that takes hours to fix. You can A. Spend time fixing it and screw yourself on call time or B. Dump the call to save your call time and hope that they aren't one of the few callers who get a "how did we do?" e-mail that will lower your customer service scores. I quit because I got sick of the conflicting signals I kept getting from management. "We're all about servicing the customers". But that was only if you could do it in the correct amount of time. They wanted satisfied customers, but didn't want to spend any time with them. Oh, and they put the responsibility for resolving that paradox on your shoulders. If you fail, you're fired. I had one of the highest customer satisfaction scores in my call center. Because I fixed people's problems on the first call, rather than giving BS and dumping calls and forcing them to wait on hold 3 times to get a solution (something like 90% and 95% when the call center averages were around 60% and 65%). But that killed me on call times. If a customer called in with problem A and I knew that down the road they were also going to run into problem B, I would fix both problems, while most people who valued their jobs would fix problem A and let them call in again in a week when they ran into problem B.

      This could all be solved if management could pull their heads out of their butts and realize that one 10 minute call that fixes a problem costs less than three 5 minute calls. And the customer leaves happier. Save your sanity. Tear up the application.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    9. Re:AOL Employees by Halthar · · Score: 1

      So far as I know there isn't a PAM module to use SecureID cards directly. I have read that you can get a SecureID enabled Radius Server, and then use the PAM module to authenticate using Radius. I haven't tried it so I have no idea how well it works, but it is one option.

      This is based on reading from a while ago, so I don't know what the current state of a SecureID PAM module is.

    10. Re:AOL Employees by Nursie · · Score: 1

      Does sound bad. We'll see I guess, I just sent a speculative email in to their tech department in the UK in the hope of getting some web design/coding work of some sort.

      Probably won't get back to me anyway.

    11. Re:AOL Employees by nuhonda · · Score: 1

      The nice thing about them (I have one... yes, I work for AOL) is that it now ensures that I WON'T be checking work email outside of the office.

      sure, the security is nice... but after having left mine at home a couple of times, suddenly you're cut off from the world. no email. no access. nothing.

      so now, as any good security conscious user does, my RSA key sits on my desk. right next to my workstation.

      --
      (pretend there's something witty here)
    12. Re:AOL Employees by clickster · · Score: 1

      If you're not doing call center work, they might be a good company. I can't really vouch for anything outside of their call center environment.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    13. Re:AOL Employees by Anonymous Coward · · Score: 0

      Check out RSA's Web Site.

      They have a lot more than you assume...

    14. Re:AOL Employees by SenseiLeNoir · · Score: 1

      It's called SecureID, and there are two types. One type is a keyfob that generates a number randomly every minute.

      The second type, which I use to access my company Intranet, is like a credit card, where I also have to type a PIN into the card, and the generated key is further masked. Very secure.

      --
      Have a nice day!
    15. Re:AOL Employees by Demanche · · Score: 1

      That's why I like my new call center job...

      No time limits on calls and hardly any limits on support ;)
      But AOL is probably one of those "we can't help you, please contact the manufacturer" companies.

      --
      Mod me down im a newf (wiki)
    16. Re:AOL Employees by mjh · · Score: 1

      Personally, I wish every account that I had were on SecurID. Then I wouldn't have to change my passwords every other month. They'd change for me every 60 seconds with no input on my part.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    17. Re:AOL Employees by SenseiLeNoir · · Score: 1

      yes.. but you are talking about the keyfob type.

      The SecurID card I have, you have to ALSO type a PIN number onto the card itself. Even if someone finds the card, they will not be able to get in, unless they also type the PIN.

      --
      Have a nice day!
    18. Re:AOL Employees by bkocik · · Score: 1
      I can't really vouch for anything outside of their call center environment.

      I can. I'm a Sr. Software Engineer here, formerly a Sr. Unix Admin. I've been here a few years, and am largely happy with the place. They're not perfect, like any other employer, but I'd say they're a better employer than many. The pay is very good, the working conditions are outstanding (at least in Dulles and Reston), the perks are nice, and most of the managers I've worked for have been pretty easy going types.

      It's one of those places that, speaking from my own experience, if you deliver in your job you're treated like a professional, and an adult. It's never been a problem if I need to come in a little late, leave a little early, work from home, or take a day off. They're great about that sort of thing.

      Yeah, I like it here. Hopefully you (the parent) will, too if you get in. Good luck to you.

    19. Re:AOL Employees by clickster · · Score: 1

      Like I said, I can't vouch for them outside of the call center environment. The above poster is in a "creative" environment rather than a static, redundant one like a call center. I can see AOL being much better where he's at.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    20. Re:AOL Employees by xmp_phrack · · Score: 1

      Yeah it's RSA SecurID, which uses an OTP (one time password) which changes every 45 to 60 seconds. AOL has used them for internals (employees) and overheads (contractors) in the past. They will likely use them to secure the host accounts, especially if hosts still have the permagag (chat gagger) ability.

      A 6 digit SecurID would ideally take 500,000 attempts to brute force it. However, due to time windows (up to 10 min) and potential 45 second intervals, it can be brute forced in ~30,000 tries in the worst case scenario. The passwords are one time typically, which means you'd likely need an exploit or brute force program that actually logs you in and hands off to the AOL client. Theoretically the main password can be acquired via a trojan or hybrid dictionary attack and verified. Then an attacker would brute force the remaining OTP of SecurID.

      The AOL system is fascinating esp FDO91, CRIS, Merlin/Pegaworks, Kerebos, AOLserver, OpsSec, and Defender.

    21. Re:AOL Employees by xmp_phrack · · Score: 1

      Anyone know if it's possible to use SecureIDs for your own personal home system (certainly at a price)

      There are one time pass solutions like s/key and opie. They are bit more unwieldy than SecurID, but cheap. A challenge-response system would be cheaper than SecurID as well. I'd like to homebrew something like SecurID.

    22. Re:AOL Employees by AKnightCowboy · · Score: 1
      so now, as any good security conscious user does, my RSA key sits on my desk. right next to my workstation.
      That's a silly place for your key fob. Mine is on my keychain along with my other keys. Other users put theirs on their badge lanyard, but either way, it's always close at hand.

    23. Re:AOL Employees by davegaramond · · Score: 2, Interesting

      Can't they use a 95th percentile (or 90th or something) to calculate the daily average call time? This way, if you get say 41 calls a day, and only 1-2 calls take a long time, they don't count. But if more than 3 calls take a long time, only then do they start to affect your average call time.

    24. Re:AOL Employees by mdmarkus · · Score: 1

      It's not that bad. You just have to realize that 12 year old girls (our target market, despite protestations otherwise) need internet access too. I understand it's pretty bad in customer service (as it is everywhere), operations can have odd and somewhat inflexible hours, but development (particularly server development, where I am) is pretty good. It's a Unix shop that cares ab't quality and scalability, what could be better?

    25. Re:AOL Employees by Doug+Neal · · Score: 1

      I've used one on a dialup account before (dial up to company's network) so it must be possible on a VPN too, a PPTP one at least. It worked by having a four-digit password that stayed the same, and the SecurID code appended to the end, so effectively the dialup password changed every minute but the first four digits stayed the same.

  5. Isn't there a much easier way...? by MurrayTodd · · Score: 3, Interesting

    Something I've waited for years and it never came--maybe someone can explain why: client-side SSL.

    To my understanding, you would place a client-authenticating certificate in your web browser program, and during the SSL negotiation that certificate would be used for authentication.

    The only two problems were (again, to my limited understanding) first that you had to go through the effort of installing the certificate on every browser you used, and second, the security could be broken if someone had access to your account. (Of course, account login security and browser "first-time-on-launch" passwords helped protect against that.)

    Why the bloody SecureID system that's so klunky?

    --
    Murray Todd Williams
    1. Re:Isn't there a much easier way...? by dr_dank · · Score: 4, Insightful

      Why the bloody SecureID system that's so klunky?

      Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.

      --
      Where does the school board find them and why do they keep sending them to ME?
    2. Re:Isn't there a much easier way...? by datadriven · · Score: 1

      The retailer is the one that needs to be certified. Client side certification would allow you to be securely connected to fraudulent retailers.

    3. Re:Isn't there a much easier way...? by virtual_mps · · Score: 5, Insightful
      Something I've waited for years and it never came--maybe someone can explain why: client-side SSL.

      Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.
    4. Re:Isn't there a much easier way...? by Alioth · · Score: 1

      Although it's not perfect, it's hardly snake oil. We use client-side certificates to keep the random crackers away from the login screen - they don't see anything unless they have the certificate. However, we DO NOT use them to identify individuals - it's only a very rough grained and basic bit of authentication to keep random people away.

    5. Re:Isn't there a much easier way...? by Anonymous Coward · · Score: 0
      As usual, the clueless get moderated up on Slashdot. Just because you do not understand client certificates, does not make them snake oil.

      For starters, while it is possible to use client certificates without any further security, in practice the minimum security on the private key for a client certificate is a password, which because it never leaves your machine is much less susceptible to interception than a password sent over the internet. There are also hardware devices that can either hold your client certificate, or do the authentication needed to use it, which protect you against locally installed keyloggers.

    6. Re:Isn't there a much easier way...? by merphle · · Score: 1
      The SecureID tags typically (always?) generate a new 6-digit number every 60 seconds. How many AOL users would have difficulty hunting-and-pecking those 6 keys before a new number is generated?

      Also, of the systems I've had to use SecureID, if you mistype the number, you need to wait until the tag generates two new numbers before you can try again.

    7. Re:Isn't there a much easier way...? by poulbailey · · Score: 2, Interesting

      > Something I've waited for years and it never came--maybe someone can explain why: client-side SSL.

      Such a thing already exists... in Denmark. It's completely free to get a certificate mailed to you and you can use it to authenticate for a multitude of do-it-yourself online services like tax returns and other state/county forms. I think it works quite well.

    8. Re:Isn't there a much easier way...? by networkBoy · · Score: 1

      That's still preferable to the normal way of doing things. This way when a user is spoofed into releasing account info in some e-mail, at least their account is still secure. Granted as an earlier poster noted, this only protects their AOL account and not their bank account.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:Isn't there a much easier way...? by virtual_mps · · Score: 2, Insightful
      For starters, while it is possible to use client certificates without any further security, in practice the minimum security on the private key for a client certificate is a password, which because it never leaves your machine is much less susceptible to interception than a password sent over the internet.

      But does nothing against a client-side compromise. Look at the stats on the number of home PC's with cable modems that are being bought and sold as zombies. In practical terms, the odds of having your password stolen via a local compromise are probably higher than having your password stolen on the internet over an ssl connection.

      There are also hardware devices that can either hold your client certificate, or do the authentication needed to use it, which protect you against locally installed keyloggers.

      Yes, and these have their own problems. First, you need a hardware device and an interface to the system--which makes them no less "klunky" than the securid's the OP was complaining about. Second, the interface is a hard problem to solve for the home user. Do you force the user to do something at the hardware device for each use of a client certificate? (Good luck getting that adopted, and good luck teaching the user to distinguish "good" requests from "bad" requests.) Or do you authenticate once per session, which once again leaves you open to attacks if you have a compromised workstation?
    10. Re:Isn't there a much easier way...? by Rich0 · · Score: 1

      Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.

      Actually it can. Take a look at the Java iButton sometime. Or any other number of smart cards capable of RSA. If you keep the certificate in a smart card, it eliminates many of these security issues.

      The technology is there. The problem is that nobody cares since the current system is "good enough".

    11. Re:Isn't there a much easier way...? by petersam · · Score: 1

      You do not need to wait for the code to change if you've fat fingered it. Entering 6 digits can take up to 10 seconds for the slow fingered. The tokens have a little countdown bar to let you know when they're about to change. If mine is about to change, I just wait a few seconds and then log in.

    12. Re:Isn't there a much easier way...? by Ytsejam-03 · · Score: 1
      First, you need a hardware device and an interface to the system--which makes them no less "klunky" than the securid's the OP was complaining about.
      You bring up a good point. I've been reading these comments thinking, "What's wrong with a smart card that has a certificate w/private key?" The problem is that the user would have to install the hardware, and these are AOL users we're talking about.

      IMHO, a system where the server sent some random data to be signed with the private key (which you should _not_ be able to extract from the card) would be even better. Use this in conjunction with a mutually authenticated SSL connection, and you eliminate man-in-the-middle attacks. (Sure, SecurID makes an MITM attack harder since you have, by default, a three-minute window in which the one-time password can be used, but an MITM attack is still possible.)

      Do you force the user to do something at the hardware device for each use of a client certificate? (Good luck getting that adopted, and good luck teaching the user to distinguish "good" requests from "bad" requests.) Or do you authenticate once per session, which once again leaves you open to attacks if you have a compromised workstation?
      I don't see how using a one-time password solves this problem. With a one-time password, they would have to re-enter their password each time an authentication is required. If this is what they want, it would not be hard to find a smart card implementation that would do it. I've seen smart card implementations that behave both ways.
      As I see it, SecurID was chosen for the following reasons:

      1. No hardware to install (as you pointed out)
      2. Less risk. AOL was already using SecurID internally, so it would have been easier to roll out more SecurID tokens than some other technology that they had never deployed.
      3. The hardware was probably cheap. (Yes, this is pure speculation on my part.) I realize that SecurID tokens generally cost $60 or more for the average Joe, but this is AOL we're talking about. RSA is almost certainly giving AOL a large discount for this exposure to the mainstream marketplace. If AOL is successful with this rollout, then lots of other businesses (banks and stock brokerage houses come to mind) are bound to end up rolling out SecurID tokens as well.
    13. Re:Isn't there a much easier way...? by pod · · Score: 1

      Ok, that's obviously configurable behaviour. I know if I mistype (happened only once by accident in over 2 years) the code, I have to wait for the next one. If I just type in the current one again, authentication will fail. Also, the SecurID code is prefixed with a 5 digit code of your own choosing (like a password).

      Making people wait TWO turns is just retarded; preventing people from re-using the code is at least a pretense to security and makes some sense.

      --
      "Hot lesbian witches! It's fucking genius!"
    14. Re:Isn't there a much easier way...? by petersam · · Score: 1

      I don't know where you get the need to make people wait two turns. I've never seen that. And I don't think that making you wait for the next code after a single failed authentication attempt is a configurable option. Sounds more like a bug that's been fixed by now. Yes, if you fail authentication 3 times (default, configurable), you need to enter 2 authentication codes in a row next time. That too is a security feature.

  6. This has been used internally for years by David_W · · Score: 1, Informative

    Interesting... this particular feature has actually been a part of AOL for several years now. All AOL employees are issued SecureIDs and are required to use them to log in to various places. It seems they've just expanded the feature to non-employees.

    1. Re:This has been used internally for years by LetterJ · · Score: 2, Informative

      A lot of companies use them for their VPN access. Several of the last big companies I've contracted for have required them. Some just use the value from the fob and others require a concatenation of the fob value and a prechosen password.

      Unfortunately, I've found that the fobs tend not to enjoy the abuse that being on my keychain tends to bring. The LCD panels end up pretty scratched by the time I'm done with them.

    2. Re:This has been used internally for years by LnxAddct · · Score: 2, Interesting

      Serious question: What happens when the battery dies? Or more importantly how long does it last? I wouldn't want to have to call some guy every month asking him to reset my password.
      Regards,
      Steve

    3. Re:This has been used internally for years by sparkhead · · Score: 1

      I have one that was given to me 5 years ago. It is still running fine.

    4. Re:This has been used internally for years by earthstar · · Score: 1

      Battery isn't a problem. The password generator's battery lasts for a minimum of 5 years. So you don't have to call up someone every month. When the battery does die after 5 years, you gotta contact.

    5. Re:This has been used internally for years by LetterJ · · Score: 3, Informative

      I haven't had a battery go dead in one yet. Granted, I haven't had the same one for longer than a year, but physically, the display is pretty much what a digital watch would be. There's no backlight, etc., just a string of numbers and a little countdown meter. Internally, it's doing more calculations than a watch does, but we're still talking about a really small electrical draw.

      Incidentally, there's an expiration date on the back of these things (I just thought to check). My current fob has an expiration date in Dec of 2007. I think that's a pretty good duration and it's more likely the thing will get destroyed by being dropped on the pavement, lost, scratched beyond usability, etc. in over 3 years of use on a keychain.

    6. Re:This has been used internally for years by jandrese · · Score: 1

      The battery on those devices is designed to last longer than the internal random number store. After you have the device for 5 years it stops working and you have to replace it.

      As for damaging the RSA key, it's hard to do more than superficial scratches to those things. They are tough, like digital watches. I've never heard of anyone actually breaking the things, and I've seen them used at every place I work. BTW, in my experience it is rare for the password to only be the number on the pad. It's almost always some combination of a number you memorize and the pad's current number, so stealing one is usually worthless.

      --

      I read the internet for the articles.
    7. Re:This has been used internally for years by mikeage · · Score: 1

      As for damaging the RSA key, it's hard to do more than superficial scratches to those things. They are tough, like digital watches. I've never heard of anyone actually breaking the things, and I've seen them used at every place I work.

      Nice to meet you. I've broken two (and not just breaking the flimsy plastic that lets you hook it onto your keychain). One went in the wash, and the other fell on the pavement. From my balcony. 4th floor.

      No, I'm not very popular with the IT department ;)

      --
      -- Is "Sig" copyrighted by www.sig.com?
    8. Re:This has been used internally for years by Aumaden · · Score: 1
      I hate me too stories, but ...

      First, I had the credit card sized token. It survived about a week. I forgot, slipped it in a hip pocket and sat on it. CRACK! No more LCD display.

      Number 2 was a key fob. That lasted about 2 weeks before the loop where it attached to the key chain broke. <Sigh>

      Great fun going into the security office and saying "I did it again"

    9. Re:This has been used internally for years by slycer · · Score: 1

      I went through 4 in 1 year at the last place I worked at. Not through any further abuse than being on my keychain.

      They weren't the full credit card sized fobs, but the smaller fobs that fit on a keychain.

      The place prior to that, I had one of the credit card sized cards (no buttons as I've seen people mention) and it was much more reliable, lasted me at least 4 years.

    10. Re:This has been used internally for years by Piquan · · Score: 1

      Incidentally, there's an expiration date on the back of these things (I just thought to check).

      That's an expiration date? I'm glad you told me that... it's in the middle of my vacation next month!

    11. Re:This has been used internally for years by jandrese · · Score: 1

      I did see the ones that were like a little pocket calculator with buttons that you entered in your pin with to get the key. They looked a little flimsy. The ones that fit (kinda) on your keychain are the ones I was talking about though. When my old one expired, they told me to just toss it in the trash. Well, being the geek that I am I decided to take it apart first before tossing it. The thing is pretty much encased in a solid shell of tough plastic. It's really hard to get down to the chips when you try to take it apart.

      Oh, and the new one came with a nice little leather case that should keep the plastic from getting too scratched up.

      --

      I read the internet for the articles.
  7. noone will get this by Anonymous Coward · · Score: 2, Insightful

    because it costs money.

    "Identity theft only happens to other people"

    1. Re:noone will get this by Anonymous Coward · · Score: 0

      They're already paying a premium for AOL's inferior service. I'd say the opposite, these customers are used to paying more for less and they'll gladly fork over an extra $2 for this feature.

  8. Not a bad idea by Celt · · Score: 5, Insightful

    AOL/TW employees use these so why not offer it to customers, imho if banks gave out these devices for a one-off fee on-line banking would be A LOT safer and there'd be fewer scams.

    Also sometimes those secure ID devices can go out of sync with the server and that's when the fun begins :)
    That's the only problem I've seen with them.

    --
    "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
    1. Re:Not a bad idea by PugMajere · · Score: 3, Informative

      When they go out of sync, either they haven't been used in a *long* time, or the server's clock is drifting badly.

      The server is designed to track slight drifts in time and track/compensate for the cards.

      Even if they are out of sync, the most you have to do is enter two codes instead of just one.

    2. Re:Not a bad idea by cockroach2 · · Score: 1

      Some banks (like mine) actually do that (for free, even). And I doubt I would use online banking without (anything like) it.

    3. Re:Not a bad idea by Meostro · · Score: 1


      AmEx provides SmartCard readers for its Blue line, with a program already embedded in the chip on the card.

      Pretty cool.

    4. Re:Not a bad idea by Jedi+Alec · · Score: 1

      having a real hard time right now trying to think of a bank in Holland that *doesn't* use something like this...nope, can't think of one.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    5. Re:Not a bad idea by the_unknown_soldier · · Score: 0

      Macquarie Bank in Australia runs off this system for its banking, so it has been done, and AOL did not invent it.

    6. Re:Not a bad idea by qray · · Score: 1

      Would be good for general ATM banking as well. At least then if the ATM machine was compromised the information it gained would be useless. Instead of typing in the PIN, put your card in, type in the Secure ID.

    7. Re:Not a bad idea by Celt · · Score: 1

      Nice to know some banks are doing it, but for some reason I can't see AIB (Allied Irish Bank) or Bank Of Ireland doing such things :(

      --
      "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
    8. Re:Not a bad idea by Ryokurin · · Score: 1

      They can also go out of sync if you enter the old number right before it changes to the next number. When it asks for next token key it throws most unknowledgeable people off and they enter everything again instead of just the new token thus not getting anywhere.

      I hope they realize what they are doing from their internal experience. It's going to be that much worse for the public.

    9. Re:Not a bad idea by cockroach2 · · Score: 1

      So what do you have there? Just a username and password?

    10. Re:Not a bad idea by Anonymous Coward · · Score: 0

      The Postbank

    11. Re:Not a bad idea by Anonymous Coward · · Score: 0
      AmEx provides SmartCard readers for its Blue line, with a program already embedded in the chip on the card.
      Which is okay if you're only around computers with smartcard readers.
    12. Re:Not a bad idea by ahrenritter · · Score: 1

      AOL asks for the SecureID number in a separate dialog (or page for SNS) from the username/password so that shouldn't be too much of a problem.

      --

      All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
  9. "Fobs" by Anonymous Coward · · Score: 0

    These are the same devices the internal AOL employee accounts have been using for years.

  10. whoo. by nbvb · · Score: 2, Informative

    SecureID.

    Whoo.

    Been there, done that.

    All it does is make an attack "more" difficult, but nowhere near impossible:

    http://www.tux.org/pub/security/secnet/papers/secureid.pdf

    1. Re:whoo. by maximilln · · Score: 1

      All it does is make an attack "more" difficult, but nowhere near impossible

      It also makes Linux dialup (chatscripts) darn near impossible.

      --
      +++ATHZ 99:5:80
    2. Re:whoo. by k98sven · · Score: 4, Insightful

      All it does is make an attack "more" difficult, but nowhere near impossible

      Yes. Exactly like every other security system ever designed.

      Your point is?

    3. Re:whoo. by lysander · · Score: 2, Insightful
      For the external attack described in the document you mentioned, it assumes that the SecureID token's value is sent in the clear. I don't know about you, but this seems like a pretty big assumption. If one enters the value over SSL or SSH, observing the value over the network is harder, and makes the first attack not feasible.

      That leaves the rest of the document describing attacks between the machines that verify the value, which hopefully are internal and not snoopable from the outside.

      --
      GET YOUR WEAPONS READY! --DR.LIGHT
    4. Re:whoo. by Anonymous Coward · · Score: 0

      The article you link to describes how to attack a SecurID session by trying each of the remaining 10 possibilities as soon as the user has entered all but one of the digits given by the SecurID card.
      The attacker eavesdrops in order to get the n-1 digits, which implies that the digits are sent one by one over an unencrypted connection (think telnet).

      I don't see how this method can be used to attack the SecurID session I establish with my bank, since I type in all 6 digits on my client, then they are sent over to the bank in one bunch, and they are sent over https.

    5. Re:whoo. by bitslinger_42 · · Score: 5, Insightful

      Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:

      1) Targeting users of sdshell and a token card
      2) Denial of service
      3) Require access to the server network

      #1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters their numeric PIN which is mathematically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromise of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.

      The second, the DoS attack, is old, and it's not like AOL hasn't dealt with DoS attacks before.

      The third requires pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?

      If you read the hacker rags closely, you'll find that the keyfob auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while it's technically possible in some circumstances to do an attack on the SecurID process, it's usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)

    6. Re:whoo. by Fedallah · · Score: 3, Informative
      After reading through the paper, I have to say that the attacks contained therein are simply not that impressive. In it, the author describes the following attacks:
      • A race attack that is only valid if the user slowly logs in over an unencrypted non-line-buffered telnet session using the SecureID. I have never seen an implementation of SecureID used like this, and we can be assured AOL's implementation will not be susceptible (as they will undoubtedly be having the token typed into a local window, not transferred over a network character-by-character)
      • An attack on a clustered implementation where the attacker shuts down several lines of communication as part of the attack. This is probably the closest thing to a dangerous attack; however, the author even describes a way that the servers could be programmed so as to avoid this situation. At the time of the article, this had not been implemented in the server, but apparently, the article was written in 1997 (or thereabouts)
      • A software bug in an older version of the software. Shameful, yes, but apparently fixed about 8 years ago.
      • A theoretical attack of which the author claims "It is not known whether all of the semantics are absolutely correct in this example but it is quite probable that some variation of the attack is possible."

      Of course, I'm not claiming that the security of a SecureID implementation is unassailable, or that SecureID is a panacea for security problems. I just don't believe an old article that describes some irrelevant not-quite-attacks is sufficient to cast doubt on the extra security provided by SecureID, and that attacks on SecureID are actually much more difficult than you seem to be claiming.
    7. Re:whoo. by autophile · · Score: 1
      Paper describing attack on SecurID

      It depends on the client software. Our company uses client-side software which has you type in your password, PIN and token first, and then it logs in. So the "try all last numbers before the person can enter it" idea wouldn't work. Effectively this implements the "LINE_BUFFERED" protection described in the paper.

      Key loggers would only get this minute's token, which is already used, so a key logger would have to then physically steal the token to be able to gain access.

      --Rob

      --
      Towards the Singularity.
    8. Re:whoo. by XMyth · · Score: 1

      Could you ever even do those with AOL?

    9. Re:whoo. by grahamsz · · Score: 1

      I've never written a linux chat script but my box does need a secureid password to authenticate to the VPN. I just wrote a little perl wrapper that asks for the code then runs the vpn connect scripts.

      I'm not even sure the exploit listed is valid. IIRC secureid now does use alpha characters and I'm not sure it allows you to be simultaneously logging in twice using the same credentials.

    10. Re:whoo. by maximilln · · Score: 1

      My employer uses SecureID for their dialup. I've managed to get quite good at waiting for the next SecureID token change, quickly modifying the chatscript file, and then initiating the dialup sequence. One of these days I'm going to explore using miniterm to manually atdt my employer, manually enter the login info, and then initiate the pppd from another shell.

      I don't know if AOL ever made a Linux client. I never cared for AOL.

      --
      +++ATHZ 99:5:80
  11. Useless by cly · · Score: 1, Informative

    When common folk's computer is still infested with adware/trojan/god-knows-what

    This just creates an illusion of security.

    1. Re:Useless by Lord+Ender · · Score: 3, Insightful

      "When common folk's computer is still infested with adware/trojan/god-knows-what

      This just creates an illusion of security."

      Wrong. You could have a damn key logger on their computer, it doesn't matter. The SecurID password expires every minute.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Useless by PalmerEldritch42 · · Score: 1
      I don't think you are understanding what is going on here. The SecurID solution is not meant to stop spyware. It is meant to block people from finding/using an AOL account. Even if you have some sort of spyware on the computer that logs keystrokes and sends passwords home, then the hacker will get a password that no longer works (since SecurID passcodes can only be used once and change every 60 seconds anyway). Therefore, this is a proactive security step, not illusion. Of course any security step can be worked around given time and talent, but this is a vast improvement over the old system where someone types in their AOL password once and checks the little box to remember the password so they never need to enter it again.

      Bear in mind, I still think AOL sucks, and I would never use it for various reasons, but I have been using a SecurID system for work for about 6 years and it seems very good. There are several client programs for it that also include encryption so even sniffers on the network can't find out the username or password that is used.

      --
      Ceci n'est pas une sig.

      :wq!

    3. Re:Useless by Nf1nk · · Score: 1

      Except that if given a large enough set of data the formula to create that data can be reverse engineered, and emulated. Also, how many unique devices can there be? Cost cutting would likely lead to only having a limited number, then it just comes down to synching your program with a seed password. Yes, it makes things more complicated, but it only needs to get broken once and we have a thousand clones in minutes.

      --
      I used to have a cool sig, back when I cared
  12. Sorry this needs to be said, but... by Anonymous Coward · · Score: 2, Funny

    like most technologies, this one will never be embraced unless the pr0n industry stands behind it. They've been early adopters on almost everything else that's been successful.

  13. I had one of these before by forgotten_my_nick · · Score: 1

    For a company I worked for. It worked great, but they ended up scrapping it. Not sure why. I still have it sitting in a drawer years later still spewing numbers.

    I suppose if someone was out to get you then they could steal the ID code generator.

    1. Re:I had one of these before by caluml · · Score: 1

      Interesting - wonder if it's the same company as me?

  14. This will make the problem disappear. by AhabTheArab · · Score: 4, Funny

    Great, now phishers will have to ask AOL users for their password twice, and they will gladly comply.

    1. Re:This will make the problem disappear. by Baumann · · Score: 1

      Not quite true for the secureID - it is a time-locked device. Unless of course the phisher uses the password within 60 seconds of getting it. Not bloody likely.

    2. Re:This will make the problem disappear. by JohnHegarty · · Score: 5, Informative

      two points...

      1) it only lasts 60 seconds
      2) if used, it can't be used again until the minute is up
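      The two points above, together with PugMajere's note earlier in the thread that the server tracks slight clock drift and falls back to asking for the next token when a fob is far out of sync, describe what the verifying side has to do. The following is an added example written for this page, not AOL's or RSA's code: RSA's tokencode algorithm is proprietary, so the fob is stood in for by an assumed HMAC-SHA1 construction, and the seed, PIN, user name and the window sizes are constructed values. What it shows is the server-side behaviour the posts describe: the whole passcode (PIN plus tokencode) is checked at once rather than digit by digit, a code is accepted only within a small drift window, an already-accepted code is rejected until the next step, and a fob whose drift is beyond the silent window is challenged for its next token and re-synchronised.

```python
import hashlib
import hmac
import struct

STEP = 60            # seconds per tokencode, as stated in the thread
DIGITS = 6           # digits shown on the fob (constructed choice)
WINDOW = 1           # steps of drift accepted silently, +/- (constructed)
RESYNC_WINDOW = 10   # drift beyond WINDOW but within this: ask for next token


def tokencode(seed: bytes, counter: int) -> str:
    """Code the fob would show for time-step `counter`.
    Assumed HMAC-SHA1 construction standing in for RSA's proprietary algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"


class TokenRecord:
    """Per-user state the server keeps for one fob."""
    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin            # static part the user memorises
        self.drift = 0            # fob counter minus server counter, learned
        self.last_used = -1       # highest counter already accepted (single use)
        self.pending = None       # (fob counter, server counter) awaiting next token


class Verifier:
    def __init__(self):
        self.records = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.records[user] = TokenRecord(seed, pin)

    def verify(self, user: str, passcode: str, now: int) -> str:
        """Check a complete passcode (PIN followed by tokencode) submitted as one unit.
        Returns ACCEPT, REPLAY, NEXT_TOKEN or DENY."""
        rec = self.records.get(user)
        if rec is None:
            return "DENY"
        pin, code = passcode[:len(rec.pin)], passcode[len(rec.pin):]
        # Constant-time compares so a wrong PIN and a wrong code look alike.
        if not hmac.compare_digest(pin, rec.pin) or len(code) != DIGITS:
            return "DENY"
        base = now // STEP

        # A "next token" challenge is outstanding: the second code must be the
        # one immediately after the first, which proves the user holds the fob
        # and lets the server learn the fob's true drift.
        if rec.pending is not None:
            fob_counter, base_then = rec.pending
            rec.pending = None
            if hmac.compare_digest(code, tokencode(rec.seed, fob_counter + 1)):
                rec.drift = fob_counter - base_then
                rec.last_used = fob_counter + 1
                return "ACCEPT"
            return "DENY"

        expected = base + rec.drift
        # Small drift is absorbed silently ...
        for off in range(-WINDOW, WINDOW + 1):
            if hmac.compare_digest(code, tokencode(rec.seed, expected + off)):
                if expected + off <= rec.last_used:
                    return "REPLAY"     # point 2: a used code stays dead
                rec.last_used = expected + off
                return "ACCEPT"
        # ... larger drift gets a resync challenge instead of a silent accept.
        for off in range(-RESYNC_WINDOW, RESYNC_WINDOW + 1):
            if abs(off) > WINDOW and hmac.compare_digest(
                    code, tokencode(rec.seed, expected + off)):
                rec.pending = (expected + off, base)
                return "NEXT_TOKEN"
        return "DENY"


if __name__ == "__main__":
    seed = b"constructed-demo-seed"          # constructed, never a real seed
    v = Verifier()
    v.enroll("alice", seed, "1234")
    now = 1_700_000_000                      # constructed clock value
    code = tokencode(seed, now // STEP)
    print(v.verify("alice", "1234" + code, now))        # ACCEPT
    print(v.verify("alice", "1234" + code, now + 10))   # REPLAY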

    3. Re:This will make the problem disappear. by David+Rolfe · · Score: 1

      You're right ... and in addition to that, if you are online when an intruder access your account it says this:

      "You have been disconnected due to -your screenname- signing on from another location. If this not authorized call now at 1-888-265-Whatever"

      At which point the user is aware of a problem, contacts us (CAT or PWA) and can not only have the intruder bumped and the account secured, but also we can send the session trace information to fraud or up the CAT chain.

      In real life the damage is mitigated to whatever the intruder can accomplish in the time interval between logging in and the member reaching CAT. Additionally, not much can be accomplished (even online, in kw: billing etc) without also knowing the account's security question. Also, personally identifiable information is not available online at kw:billing. So normally what we'd see is a spam run, or another phish run, or some 'domestic abuse' (IM impersonation, reading ex-wife's email, etc).

      SecurID ups the social engineering ante, increases the urgency of attempts vs. compromises, and mitigates the damage to one session.

      No system is perfect of course, and that's why we try to educate on every call to CAT. Weakest link is you and all. :)

      --
      Read Heinlein's 1953 Revolt in 2100, now more than ever.
    4. Re:This will make the problem disappear. by Old+Wolf · · Score: 1

      1) it only lasts 60 seconds
      2) if used, it can't be used again until the minute is up


      Let me guess, this was designed by a male..

  15. Good deal by Realistic_Dragon · · Score: 1

    AOL rip your card off by another $60 every year - saves small business the time and trouble of going out and finding a genuine internet criminal to perform that vital service.

    No wonder they are America's number 1!

    --
    Beep beep.
  16. AOL...cutting edge security. by Captain+BooBoo · · Score: 2, Insightful

    This is going to be a complete waste of time IMHO. The AOL user base is such that a typical AOL user has a password like "password" or "MikeJohnson". How do they expect users to be able to handle a second password that is strong? "I forgot my password, can you help?" "Yes, just read the display on your password generator." "OK, what does "dgR23Ls12S" have to do with me? My name is Mike Johnson."

    1. Re:AOL...cutting edge security. by Anonymous Coward · · Score: 0

      This is going to be a complete waste of time IMHO. The AOL user base is such that a typical AOL user has a password like "password" or "MikeJohnson". How do they expect users to be able to handle a second password that is strong?

      Uhmmm... You've never used SecureID, have you?

      The basics is that since you have two passwords, your static password doesn't have to be strong - a 4-number PIN is enough.

      The SecureID then spews out 6-8 numbers that you add to your PIN.

      Since you constantly change one of the passwords, brute-force attacks become really hard to execute.

      The user need only remember a 4-number PIN and bring his keychain (to which he has attached his SecureID).

    2. Re:AOL...cutting edge security. by BrianRoach · · Score: 2, Interesting

      I worked for AOL for 8 years ... secureID is easy, and keeps the clueless billing reps (now in india I believe) from giving away your account to social engineering "phishers".

      The display on the SecureID is just numbers, synced to the auth server. The average user should have no problem entering 8 numbers when prompted.

      - Roach
      http://www.speedwerks.com

    3. Re:AOL...cutting edge security. by gfxguy · · Score: 1

      First, it's only numbers. Second, it's two parts - one is your password that you've set up ahead of time (like usual), the second is the "random" number on the securID. I work with a lot of idiots and they all seem to manage.

      --
      Stupid sexy Flanders.
  17. good PR by Anonymous Coward · · Score: 0

    I am glad that someone like AOL has taken it up to push this out and make it in broad use. Even if most AOL users simply ignore it, this could give it the publicity it needs to make it more known so other companies who need it can use it.

  18. Good Idea by AndrewStephens · · Score: 1

    This is a good idea, 2 factor authentication (something you know - password, something you have - RSA gadget) should be mandatory for serious transactions. I have seen these things before, they are simple, small, rugged and do not need to be interfaced with the computer so that they can be used anywhere without special hardware.
    Even if you have sniffed, bribed, or tortured your way into knowing the password, you will not be able to log on unless you also have the gadget - its a good solution.

    --
    sheep.horse - does not contain information on sheep or horses.
    1. Re:Good Idea by trout_fish · · Score: 1

      although if you bribed or tortured your way into knowing the password you could probably bribe or torture your way to obtain the code generator!

  19. Re:Security Functionality by ptr2004 · · Score: 3, Funny

    For the tin foil hat wearing folk you can get a three password login for one low fee of 5.95

  20. This isn't new by tyrani · · Score: 1

    The RSA keys have been available for a long time. They're great.

    I'm impressed that AOL is using them. It shows that they're at least a little concerned with security.

    I really hope that this is a starting point for web hosting providers to start using these.

    --
    rejected (19) accepted (0)
    Is there a psychological term related to getting your stories rejected on slashdot?
    1. Re:This isn't new by surprise_audit · · Score: 1

      Do you have to enter a PIN on the token to get it to work?? I have an Axent Defender token which, if you get the PIN wrong 3 times in a row, locks you out. It has to be sent back to the company Security folks to be unlocked... Hours of fun for AOLers and their kids... :)

    2. Re:This isn't new by Phil+Wherry · · Score: 1

      SecurID cards generally don't require a PIN be entered into the card. There is a variation of the SecurID which does use a PIN entered on the card, but it's rarely used and all of the validation is done server-side. The PIN algorithm it uses is really simple, too; it permutes the displayed number in a way that can be calculated mentally in less time than it takes to enter the PIN using the buttons on the card. Surprisingly, this doesn't have an effect on the overall security of the system; the real strength is in the pseudo-random sequence generated by the card itself.

  21. Time Drift by JumboMessiah · · Score: 2, Interesting

    IIRC, The RSA devices that I've used in the past rely on accurate time synchronization with the server. While it was easy for me to have it reset, I wonder how they plan to handle this on a large scale? It would require the end user to physically send the device back to AOL.

    I suppose eventually they may integrate GPS timing with them, making it a thing of the past, but who wants your fob tracking you...

  22. Re:AOL Security at work again... by Anonymous Coward · · Score: 3, Informative

    RTFA you nincompoop... one of the passwords changes every minute, and it's generated automatically. So phishing attempts would not be all that successful.

  23. Seen it used.. by the_dubstyler · · Score: 3, Interesting

    My bank uses one of these for online banking, as a protection against keystroke recorders. I suppose I'm just too lazy to actually get hold of one and try it. I figure they're not a bad idea, given that the majority of people trying to hack your accounts are amateurs who would be put off by it.

    --

    Other than that, Mrs Lincoln, how did you enjoy the play?

    1. Re:Seen it used.. by boiscout · · Score: 1

      What bank is that? I'm surprised larger banks like Wells Fargo, Chase or Principal don't offer such things.

      --
      "Shut up about my driving. You're still alive."
    2. Re:Seen it used.. by the_dubstyler · · Score: 1
      First National Bank/Ebucks in South Africa.

      So much for living in the third world..

      --

      Other than that, Mrs Lincoln, how did you enjoy the play?

  24. It's a good thing... by Jeconais · · Score: 1, Funny
    second password comes from a small small device from RSA Securitywhich

    ... they didn't use a large small device, or a large large device, where would we be then?

    1. Re:It's a good thing... by StevenHenderson · · Score: 1

      ...and also, is a Securitywhich like a secure sandwich? :)

  25. Should slashdot get this by ncsg3 · · Score: 1, Funny

    This could be the next step in security. It may stop outrages like this from happening!

  26. Hmm by Bigthecat · · Score: 3, Interesting
    As I'm sure many people here have noticed these before, they've probably also noticed how often they go missing. For instance, the employees of a large company right here in Australia are all given these, along with their laptops and logins.

    These people aren't techheads, and most of them write their passwords down on pieces of paper, conveniently attached to their laptops, which is then conveniently placed in their work briefcase, along with the password updater.

    Suffice to say, dozens of these briefcases get stolen, in the same bar frequented by employees of this company every six months (One might ask why they still take their gear there). The thief gets an expensive company fleet laptop, a company password list, and a company satellite password updater, all packed in the same convenient suitcase with a carry handle ready to go missing.

    Ultimately, no matter how many security measures you put in place for a company or organisation, you're going to encounter people who write down their passwords, people who fall for emails from tech support who need to 'verify' their accounts and ultimately people who will have their information stolen and not report it for days, which is plenty of time for the thief, and a less-than-ideal amount of time for people like you and me to have enabled compromised accounts running on the system.

    1. Re:Hmm by Total_Wimp · · Score: 1

      Question: You have bank. The bank has a vault. The vault has a combination. The bank manager writes the combination down on a slip of paper and tapes it to the vault door. Do you still keep him employed?

      If your company gave the same answer you just gave to all these "techheads" getting their laptops stolen (with keyfob and password no less) your problems would cease within the first three terminations. I guarantee it.

      Any company foolish enough to entrust their keys to foolish people deserves what it gets. Any company foolish enough to do it twice.... well, that's something no security system will be able to fix.

      TW

    2. Re:Hmm by cheezit · · Score: 1

      You realize of course that here on earth, where security people are not dictators, the scorched earth approach only leads to a beatdown and loss of credibility...

      Human nature being what it is, your last statement is exactly right: "that's something no security system will be able to fix"---I'd challenge you to show me a security problem that DOESN'T have a human element.

      --
      Premature optimization is the root of all evil
    3. Re:Hmm by Total_Wimp · · Score: 1

      People get reprimanded, punished and fired all the time for misuse of physical keys. Everyone intuitively knows that they can't leave the physical keys to the physical building on a cardboard box on the sidewalk without suffering serious consequences. So how come it's called a "scorched earth approach" when the same thing is suggested for an RSA key fob?

      Basic logical security policy must be able to be enforced to at least the same level as basic physical security if we want to have a fighting chance of keeping intruders out of our systems.

      TW

  27. Big Deal :) by purduephotog · · Score: 2, Insightful

    Had this ability for corporate accounts for some time. And the problems have never been addressed, some of which:

    1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)
    2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters. ...

    So yeah, I'm thinking it's a great step. But not for AOL.

    1. Re:Big Deal :) by gfxguy · · Score: 2, Insightful

      1. The way it gets used is not for establishing an internet connection, but authenticating the user (broadband users, for example, still need to use one). So you establish your connection, then a password prompt pops up then you type in your password. No automation = more secure.

      2. You have an established password PLUS the securID password... even if someone you know steals it from you, and they know your login and have your securID, they cannot log into your account unless they ALSO know your private password, which can't be easy like "mike" or "john", because it's all numbers. Now, sometimes people use stupid numbers (birthdays and so forth), but you are still talking about having two "keys" in order to log into an account.

      --
      Stupid sexy Flanders.
    2. Re:Big Deal :) by bitslinger_42 · · Score: 1

      What he said, plus the fact that users tend to notice the missing laptop bag and/or the missing keychain with their car/house key on it and report it. In particular, if every laptop gets issued with a SecurID, then every laptop that's reported missing has the corresponding keyfob flagged as stolen and a new one's issued to the user.

      A company I work with has thousands of these things out. Very few problems of users locking themselves out, almost no fobs lost/stolen. When the fobs do go missing, we know immediately rather than having to notice the same user being logged in through multiple places in order to figure out the password's compromised. Heck, even the CEO uses one. If non-techie executives can do it, I'm pretty sure AOL business users who are deliberately paying more per month to have it will be able to figure it out.

    3. Re:Big Deal :) by lachlan76 · · Score: 1

      2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters.

      IIRC, I think they have a credit-card sized version, and it is possible to have it integrated into a phone/PDA.

  28. Serious business people use AOL? by siliconjunkie · · Score: 3, Insightful

    This is a great feature to have from an ISP, and the technology is sound (we used similar "Crypto Keyfobs" when I worked at PacBell for logging into the system remotely when in the field)...but I must admit I am surprised that it's AOL offering this kind of a thing.

    I used AOL years ago, and have used it from time to time recently on other people's computers, and there is nothing in the "AOL package" that I have seen that says "power user" to me.

    So I guess what I am wondering is...is this something that AOL users are actually clamoring for....or has AOL finally sucked up all the "n00b" market that there is and is trying to offer services that would appeal to more of the "slashdot crowd"?

    1. Re:Serious business people use AOL? by Freefall90 · · Score: 0

      I don't think they're trying to appeal to the "slashdot crowd" with this. AOL has gotta know by now that they're simply not going to reach the majority of this group.

      Rather, I think this is aimed at the part of the population that doesn't know the first thing about encryption, firewalls, etc. and shops online till their credit cards are maxed out.

      As for serious business people using AOL, I don't think so. Why would they? No benefits that I can see.

    2. Re:Serious business people use AOL? by lakin · · Score: 1

      I suspect this is something AOL users would be interested in. I mean, the "slashdot crowd" are not the ones handing out passwords for chocolate, it's the AOL users. And seeing as most websites offer options to send your password (or a new one) to your email, this could be quite useful at protecting them.

      Only problem I really see is most users (that I know) use the same password on all their sites, so the RSA gadget would protect the aol account, but not for example paypal. It's still a step in the right direction though, and like SPF is something that could really be helped along by AOL saying they use it. But will users really want to have to carry a bunch of RSA units with them?

      --
      Paul
  29. Social engineering by maximilln · · Score: 2, Interesting

    How long until the AOL service department implements a policy for allowing users into their accounts when they've lost the SecureID, or their spouse accidentally took it with them, or they're on a business trip and left it at home? I see this being a perfect route for social engineering of unauthorized access.

    --
    +++ATHZ 99:5:80
    1. Re:Social engineering by PalmerEldritch42 · · Score: 1
      The SecurID system allows for a temporary password to be set in the event of a lost or stolen token. While it is certainly possible for someone to call up tech support and say they lost the token, so please give me a temp password, it is trivially easy to beat that sort of claim. For instance, at my company which uses SecurID (Not AOL), we will hang up the phone and call back the phone number listed in the SecurID system for the user. So, unless the hacker here broke into the person's home, they won't be able to find out the new password. In the event that the user says that they are in a hotel or somewhere else, we have security questions to ask them. These security questions are not standard "what is your mother's maiden name", either- they are individually selected by the user when he/she first sets up his/her account.

      While I wouldn't put it past AOL to skip the security steps, the technology certainly allows for pretty good security if used correctly. It is certainly better than the current AOL situation.

      --
      Ceci n'est pas une sig.

      :wq!

  30. Think about the average AOL user by Baumann · · Score: 1, Redundant

    They're hard pressed to remember their own password, and whine about having to enter that. Now they want them to carry a secureID card, and enter 2 passwords? Can you say marketing fiasco?
    secureID works when you can FORCE employees to use it, but having people PAY for it Nah....

  31. You can't copy a physical token by morzel · · Score: 5, Insightful
    If I get into your PC, I can copy your certificate without you ever knowing it until it's too late.
    I obviously can't steal your RSA token without you finding out pretty soon.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
    1. Re:You can't copy a physical token by pulazzo · · Score: 1

      Most browsers store client certificates in a password protected store and require the store password to export the certificate.

      Not to suggest that this is completely hacker proof, but the notion that you can simply go to someone's computer and copy their certificates is a little simplistic.

    2. Re:You can't copy a physical token by _Sprocket_ · · Score: 1


      Most browsers store client certificates in a password protected store and require the store password to export the certificate.


      Right. A certificate store protected by a password. Passwords being the very thing that's causing enough trouble to warrant two-factor authentication.
    3. Re:You can't copy a physical token by devilspgd · · Score: 1

      I'm sure they do.

      You just copy the whole thing and brute force or socially engineer the protected store's password at your leisure.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  32. This Doesn't Help! by Anonymous Coward · · Score: 0
    All this device will do is make it harder for the human user to sign on. Once authenticated, the infected computer (often infected through AOL's own service) starts spamming or running transactions automatically for the unsuspecting user.


    Get a clue, dump Microsoft while you still have money in your account. If you don't, Microsoft will charge it out of you on the next upgrade or hackers will just take it straight out of your account.

  33. of course it doesn't mean this by RMH101 · · Score: 1

    yes, they drift. not much, but a bit: this is why the system accepts a few numbers in the sequence. should it drift *too much* then you just need to phone their access control guys and get it put in "new pin mode" remotely. this happens all over the world, all the time. gps timing and tracking? lay off the crack.

    1. Re:of course it doesn't mean this by jrockway · · Score: 1

      Lay off the crack? I think GPS timing is a good idea. It's a wireless time signal that's easy to receive... what again is bad about that?

      (And just because you receive a GPS signal doesn't mean that you're being tracked. You would have to receive a few GPS signals, do some calculations, and then transmit that data to be tracked. If you just get one GPS signal, then all you have is the time.)

      --
      My other car is first.
  34. Well... by ImaLamer · · Score: 3, Funny

    What happens if I lose my SecurID?

    Seriously. If I set my password to "password" and someone picks this up then I'm screwed, right?

    1. Re:Well... by WesG · · Score: 2, Funny

      Hmmm...Screwed? Nah..I would call this natural selection.

      Seriously - its no different than writing your "simple passwords" on a piece of paper somewhere and someone finding the list. For bonus points, what was the password used in Wargames :-)

      Kudos to AOL for at least providing this option to the general public.

    2. Re:Well... by Anonymous Coward · · Score: 0

      Only if they find it and use it before you discover you've lost it. Your securid is tied specifically to your account, if you lose it you just get it removed from your account and nobody can use it anymore.

    3. Re:Well... by geekguy · · Score: 1

      I get to support these at work, if they lose the device they will have to call in, AOL can set the password to a temporary code or possibly just turn off looking for it. Then they can send them a new one and probably charge them extra for it.

      --
      -- Any comments seen here are not mine, but a mixture of alcohol and lack of sleep.
    4. Re:Well... by Billy69 · · Score: 1

      If you happen to set your password to 'password', lose your RSA key, and also happen to have lost your username, and something which allows the finder/thief to know that the SecurID is indeed for your AOL login.

      I have seen these devices *many* times before, and they are small, nondescript keyfobs.

      The worst thing, IMHO, would be if AOL decided to put an AOL logo on them, as this would indicate what it is a password for.

      Of course, they probably will, because anybody dumb enough to use AOL will need a bit of help ensuring they type in the SecurID number instead of the serial number off their front door key.

      --
      #include "disclaimer.h"
    5. Re:Well... by Moonlapse · · Score: 1

      not really... Unless they also had your screenname written on it under the title AOL SCREENNAME. I have one of these things for work... there's no way someone would know where to login and what id to use just by picking this off the street.

      --
      - I got my free iPod and a free Nintendo DS....why not
    6. Re:Well... by cjpez · · Score: 1
      What happens if I lose my SecurID?
      A company I worked for used to use these things as part of the login process to get into the VPN, and the password you supplied based off of the FOB included a part chosen by you that was static and *not* displayed on the FOB. So the whole password always begins with "xyz" (whatever you decide, or, I believe, whatever was given to you), and ending with the 60-second numeric key.

      Regardless, even if they don't do something like that, getting someone's password is now a matter of finding out their first password and then physically stealing a FOB. That's much more work than just finding out a password.

    7. Re:Well... by autophile · · Score: 1
      What happens if I lose my SecurID?

      We use SecurID tokens at work. The passcode you have to enter consists of a four-digit PIN, plus the six digits displayed in the token's window. So even if your token is stolen, whoever found it would have to know your PIN. And unless you're dumb enough (whoops, this is AOL) to tape your PIN to your token, the h4x0rz have 10,000 PINs to go through... and the system locks you out if you fail three times.

      --Rob

      --
      Towards the Singularity.
    8. Re:Well... by richie2000 · · Score: 1
      For bonus points, what was the password used in Wargames

      Which one, "pencil" or "joshua"? Or maybe you're referring to the launch codes? :-)

      --
      Money for nothing, pix for free
    9. Re:Well... by WesG · · Score: 1

      pencil

      Great job!

    10. Re:Well... by nologin · · Score: 1
      Well, the two-factor authentication scheme works on the basis of something you know + something you have (password + token).

      If you lose the token, you should report that you've lost it, so the administrators can disable that token from the authentication server. At that point, they can choose to reissue a new one, or reactivate the original one should you find it again.

    11. Re:Well... by richie2000 · · Score: 1

      Bah, that was easy. I still have the original movie poster up in my old room back home. :-)

      --
      Money for nothing, pix for free
    12. Re:Well... by TheOtherChimeraTwin · · Score: 1
      The worst thing, IMHO, would be if AOL decided to put an AOL logo on them, as this would indicate what it is a password for.

      Funny that you should suggest that! Check out the picture of the fob at the RSA site

  35. I Used AOL securID by Apple+Acolyte · · Score: 5, Informative
    In addition to being used internally by AOL, securID was offered to some regular users who were targeted by hackers. Like an organization I work for. The securID token is smaller than the average pager, having no buttons, only a display with a string of numbers that would alternate every 30 seconds or so. The biggest shortcoming of the system is that the battery did eventually die, and there was no easy way to replace it. That meant the account in question had to be unbound from the token. And it took a long time to find a rep that could actually handle that request. (Not that that was too big of a deal, since my organization only kept its AOL account alive for legacy purposes.) In terms of use, however, the token was not obtrusive at all. No additional client software was required. Upon sign on, a securID window was presented prompting the user for the key. Otherwise, it was transparent.

    The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?

    --
    Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    1. Re:I Used AOL securID by alistair · · Score: 1

      The battery does die, but normally after the lifetime of the token.

      Every secureID token had a lifetime of three years, in the old security dynamics days these were printed on the back of the token, I'm not sure this is the case now they are RSA tokens.

      Either way, each number is displayed once and once only. The limit on available numbers is reached before the battery dies, after which the token flashes pointlessly for a couple of extra years.

      There are no user replaceable parts. You buy the token, we buy them in bulk at my work for $XXX (NDA I'm afraid) and they last for about three years. You also have to buy an ACE server licence for $XXX. It's an expensive business but RSA are an excellent company to work with and the ACE servers and Secure ID cards work with a huge number of services, for example I can log into my corporate network from my home Mac and Linux machines using the excellent Netlock VPN solutions and Secure ID, a choice I don't have at work.

    2. Re:I Used AOL securID by David+Rolfe · · Score: 1

      The lifetime of the token is printed on the back. I can confirm this for the RSA fobs we used internally and sent to members (subscribers).

      Not to be pedantic, but if one had checked the date, one could have had one's replacement before the token's battery had died.

      I didn't reply to the GP because as an ex-employee I didn't want to affect his "member experience" by telling him about the date etched in the back.

      --
      Read Heinlein's 1953 Revolt in 2100, now more than ever.
    3. Re:I Used AOL securID by Anonymous Coward · · Score: 0

      Ace Server can go between $5k and $20k + additional cash for user 'buckets'
      SecurID tokens are between $50-$80 in bulk, depending on what lifetime you buy... 3years to 5years.

      What NDA restricts you from quoting prices on commodity hardware/software?

    4. Re:I Used AOL securID by David+Rolfe · · Score: 1

      The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?

      AOL does not have 'renowned terrible security'. What they do have is legions of 'normal users' that are not trained in best security practices. The majority of the 35 million (larger than everyone in your city) users only ever know about account safety if they read and understand the information we provide them at signup, or they read and understand the information we send to them AGAIN after a comped account.

      Additionally, if you had an organizational or overhead account that was continually 'getting hacked', what you mean to say is you had an account used by more than one person, one of which was leaking the password, by getting phished, scammed, or otherwise. The service locks accounts when brute-force attempts are detected, and internal changes to passwords are monitored -- especially if the account has been comped before; making 'traditional' (aka like in the movies) hacking improbable at the least, however this encourages social engineering. We would see this all the time on organizational/business accounts: Boss calls up 'cause account(s) has gotten locked. We argue with him for 30 minutes because he says no one uses the account but him, and can't account for the sessions prior to the lock, eventually he asks an underling or a secretary that reads his mail for him, and she says 'yeah, I got an email that said you had purchased a DVD player from AOL, so I went to the site and canceled the order'. Of course the site was a scam, the letter that claimed to be from AOL was not 'official mail' (an authentication system AOL uses to let users know when something is legitimately from us) and finally, the site asked for login information, something that AOL will never do once you've signed in. So we'd talk to the secretary for a couple minutes about best practices, send email to all involved about online safety, reset all the passwords, unlock the account and send them on their way. I don't mean to insinuate this is your case. (As you can see, these are organizations small enough that they don't have IT departments to implement and train on security practices.)

      The point I'm trying to make is that in a sample size that huge you are going to have people that don't heed the warning that appears on every letter and IM "AOL will never ask you for your password or personal information". In addition, the majority of comps come from downloading 'cute forward-ware' or from cloned sites (tiny urls, or faked urls leading to copy and paste replicas of yahoo, 1800-flowers, match.com, etc).

      (sorry again for the long winded reply)

      --
      Read Heinlein's 1953 Revolt in 2100, now more than ever.
    5. Re:I Used AOL securID by Apple+Acolyte · · Score: 1
      I value your informative reply, David, but many of your assumptions do not apply to my case. The account we had was only trusted to two people, myself and a person I trust with my life. We are a Mac-only group. We observed all the safe Internet practices, and I changed the password on the account frequently. But due to the high profile nature of the account, it was targeted. One hacking attempt was successful. Not too long thereafter we learned AOL had disabled our account and escalated the matter to a special security team. We never heard the details about the attempted hack, except for the fact that AOL heard about it before it happened.

      Beyond that, an acquaintance from years back mentioned that AOL used (uses?) terrifically weak encryption (16 bit?) to secure its password file, and that standard accounts are therefore susceptible to simple, brute force cracks. I was so disgusted by these claims that from that point on I encouraged people to get off AOL. I have no idea if it was true, or if any of that applies to today, but it seemed plausible given my experience. In any case, I know opening up securID is a great step for those dependent upon AOL, but I have little love for the company or its services.

      --
      Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    6. Re:I Used AOL securID by hughk · · Score: 1

      The way Secur-ID is managed normally is to expire tokens before the battery dies. That used to be about a couple of years. The user gets the token in plenty of time and then kills the old token and activates the new from within a session.

      --
      See my journal, I write things there
    7. Re:I Used AOL securID by David+Rolfe · · Score: 1

      Well sure. Again I didn't mean to sound fliamish, just as an employee for nearly seven years I have pretty much seen and heard it all. In your case it sounds like NOC or Fraud detected the compromise of your account (depending on the situation). The odds though that an account would not only get cracked, go undetected, and then get posted about, and replied to are astronomical :)

      Your friend may have been correct back when we were all using 386s (or Quadras as the case may be), but those days are long since passed. At least AOL was encrypting passwords in a time when plain text transmission was prolific on public networks. There was a time when you could download /etc/passwd from public ftps (after you logged in with a clear text password) and run satan against them... but those times are also long since passed, it doesn't mean I hate ibiblio (formerly sunsite) or Netcom, right?

      So again, nothing personal and w00t macs rule.

      --
      Read Heinlein's 1953 Revolt in 2100, now more than ever.
  36. Businesses use AOL?? by bcarl314 · · Score: 2, Insightful

    It's aimed at small business and people who conduct large transactions online

    Just a comment (read opinion), but unless you have no other options, why would you, as a small business owner, use AOL to "conduct large transactions" online.

    Mod me troll if you like, but I don't consider AOL to be a very "business friendly" organization.

    1. Re:Businesses use AOL?? by bitslinger_42 · · Score: 1

      Due to the ubiquity of AOL and its pretty good stability, I've heard of financial businesses selecting AOL as a backup for the backup (i.e. redundant WAN connections, both backhoed and down for days, so a user dials AOL to transfer daily info the XYZ partner). From what I've seen, this is pretty common for the big players (AOL, MSN, Earthlink, etc.)

  37. Lip service toward true security... by Vexler · · Score: 1

    ...also includes implementing ideas like the two-factor authentication for users who re-use their passwords, or write them on stickies, or lose their smartcards once every two weeks, or are simply computer-illiterate, etc.

    What does AOL hope to accomplish through using the smartcard? A better investment in security would be to stem the flood of spams currently coming out of their slice of TLD. This measure is like a new bandaid for the old bandaid that's falling apart, and the wound is fourteen inches long and gushing blood.

  38. Funny Video by alatesystems · · Score: 1
  39. Password Bonanza by Icarus1919 · · Score: 1

    Many places are beginning to realise the value of passwords in protecting data, though one would have thought it would have been just as obvious in the past.

    My college, the University of Florida, recently instituted a new rule that our school password had to be 12 or more characters long and have two of these three things: Capital letters, Numbers, and non-letter Characters.

    Additionally, the passwords were checked against a dictionary and couldn't be a word in the dictionary. I thought this was all a bit much at the time, but as I said, I understand the need for security.

    1. Re:Password Bonanza by Paulrothrock · · Score: 1

      They need one of These

      --
      I'm in the hole of the broadband donut.
  40. heh by H8X55 · · Score: 2, Insightful

    And yet AOL still recommends to its home users that they store their passwords in a less than secure format on their local PCs.

  41. Re:people who conduct large transactions online by Anonymous Coward · · Score: 0

    Sure! You don't want anyone to intercept that large money transfer to Nigeria, do you?

    I for one, welcome this. The more security they think they have, the more likely they are to trust you.

    -- Prince Michael Okoya

  42. Re:Good deal - basic math? by Meostro · · Score: 2, Informative
    How exactly does $9.95 plus $1.95 per month get to be $60/yr?

    1.95 * 12 = 23.4
    23.4 + 9.95 = 33.35
    33.35 != 60
  43. New Phishing method! by CodePyro · · Score: 1

    In light of the recent additions to AOL Security... Phishers have had to update their methods... it's been reported that they IM using the following line...

    "Hi, I'm an AOL Service Representative. Due to a high security threat, AOL has randomly changed your password to "Att25hj4" If you would NOT like to have your password changed please disable the second password feature by calling our toll free number(1-800-GOT-RIPP) and reply back with your existing password. Thank you and have a nice day!"

  44. Re:Time Drift - sliding window by morzel · · Score: 5, Informative
    IIRC RSA uses a sliding window to correct for time drift.

    In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/before schedule and generates a number x entries before/after the expected entry.
    If this is the case, the server looks up if number x is in the vicinity (e.g.: within 5 minutes) of the expected number. If that's the case, the server assumes that the clock has drifted and marks the amount of time that the fob has drifted for next authentications.
    If x is outside that range, but inside a much broader range (e.g.: one hour), it will request the number that the fob generates next, and checks if that number matches the one that should come after x. Then it marks the drift amount and allows access.

    The server automatically compensates for inaccurate clocks in the fobs, as long as you use it regularly. Only if you haven't used your fob for quite some time, and it has a really lousy clock, do they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
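The drift handling morzel describes above, together with the PIN-plus-tokencode passcode and three-strikes lockout autophile describes in the "Well..." thread, are easy to get subtly wrong server-side, so here is a runnable model of both. This is an added example, not code from the original page, from AOL or from RSA: SecurID's code-generation algorithm is proprietary, so the tokencode below is an HMAC-SHA1 stand-in (HOTP-style truncation), and the window sizes, step length and lockout threshold are assumptions taken from the figures quoted in the thread.

```python
"""Toy model of a time-synchronous token scheme with a PIN, a drift window,
a next-code resync step and a three-strikes lockout.

Added illustration only: RSA SecurID's real algorithm is proprietary; the
tokencode here is an HMAC-based stand-in so the server-side logic can be run.
"""
import hashlib
import hmac
import struct

STEP = 60           # seconds per tokencode (a new code each minute)
DIGITS = 6          # six-digit display; the PIN is whatever the user chose
NEAR_WINDOW = 5     # drift (in steps) accepted silently: "within 5 minutes"
FAR_WINDOW = 60     # drift accepted only after a next-code confirmation: "one hour"
MAX_FAILURES = 3    # lock the account after three bad passcodes


def tokencode(seed: bytes, counter: int) -> str:
    """HOTP-style truncation of HMAC-SHA1(seed, counter) to DIGITS digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Fob:
    """The hardware token. Its clock may run fast or slow relative to the server."""

    def __init__(self, seed: bytes, drift_seconds: int = 0):
        self.seed = seed
        self.drift = drift_seconds

    def code(self, true_time: int) -> str:
        return tokencode(self.seed, (true_time + self.drift) // STEP)


class AuthServer:
    """Server-side record for one token: seed, PIN, learned drift, failure count."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.offset_steps = 0       # how far this fob's clock is known to be off
        self.failures = 0
        self.locked = False
        self.pending_resync = None  # counter of a far-drifted code awaiting its successor
        self.last_counter = None    # each code may be used once: replay protection

    def authenticate(self, passcode: str, now: int) -> str:
        """passcode = PIN followed by the displayed code.
        Returns 'ok', 'next' (enter the next code), 'fail' or 'locked'."""
        if self.locked:
            return "locked"
        pin, code = passcode[:-DIGITS].encode(), passcode[-DIGITS:].encode()
        if not hmac.compare_digest(pin, self.pin.encode()):
            return self._fail()
        if self.pending_resync is not None:
            # Far drift seen last time: only the very next code is acceptable now.
            want = self.pending_resync + 1
            self.pending_resync = None
            if hmac.compare_digest(code, tokencode(self.seed, want).encode()):
                self.offset_steps = want - now // STEP
                return self._ok(want)
            return self._fail()
        expected = now // STEP + self.offset_steps
        for delta in range(-FAR_WINDOW, FAR_WINDOW + 1):
            counter = expected + delta
            if not hmac.compare_digest(code, tokencode(self.seed, counter).encode()):
                continue
            if self.last_counter is not None and counter <= self.last_counter:
                return self._fail()              # replayed or stale code
            if abs(delta) <= NEAR_WINDOW:
                self.offset_steps += delta       # small drift: learn it silently
                return self._ok(counter)
            self.pending_resync = counter        # large drift: demand the next code
            return "next"
        return self._fail()

    def _ok(self, counter: int) -> str:
        self.failures = 0
        self.last_counter = counter
        return "ok"

    def _fail(self) -> str:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "fail"
```

Two details worth noticing: a wrong PIN with a correct code counts as a failure just like a wrong code, so a finder of the fob really does get only three guesses at the 10,000 PINs before lockout; and the server refuses any code at or before the last accepted counter, which is what stops a shoulder-surfed passcode from being replayed within the minute it is still "valid".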
  45. Re:Good deal - basic math? by Inda · · Score: 1

    Beat me to it...

    What I would like to know is why the IT department at my place of work charges 80 GBP ($145) for these? Someone is on a winner down there, that's for sure.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  46. The Associated Press reporting, not Yahoo by kriston · · Score: 1

    I'm rather concerned about the trend in today's journalism where the news aggregate is quoted as reporting something when it's really the Associated Press that is reporting something.

    Get your citations straight! Don't be like the radio!

    --

    Kriston

  47. I've used something similar about 5 or 6 years ago by Stonent1 · · Score: 1

    The company that I was working for had little devices similar to that (They called them Token Cards) that would display a new code each time you pressed the button. It was a financial institution and they used it to protect their dial-up lines from people. They entered the code like this password*hashfromdevice.

  48. The End is Near!! by Maestro4k · · Score: 2, Funny

    Oh man, Lucas finally releases the original trilogy on DVD, AOL starts at least trying to have some form of security both in the same day. That has got to be a major sign of the impending apocalypse. If Microsoft announces it's dropping Windows to develop Linux before the day's out I'm heading for the mountains!

    1. Re:The End is Near!! by Anonymous Coward · · Score: 0

      Fascinating Captain, your post seemed to have gone into warp-drive and transcolocated into the "AOL improves security" story.

      Perhaps you spent a long time writing this article?

    2. Re:The End is Near!! by Anonymous Coward · · Score: 0

      Perhaps you didn't read his post properly?

  49. Only if you can use just one... by TreadOnUS · · Score: 0

    to handle all online transactions. I'd hate to carry one for my bank, one for my credit card, etc.

  50. Aol must really care about security... by SirTwitchALot · · Score: 4, Informative

    because they can't be making much money from this:

    RSA sells these devices for $60 each or so in bulk. RSA fobs are programmed to expire in 36 months. Let's say AOL got them for $50. The customers are paying 9.95+(1.95*36) or $80.15 over three years. That gives AOL $30.15 or about $10 a year. I'm sure AOL could find some other way to fleece their users less than a dollar a month, leading me to believe this isn't just some profit making venture (not to mention the cost of the servers to implement this, which is not insignificant.)

    --
    Go away, or I will replace you with a very small shell script.
    1. Re:Aol must really care about security... by Anonymous Coward · · Score: 0
      Since it's optional, I get the feeling that maybe they're trying to split up the users;

      User: "Hello, my account is all screwy, can you fix (xyz)?"
      Rep: "Do you subscribe to our extra-secure service, or regular?"
      User: "regular"
      Rep: "I can fix (xyz) but it carries a charge of $24.95 do you accept the charges?"

    2. Re:Aol must really care about security... by slungsolow · · Score: 2, Insightful

      I am sure that the financial hit isn't as bad as you made it out to be.

      1) They wouldn't have purchased a small amount of fobs. We are probably talking about an order between 100,000 and 1,000,000. That means they probably received a vast discount. The fobs themselves are glorified calculators that run off of a preset algorithm. They most certainly wouldn't cost upwards of $50 apiece. I am sure that they are partnering with RSA for this business venture.
      2) The security features were already put in place so all they had to do was beef it up a bit, so again, the initial investment isn't that great.

      3) They are a corporation. They wouldn't do anything if it didn't have the promise of a return on their investment. They wouldn't do something like this unless they researched it and found that there was a need and that they will be able to make a...
      4) PROFIT!!!

      I of course just don't get it. Why would people want to secure their data on the client end when they should be worrying just as much about the data stored on the server end. What is AOL doing to ensure that the data is kept secure throughout the whole transaction? Is this whole secureID thing just a method of coddling their non-technical customers (Look you get fancy number changers for your keychain!!!).

      They even branded the secureID with AOL graphics and colors. It's insane.

    3. Re:Aol must really care about security... by alistair · · Score: 1

      I'm not so sure your maths is correct.

      Sure the fobs can be bought in bulk for $xxx. But for every usable fob you have to buy a corresponding ACE server licence, which does also add to the expense. You then have standard maintenance on the ACE servers which is a fixed percentage of the initial server costs.

      The branding isn't that special, I think you can get it whenever you order more than 1000, most banks do this for their customers, it isn't a new thing for AOL.

      The service is generally very good, The combination of what you know (secret PIN) with what you have (SecureID card) has rapidly become the industry standard. The $10 a year figure sounds like excellent value, I'll be chatting with my RSA salesperson this afternoon to see if we can get the same deal :-)

    4. Re:Aol must really care about security... by XorNand · · Score: 1

      I think you're also forgetting about who these fobs are going to: major players with major money. RSA has got to be tripping over themselves and possibly doing this project at a loss. They get their technology in the hands of thousands of C?O's. How many of these people do you think are going to ask their IT manager or CIO "Why don't we have this technology yet?" once they get accustomed to it?

      --
      Entrepreneur : (noun), French for "unemployed"
    5. Re:Aol must really care about security... by SirTwitchALot · · Score: 1

      While I agree they aren't doing this at a loss. I have to disagree with you on pricing. I work for a fortune 100 company, and we buy tens of thousands of these things a year. The best price we can get is about $60 each, with the fobs running 70-100 in smaller quantities. RSA is the leader in two-factor authentication, and they know it. That's why they can get away with charging you so much for a device that has programmed obsolescence.

      --
      Go away, or I will replace you with a very small shell script.
    6. Re:Aol must really care about security... by SmittyTheBold · · Score: 1

      I don't dispute what RSA charges for these (having never purchased them, I don't know.) But they were giving them out like candy a few years ago. I personally received two evaluation kits with two keys each for free a few years back, just by asking. I doubt they'd throw $200 at a person like me, who had marginal decision-making power at a small operation, and was rather up-front about it.

      --
      ± 29 dB
  51. I've always wondered... by 3-State+Bit · · Score: 1

    There exist handshakes for proving I know something without revealing what it is.

    Is any of it simple enough to perform -- perhaps with some idiot savant-y BIG_NUM manipulation tricks -- in your head?

    It might take a bunch of passes, perhaps as many as one for each bit of entropy in your "secret", but I am sure there must be SOME way to set up my webmail so that I can authenticate myself into a "read the subject lines / senders of all NEW messages" session, with password1, or, with password2, into a "read the body of the NEWEST unread email" session. Thus I could "log in" even through a COMPLETELY COMPROMISED computer, keylogger and all, and unless I slip up on my mental math, without any device of any sort I could check my mail without compromising my inbox or identity. (no spamming-in-my-name; no reading-my-archived-email; no sniffing-my-authentication). There's not even anything a man-in-the-middle can do with my plaintext request for the newest unread subjects or bodies. There's no insertion attack.

    background.

    1. Re:I've always wondered... by HeghmoH · · Score: 1

      Anything that a vaguely normal person can do in his head is easily crackable by a normal PC. In order to be considered secure, RSA has to use numbers that are more than 200 digits long. Simply memorizing such a number is already beyond the abilities of most people; performing the hundreds of multiplications and other manipulations needed is beyond even the best of idiot savants. If there were a better way, it would probably mean a speedup for computer RSA algorithms as well, so I think it's fairly safe to say that nobody knows of one for now.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
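The "handshake for proving I know something without revealing it" that 3-State Bit asks about is a zero-knowledge identification protocol, and HeghmoH's objection is about the size of the numbers, not the idea. The block below is an added example, not code from the original page or from any poster: it runs Schnorr's identification scheme (not RSA, which is what HeghmoH's 200-digit figure refers to) in the order-q subgroup of a toy safe prime p = 2q + 1. The parameters p = 2039, q = 1019, g = 4 are constructed and far too small to be secure; they are chosen only so every value fits on one line. The protocol does behave as the post speculates, one round per bit of assurance when the challenge is a single bit, and the block also shows the two things a practitioner should know about it: transcripts can be forged without the secret (which is what "zero-knowledge" means), and reusing the per-round nonce leaks the secret outright.

```python
"""Toy Schnorr zero-knowledge identification.

Added illustration only. Parameters are constructed and absurdly small so the
arithmetic is visible; a real deployment needs a ~256-bit q and a much larger p,
which is exactly why this cannot be done in one's head.
"""
import secrets

P, Q, G = 2039, 1019, 4   # p = 2q + 1 (both prime); g = 4 generates the order-q subgroup


def keygen() -> tuple:
    """Secret x in [1, q-1] and public key y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


class Prover:
    """Holds x. Each round: commit t = g^r, receive challenge c, answer s = r + c*x mod q."""

    def __init__(self, x: int):
        self.x = x
        self.r = None

    def commit(self) -> int:
        self.r = secrets.randbelow(Q)      # fresh nonce every round; reuse is fatal, see recover_secret
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q


class Impostor:
    """Knows only y. Bets the challenge will be 0 and answers with its bare nonce."""

    def commit(self) -> int:
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        return self.r                        # verifies only when c == 0


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's check: t is in the subgroup and g^s == t * y^c (mod p)."""
    if not (1 <= t < P and pow(t, Q, P) == 1):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(prover, y: int, rounds: int, challenge_bits: int = 1) -> bool:
    """Interactive run. A cheater passes each round with probability about 2^-challenge_bits,
    so with 1-bit challenges you need one round per bit of assurance."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbits(challenge_bits)
        if not verify(y, t, c, prover.respond(c)):
            return False
    return True


def simulate_transcript(y: int, c: int) -> tuple:
    """Zero-knowledge in action: anyone can forge an accepting (t, c, s) for a chosen c
    without knowing x, so a recorded transcript proves nothing to a third party."""
    s = secrets.randbelow(Q)
    y_inv_c = pow(y, Q - (c % Q), P)       # y^{-c}, valid because y has order q
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s


def recover_secret(c1: int, s1: int, c2: int, s2: int) -> int:
    """What goes wrong if the prover answers two different challenges with the same r:
    x = (s1 - s2) / (c1 - c2) mod q falls straight out of the two responses."""
    inv = pow((c1 - c2) % Q, Q - 2, Q)    # Fermat inverse; q is prime
    return ((s1 - s2) * inv) % Q
```

For the "keylogger on a compromised PC" scenario in the post, note what the keylogger sees: only the responses s, which are useless without the matching challenges, and even a full transcript is indistinguishable from the forged one simulate_transcript produces. What it does not solve is the mental-arithmetic problem: each round needs a modular multiplication with numbers the size of q, and that is where HeghmoH's objection stands.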
  52. roll your own by digitalsushi · · Score: 1

    I love those little digital PIN devices... I thought they cost a lot more than that. Are those feasible for do it yourselfers to use at home for their SSH authentication? Once I was thinking about writing a script that changes the user ID of my remote login account every X minutes, and sends an SMS to my cell phone with the ID each time it changes, like my own cheap ripoff...

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  53. Got a good screen name? Get one of these. by YetAnotherName · · Score: 2, Informative

    If you're lucky enough to have a decent screen name on AOL, like your first or last name, then you probably want to get one of these devices.

    When I got my Yahoo account years and years ago I was early enough to get decent screen name. The problem is that today that account is routinely hacked (and once, even pwned, but thanks to the nice security folks at Yahoo, given back to me). People don't like to use something like "%geeba%56672" for Yahoo Instant Messenger. I imagine the same thing is true on AOL. Having a smartID or securiCard or other defense would be nice.

    (Then again, auctioning off a nice AOL screen name might be worth a few bucks on eBay...)

  54. All --AOL--TW employees have them. by digitalgimpus · · Score: 0, Redundant

    After pestering employees with these damn things, AOL thought it would be wise to charge customers for the same pain in the ass.

    I hate these stupid things. Keep them on your keychain, and you know it's going to break, and you're going to have login problems. Don't keep it on your keychain, and you know you'll forget, and be unable to login. No matter what, you lose.

    I won't say they are ineffective, since they do work. But they are the biggest pain in the butt.

    Couldn't stand having it. What a drag.

    Oh, and guess how many people loved using AOL mail in the workplace: None. Can you imagine this sinaero:

    You sign on, do your work, leave for the day. Come back in, and AOL for some reason signed you off (happens every so often). Uh Oh... forgot the SecurID... no email for the day!

    Was my post informative? Help me get a free flat screen by completing 1 silly little offer. I need one to go with my free iPod.

    1. Re:All --AOL--TW employees have them. by Kiryat+Malachi · · Score: 1

      We use them at my company to authenticate our VPN connections for remote users. Works great, and I've never heard a single complaint about it; it allows us to use untrusted connections to do trusted work.

      Just as a note, RSA has also released a software version of the token, which eliminates some of the problems of the keyfob - it doesn't expire, and you can have a copy on every computer you might conceivably use - you just install a token file on the machine itself, which allows the program to be synched to the keystream. However, with that sort of system, you have to be careful about who has access to the token-enabled program - the program has an option to password protect access, as well as the typical protections (Windows password, etc.)

      I believe they've also released versions of the generator for PocketPC, and possibly for Palm.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    2. Re:All --AOL--TW employees have them. by Anonymous Coward · · Score: 0
      Oh, and guess how many people loved using AOL mail in the workplace: None. Can you imagine this sinaero:

      Imagine a scenario where you know how to spell, asshat.

    3. Re:All --AOL--TW employees have them. by Anonymous Coward · · Score: 0

      You sign on, do your work, leave for the day. Come back in, and AOL for some reason signed you off (happens every so often). Uh Oh... forgot the SecurID... no email for the day!

      When this occurs an employee can be bound to the SecureID of another employee for the day. It is a pain to go ask that person for their code, but it only needs to be done once or twice over the course of the day.

  55. But you don't need "two" passwords ! by syrinje · · Score: 2, Informative
    Two factor authentication relies on (d'uh) two inputs to the authentication algorithm - something you know (like your username) and something you have (like a password - whether generated by a SecurId or not).

    The advantage of the automagically generated password is that the password is a temporal function of the account. This means that the server and the password generator both work off the same clock base to calculate a password for your account and authentication succeeds if the two match (within some non-zero time window - to compensate for clock drift). The password is thus valid for a very short duration and makes it very hard for a MIM to capture, replay and use.

    As far as I can see the first (user memorised password) is merely an artefact of an older system left in there to make the user feel good about having some password control since that is the factor that is most vulnerable to compromise (think social engineering).

    A more robust mechanism would be to add a challenge response to this mechanism - the authenticating system gives you two numbers (n1, n2) which you feed into your password generator and it generates the response thus -

    R sub t = f(t, n1, n2)

    The authenticating system performs the same computation and accepts your password if it matches with the result generated locally. Banks in Sweden have been using this for quite a while now - the password generator is, of course, protected by a PIN number to unlock it for use and therein lies the weakest link!

    --
    See that long UID - that's what you get for lurking too long
    1. Re:But you don't need "two" passwords ! by Kiryat+Malachi · · Score: 2, Insightful

      Without the user-memorized factor, the token (secureID or otherwise) becomes the entirety of the password, making it no better than a key for a lock - if it goes missing, your security is nil.

      Essentially, the two-factor system needs both the user-generated factor and the automatic factor - the automatic protects against social engineering of the user, and the user protects against physical engineering (i.e. theft) of the automatic.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    2. Re:But you don't need "two" passwords ! by Gunzour · · Score: 2, Informative

      Authentication can generally be done using any combination of these 3 factors:

      - Something You Know. Generally a shared secret, such as a password.

      - Something You Have. Prove that you are in possession of something. By entering the code from a SecureID card, you prove you are in possession of the card. A physical key entered into a lock is also Something You Have. The CVV code on the back of a credit card is a weak form of Something You Have (it could be argued it is something you know, but online stores are using it to 'prove' you are in possession of the card).

      - Something You Are. This is biometric authentication, such as voiceprint, fingerprint, iris scan, DNA check, dental records, etc.

      Your username is only a bit of data -- well-known data at that. It doesn't count for any of the three factors.

  56. dongle annoyances by Anonymous Coward · · Score: 0

    Yeah, and if you have the RSA dongle and a remote car lock/starter, you can look forward to your keys taking on the characteristics of a porcupine.

  57. Re:Nothing new by LnxAddct · · Score: 1

    I believe they're charging because the device costs money and also they have to administer the RSA ACE/Server which I'm sure costs a lot in licensing and to keep it running.
    Regards,
    Steve

  58. Re:Security Functionality by mwood · · Score: 1

    Whoop-de-do, we've been using SafeWord cards just about forever around here. Nice to see at least one ISP dragging itself into the '90s.

  59. Synchronized Clocks? by ericpi · · Score: 2, Interesting

    One thing I always wondered about these devices, is how you keep the device synchronized with the server. Since the code changes every 60 seconds, the server and the fob have to be set to within 1 minute of each other in order to agree on the same code.

    A typical quartz clock has accuracy on the order of +/-10 ppm (parts per million). To accumulate an error of 60 seconds requires only 60 / (10 / 1M) = 6M seconds = 70 days. Therefore, it would seem after a few months, the fob would 'drift' enough to make the codes not match.

    Does the user have to manually keep the time set? (Though, looking at the device on RSA's site, I don't see any buttons.) Does the server automatically accept a range of codes to allow for more 'drift'? Both approaches in combination?

    1. Re:Synchronized Clocks? by PalmerEldritch42 · · Score: 3, Informative

      The server does allow a range of codes to work. I have been using SecurID and you can put in the tokencode from 1-2 minutes ago and it will let you in. So, if the token gets out of sync from the server, it is ok. If it gets too out of sync, then you need to call the help desk and they can resync it using some online tools. It takes less than a minute to do. I've never experienced a time drift problem that resyncing didn't fix, but theoretically, if it can't sync back up, they can always just send you a new card and use that one instead.

      --
      Ceci n'est pas une sig.

      :wq!

    2. Re:Synchronized Clocks? by nologin · · Score: 1
      Actually, the tokens themselves are quite reliable. I have seen only a small few that actually drift out of sync with the authentication server. In the case that the server determines that the token is out of sync, it can query the user during the authentication process to key in the current code to maintain sync with the server.

      In most cases, it is the internal clock of the computer running the authentication server that drifts the most. Of course, you are always encouraged to use NTP in order to keep that clock in check.
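
The scheme syrinje describes in comment 55 (server and fob deriving the code from a shared seed and a common clock, with a tolerance window) and the drift-and-resync discussion in this thread, as an added worked example. This is not code from any commenter and not RSA's code: the SecurID algorithm is proprietary, so the HMAC-SHA1 truncation of RFC 4226/6238 stands in for it, and the seed, drift values and window sizes are constructed. The `challenge_response` function models syrinje's `R_t = f(t, n1, n2)` with an HMAC over the step and both nonces; that construction is likewise an assumption, not the Swedish banks' actual algorithm.

```python
"""Model of a clock-synchronised one-time-code token and its authentication server.

Added example, not from the thread and not RSA's implementation. HOTP/TOTP-style
HMAC truncation stands in for the proprietary SecurID algorithm; seeds, drift values
and window sizes below are constructed for illustration.
"""
import hashlib
import hmac
import struct

STEP = 60      # seconds each displayed code is valid, as with the fob discussed
DIGITS = 6


def code_for(seed: bytes, step: int, digits: int = DIGITS) -> str:
    """Code shown for one time step: HOTP-style truncation of HMAC-SHA1(seed, step)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def challenge_response(seed: bytes, step: int, n1: int, n2: int) -> str:
    """Assumed model of R_t = f(t, n1, n2): the server's nonces are mixed into the
    MAC input, so a captured response is useless against any other challenge."""
    mac = hmac.new(seed, struct.pack(">QQQ", step, n1, n2), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """The fob: shares a seed with the server but runs on its own quartz clock,
    which may be ahead of or behind the server's by `drift` seconds."""

    def __init__(self, seed: bytes, drift: int = 0):
        self.seed = seed
        self.drift = drift

    def display(self, now: int) -> str:
        return code_for(self.seed, (now + self.drift) // STEP)


class AuthServer:
    """Computes a code only at login time from (seed, clock); nothing ticks per second."""

    def __init__(self, window: int = 1):
        self.window = window          # accept codes this many steps either side of now
        self.tokens = {}              # user -> {"seed", "offset", "used"}

    def enroll(self, user: str, seed: bytes) -> None:
        self.tokens[user] = {"seed": seed, "offset": 0, "used": set()}

    def verify(self, user: str, code: str, now: int) -> str:
        """Returns "ok", "replay" (correct code already consumed) or "fail"."""
        t = self.tokens[user]
        base = now // STEP + t["offset"]   # where the server believes the fob's clock is
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if hmac.compare_digest(code_for(t["seed"], step), code):
                if step in t["used"]:      # one login per displayed code
                    return "replay"
                t["used"].add(step)
                return "ok"
        return "fail"

    def resync(self, user: str, code1: str, code2: str, now: int, search: int = 30) -> bool:
        """Drift recovery as described in the thread: the user types two consecutive
        codes; the server searches a wide range for the pair and stores the offset."""
        t = self.tokens[user]
        base = now // STEP
        for delta in range(-search, search + 1):
            step = base + delta
            if (code_for(t["seed"], step - 1) == code1
                    and code_for(t["seed"], step) == code2):
                t["offset"] = delta        # fob clock is `delta` steps off the server's
                return True
        return False
```

With `window=1` a fob that has drifted up to one full step is still accepted; a fob two or more steps off fails until `resync` has been fed two consecutive codes, after which the stored offset is applied to every later check. The `used` set is what stops a keylogged or shoulder-surfed code from being replayed inside the acceptance window.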

  60. Dead key? by sporty · · Score: 1
    What happens if your fob/rsa token, dies. They do expire, but sometimes, they die due to "reasons". Either faulty, or too much static etc etc..


    That could be a hurdle to get over.

    --

    -
    ping -f 255.255.255.255 # if only

  61. Not quite... by Millennium · · Score: 2, Insightful

    Two-factor is indeed based on something you have and something you know. But "something you know" isn't your username; that's "something you are". "Something you know" is, in fact, your password.

    Two-factor authentication actually has three factors. The username part is so insecure, however, that no one really counts it, because everyone has to know it in order to do any business with you at all. Many graphical login managers even present a list of usernames, because keeping these secret hampers the system's usability -no one knows who anyone is- for no real security gain.

    The user-memorized password is not "an artifact of an older system"; it is still an important part of security. It is no longer the only important part of the security process, but it retains its importance.

    1. Re:Not quite... by Anonymous Coward · · Score: 0

      Incidentally, "Something you are" is biometrics pure and simple. Account name is public information, and doesn't secure your account in any way whatsoever.

  62. Duh? by mfh · · Score: 1

    1) it only lasts 60 seconds
    2) if used , it can't be used again until the minute is up


    Yup that will work for 1% of AOL users. The rest are screwed if it ever becomes mandatory. Sixty seconds is not enough time for about 99% of all AOL users. They'll spend the first 30 seconds trying to get the first password in and then type in the second password in the next thirty seconds -- only to figure out they got the two mixed up. Then they will spend all day typing in the same two passwords until they phone AOL at around 3:30pm.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Duh? by RollingThunder · · Score: 1

      The timing of the second password is not dependent on when the first is entered.

      It's evaluated as to what it should be at the moment you hit enter, after punching it in.

      We use them all over at work, and it's pretty easy.

    2. Re:Duh? by David+Rolfe · · Score: 2, Interesting
      I hate to slam you like this, but, you are totally wrong.

      As is mentioned in other places in the thread, the token resets every 30 seconds, that's true, but is it so hard to type 6 numbers in 30 seconds? No, it's not. What an ignorant, short-sighted (and possibly mean-spirited) thing to say. I know you are "holier than thou" and none of your friends require physical passwords, because they all have great memories and are full of best security practices; but that does not excuse the need for many people to protect their "online identities".

      This is really old news. In CAT and PWA we had been trialling (offering) securID's to customers for um ... gosh I dunno since like last summer? If someone had repeated compromises from phishing/trojans/kids we would offer them a securID.

      Parents whose children were on the verge of getting their accounts canceled (and grannies who'd been comped and used as spammers) Loved this feature. So anyhow, this:
      Yup that will work for 1% of AOL users. The rest are screwed if it ever becomes mandatory. Sixty seconds is not enough time for about 99% of all AOL users. They'll spend the first 30 seconds trying to get the first password in and then type in the second password in the next thirty seconds -- only to figure out they got the two mixed up. Then they will spend all day typing in the same two passwords until they phone AOL at around 3:30pm.
      ...is complete BS. SecurID is effective and easy; I did the support to prove it.

      (Just don't reveal your tokens. I remember l0pht wrote a brute force for the internal crypt key if you could provide it a number of sequential tokens.)

      Sorry that got a little personal. I'm a little riled from the last batch of /.ers slamming AOL's core demographic. Still, needed to be said.
      --
      Read Heinlein's 1953 Revolt in 2100, now more than ever.
  63. SecureID by Gr8Apes · · Score: 2, Interesting

    SecureID just seems like the next logical step. I used one for 3 years, and, once you get used to not attempting to log into your VPN when only the last bar is showing (there's a countdown bar indicating how much time is left before the number changes) it's really not so bad.

    They appear to run on pseudo random number generators, and are synched up with the server with a known seed. I imagine they'd be very difficult to crack, as our system was configured to only allow 1 login attempt per number, if you typed in the wrong password/SecureID number, you had to wait until the next number came along. Annoying, but definitely better than the 3 (or 5) attempts and get a system admin to unlock your account.

    --
    The cesspool just got a check and balance.
    1. Re:SecureID by Neil+Watson · · Score: 1

      This is secure, until the laptop is stolen. In spite of written instructions that are contrary, the user saved his password in the VPN client (why does the software even allow that?!) and has stored the SecureID device in the laptop case.

    2. Re:SecureID by Gr8Apes · · Score: 1
      That would be true - if only we didn't have:
      • to log into the client to access anything at all on the laptop (can be gotten around, I know)
      • the VPN client not having the capability to save the password or the user name. (Quite annoying if you have a long name as the basis for a 20 character username....)
      • a 5 digit PIN required as a prefix or suffix to your SecureID number. (varied by account)
      • if you failed to log in 5 times, the VPN account was locked
      Yep, seems like a breeze to break into a VPN with those restrictions....
      --
      The cesspool just got a check and balance.
    3. Re:SecureID by devilspgd · · Score: 1

      The solution is simple -- Occasionally ask people to show their SecureID on the way in or out of the building.

      Anyone that pulls it from their laptop bag is fired on the spot.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  64. Re:Good deal - basic math? by cjpez · · Score: 1
    $33.35 + $26.65 Shipping+Handling?

    :)

  65. Does this really help? by Meostro · · Score: 1
    Does my small small device show the same number as everyone else's? If so, how does this help with phishing, as long as Phisher Bob can get his hands on one?

    If it doesn't show the same #, does AOL generate a new # every 60 seconds for every subscriber? Not sure, but that seems like a lot of work... Anyone know specs on the RSA algorithm used? From TFA:
    Gartner analyst Avivah Litan believes a "very narrow set of consumers" -- perhaps 5 percent to 15 percent of AOL's 30 million subscribers -- would sign up, but "you have to start somewhere."
    So they're talking about 25k key updates per second if they only have 5%. Is this a "you need a cluster of HAL-9001s to keep up" kind of problem, or is it more of a "that 486 you use as a doorstop could be useful again"?
    1. Re:Does this really help? by Tazzy531 · · Score: 1

      I have one for work at an investment bank [not through AOL]. Basically it generates a unique number every 60 seconds. AOL doesn't have to generate it nonstop. Basically they just generate it based on the timestamp at the time of login.

      Why would you think they would update every second even if nobody is logging in? That would be pretty piss-poor design.

      --


      _______________________________
      "I'm not Conceited...I'm just a realist..."
    2. Re:Does this really help? by Meostro · · Score: 1

      I was under the impression that you'd have to keep them in sync, that there was some kind of sequence to them.... you generate the next step every second. If you don't, you'll have to go through X steps when you authenticate, X = # of minutes since last authentication. Then instead of just knowing MD5(time), you would have to generate MD5(MD5(MD5(starttime))) 3 minutes later if you're trying to hack it.

      If it's just some kind of hash of a timestamp, why wouldn't it allow you to enter your time on the card? No time-drift problems, no oscillator and it wouldn't have to be always-on, battery life would go up a lot.

  66. Seems to last for a while by xyote · · Score: 1
    Besides the problem with wear and tear that some people may inflict on them, you might have a problem with the bubble keypad wearing or sticking on certain keys as you type in your PIN to get the password. The password is gotten by adding the PIN modulo 10 to the currently displayed number. If you pick a PIN that is easy to add in your head then you can save on typing in the PIN.

    This system is really a one time pad generated as a pseudo random sequence by the card and by the authentication server based on a common seed and starting time. The card will eventually drift out of sequence with the server and you will be required to enter some extra authentication steps to get back in sync. If you mess up with too many bad authentications, you get locked out and have to have the authentication server manually reset for your account.

    Since, if you know the algorithm (it's proprietary, with supposedly tamper-resistant chips) and enough of the generated passwords, you could compromise that account, assuming you can guess the PIN before being locked out, it's a good idea not to lose or misplace the card, and not to use too trivial a PIN or write it down.

    1. Re:Seems to last for a while by petersam · · Score: 1

      Thanks for the FUD. AOL's solution has no pin pad. You only enter the code displayed on the token. The 2nd factor is your AOL password that you previously entered on the login screen.

  67. Re:Security Functionality by gcaseye6677 · · Score: 4, Insightful

    What I'm curious to see is how this would affect "people who conduct large transactions online", who the article said were one of the target groups for this device. There are currently no plans to integrate this with banks or credit card companies, so how exactly does this protect peoples' account information? If bobbyjoe44@aol.com has an account at Bank One, I can still send them a fake "update your information" email, they put in their Bank One password and other info, and I get into their account. Meanwhile, the keygen thing is only protecting their AOL account and I'm cleaning out their bank account.

    The only thing this really secures is AOL's bottom line, by preying off of peoples' fears and giving them something that makes them FEEL more secure online.

  68. Small Business, Large Transactions and AOL? by graphicartist82 · · Score: 2, Insightful

    "It's aimed at small business and people who conduct large transactions online."

    These people use AOL? I sure wouldn't do business with any company whose e-mail address was companyname@aol.com or whose web page was http://hometown.aol.com/coolguy12345

    1. Re:Small Business, Large Transactions and AOL? by westlake · · Score: 0

      Think of a real estate agent in a rural township or small town. He has little need for a broadband connection, assuming one is available, but his online transactions involve serious money.

  69. /. newbieness by LinuxHam · · Score: 0

    This is why /. is a great site for hobbyists and newbies. All you had to say for those with actual work experience is "AOL adds RSA keyfob support". I can almost make a necklace out of my expired ones.

    --
    Intelligent Life on Earth
  70. anti spyware / trojan by Anonymous Coward · · Score: 0

    They need to include anti spyware / trojan software such as spybot search and destroy ... why don't they plop a big donation to spybot and include it ?? Or fine come up with their own .. they only have what a few billion dollars of cash they're sitting on. This would be FAR more beneficial to their users' security than this foo foo token thing. How many people REALLY need this? I admit it's of some benefit .. but seriously overall including anti spyware software is vastly more beneficial.

    1. Re:anti spyware / trojan by MBaldelli · · Score: 3, Insightful

      why don't they plop a big donation to spybot and include it ?? Or fine come up with their own.

      You mean assimilate, like they did Netscape and ICQ? Thanks, I would prefer Spybot be free of the AO-Borg assimilation.

      --
      "The truth points to itself." - Kosh, Babylon5
  71. it's surprising, but... by thegnu · · Score: 1

    quite a few do. I heartily recommend that they get their own domain name and they stammer, stare at me blankly, and then log on to AOL.

    *tsccchh* "You've. Got. Mail." *tsccchhh*

    --
    Please stop stalking me, bro.
  72. fobs used to be cool .. by LionsFate · · Score: 1

    Back in the day on the school yard, we used to beat up all the AOLers.
    "My daddy just got me AOL, look everyone!"
    Yeah, we'd pelt him with a few dozen free AOL CDs.

    You could always spot the AOLers, with that vacant look in their eyes, the look of the newly assimilated.

    Nowadays AOLers are getting more advanced, they are able to creep up on you. You don't know till it's too late. "Come, see my computer". "No, wait! - Why, what have I ever done to you?!"

    Now they have these fobs. I can see it now. Someday I'll return to the old school yard, and one of my friends will spot the fob. I'll profess how it's not for AOL, it's for work. They won't believe me. I'll be pelted with CDs. Branded a traitor. They'll find out that I've had an AIM address for years. I'll be denied entry to the clubs. Women will find me attractive.

    It used to be that only real nerds carried fobs. Damn you AOL.

    1. Re:fobs used to be cool .. by Jackhamr · · Score: 1

      Man, I feel old. I used to throw AOL 3 1/2" floppy disks around....

    2. Re:fobs used to be cool .. by SuiteSisterMary · · Score: 1

      Man, I feel old, I used to throw around a Qlink disk....

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  73. Re:Time Drift - sliding window by Anonymous Coward · · Score: 0

    I actually used these SecureID FOBS with 2 different systems, one of which was me Administering the Secure ID FOBS for a couple of months. There seemed to be a lot of problems with the system. The system requires a 4 digit unique PIN for each FOB which is entered as well as the 6 digits in the window. The system is not supposed to give out duplicate PIN's....but every once in a while it would spit out one that was already in use, causing problems for the other person who had the same PIN. This would require me to reset their pin and tell them how to obtain a new PIN (easy...but still a pain in the ass as it shouldn't require this) FOBS would frequently go out of sync with the server, causing people calling me bitching...ah...it's a good system on a small scale...but when you have thousands of people using it, it can become a pain in the ass

  74. Problems have been addressed. by alistair · · Score: 1

    Ermmmm,

    Each number lasts for 60 seconds, so if it is just about to change you wait and type in the next number (there is a visual counter on the left of the device)

    The back end ACE server knows the previous and next numbers, so adjusts for any internal clock changes which can be present on the card. If you meet an RSA sales person at a trade show, they may well offer you a demo card, these are generally production cards which ended up with clock speeds outside the QA range so look good but are effectively worthless.

    You can steal a card, but unless you know the user name and the secret password / username they are still worthless. To log in you generally need a user name / 4 digit pin and the number on the screen, lose one and the finder generally has simply an interesting desk ornament.

  75. SecureID cards by Otto · · Score: 1

    1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)

    Assuming you have some wacky setup that asks for the password before connection and not after you have already connected... then all SecureID based systems have a server running the same math as your little ID is and the server can, and does, calculate the previous and the next numbers the device will display. So even if the password takes 20 seconds to get there and it has changed in the meantime, it'll still authenticate, because the server is aware of the previous and next passwords.

    2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters...

    I've been using these things for years and have yet to lose one. Of course, I never lose my keys either. If I lose my keys, I'd be more concerned about how to start my car than my account's security.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  76. Relatively common technology by Overt+Coward · · Score: 1

    My company already uses these for off-site employees so we can access the company intranet. Ditto for Mrs. Overt Coward's company, which is in a dramatically different field.

  77. How soon till they patent this method? by jocknerd · · Score: 1

    Or does Microsoft already have a patent on this?

  78. Too bad they never implemented it correctly by signe · · Score: 1

    So AOL's extending the system that they use for all internal AOL logins to the general public. Big deal. They never implemented the internal system correctly to start with, which reduced the effectiveness by quite a bit.

    When you're using a SecurID, you're supposed to enter in the number displayed by the device and a PIN number. So if the device displays 12345 and your pin is 6789, you would enter 123456789 at the prompt to authenticate. The point of this is that it combines something you have and something you know. Now, of course AOL will say that they already have you entering something you know, in the form of your normal password.

    But the other benefit of the SecurID setup is that if you increment (or decrement. I can never remember, since AOL never did it correctly) the PIN number by one when you enter it in, the authentication server will set off an alarm that says you're logging in under duress. Especially considering how much sensitive internal AOL employees have access to when they log in (of course, it varies based on what you need to have access to).

    How many of you want to bet that AOL users start writing their password on a small slip of paper and taping it to the back of the SecurID?

    -Todd

    --
    "The details of my life are quite inconsequential..."
  79. Selection by Anonymous Coward · · Score: 0

    "Two-factor authentication [...] is common in Scandinavia, Brazil, Singapore and selected countries."
    That would be "Elita selected", wouldn't it?

    Hint: Elita selected is a brand of coffee here, in Romania.

  80. I have one ... by cascadingstylesheet · · Score: 1

    ... not for AOL, but for VPN access when I work off site.

    It works great. I'm actually more strongly authenticated that way than when I'm really at work (if you ignore social factors like "who the hell is that?"). I still need my network password to get to shares and email and so forth. And (not that this applies to the AOL situation) the VPN only grants me access to a specified list of servers, not everything theoretically in reach in the {US State Government}'s network.

    BTW, those comments like "what business would use AOL"? You might want to grow up a little. Until relatively recently, it made good sense to have dial up accounts for your employees that they could use anywhere in the country, dealing with a large established company for billing and support.

  81. Re:Security Functionality by westlake · · Score: 1

    AOL has local dial-up access pretty much everywhere. Useful for small business and anyone on the road.

  82. What about DSL connections ? by Builder · · Score: 1

    This isn't a whole lot of use if you have a DSL connection using a router then, is it? This sounds like it would be impossible to use on a DSL solution.

  83. Smart Cards. by valder · · Score: 1

    Steps to create more security is always welcomed. Especially when it comes to log ins. It also creates a "perception" that AOL is secure, family oriented and trustworthy. I've been in the industry for several years -- these securID fobs have been around for a long long time and have been proven to be very effective. Haven't others on here had exposure to these? I can't believe that those who actually have used the system would complain. Then again, seeing all these complaints it leads me to believe "slashdotters" are less technical savvy than one would initially think. valder.

  84. See, this is fine but.... by Anonymous Coward · · Score: 1, Interesting

    Great, so now we can be pretty sure that the person who logged into your AOL account is you. And for AOL services, they have a better trust of your identity. Well and good.

    But the average user has more places they log into than just AOL. They log into the bank website. The phone company to pay the bill. The credit card company. etc...

    I see 2 options here before this is more than a "so, what?".

    1.) You get a separate RSA keyfob for every site you log into. Which is obviously silly.
    2.) Your AOL account becomes a "master account," where the credit card company, the bank, etc., all assume "well, if AOL thinks this is Bob, it must be Bob!" And that's Microsoft work!!! But regardless of who it is, it would imply placing your absolute trust in AOL (or someone else) as guardian of your identity, for EVERYWHERE you go online. Also implies that everyone agrees that AOL is authoritative. Merits of this have been debated to death, my opinion is "good idea in theory, but I trust AOL to have bug-free, unbreakable code about as much as I'd trust Microsoft....

  85. strike lists by jeif1k · · Score: 1

    Online mail services, banks, etc. should really all offer the option of using one-time passwords from strike lists.

    The idea is simple: when you log in, you can either use your regular password, or you can use a one-time password from a printed list of passwords (you strike it out so you don't accidentally reuse it). You would use the one-time password when you log in in a public environment, when people might be looking over your shoulder, video taping the keyboard, have a key-logger installed, etc.

    One-time passwords like that don't require any kind of special hardware, just a web page that lets you print a new list whenever you want to.

    Almost all web-based services should offer this, in particular, web-based mail services like Yahoo!, AOL, etc.
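
One way a service could implement the strike list jeif1k describes, as an added example (not the poster's code and not any real provider's implementation). The server prints the codes once and keeps only salted, stretched hashes, so a copy of its database does not yield the list; each code is accepted exactly once, which is what defeats the keylogger and shoulder-surfer the post has in mind. Code length, alphabet and iteration count are choices made here, not anything the post specifies.

```python
"""One-time passwords from a printed strike list: issuance and redemption.

Added example, not from the comment above. Server stores only salted PBKDF2 hashes
plus a used flag per entry; the plaintext codes go to the user's printer once.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # easy to read off paper and type
CODE_LEN = 8                                        # ~41 bits per code
ITERATIONS = 20_000                                 # stretching for a leaked table


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


def issue_strike_list(n: int = 20):
    """Create a fresh list. Returns (codes_to_print, server_record).

    The record holds one salt, the hash of every code, and a used flag per entry.
    Issuing a new list (the "print a new list whenever you want" in the post) just
    replaces the record, which also voids any old paper copy."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(n)]
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "hashes": [_digest(salt, c) for c in codes],
        "used": [False] * n,
    }
    return codes, record


def redeem(record, code: str) -> bool:
    """Accept a code once. Every entry is compared, so the time taken does not
    reveal which entries remain; a struck entry is never accepted again, so a
    code captured by a keylogger during the session is already worthless."""
    d = _digest(record["salt"], code.strip().upper())
    hit = None
    for i, h in enumerate(record["hashes"]):
        if hmac.compare_digest(h, d) and not record["used"][i]:
            hit = i
    if hit is None:
        return False
    record["used"][hit] = True
    return True


def remaining(record) -> int:
    """How many unused codes are left; the UI should prompt for a new list near zero."""
    return record["used"].count(False)
```

The regular password path is untouched by this; the strike list is an alternative the user chooses when typing on a machine they do not trust. What the list does not protect against is a man-in-the-middle who uses the single code live, which is the same limit the fob-based scheme in the story has.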

  86. small small device by wcrowe · · Score: 1

    ...small small device from RSA Security...

    Now, is that a really tiny device, or is there some acronym (SMALL?) with which I am unfamiliar?

    --
    Proverbs 21:19
  87. Re:Security Functionality by Dun+Malg · · Score: 2, Interesting
    AOL has local dial-up access pretty much everywhere. Useful for small business and anyone on the road.

    Any decent ISP has local access pretty much anywhere. AOL hasn't really had an advantage in that regard for four or five years. The only excuse for using AOL is "not knowing any better".

    --
    If a job's not worth doing, it's not worth doing right.
  88. Re:Not a bad idea for ATMs by David+Rolfe · · Score: 1

    Wow that would be awesome. What would be even sweeter is to add a simple biometric to that, not for Identification, but just as confirmation. Put in card (it knows who I am), enter physical time dependent password (I'm now authenticated), make my transaction, "would you like another", "Is everything correct? Thumbscan" (card pops out and you go about your merry way).

    This way a biometric could be used only in the case of theft of both authenticators (not AS an authenticator). If you don't press your thumb on the pad, the ATM eats the card ... mitigating damage caused by a thief not willing to add his thumbprint.

    Of course you better hurry and patent this, because someone else is about to. Despite its obviousness to me.

    --
    Read Heinlein's 1953 Revolt in 2100, now more than ever.
  89. doesn't SecurID have a patent on this? by Hohlraum · · Score: 0

    I thought for sure that I read somewhere that they did.

  90. Not such a hot idea. by pragma_x · · Score: 1

    Having worked as both an internet tech rep *and* as a security admin handling these kinds of tokens, I can say that this is going to be a tech-support disaster for AOL.

    First off, the more economical (read: cheaper) SecurID tokens are notorious for being susceptible to static discharge, moisture and physical impact (dropping). They usually are made with a loop or hole in one end to attach to your id-badge at work: this will most likely be used to attach the device to Joe-Blow's keychain instead (also not good).

    Second, a token *will* fall out of sync with the server if not used frequently (takes a few months). The result is a token that may be useful, but will require additional support (call AOL and wait) to resync before it may be used again.

    Third, its a physical device that needs to be put in the hands of the user. It will take time to issue and replace, that the end-user may not have. Administrators at AOL *might* be willing to institute temporary passwords to side-step this, but once again, this requires another call to AOL.

    Overall, the potential for repeated failure of these devices, in the hands of an ill-informed userbase (does anyone read directions anymore?), plus latencies all over the support process will result in an extremely hard to manage product.

    Furthermore, I seriously doubt that this will do more for AOL other than bolster its image as a secure service provider, which is possibly more than what its competition is doing; the actual product itself may only need to have a marginal value if any. It's a bold move, especially since the $2/mo plus $10 signup probably won't completely cover the hardware and support costs incurred.

  91. AOL for small business? by Chanc_Gorkon · · Score: 1

    ANYONE who uses AOL for their ISP and is running a business needs to run and not look back. It's nice that they are adding this but I think it's stupid (for AOL).

    Now on the other hand for my work, I would love to implement this for our logins. It would definitely secure things much better.

    --

    Gorkman

  92. Your math is horrible by Anonymous Coward · · Score: 0

    Try (9.95 + 1.95) * 36 = $428.40

    1. Re:Your math is horrible by csimpkin · · Score: 0, Redundant

      I believe that the article said a one time fee of 9.95 and 1.95 a month. That is 9.95 + (1.95 * 36) or 80.15.

  93. Re:Security Functionality by TyrranzzX · · Score: 1

    And if the little battery on the device goes?

    :x

  94. Why just AOL? by phildog · · Score: 1

    Why doesn't some 3rd party company offer one of these devices to secure ALL of your online logins?

    One device could then get you in to:
    - bofa.com
    - aol.com
    - etrade.com
    - etc etc

    Why couldn't this be an optional security measure for purchasing through yahoo shopping, amazon, buy.com, etc?

    I would gladly pay $10/mo for such a service. But it would have to be ONE device. I don't need 50 "pager-sized" devices.

    Oh yeah, how about an RPM that lets you add this thing to your *nix login as well on any boxes where you have root?

    You think it would be hard to get the first big client, like bofa.com? Probably, but once you get one the sell is much easier to the others.

    Bravo to AOL for making this technology available to the general public.

    --
    slashsearch.org - slashdot search. powered by google.
  95. Hello, McFly! by Anonymous Coward · · Score: 0

    The AOL service will be using RSA SecurID dongles, duh!

  96. Re:Time Drift - sliding window by PierceLabs · · Score: 1

    My employer has tens of thousands of employees (guess who) using the system and it has caused us no large problems. It removes moronic passwords and reduces the amount of stuff that people have to remember to their PIN number, which most people probably take from their ATM PIN anyways.

    Outside of some of them breaking off of keychains, I have yet to see large problems with the system. It's one of the best authentication systems out there IMO.

  97. Re:Not a bad idea for ATMs by Rich0 · · Score: 1

    And we could have a secureID card for each credit card! And one to start the car! And one to open the house door!

    How about somebody comes up with a standardized smart card that can handle all of the above... And it might include a thumbscanner...

  98. Re:Security Functionality by cos(0) · · Score: 1

    In addition, RSA SecurID hardware authenticators are manufactured and sealed with an integral lifetime battery. No user maintenance or battery replacement is required. As a result, this authentication solution is as easy to deploy and administer as it is to use.

    Source: RSA Security - Hardware Authenticators.

  99. Heh by mfh · · Score: 1

    What an ignorant, short-sighted (and possibly mean-spirited) thing to say.

    Obviously you don't have a n00b who comes to you for computer help. It's just a fact that AOL should not be complicating their users this way. It is going to end up in techsupport Hell, and that was my point.

    It's not mean spirited to speak the truth. Sometimes the truth hurts and that's why it's the truth.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  100. Re:Security Functionality by luxaeterna7 · · Score: 1

    The company I work for has been using SecureID cards for years, the battery lasts around 5-6 years. AOL would probably want to send users a new card every 4-5 years.

    --
    "the devil finds work for idle circuits"
  101. Another novelty by amightywind · · Score: 1

    ..a new feature alowing customers to use two passwords to log on. The second password comes from a small small device from RSA Security

    I used to use a 2 part password with an RSA Secure ID to login to a Cray Y-MP back in 1990. Quite a novelty this.

    --
    an ill wind that blows no good
  102. Re:Security Functionality by slycer · · Score: 2, Insightful

    They do go occasionally, and sometimes the cards get fucked - they're not super delicate, but enough abuse and they'll stop working.

    The RSA admin tool allows an administrator (or someone with elevated privileges) to set a card into "lost mode", which allows setting a static password, and an expiry date for the lost mode - after which it disables the static password.

    So, sending a card out via mail, should reach the user by the time their static password is going to expire, and they're back in business using the card.

    I've worked with these things for somewhere around 7 years, and I pity the support people for AOL, and pity those that will need to use these cards. When they work, they work great, but it seems a fairly common thing for the cards to get out of sync with the server, in which case someone needs to resynchronize the card. It's a common enough problem in a smallish (~5000 users) support base (used for VPN, so you could knock that down to a percentage of that 5000) that I can easily see the support costs for AOL going wayyy up. And that's just a minor problem with the system.... there's also the case of a server crapping out (which can be semi-solved with redundant servers - which adds its own problems to the mix)

  103. I'm all business and use AOL on the road by Lieutenant_Dan · · Score: 1

    I consider myself a power user and I have AOL set-up on my notebook.

    I travel a lot around the US and Canada, and 99% of the time there is a local number I can dial to connect to the Internet. I couldn't care less for AOL "services" but it's great to check your corporate e-mail, connect through SSL-VPN, and even do some quick FTP uploads.

    I haven't found another provider in the US that offers the same. My colleague claims that he was even able to use his account in Germany!

    At home I have a high-speed cable connection.

    --
    Wearing pants should always be optional.
  104. Old idea. by Anonymous Coward · · Score: 0

    My ex-girlfriend's dad works as a VP for the magazine division of AOL Time Warner. He has one of these little keychain rca jobs, but he's been using it to log into his AOL account since before I started dating her.

  105. Re:Time Drift - sliding window by Anonymous Coward · · Score: 0

    e&y?

  106. Hm...on second thought... by Shoten · · Score: 1

    At first, my reaction to this article was along the lines of, "Holy crap...AOL users get two-factor authentication, and I can't get my bank to come up with anything better than a password and an SSN as the login ID!" But then, while I was repeatedly slamming my head in the file cabinet drawer to distract myself from such frustration, I thought about it. And when you really come down to it, I think that AOL accounts are heavily targeted, and that this is, on the whole, a case of strong authentication that makes overwhelming sense.

    Think about it...how many times have you heard of people wanting to "hack aol so i cn read my girlfriends mail i think she is cheating on me can u help pls?" I've seen it over and over again. And then you have to consider things that are more likely (like shoulder-surfing) with AOL accounts. Using SecureID makes all of that FAR harder.

    And what about the other less-obvious benefits? Little Timmy got in trouble in school today? Sure you could go into parental controls and block his use, but I think it'd be more poignant (and easier for the non-techie parent) to just have him surrender his token. I'm sure that there'll be other manifestations like this that I haven't even considered, also.

    So on the whole, not only is this a good idea for security, I don't think it's even close to overkill to be doing it with AOL users. The benefits are that significant.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  107. Good idea by Zerbey · · Score: 1

    We used these for a client project a couple of years ago. They worked really well and I'm actually surprised more companies don't use this.

    Anyone know if there is an open source equivalent?

  108. AT&T Wireless Call Center by Aexia · · Score: 1

    A friend of mine was working as a call center rep for them and ran into a similar problem. She was fired for having too long an average call time, though she wasn't over by very much and no one warned her that she was taking too long. Keep in mind, this was just 3-4 weeks after she finished four weeks of (paid) training. Great ROI there guys.

    She found out later that a couple days after she was fired, a CS VP came down to give her an award for getting perfect scores in all her customer feedback.

    1. Re:AT&T Wireless Call Center by Anonymous Coward · · Score: 0

      I've always found that AT&T Wireless has great people, but their systems suck. 90 minute hold times. Not knowing what another department is doing because they are on a different system and not being able to speak to anyone because that department is closed. Getting bounced around reps.

  109. Re:Not a bad idea for ATMs by Facekhan · · Score: 1

    ATMs are actually pretty secure. On just about every ATM, and about to be required by all the major banks and card issuers, the PIN pad hashes your PIN in hardware and even the ATM itself never sees your plaintext PIN.

  110. Charging for security? by jsk2001 · · Score: 1

    Microsoft is giving away Windows XP SP2, its free security overall to the OS to both licensed and unlicensed users. Now AOL is charging their customers wanting to keep their accounts from being used by spammers and other criminals. Why should anyone have to pay to prevent unauthorized usage of their account? AOL has reached a new low with this one.

  111. AOL? WTH? by GoClick · · Score: 1

    Large transactions online?

    I'm pretty sure people who do large online transactions don't use AOL...

    Large transaction to me is something over $500,000.00

  112. DOS, Lost FOBs, etc... by digital+photo · · Score: 1

    Jokes about AOL users aside, this isn't a good thing.

    RSA key password systems are designed to lock the account after X number of failed tries. After that, the fob and the account have to be resynced to one another.

    Anyone interested in causing AOL and the AOL\fob users will just need to keep bonking the login screen enough times and the account will be "inconvenienced".

    Another problem is that of lost fobs. Another physical item to lose which could deny access to the users account.

    Sounds more like a "make aol rich scheme" rather than an honest "protect the users" scheme. If this IS an attempt to protect users, then it means the normal AOL system is insecure enough that people who don't want to get screwed will have to pay just to maintain a decent level of security...

    At least, that's what it looks like.

  113. Snail Mail Pad by Preferred+Customer · · Score: 1

    Two pages into the last link of the original post you find:

    http://www.pcworld.com/howto/article/0,aid,116989, 00.asp

    This article gives a two-factor security example in which a bank mails a user a sheet with perhaps 50 scratch-off numbers unique to that user on it. The user would need to enter a password and one of the scratch-off numbers to log into his account. Once a scratch-off number was used, it would "die" never to become valid again. A new set of 50 numbers would be mailed out each month with the bank statement.

    The banks where I do business don't use this, but it seems like a really good idea. IANASE (I am not a security expert) but isn't this a one-time pad approach? Has anyone seen this used? It may be more common than I realize.

    Could the idea be expanded to other fields? Is there a better way than snail mail to deliver the scratch-off sheets?

    1. Re:Snail Mail Pad by Preferred+Customer · · Score: 1

      Oops, how did that space get in there?
      http://www.pcworld.com/howto/article/0,aid,116989,00.asp

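The printed one-time list that #85 and #113 describe, worked through as an added example. This is my code, not anything from either poster, from the PC World article, from AOL or from any bank: the server keeps only a keyed hash of each printed code, a login needs the password plus one unused code (the #113 bank variant; #85 would use the code instead of the password on an untrusted machine), a used code is struck out so it cannot be replayed, and a sheet is replaced when it runs low. The sheet size (the article's "perhaps 50"), the code alphabet, the PBKDF2 and HMAC choices and the `LOW_WATER` threshold are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Sheet parameters picked for this example (the article mentions "perhaps 50" codes per sheet)
CODES_PER_SHEET = 50
CODE_LEN = 8
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: these get read off paper
LOW_WATER = 5                                       # issue a new sheet below this many unused codes


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _code_hash(sheet_key: bytes, code: str) -> bytes:
    """Keyed hash of one printed code; the per-sheet key means a stolen table cannot be precomputed."""
    normalised = code.upper().replace(" ", "").replace("-", "")
    return hmac.new(sheet_key, normalised.encode(), hashlib.sha256).digest()


class Sheet:
    """One printed list of single-use codes. Only hashes stay on the server; plaintext is handed out once."""

    def __init__(self, n: int = CODES_PER_SHEET):
        self.key = os.urandom(16)
        plain = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN)) for _ in range(n)]
        self.hashes = [_code_hash(self.key, c) for c in plain]   # a slot becomes None once struck out
        self._plain = plain

    def printout(self) -> list:
        plain, self._plain = self._plain, None
        return plain

    def remaining(self) -> int:
        return sum(h is not None for h in self.hashes)

    def strike(self, code: str) -> bool:
        """Consume `code` if it is an unused entry. Every slot is compared each time, so the
        time taken does not reveal which slot (if any) matched."""
        if not isinstance(code, str):
            return False
        h = _code_hash(self.key, code)
        hit = None
        for i, stored in enumerate(self.hashes):
            if stored is not None and hmac.compare_digest(stored, h):
                hit = i
        if hit is None:
            return False
        self.hashes[hit] = None
        return True


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw = _pw_hash(password, self.salt)
        self.sheet = Sheet()


def register(users: dict, name: str, password: str) -> list:
    """Create the account and return the first sheet's codes for printing or mailing."""
    users[name] = Account(password)
    return users[name].sheet.printout()


def renew(users: dict, name: str) -> list:
    """Replace the sheet (old codes stop working) and return the new codes for printing."""
    users[name].sheet = Sheet()
    return users[name].sheet.printout()


def needs_new_sheet(users: dict, name: str) -> bool:
    return users[name].sheet.remaining() <= LOW_WATER


def login(users: dict, name: str, password: str, code: str) -> bool:
    """Two-factor login: password first, so a wrong password cannot burn a code, then strike the code."""
    acct = users.get(name)
    if acct is None:
        return False
    if not hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw):
        return False
    return acct.sheet.strike(code)


if __name__ == "__main__":
    db = {}
    sheet = register(db, "bob", "correct horse")     # constructed sample account
    print("first code on the sheet:", sheet[0])
    print("login:", login(db, "bob", "correct horse", sheet[0]))
    print("replay:", login(db, "bob", "correct horse", sheet[0]))
    print("unused codes left:", db["bob"].sheet.remaining())
```

A missed guess does not consume anything, so an attacker who only has the password cannot burn the sheet, and a used code is dead even if it was shoulder-surfed or keylogged. What the list does not cover is #85's keylogger scenario for the regular password itself; that is why the bank example in #113 treats the sheet as a second factor rather than a replacement.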
  114. Re:whoo. (corrected :) by Anonymous Coward · · Score: 0

    Sorry about being anal, but the keys are generated every "sixty" seconds *NOT* six seconds. Six seconds is about how long it takes for me to put in my PIN and the 6 digit number.

  115. You could always use a soft-implementation... by Ayanami+Rei · · Score: 1

    in a palm or something, using an access PIN to decrypt the local secret.

    That only saves you money of course if everyone already has a PDA.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  116. Not $60 ... recheck the financials on this. by Anonymous Coward · · Score: 1, Insightful

    The fobs are only about $20. I used to work at AOL, and if we lost ours, that was the charge to the department for replacement. $20. That's the rate they buy them at for 9000-10000 employees. They do a deal with RSA to open up SecurID to the world, the price will go down significantly.

    I'd be willing to bet that $9.95 is break-even cost on the fob, and the $1.95 gets split evenly between RSA and AOL.

    So far, analysts predict this to only appeal to a narrow range of AOLers, guesstimating 5 to 15% of the member population. On the low side, let's take 5% of 30MM users, = 1.5MM people. At a measly $0.975 each (revenue split with RSA), * 1.5MM users, that's $1.4MM per month, that's about $17MM/year of revenue for AOL and $17MM/year for RSA.

    I'd like to be the guy who found $17MM of revenue for my company.

    Plus, as it's already there to support employees, the infrastructure is already built in to the AOL login servers, so there is no net new cost there.

    Last I knew, only OpsSec had access to bind/unbind fobs, sometimes you also needed to resync them. But, it would be trivial to train the member services team on resetting the fobs, resetting, etc.

    From a security perspective, now instead of simply calling up and pretending to be you to get your password reset, I call up pretending to be you, and have lost "my" fob and get the account unbound until I find it... but maybe they'll have some precautions around that.

  117. Sure, it's easy. by Ayanami+Rei · · Score: 2, Interesting

    Get a phone with Java. Make sure your home machine is using NTP (or GPS, or both) to keep accurate time. Your phone should get its time from the cell tower (or GPS if it has that).

    Write a J2ME app (or find one, I think you can) that takes the current time rounded to the nearest minute, asks you for an unlocking-PIN, which is used to decrypt a shared secret. Hash the secret with the current time (SHA-1 is good enough). Show the lower 8-bytes or something.

    On the server, write a PAM module that does the same thing, except maybe it creates 8-byte hashes for a minute behind and ahead too, and accepts any of them (to account for time jitter).

    So you go to log in, pop open your java app on your cell, type in the PIN, write down the hash, and then use that to login via SSH or FTP or whatever.

    Of course, ssh public-key authentication is just as secure as this (you have key halves on each side, the client side's protected by a pass-phrase, you encrypt a random challenge which is dependent on time, among other things...) Actually, I think I trust a PKI-scheme with 1024+ bits more than a symmetric hash-based system.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  118. Exactly! by bs_02_06_02 · · Score: 1

    This isn't some method to fleece customers. It's a way to establish credibility. I've had SecurID fobs for years. They are a pain in the ass, but they are secure. They are reliable. I've never had any problem with "out-of-synch" as one other thread mentioned.

    It was nice for travelling. I could get into our intranet from anywhere in the world.

    --
    -- No sig for you!
  119. Re:Security Functionality by Izmunuti · · Score: 1

    I've used these doo-hickies. The thing has an expiration date (about a year) and you have to swap out periodically. The battery lasts long enough to get you past the exp. date. Never had one croak before it had to be swapped anyway.

  120. Re:Not a bad idea for ATMs by Celt · · Score: 1

    The machine may not see your PIN but somebody looking over your shoulder could

    At least with a PIN and a SecureID you have less of a chance of somebody seeing your PIN and stealing your SecureID tag.

    --
    "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
  121. One other idea: Parental Control by HalfOfOne · · Score: 1
    I can see a huge use for this in the private sector. Mom finds out junior is abusing her internet account. She takes away the token, and only provides it when junior behaves. Added bonus is that we don't have to deal with junior trying every 'sploit he can find.

    Caveat: if junior is anything like me, he'll either do some social engineering and get another token issued, or find another way to get dialup. Of course, if junior's mom is anything like mine was, that won't be under the radar for that long. My biggest motivator from 7-15 was trying to outwit my parents.

  122. Re:Security Functionality by JAgostoni · · Score: 1

    Exaaaactly. If a small business relies on AOL for their ISP/road-warrior needs then chances are they really aren't aware of security issues. One good spin on this is it is exactly these sort of people that will buy into this ... bad spin being that they will indeed bleed information (credit card#, account logins for banking) via some other orifice.

  123. REALLY old news... by Anonymous Coward · · Score: 0

    ...a roommate worked for Digital City in the late nineties and had an AOL account as a result. In addition to his password he had a small keychain that generated a six digit number that had to be entered as well.

    1. Re:REALLY old news... by dlb · · Score: 1

      Uh yeah.
      Secureid key fobs are nothing new.

  124. AOL Says "No Such Device" by sipy · · Score: 1

    I just got off the phone with AOL (well, their India-based customer support, actually) and they say that AOL has no such device.

    In fact, they got a supervisor on their radio who was barking questions like "how did you know about it?/Who told you?/Are you an AOL employee?/We don't have any such item." (etc.).

    Sounds like AOL India is into a FUD campaign of their own. Maybe, being tens of thousands of miles away, they are actually the last to know about this device?

    If anyone hears how to get one, please email me. I'd love to try it.

    Thanks!

  125. Re:Not a bad idea for ATMs by austad · · Score: 1

    This is false. While ATMs are required to have this functionality, it's not required to be enabled until 2006. Almost no one has turned it on, even though the functionality is there. The security of ATM machines is poor, I should know, I worked with them for about a year doing network stuff on the backend, which required in depth knowledge of how the machine worked and how to admin it.

    A little more security could be added by forcing a user type his PIN *and* his SecurID/SafeWord/CryptoCard code, but that doesn't stop a motivated attacker with knowledge of how the machines communicate with the banks auth server. In several scenarios, the PIN is irrelevant, in fact, having a valid card is irrelevant also.

    I do security for a living, and I've been doing it for a long time. Obviously, I don't know everything, but some of the scenarios I mentioned I brought up with Diebold, and they agreed that they do pose a threat.

    Anyone who thinks an ATM is secure is just plain wrong.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  126. Humans Unintentionally Make This Obsolete by prattboy · · Score: 1

    I guess I don't see how this will make a system more secure in an office setting. Let's take my dad who works for a local government agency, as an example. To log on to his work station, he needs to enter in his password. Because he has to change his password every 60 days to something new, he writes it in Sharpie on his CPU unit for everyone to see and crosses out the old one. (If he didn't have to enter in a new password every two months, he'd still probably write it on his computer just to make sure he wouldn't forget it.) Now let's say he needs to enter a password from a key fob. I'd say he's not very likely to take the device with him because he would be afraid of losing it or forgetting it. So he'd probably leave it right on the CPU with his Sharpie-written password. Heck, he'd probably write the password right on the back of the fob. Unfortunately, anyone coming into his office could still gain unauthorized access to his computer. Doesn't sound very secure to me.

  127. ugh securid, im sure RSA pushed this by sPaKr · · Score: 1

    As someone that has had to work with SecurID more than once, I can tell you it's a heaping pile from the 80s. The client libraries are crap, mostly written for winblows, and ported by some grad students via macros. Two factor authentication is usually characterized by 'something you have and something you know'. You know your password (PIN in RSA parlance) and you have a token which has a value; together you get a passcode. Really AOL should have been smarter and just issued digital certificates to their users. This would make the hardware not required (unless you used USB dongles to hold the cert) but also allows for much higher encryption, better management, and it's cheaper as all you need to do is create your own CA and start issuing certs. I'm rather surprised that Verisign didn't try to win the AOL deal.

  128. Re:AOL Employees...try Earthlink! by Anonymous Coward · · Score: 0

    Let's just say it sucks. I worked over at an outsourced Earthlink call center for a while in Las Vegas and that was about as dumb a mistake as I could ever make. I had the exact opposite problem of being too fast with calls. No, I wasn't a tosser, I just got to stuff quickly and just got it done, since 90% of the problems were just needing a dialup #, a rebuild of the TCP/IP stack and a new dialup connection, or were something I couldn't help 'em with ("I'm cheap and don't wanna pay someone to fix my computer so I called you since I pay Earthlink $20 a month" people), or were something we were supposed to send to level 2 (of which half of them were women and were "easy" to say the least, so there wouldn't be much help there). Ended up getting hassled constantly because my average time would be anywhere between 5-7 minutes, and then when there was a call I actually needed to take some time with they'd tell me to get them off the phone the moment I hit 10 minutes. Finally ended up not showing up for a month after they decided to make everyone on the floor learn to "support" Macs and reduce my pay back to everyone else's, since I was one of like 6 that knew how to even work a Mac (I was level 2 Mac, but not PC...go figure). Came in, grabbed my check, and my supervisor was so dense she asked me if I was working that day. Just handed her my badge and walked out. Hope she got the message finally.

  129. Um... they want to make it more secure by Anonymous Coward · · Score: 0

    Then don't give users the option to save their passwords.

  130. Content providers have had these since '96 or so by hatless · · Score: 1

    If I recall, AOL started requiring the use of SecurID keyfobs for content-provider logins sometime around 1996, when they rolled out their graphical form-design tools or Rainman Plus or something.

    Given how many corporate workers, especially in field sales, use AOL as their travel ISP since it's so easy to change cities and countries, it's about time AOL recognized the demand for this kind of thing.

    In most ways, AOL's a goofy (and expensive) choice for a business ISP, but very few dialup ISPs bother to offer a decent dialer addon with a built-in worldwide database of access numbers, so AOL remains one of a handful of low-fuss choices for the kind of person who ends up in a different city (or country) every few days and just wants to plow through their email.

  131. Re:Not a bad idea for ATMs by zoombat · · Score: 1

    At least with a PIN and a SecureID you have less of a chance of somebody seeing your PIN and stealing your SecureID tag.

    I'm a bit confused.. ATM's already use two-factor authentication: What you know (your PIN) and what you have (your ATM card). Doesn't using a SecurID just add another "what you have" factor? Or are you just saying that you're less likely to lose both your SecurID and card at the same time?

  132. Re:Security Functionality by dnoyeb · · Score: 1

    I see a lot of merchants using yahoo for their transactions. Maybe this is aol trying to get into the same.

    Also I know Ford uses this technology for remote logins.

  133. Re:Security Functionality by dnoyeb · · Score: 1

    naa, the advantage of using AOL is the perceived customer support. I thought MCI taught us years ago that large ISPs couldn't provide anywhere near the support of small ISPs. But some don't learn.

  134. Re:Security Functionality by ImaLamer · · Score: 1

    Hey, I was actually being serious.

    (And I actually liked a lot of AOL's features, seems to have bundled plenty of pay/'plus' services available on the Internet for their customers... oh well.)

  135. Start of something big? by Anonymous Coward · · Score: 0

    So, AOL has gone and bought some RSA Radius
    Servers for their customers (finally).

    Maybe its time to buy some RSA stock again.

  136. Re:Got a good screen name? Get one of these. by tacokill · · Score: 1

    Uhh, I've had my Yahoo account since 1996 and have never had an issue with crackers or hackers. Not once....ever.

    Perhaps you should think about changing your password? I may be talking out of my ass here but to my knowledge, Yahoo is fairly difficult to crack. Yes, you can guess passwords, phish, etc....but I've yet to hear of a Yahoo account getting owned without SOME help from the legit owner of the account.

    Anyone else care to chime in? I only speak from my own experience.

  137. My card is skewed! by pyrrhonist · · Score: 1
    I helped develop a system about 8 years ago that used RSA SecureIDs to log on to the system. The SecureID card or fob, in AOL's case, has a small computer in it which continuously executes an algorithm to generate a sequence number. The card is a self-contained system that automatically stops working after 4 years. I'm not sure if this is due to the battery being drained, or something to do with the algorithm used.

    During logon, the user enters their user ID and the sequence number from their card. Since the sequence number changes every 10 seconds, the user has ten seconds to enter the current sequence number when they log in. If they don't make it in ten seconds, the login is not allowed, and they have to enter the next sequence number. There is a small "bar graph" next to the sequence number that tells the user exactly how much time they have left to enter the number.

    Our system used the model of SecureID with the built in keypad. The system we used was different from the AOL system in that you entered a PIN into the card, and the card would then tell you what the correct sequence number you should enter was. The SecureID AOL chose to use always displays the sequence number, and you enter it and your password when you log on. The SecureID system we used is more secure, because someone can't use a keylogger to get your password, and then steal your card.

    The sequence number is then authenticated against a server (called ACE) that is able to calculate the next sequence number for any card that it knows about. When logging in, the card's version of the sequence number is compared to the ACE server's version of the sequence number, and if it matches, the login is allowed. The ACE logon sequence can be integrated into any application using a fairly simple API. For our application, we integrated the ACE API with NSAPI for use with Netscape servers.

    Now, here's the problem. The algorithm is not without its faults. Sometimes the card and the server disagree on what the next sequence value is. This can happen easily if you don't enter the sequence number within the 10 second time limit a number of times, or the sequence number changes just as you finish entering it. When this happens, the card is considered "skewed", and there is a sequence of operations that need to be performed to "unskew" the card, that consist of having the user enter the currently displayed sequence number a number of times. If there is a problem unskewing the card, the user gets locked out. A user can also be locked out if their card is skewed too many times.

    Skewing happens often enough to be annoying from a technical support point of view. We had to deal with it quite often with our application, and we did not have more than 200 users. Our users were used to dealing with security, and this type of hardware was not new to them (i.e. experts). Now think about how many clueless users AOL is going to have for this service, and how many people are going to mess up when unskewing their card. This is going to be a technical support nightmare.

    --
    Show me on the doll where his noodly appendage touched you.
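The time-based scheme #117 sketches (a code derived from a shared secret and the current minute, with the server also accepting one minute either side), the skew and resync problem #137 describes, and the lock-out-as-denial-of-service point in #112, carried through as one added example. This is my code, not RSA's algorithm, not the ACE server's resync procedure and not anything from those posters: it uses HMAC-SHA1 over a 60-second step counter rather than the bare SHA-1 of secret and time that #117 suggests, the window sizes and failure limit are made-up parameters, and recovering a drifted token from two consecutive codes is my choice of procedure. Fixed timestamps are used in the demo so the output is reproducible.

```python
import hashlib
import hmac
import struct
import time

# Parameters chosen for this example; the 60-second step matches the device discussed in the thread.
STEP = 60            # seconds per tokencode
DIGITS = 6
WINDOW = 1           # steps of clock jitter tolerated on a normal login
RESYNC_WINDOW = 30   # steps searched when the user is asked to resync a skewed token
MAX_FAILURES = 5     # consecutive bad codes before the token is locked


def tokencode(secret: bytes, step_index: int, digits: int = DIGITS) -> str:
    """Tokencode for one time step: HMAC-SHA1 over the step counter, dynamically truncated to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one issued token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset = 0       # token clock minus server clock, in steps (learned by resync)
        self.last_step = -1   # highest step already accepted; blocks replay inside the window
        self.failures = 0
        self.locked = False


def _step(now) -> int:
    return int((time.time() if now is None else now) // STEP)


def _wellformed(code) -> bool:
    return isinstance(code, str) and code.isascii()


def verify(rec: TokenRecord, code: str, now: float = None) -> bool:
    """Normal login check: accept the code for the current step or WINDOW steps either side, once."""
    if rec.locked or not _wellformed(code):
        return False
    base = _step(now) + rec.offset
    for idx in range(base - WINDOW, base + WINDOW + 1):
        if idx <= rec.last_step:
            continue    # that step was already used, or is older than one that was
        if hmac.compare_digest(tokencode(rec.secret, idx), code):
            rec.last_step = idx
            rec.failures = 0
            return True
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.locked = True   # anyone who can reach the login form can trigger this (the #112 concern)
    return False


def resync(rec: TokenRecord, code1: str, code2: str, now: float = None) -> bool:
    """Skewed-token recovery: the user reads two consecutive codes; the server searches a wide
    window for that pair, records the drift as an offset and clears any lockout."""
    if not (_wellformed(code1) and _wellformed(code2)):
        return False
    base = _step(now)
    for delta in range(-RESYNC_WINDOW, RESYNC_WINDOW + 1):
        idx = base + delta
        if (hmac.compare_digest(tokencode(rec.secret, idx), code1)
                and hmac.compare_digest(tokencode(rec.secret, idx + 1), code2)):
            rec.offset = delta          # accurate to within one step; verify()'s window absorbs the rest
            rec.last_step = idx + 1
            rec.failures = 0
            rec.locked = False
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed demo seed, 20 bytes!"   # sample seed, not a real token's
    rec = TokenRecord(secret)
    now = 1_700_000_000.0                           # fixed clock for a reproducible demo
    shown = tokencode(secret, _step(now))
    print("token shows", shown, "-> verify:", verify(rec, shown, now))
    print("same code again (replay):", verify(rec, shown, now))
    # A token whose clock runs 10 minutes fast fails the normal window but resyncs from two codes
    fast = TokenRecord(b"another constructed seed")
    base = _step(now)
    c1, c2 = tokencode(fast.secret, base + 10), tokencode(fast.secret, base + 11)
    print("fast token, normal login:", verify(fast, c1, now))
    print("resync with two codes:", resync(fast, c1, c2, now), "offset =", fast.offset)
```

Tracking `last_step` means a code captured over someone's shoulder is useless once the owner has typed it, even inside the jitter window. The same counter is what makes `resync` safe to expose to users: a wrong pair does nothing, and a correct pair can only come from whoever holds the token. The lockout is the trade-off #112 points at: five bad codes from anyone who knows the screen name disable the token until a resync or a support call, so in practice the limit is applied per source as well as per account.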
  138. Re:Not a bad idea for ATMs by Facekhan · · Score: 1

    They did not turn it on? That is perhaps the worst possible idea ever (on the ATM operators' end of things) but you do seem to know more than I about it. So I can just tap the line between those supermarket ATMs and the bank and get everyone's info? I did recently become aware that the maintenance access on some of those ATMs comes up from pressing two of the buttons at once and the password is just a short PIN number.

  139. Re:Security Functionality by Anonymous Coward · · Score: 0

    I've been using SecurID for two years now, and it's never gotten 'out of sync', nor have I heard of such a thing happening to anyone in the company (10k+).