Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Moves Beyond Single Passwords for Log-Ons

Posted by ryuzaki0 on from the are-you-secure-yet dept.

ars writes "Yahoo is reporting that AOL is adding a new feature alowing customers to use two passwords to log on. The second password comes from a small small device from RSA Securitywhich displays a new password each minute. The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."

8 of 309 comments (clear)

  1. AOL Employees by Anonymous Coward · · Score: 4, Insightful

    Used to have to use them, smartID or something. ALL internal accounts were locked... its a very secure system, but hard to believe that users would actually want to use it.

  2. Not a bad idea by Celt · · Score: 5, Insightful

    AOL/TW employee's use these so why not offer it to customers, imho if banks gave out these devices for a one-off-fee on-line banking would be ALOT safer and there'd be less scams.

    Also sometimes those secure ID devices can go out of sync with the server and thats when the fun begins :)
    Thats the only problems I've seen with them,

    --

    --
    "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
  3. Re:Isn't there a much easier way...? by dr_dank · · Score: 4, Insightful

    Why the bloody SecureID system that's so klunky?

    Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.

    --
    Where does the school board find them and why do they keep sending them to ME?
  4. You can't copy a physical token by morzel · · Score: 5, Insightful
    If I get into your PC, I can copy your certificate without you ever knowing it until it's too late.
    I obviously can't steal your RSA token without you finding out pretty soon.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
  5. Re:whoo. by k98sven · · Score: 4, Insightful

    All it does is make an attack "more" difficult, but nowhere near impossible

    Yes. Exactly like every other security system ever designed.

    Your point is?

  6. Re:Isn't there a much easier way...? by virtual_mps · · Score: 5, Insightful
    Something I've waited for years and it never come--maybe someone can explain why: client-side SSL.

    Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.
  7. Re:whoo. by bitslinger_42 · · Score: 5, Insightful

    Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:

    1) Targeting users of sdshell and a token card
    2) Denial of service
    3) Require access to the server network

    #1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters ther numeric pin which is mathmatically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromize of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.

    The second, the DoS attack, is old, and its not like AOL hasn't dealt with DoS attacks before.

    The third require pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?

    If you read the hacker rags closely, you'll find that the keyfobs auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while its technically possible in some circumstances to do an attack on the SecurID process, its usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)

  8. Re:Security Functionality by gcaseye6677 · · Score: 4, Insightful

    What I'm curious to see is how this would affect "people who conduct large transactions online", who the article said were one of the target groups for this device. There are currently no plans to integrate this with banks or credit card companies, so how exactly does this protect peoples' account information? If bobbyjoe44@aol.com has an account at Bank One, I can still send them a fake "update your information" email, they put in their Bank One password and other info, and I get into their account. Meanwhile, the keygen thing is only protecting their AOL account and I'm cleaning out their bank account.

    The only thing this really secures is AOL's bottom line, by preying off of peoples' fears and giving them something that makes them FEEL more secure online.