
AOL Moves Beyond Single Passwords for Log-Ons

CmdrTaco posted about 10 years ago | from the are-you-secure-yet dept.

Security 309

ars writes "Yahoo is reporting that AOL is adding a new feature allowing customers to use two passwords to log on. The second password comes from a small device from RSA Security which displays a new password each minute. The scheme is called two-factor authentication and will cost $1.95 a month plus a one-time $9.95 fee. It's aimed at small business and people who conduct large transactions online."


309 comments


I hereby suggest (0, Troll)

Adolf Hitroll (562418) | about 10 years ago | (#10307234)

all the American sinners repent before it's too late.
Eat light and shut up, Yanx !

Security Functionality (3, Insightful)

Tyndmyr (811713) | about 10 years ago | (#10307251)

It's a security improvement, yes... but why would I want to use AOL regardless?

I tried it...it was slow, often down, and required special software. None of which my cable connection is subject to.

Re:Security Functionality (3, Funny)

ptr2004 (695756) | about 10 years ago | (#10307314)

For the tin-foil-hat-wearing folk, you can get a three-password login for one low fee of 5.95.

Re:Security Functionality (-1, Troll)

ImaLamer (260199) | about 10 years ago | (#10307337)

To get a free iPod of course [freeipods.com] !

No joke, a free AOL trial has got me one step closer.

Re:Security Functionality (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#10307599)

Go fuck yourself, spammer.

i always wanted it. (0, Funny)

Anonymous Coward | about 10 years ago | (#10307255)

Yes, I always wanted to pay to have a longer login time. Too bad I'm not using AOL...

And... If I don't need a password... at all... (5, Funny)

Demanche (587815) | about 10 years ago | (#10307256)

Can I have a $2 discount???!??!

^^ Average American reply if this gets implemented.

Have fun at the AOL sales desk ;)

Re:And... If I don't need a password... at all... (2, Funny)

nearl (612916) | about 10 years ago | (#10307332)

Can I have a $10 discount and 3 passwords? ^^ Average Indian reply

Wolfe+585, Sr. (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#10307257)

xylene Virtue is its own punishment. -- Denniston Righteous people terrify me ... virtue is its own punishment. -- Aneurin Bevan xylene

AOL Security at work again... (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#10307262)

This email requires you to send your emails to AOL for verification; make sure to enclose both of them please!

Sheesh, if you have a stupid simple password and use AOL, what are the chances you will choose to use two (and then make at least one of them complex)?

Re:AOL Security at work again... (3, Informative)

Anonymous Coward | about 10 years ago | (#10307321)

RTFA you nincompoop... one of the passwords changes every minute, and it's generated automatically. So phishing attempts would not be all that successful.

AOL Employees (4, Insightful)

Anonymous Coward | about 10 years ago | (#10307264)

Used to have to use them, smartID or something. ALL internal accounts were locked... it's a very secure system, but hard to believe that users would actually want to use it.

Re:AOL Employees (1)

clickster (669168) | about 10 years ago | (#10307406)

They were called SecureID. I had one when I worked there (traumatic life-altering mistake). It is a very secure system. I wish I could tie it to my e-mail or perhaps for a login to VPN to my home network. Anyone know if it's possible to use SecureIDs for your own personal home system (certainly at a price)?

Re:AOL Employees (1)

gfxguy (98788) | about 10 years ago | (#10307408)

I still do... RSA SecurID... don't need it to get mail from "outside" if you're happy with the exchange web interface, but I need it in order to VNC inside the Turner (an AOL/TW company) firewalls.

Isn't there a much easier way...? (3, Interesting)

MurrayTodd (92102) | about 10 years ago | (#10307265)

Something I've waited for for years and it never came--maybe someone can explain why: client-side SSL.

To my understanding, you would place a client-authenticating certificate in your web browser program, and during the SSL negotiation that certificate would be used for authentication.

The only two problems were (again, to my limited understanding) first that you had to go through the effort of installing the certificate on every browser you used, and second, the security could be broken if someone had access to your account. (Of course, account login security and browser "first-time-on-launch" passwords helped protect against that.)

Why the bloody SecureID system that's so klunky?

Re:Isn't there a much easier way...? (4, Insightful)

dr_dank (472072) | about 10 years ago | (#10307335)

Why the bloody SecureID system that's so klunky?

Klunky? Given the average skill of the AOL user, telling them to punch in the code from the SecureID keyfob couldn't be easier to do. Better than importing and keeping track of ssl certs across machines.

You can't copy a physical token (5, Insightful)

morzel (62033) | about 10 years ago | (#10307352)

If I get into your PC, I can copy your certificate without you ever knowing it until it's too late.
I obviously can't steal your RSA token without you finding out pretty soon.

Re:Isn't there a much easier way...? (1)

datadriven (699893) | about 10 years ago | (#10307359)

The retailer is the one that needs to be certified. Client side certification would allow you to be securely connected to fraudulent retailers.

Re:Isn't there a much easier way...? (5, Insightful)

virtual_mps (62997) | about 10 years ago | (#10307415)

Something I've waited for for years and it never came--maybe someone can explain why: client-side SSL.

Because client-side security sucks. The push for personal certificates is to provide non-repudiatable authentication. Think about that for a moment--do you want your identity tied to something sitting on your home computer? Something that, once taken, could provide access to your bank accounts, credit, medical history, etc.? Something that, legally, you'd have an uphill battle to prove wasn't used by you? Something that would be a prime target of the next worm? I find it's a lot harder to compromise a "klunky" device that's not connected to the computer than to compromise a certificate that is on a computer. Client SSL is snake oil--it's theoretically great, but just can't be implemented securely with current technology.

Re:Isn't there a much easier way...? (1)

Alioth (221270) | about 10 years ago | (#10307513)

Although it's not perfect, it's hardly snake oil. We use client-side certificates to keep the random crackers away from the login screen - they don't see anything unless they have the certificate. However, we DO NOT use them to identify individuals - it's only a very rough grained and basic bit of authentication to keep random people away.

This has been used internally for years (1, Informative)

David_W (35680) | about 10 years ago | (#10307276)

Interesting... this particular feature has actually been a part of AOL for several years now. All AOL employees are issued SecureIDs and are required to use them to log in to various places. It seems they've just expanded the feature to non-employees.

Re:This has been used internally for years (2, Informative)

LetterJ (3524) | about 10 years ago | (#10307504)

A lot of companies use them for their VPN access. Several of the last big companies I've contracted for have required them. Some just use the value from the fob and others require a concatenation of the fob value and a prechosen password.

Unfortunately, I've found that the fobs tend not to enjoy the abuse that being on my keychain tends to bring. The LCD panels end up pretty scratched by the time I'm done with them.

Nothing new (-1, Redundant)

DrXym (126579) | about 10 years ago | (#10307277)

AOL has had this capability for a long time - all their employees already use a secure ID to log in, in addition to a password. Now they're just allowing (and charging) the wider world to use the same system.

Re:Nothing new (1)

LnxAddct (679316) | about 10 years ago | (#10307577)

I believe they're charging because the device costs money and also they have to administer the RSA ACE/Server, which I'm sure costs a lot in licensing and to keep it running.
Regards,
Steve

noone will get this (2, Insightful)

Anonymous Coward | about 10 years ago | (#10307280)

because it costs money.

"Identity theft only happens to other people"

Re:noone will get this (0)

Anonymous Coward | about 10 years ago | (#10307523)

They're already paying a premium for AOL's inferior service. I'd say the opposite, these customers are used to paying more for less and they'll gladly fork over an extra $2 for this feature.

Not a bad idea (5, Insightful)

Celt (125318) | about 10 years ago | (#10307281)

AOL/TW employees use these, so why not offer it to customers? IMHO, if banks gave out these devices for a one-off fee, on-line banking would be a lot safer and there'd be fewer scams.

Also, sometimes those secure ID devices can go out of sync with the server, and that's when the fun begins :)
That's the only problem I've seen with them.

--

Re:Not a bad idea (3, Informative)

PugMajere (32183) | about 10 years ago | (#10307360)

When they go out of sync, either they haven't been used in a *long* time, or the server's clock is drifting badly.

The server is designed to track slight drifts in time and track/compensate for the cards.

Even if they are out of sync, the most you have to do is enter two codes instead of just one.

Re:Not a bad idea (1)

cockroach2 (117475) | about 10 years ago | (#10307465)

Some banks (like mine [credit-suisse.com]) actually do that (for free, even). And I doubt I would use online banking without (anything like) it.

Re:Not a bad idea (1)

Meostro (788797) | about 10 years ago | (#10307517)


AmEx [americanexpress.com] provides SmartCard readers [americanexpress.com] for its Blue line, with a program already embedded in the chip on the card.

Pretty cool.

"Fobs" (0)

Anonymous Coward | about 10 years ago | (#10307284)

These are the same devices the internal AOL employee accounts have been using for years.

whoo. (2, Informative)

nbvb (32836) | about 10 years ago | (#10307285)

SecureID.

Whoo.

Been there, done that.

All it does is make an attack "more" difficult, but nowhere near impossible:

http://www.tux.org/pub/security/secnet/papers/secureid.pdf

Re:whoo. (1)

maximilln (654768) | about 10 years ago | (#10307309)

All it does is make an attack "more" difficult, but nowhere near impossible

It also makes Linux dialup (chatscripts) darn near impossible.

Re:whoo. (4, Insightful)

k98sven (324383) | about 10 years ago | (#10307411)

All it does is make an attack "more" difficult, but nowhere near impossible

Yes. Exactly like every other security system ever designed.

Your point is?

Re:whoo. (2, Insightful)

lysander (31017) | about 10 years ago | (#10307521)

For the external attack described in the document you mentioned, it assumes that the SecureID token's value is sent in the clear. I don't know about you, but this seems like a pretty big assumption. If one enters the value over SSL or SSH, observing the value over the network is harder, and makes the first attack not feasible.

That leaves the rest of the document describing attacks between the machines that verify the value, which hopefully are internal and not snoopable from the outside.

Re:whoo. (0)

Anonymous Coward | about 10 years ago | (#10307542)

The article you link to describes how to attack a SecurID session by trying each of the remaining 10 possibilities as soon as the user has entered all but one of the digits given by the SecurID card.
The attacker eavesdrops in order to get the n-1 digits, which implies that the digits are sent one by one over an unencrypted connection (think telnet).

I don't see how this method can be used to attack the SecurID session I establish with my bank, since I type in all 6 digits on my client, then they are sent over to the bank in one bunch, and they are sent over https.

Re:whoo. (5, Insightful)

bitslinger_42 (598584) | about 10 years ago | (#10307564)

Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:

1) Targeting users of sdshell and a token card
2) Denial of service
3) Require access to the server network

#1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters their numeric PIN, which is mathematically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromise of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.

The second, the DoS attack, is old, and it's not like AOL hasn't dealt with DoS attacks before.

The third requires pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?

If you read the hacker rags closely, you'll find that the keyfob auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while it's technically possible in some circumstances to do an attack on the SecurID process, it's usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.)

Useless (1, Informative)

cly (457948) | about 10 years ago | (#10307286)

When common folk's computer is still infested with adware/trojan/god-knows-what

This just creates an illusion of security.

Re:Useless (3, Insightful)

Lord Ender (156273) | about 10 years ago | (#10307376)

"When common folk's computer is still infested with adware/trojan/god-knows-what

This just creates an illusion of security."

Wrong. You could have a damn key logger on their computer, it doesn't matter. The SecurID password expires every minute.

Sorry this needs to be said, but... (2, Funny)

Anonymous Coward | about 10 years ago | (#10307289)

like most technologies, this one will never be embraced unless the pr0n industry stands behind it. They've been early adopters on almost everything else that's been successful.

I had one of these before (1)

forgotten_my_nick (802929) | about 10 years ago | (#10307290)

For a company I worked for. It worked great, but they ended up scrapping it. Not sure why. I still have it sitting in a drawer years later still spewing numbers.

I suppose if someone was out to get you then they could steal the ID code generator.

Re:I had one of these before (1)

caluml (551744) | about 10 years ago | (#10307355)

Interesting - wonder if it's the same company as me?

This will make the problem disappear. (4, Funny)

AhabTheArab (798575) | about 10 years ago | (#10307292)

Great, now phishers will have to ask AOL users for their password twice, and they will gladly comply.

Re:This will make the problem disappear. (1)

Baumann (238242) | about 10 years ago | (#10307328)

Not quite true for the secureID - it is a time-locked device. Unless of course the phisher uses the password within 60 seconds of getting it. Not bloody likely.

Re:This will make the problem disappear. (5, Informative)

JohnHegarty (453016) | about 10 years ago | (#10307346)

two points...

1) it only lasts 60 seconds
2) if used, it can't be used again until the minute is up

Good deal (1)

Realistic_Dragon (655151) | about 10 years ago | (#10307302)

AOL rip your card off by another $60 every year - saves small business the time and trouble of going out and finding a genuine internet criminal to perform that vital service.

No wonder they are America's number 1!

Re:Good deal - basic math? (2, Informative)

Meostro (788797) | about 10 years ago | (#10307443)

How exactly does $9.95 plus $1.95 per month get to be $60/yr?

1.95 * 12 = 23.4
23.4 + 9.95 = 33.35
33.35 != 60

Re:Good deal - basic math? (1)

Inda (580031) | about 10 years ago | (#10307474)

Beat me to it...

What I would like to know is why the IT department at my place of work charges 80 GBP ($145) for these? Someone is on a winner down there, that's for sure.

AOL...cutting edge security. (2, Insightful)

Captain BooBoo (614996) | about 10 years ago | (#10307305)

This is going to be a complete waste of time IMHO. The AOL user base is such that a typical AOL user has a password like "password" or "MikeJohnson". How do they expect users to be able to handle a second password that is strong? "I forgot my password, can you help?" "Yes, just read the display on your password generator." "OK, what does 'dgR23Ls12S' have to do with me? My name is Mike Johnson."

Re:AOL...cutting edge security. (0)

Anonymous Coward | about 10 years ago | (#10307391)

This is going to be a complete waste of time IMHO. The AOL user base is such that a typical AOL user has a password like "password" or "MikeJohnson". How do they expect users to be able to handle a second password that is strong?

Uhmmm... You've never used SecureID, have you?

The basic idea is that since you have two passwords, your static password doesn't have to be strong - a 4-number PIN is enough.

The SecureID then spews out 6-8 numbers that you add to your PIN.

Since you constantly change one of the passwords, brute-force attacks become really hard to execute.

The user need only remember a 4-number PIN and bring his keychain (to which he has attached his SecureID).

Re:AOL...cutting edge security. (2, Interesting)

BrianRoach (614397) | about 10 years ago | (#10307444)

I worked for AOL for 8 years ... secureID is easy, and keeps the clueless billing reps (now in india I believe) from giving away your account to social engineering "phishers".

The display on the SecureID is just numbers, synced to the auth server. The average user should have no problem entering 8 numbers when prompted.

- Roach
http://www.speedwerks.com

Re:AOL...cutting edge security. (1)

gfxguy (98788) | about 10 years ago | (#10307464)

First, it's only numbers. Second, it's two parts - one is your password that you've set up ahead of time (like usual), the second is the "random" number on the securID. I work with a lot of idiots and they all seem to manage.

good PR (0)

Anonymous Coward | about 10 years ago | (#10307306)

I am glad that someone like AOL has taken it up to push this out and make it in broad use. Even if most AOL users simply ignore it, this could give it the publicity it needs to make it more known so other companies who need it can use it.

Good Idea (1)

AndrewStephens (815287) | about 10 years ago | (#10307312)

This is a good idea. 2-factor authentication (something you know - password, something you have - RSA gadget) should be mandatory for serious transactions. I have seen these things before; they are simple, small, rugged and do not need to be interfaced with the computer, so they can be used anywhere without special hardware.
Even if you have sniffed, bribed, or tortured your way into knowing the password, you will not be able to log on unless you also have the gadget - it's a good solution.

Re:Good Idea (1)

trout_fish (470058) | about 10 years ago | (#10307412)

although if you bribed or tortured your way into knowing the password you could probably bribe or torture your way to obtain the code generator!

Only if you can use just one... (0)

TreadOnUS (796297) | about 10 years ago | (#10307500)

to handle all online transactions. I'd hate to carry one for my bank, one for my credit card, etc.

This isn't new (1)

tyrani (166937) | about 10 years ago | (#10307316)

The RSA keys have been available for a long time. They're great.

I'm impressed that AOL is using them. It shows that they're at least a little concerned with security.

I really hope that this is a starting point for web hosting providers to start using these.

Re:This isn't new (1)

surprise_audit (575743) | about 10 years ago | (#10307538)

Do you have to enter a PIN on the token to get it to work?? I have an Axent Defender token which, if you get the PIN wrong 3 times in a row, locks you out. It has to be sent back to the company Security folks to be unlocked... Hours of fun for AOLers and their kids... :)

Time Drift (2, Interesting)

JumboMessiah (316083) | about 10 years ago | (#10307319)

IIRC, The RSA devices that I've used in the past rely on accurate time synchronization with the server. While it was easy for me to have it reset, I wonder how they plan to handle this on a large scale? It would require the end user to physically send the device back to AOL.

I suppose eventually they may integrate GPS timing with them, making it a thing of the past, but who wants your fob tracking you...

of course it doesn't mean this (1)

RMH101 (636144) | about 10 years ago | (#10307361)

yes, they drift. not much, but a bit: this is why the system accepts a few numbers in the sequence. should it drift *too much* then you just need to phone their access control guys and get it put in "new pin mode" remotely. this happens all over the world, all the time. gps timing and tracking? lay off the crack.

Re:Time Drift - sliding window (5, Informative)

morzel (62033) | about 10 years ago | (#10307461)

IIRC RSA uses a sliding window to correct for time drift.

In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/ahead of schedule and generates a number x entries before/after the expected entry.
If this is the case, the server checks whether number x is in the vicinity (e.g. within 5 minutes) of the expected number. If so, the server assumes that the clock has drifted and records the amount of time that the fob has drifted for the next authentications.
If x is outside that range, but inside a much broader range (e.g. one hour), it will request the number that the fob generates next, and check whether that number matches the one that should come after x. Then it records the drift amount and allows access.

The server automatically compensates for inaccurate clocks in the fobs, as long as you use it regularly. Only if you haven't used your fob for quite some time, and it has a really lousy clock, do they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).
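The following is an added example, not code from the thread or from RSA: a small verifier that models the behaviour the comments above describe for the fobs, namely one code per minute that can only be used once (JohnHegarty, #10307346), a narrow acceptance window in which the server learns the fob's clock drift and a wider window in which it demands the next code before resyncing (morzel, #10307461), and a static PIN concatenated in front of the token code (LetterJ, #10307504, and the AC at #10307391). RSA's SecurID algorithm is proprietary, so the code generation here uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238) instead; the 5-step and 60-step window sizes, the 60-second step, the seed and the PIN are all assumed or constructed values for the demo.

```python
# Added example (not from the Slashdot thread): a time-based one-time-code
# verifier with the behaviour the thread describes for RSA fobs. RSA's
# SecurID algorithm is proprietary; this models it with HOTP/TOTP
# (RFC 4226 / RFC 6238). Window sizes and step length are assumptions.
import hashlib
import hmac
import struct

STEP = 60  # seconds per code: the one-minute cadence described in the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, token_time: float, step: int = STEP) -> str:
    """What the fob displays: HOTP over the current step of the fob's own clock."""
    return hotp(secret, int(token_time // step))


class TokenServer:
    """Verifies PIN + code, learning clock drift and refusing replays.

    near: steps either side of the expected step accepted outright
          (the "within 5 minutes" case). Assumed value.
    far:  steps either side for which a confirming next code is demanded
          (the "one hour" case). Assumed value.
    """

    def __init__(self, secret: bytes, pin: str, near: int = 5, far: int = 60):
        self.secret, self.pin, self.near, self.far = secret, pin, near, far
        self.drift = 0            # learned offset of the fob clock, in steps
        self.last_counter = None  # highest step already consumed (replay guard)
        self.pending = None       # far-window step awaiting its successor code

    def verify(self, passcode: str, now: float, step: int = STEP) -> str:
        """Return 'ok', 'next-code' (resync needed) or 'deny'."""
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return "deny"
        server_counter = int(now // step)

        # Resync in progress: the only acceptable code is the one for the step
        # right after the one seen last time; on success the drift is re-learned.
        if self.pending is not None:
            want, self.pending = self.pending + 1, None
            if hmac.compare_digest(code, hotp(self.secret, want)):
                self.drift = want - server_counter
                self.last_counter = want
                return "ok"
            return "deny"

        expected = server_counter + self.drift
        # Nearest candidate steps first, so an exact match wins over a collision.
        for delta in sorted(range(-self.far, self.far + 1), key=abs):
            counter = expected + delta
            if not hmac.compare_digest(code, hotp(self.secret, counter)):
                continue
            if self.last_counter is not None and counter <= self.last_counter:
                return "deny"  # code already consumed (or older): replay
            if abs(delta) <= self.near:
                self.drift += delta  # small drift: accept and remember it
                self.last_counter = counter
                return "ok"
            self.pending = counter  # large drift: ask for the next code first
            return "next-code"
        return "deny"


if __name__ == "__main__":
    # Constructed demo seed and PIN; a real deployment provisions these per fob.
    seed, pin = b"constructed-demo-seed-not-a-real-token", "1234"
    srv = TokenServer(seed, pin)
    t = 60_000_000  # constructed server time in seconds, aligned to a step
    print(srv.verify(pin + token_code(seed, t), t))                # ok
    print(srv.verify(pin + token_code(seed, t), t + 10))           # deny (replay)
    print(srv.verify(pin + token_code(seed, t + 2160), t + 120))   # next-code
```

The replay guard is what makes the "can't be used again until the minute is up" property hold on the server side: the fob itself has no memory of what was typed, so the server must remember the highest step it has accepted. The drift bookkeeping is per token, so a server fronting many fobs keeps one `TokenServer` state (or its equivalent database row) per enrolled device.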

Seen it used.. (3, Interesting)

the_dubstyler (810220) | about 10 years ago | (#10307323)

My bank uses one of these for online banking, as a protection against keystroke recorders. I suppose I'm just too lazy to actually get hold of one and try it. I figure they're not a bad idea, given that the majority of people trying to hack your accounts are amateurs who would be put off by it.

It's a good thing... (1, Funny)

Jeconais (115460) | about 10 years ago | (#10307325)

second password comes from a
small small device from RSA Securitywhich

... they didn't use a large small device, or a large large device, where would we be then?

Re:It's a good thing... (1)

StevenHenderson (806391) | about 10 years ago | (#10307510)

...and also, is a Securitywhich like a secure sandwich? :)

Should slashdot get this (1, Funny)

ncsg3 (771234) | about 10 years ago | (#10307326)

This could be the next step in security. It may stop outrages like this [slashdot.org] from happening!

Hmm (3, Interesting)

Bigthecat (678093) | about 10 years ago | (#10307333)

As I'm sure many people here have noticed these before, they've probably also noticed how often they go missing. For instance, the employees of a large company right here in Australia are all given these, along with their laptops and logins.

These people aren't techheads, and most of them write their passwords down on pieces of paper, conveniently attached to their laptops, which is then conveniently placed in their work briefcase, along with the password updater.

Suffice it to say, dozens of these briefcases get stolen, in the same bar frequented by employees of this company, every six months (one might ask why they still take their gear there). The thief gets an expensive company fleet laptop, a company password list, and a company satellite password updater, all packed in the same convenient suitcase with a carry handle, ready to go missing.

Ultimately, no matter how many security measures you put in place for a company or organisation, you're going to encounter people who write down their passwords, people who fall for emails from tech support who need to 'verify' their accounts and ultimately people who will have their information stolen and not report it for days, which is plenty of time for the thief, and a less-than-ideal amount of time for people like you and me to have enabled compromised accounts running on the system.

Big Deal :) (2, Insightful)

purduephotog (218304) | about 10 years ago | (#10307339)

Had this ability for corporate accounts for some time. And the problems have never been addressed, some of which:

1) Long dial in times result in the 2nd password changing before completion, thus requiring a 2nd attempt (or a 9th, depending on how pathetic the phone service is)
2) Annoying easily lost dongle on your keychain that says "RSA- STEAL ME" in big bold letters. ...

So yeah, I'm thinking it's a great step. But not for AOL.

Re:Big Deal :) (2, Insightful)

gfxguy (98788) | about 10 years ago | (#10307508)

1. The way it gets used is not for establishing an internet connection, but authenticating the user (broadband users, for example, still need to use one). So you establish your connection, then a password prompt pops up then you type in your password. No automation = more secure.

2. You have an established password PLUS the securID password... even if someone you know steals it from you, and they know your login and have your securID, they cannot log into your account unless they ALSO know your private password, which can't be easy like "mike" or "john", because it's all numbers. Now, sometimes people use stupid numbers (birthdays and so forth), but you are still talking about having two "keys" in order to log into an account.

dongle annoyances (0)

Anonymous Coward | about 10 years ago | (#10307575)

Yeah, and if you have the RSA dongle and a remote car lock/starter, you can look forward to your keys taking on the characteristics of a porcupine.

Serious business people use AOL? (3, Insightful)

siliconjunkie (413706) | about 10 years ago | (#10307347)

This is a great feature to have from an ISP, and the technology is sound (we used similar "Crypto Keyfobs" when I worked at PacBell for logging into the system remotely when in the field)...but I must admit I am surprised that it's AOL offering this kind of a thing.

I used AOL years ago, and have used it from time to time recently on other people's computers, and there is nothing in the "AOL package" that I have seen that says "power user" to me.

So I guess what I am wondering is...is this something that AOL users are actually clamoring for....or has AOL finally sucked up all the "n00b" market that there is and is trying to offer services that would appeal to more of the "slashdot crowd"?

Social engineering (2, Interesting)

maximilln (654768) | about 10 years ago | (#10307348)

How long until the AOL service department implements a policy for allowing users into their accounts when they've lost the SecureID, or their spouse accidentally took it with them, or they're on a business trip and left it at home? I see this being a perfect route for social engineering of unauthorized access.

Think about the average AOL user (1, Redundant)

Baumann (238242) | about 10 years ago | (#10307351)

They're hard pressed to remember their own password, and whine about having to enter that. Now they want them to carry a secureID card, and enter 2 passwords? Can you say marketing fiasco?
secureID works when you can FORCE employees to use it, but having people PAY for it Nah....

This Doesn't Help! (0)

Anonymous Coward | about 10 years ago | (#10307353)

All this device will do is make it harder for the human user to sign on. Once authenticated, the infected computer (often infected through AOL's own service) starts spamming or running transactions automatically for the unsuspecting user.


Get a clue, dump Microsoft while you still have money in your account. If you don't, Microsoft will charge it out of you on the next upgrade or hackers will just take it straight out of your account.

Well... (3, Funny)

ImaLamer (260199) | about 10 years ago | (#10307362)

What happens if I lose my SecurID?

Seriously. If I set my password to "password" and someone picks this up then I'm screwed, right?

Re:Well... (2, Funny)

WesG (589258) | about 10 years ago | (#10307430)

Hmmm...Screwed? Nah..I would call this natural selection.

Seriously - its no different than writing your "simple passwords" on a piece of paper somewhere and someone finding the list. For bonus points, what was the password used in Wargames :-)

Kudos to AOL for at least providing this option to the general public.

Re:Well... (0)

Anonymous Coward | about 10 years ago | (#10307451)

Only if they find it and use it before you discover you've lost it. Your securid is tied specifically to your account, if you lose it you just get it removed from your account and nobody can use it anymore.

Re:Well... (1)

geekguy (97470) | about 10 years ago | (#10307472)

I get to support these at work, if they lose the device they will have to call in, AOL can set the password to a temporary code or possibly just turn off looking for it. Then they can send them a new one and probably charge them extra for it.

Re:Well... (1)

Billy69 (805214) | about 10 years ago | (#10307484)

If you happen to set your password to 'password', lose your RSA key, and also happen to have lost your username, and something which allows the finder/thief to know that the SecurID is indeed for your AOL login.

I have seen these devices *many* times before, and they are small, nondescript keyfobs.

The worst thing, IMHO, would be if AOL decided to put an AOL logo on them, as this would indicate what it is a password for.

Of course, they probably will, because anybody dumb enough to use AOL will need a bit of help ensuring they type in the SecurID number instead of the serial number off their front door key.

Re:Well... (-1)

Anonymous Coward | about 10 years ago | (#10307497)

Yep that's right. So in terms of security it isn't really making a hell of a difference.

I Used AOL securID (5, Informative)

Apple Acolyte (517892) | about 10 years ago | (#10307371)

In addition to being used internally by AOL, securID was offered to some regular users who were targeted by hackers. Like an organization I work for. The securID token is smaller than the average pager, having no buttons, only a display with a string of numbers that would alternate every 30 seconds or so. The biggest shortcoming of the system is that the battery did eventually die, and there was no easy way to replace it. That meant the account in question had to be unbound from the token. And it took a long time to find a rep that could actually handle that request. (Not that that was too big of a deal, since my organization only kept its AOL account alive for legacy purposes.) In terms of use, however, the token was not obtrusive at all. No additional client software was required. Upon sign on, a securID window was presented prompting the user for the key. Otherwise, it was transparent.

The big question is, is AOL's true motivation for offering this to regular customers just to compensate for the service's renowned terrible security?

Businesses use AOL?? (2, Insightful)

bcarl314 (804900) | about 10 years ago | (#10307372)

It's aimed at small business and people who conduct large transactions online

Just a comment (read opinion), but unless you have no other options, why would you, as a small business owner, use AOL to "conduct large transactions" online.

Mod me troll if you like, but I don't consider AOL to be a very "business friendly" organization.

people who conduct large transactions online (-1, Redundant)

rexx mainframe (644124) | about 10 years ago | (#10307378)

"It's aimed at small business and people who conduct large transactions online." Large transactions online? - On AOL? Am I missing something?

Re:people who conduct large transactions online (0)

Anonymous Coward | about 10 years ago | (#10307436)

Sure! You don't want anyone to intercept that large money transfer to Nigeria, do you?

I for one, welcome this. The more security they think they have, the more likely they are to trust you.

-- Prince Michael Okoya

Lip service toward true security... (1)

Vexler (127353) | about 10 years ago | (#10307413)

...also includes implementing ideas like the two-factor authentication for users who re-use their passwords, or write them on stickies, or lose their smartcards once every two weeks, or are simply computer-illiterate, etc.

What does AOL hope to accomplish through using the smartcard? A better investment in security would be to stem the flood of spams currently coming out of their slice of TLD. This measure is like a new bandaid for the old bandaid that's falling apart, and the wound is fourteen inches long and gushing blood.

Password Bonanza (1)

Icarus1919 (802533) | about 10 years ago | (#10307424)

Many places are beginning to realise the value of passwords in protecting data, though one would have thought it would have been just as obvious in the past.

My college, the University of Florida, recently instituted a new rule that our school password had to be 12 or more characters long and have two of these three things: Capital letters, Numbers, and non-letter Characters.

Additionally, the passwords were checked against a dictionary and couldn't be a word in the dictionary. I thought this was all a bit much at the time, but as I said, I understand the need for security.
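An added example, not anything from the University of Florida or the original post, that encodes the rule as described: at least 12 characters, two of the three character classes, and no dictionary words. The word list is a constructed stand-in for a real one such as /usr/share/dict/words, and "non-letter characters" is read as symbols (neither letter nor digit) so that digits are not counted twice. It goes one step past the post by also rejecting a dictionary word padded with leading or trailing digits and punctuation ("Password1!"), which is the usual way people satisfy a class rule while keeping the word.

```python
import string

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
DICTIONARY = {"password", "florida", "gators", "computer", "welcome", "summer"}

MIN_LENGTH = 12

# The three classes from the policy; "symbol" means neither letter nor digit.
CLASSES = {
    "upper": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda ch: not ch.isalnum(),
}


def classes_present(pw: str) -> set:
    """Names of the character classes that occur at least once in pw."""
    return {name for name, test in CLASSES.items() if any(test(ch) for ch in pw)}


def is_dictionary_word(pw: str, words=DICTIONARY) -> bool:
    """Case-insensitive lookup, also with leading/trailing digits and
    punctuation stripped, so 'Password1!' is still caught as 'password'."""
    core = pw.lower()
    if core in words:
        return True
    stripped = core.strip(string.digits + string.punctuation)
    return stripped in words


def check_password(pw: str, words=DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_present(pw)) < 2:
        problems.append("needs two of: capital letter, number, non-letter character")
    if is_dictionary_word(pw, words):
        problems.append("is a dictionary word (possibly padded with digits/punctuation)")
    return problems


if __name__ == "__main__":
    for candidate in ("gatorsgators", "Password1!", "Welcome2024!!", "Correct-Horse-7-Battery"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The strip step only looks at the ends of the string; a word with digits in the middle or with leet substitutions would need a cracking-dictionary approach, which the policy in the post does not attempt.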

Re:Password Bonanza (1)

Paulrothrock (685079) | about 10 years ago | (#10307441)

They need one of These [movetoiceland.com]

heh (2, Insightful)

H8X55 (650339) | about 10 years ago | (#10307431)

And yet AOL still recommends to its home users that they store their passwords in a less than secure format on their local PCs.

frist psoT (-1, Troll)

Anonymous Coward | about 10 years ago | (#10307446)

New Phishing method! (1)

CodePyro (627236) | about 10 years ago | (#10307459)

In light of the recent additions to AOL Security....Phishers have had to update their methods...it's been reported that they IM using the following line...

"Hi, I'm an AOL Service Representative. Due to a high security threat, AOL has randomly changed your password to "Att25hj4" If you would NOT like to have your password changed please disable the second password feature by calling our toll free number(1-800-GOT-RIPP) and reply back with your existing password. Thank you and have a nice day!"

The Associated Press reporting, not Yahoo (1)

kriston (7886) | about 10 years ago | (#10307486)

I'm rather concerned about the trend in today's journalism where the news aggregate is quoted as reporting something when it's really the Associated Press that is reporting something.

Get your citations straight! Don't be like the radio!

I've used something similar about 5 or 6 years ago (1)

Stonent1 (594886) | about 10 years ago | (#10307493)

The company that I was working for had little devices similar to that (They called them Token Cards) that would display a new code each time you pressed the button. It was a financial institution and they used it to protect their dial-up lines from people. They entered the code like this password*hashfromdevice.

The End is Near!! (2, Funny)

Maestro4k (707634) | about 10 years ago | (#10307494)

Oh man, Lucas finally releases the original trilogy on DVD, AOL starts at least trying to have some form of security both in the same day. That has got to be a major sign of the impending apocalypse. If Microsoft announces it's dropping Windows to develop Linux before the day's out I'm heading for the mountains!

Re:The End is Near!! (0)

Anonymous Coward | about 10 years ago | (#10307547)

Fascinating Captain, your post seemed to have gone into warp-drive and transcolocated into the "AOL improves security" story.

Perhaps you spent a long time writing this article?

Aol must really care about security... (4, Informative)

SirTwitchALot (576315) | about 10 years ago | (#10307502)

because they can't be making much money from this:

RSA sells these devices for $60 each or so in bulk. RSA fobs are programmed to expire in 36 months. Let's say AOL got them for $50. The customers are paying 9.95+(1.95*36) or $80.15 over three years. That gives AOL $30.15 or about $10 a year. I'm sure AOL could find some other way to fleece their users less than a dollar a month, leading me to believe this isn't just some profit making venture (not to mention the cost of the servers to implement this, which is not insignificant.)

I've always wondered... (1)

3-State Bit (225583) | about 10 years ago | (#10307505)

There exist handshakes for proving I know something without revealing what it is.

Is any of it simple enough to perform -- perhaps with some idiot savant-y BIG_NUM manipulation tricks -- in your head?

It might take a bunch of passes, perhaps as many as one for each bit of entropy in your "secret", but I am sure there must be SOME way to set up my webmail so that I can authenticate myself into a "read the subject lines / senders of all NEW messages" session, with password1, or, with password2, into a "read the body of the NEWEST unread email" session. Thus I could "log in" even through a COMPLETELY COMPROMISED computer, keylogger and all, and unless I slip up on my mental math, without any device of any sort I could check my mail without compromising my inbox or identity. (no spamming-in-my-name; no reading-my-archived-email; no sniffing-my-authentication). There's not even anything a man-in-the-middle can do with my plaintext request for the newest unread subjects or bodies. There's no insertion attack.

background [google.com] .
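The "handshakes for proving I know something without revealing what it is" are zero-knowledge identification protocols. As an added example (my code, not anything the poster or AOL uses), here is Schnorr identification: the prover holds a secret x, the server holds only y = g^x mod p, and each round is commit, random challenge, response. The group parameters are constructed toy values so the numbers fit on a page; a real deployment would use a 2048-bit MODP group or an elliptic curve with the same protocol. The CheatingProver and fake_transcript show the two properties the post is after: a party without x passes a round only by guessing the challenge (so 1-bit challenges cost one round per bit of assurance, as the post guesses), and a complete transcript can be forged without x, which is why a keylogger that records t, c and s learns nothing about x.

```python
import secrets

# Toy parameters, constructed for illustration only: p = 2q + 1 with
# p = 1019 and q = 509 (both prime), and g = 4 generating the subgroup
# of order q. Keep challenge_bits well below log2(q) with this group.
P, Q, G = 1019, 509, 4


def keygen():
    """Secret x (what you know) and public y = g^x mod p (what the server stores)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def verify_round(y, t, c, s):
    """Verifier's check for one round: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def fake_transcript(y, c):
    """Build (t, s) that verifies for challenge c WITHOUT knowing x: pick s
    first and solve t = g^s * y^(-c). This is the zero-knowledge simulator:
    a valid transcript carries no information about x."""
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, -c, P) % P      # negative exponent = modular inverse (Python 3.8+)
    return t, s


class HonestProver:
    """Knows x. Commits t = g^r with fresh r, then answers s = r + c*x mod q."""
    def __init__(self, x):
        self.x = x
    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)
    def respond(self, c):
        return (self.r + c * self.x) % Q


class CheatingProver:
    """Knows only y. Guesses the challenge before committing and uses the
    simulator; the round passes only if the guess matches the real challenge."""
    def __init__(self, y, challenge_bits):
        self.y, self.bits = y, challenge_bits
    def commit(self):
        self.guess = secrets.randbits(self.bits)
        t, self.s = fake_transcript(self.y, self.guess)
        return t
    def respond(self, c):
        return self.s


def identify(prover, y, rounds, challenge_bits):
    """Verifier side of the handshake. A prover who does not know x passes
    each round with probability 2^-challenge_bits, so the overall soundness
    error is 2^-(challenge_bits * rounds)."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbits(challenge_bits)
        s = prover.respond(c)
        if not verify_round(y, t, c, s):
            return False
    return True


def cheater_success_rate(y, trials, rounds, challenge_bits):
    """Fraction of trials in which a prover without x is accepted."""
    wins = sum(identify(CheatingProver(y, challenge_bits), y, rounds, challenge_bits)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    x, y = keygen()
    print("honest, 32 one-bit rounds:  ", identify(HonestProver(x), y, 32, 1))
    print("cheater, 1 one-bit round:   ", cheater_success_rate(y, 1000, 1, 1))
    print("cheater, 20 one-bit rounds: ", cheater_success_rate(y, 1000, 20, 1))
```

The caveat the post glosses over: the response s = r + c*x mod q needs a fresh random r every round, and computing it in your head for a group large enough to matter is not realistic; and even a perfect handshake only protects the secret, not whatever the compromised machine displays after login.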

roll your own (1)

digitalsushi (137809) | about 10 years ago | (#10307509)

I love those little digital PIN devices... I thought they cost a lot more than that. Are those feasible for do it yourselfers to use at home for their SSH authentication? Once I was thinking about writing a script that changes the user ID of my remote login account every X minutes, and sends an SMS to my cell phone with the ID each time it changes, like my own cheap ripoff...

Got a good screen name? Get one of these. (2, Informative)

YetAnotherName (168064) | about 10 years ago | (#10307535)

If you're lucky enough to have a decent screen name on AOL, like your first or last name, then you probably want to get one of these devices.

When I got my Yahoo account years and years ago I was early enough to get decent screen name. The problem is that today that account is routinely hacked (and once, even pwned, but thanks to the nice security folks at Yahoo, given back to me). People don't like to use something like "%geeba%56672" for Yahoo Instant Messenger. I imagine the same thing is true on AOL. Having a smartID or securiCard or other defense would be nice.

(Then again, auctioning off a nice AOL screen name might be worth a few bucks on eBay...)

All --AOL--TW employees have them. (0, Redundant)

digitalgimpus (468277) | about 10 years ago | (#10307560)

After pestering employees with these damn things, AOL thought it would be wise to charge customers for the same pain in the ass.

I hate these stupid things. Keep them on your keychain, and you know it's going to break, and you're going to have login problems. Don't keep it on your keychain, and you know you'll forget, and be unable to login. No matter what, you lose.

I won't say they are ineffective, since they do work. But they are the biggest pain in the butt.

Couldn't stand having it. What a drag.

Oh, and guess how many people loved using AOL mail in the workplace: None. Can you imagine this scenario:

You sign on, do your work, leave for the day. Come back in, and AOL for some reason signed you off (happens every so often). Uh Oh... forgot the SecurID... no email for the day!

Was my post informative? Help me get a free flat screen [freeflatscreens.com] by completing 1 silly little offer. I need one to go with my free iPod.

But you don't need "two" passwords ! (2, Informative)

syrinje (781614) | about 10 years ago | (#10307566)

Two factor authentication relies on (d'uh) two inputs to the authentication algorithm - something you know (like your username) and something you have (like a password - whether generated by a SecurId or not).

The advantage of the automagically generated password is that the password is a temporal function of the account. This means that the server and the password generator both work off the same clock base to calculate a password for your account and authentication succeeds if the two match (within some non-zero time window - to compensate for clock drift). The password is thus valid for a very short duration and makes it very hard for a MIM to capture, replay and use.

As far as I can see the first (user memorised password) is merely an artefact of an older system left in there to make the user feel good about having some password control since that is the factor that is most vulnerable to compromise (think social engineering).

A more robust mechanism would be to add a challenge response to this mechanism - the authenticating system gives you two numbers (n1, n2) which you feed into your password generator and it generates the response thus -

R_t = f(t, n1, n2)

The authenticating system performs the same computation and accepts your password if it matches with the result generated locally. Banks in Sweden have been using this for quite a while now - the password generator is, of course, protected by a PIN number to unlock it for use and therein lies the weakest link!
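An added example, my code rather than AOL's or RSA's, that puts the scheme in this post, the PIN-then-tokencode entry Stonent1 describes ("password*hashfromdevice", here without the separator) and digitalsushi's roll-your-own question into one runnable server-side verifier. It assumes HMAC-SHA1 over the time step as a stand-in for RSA's own SecurID algorithm, which is not public; the protocol (shared seed, shared clock, a drift window of one step either side) is unchanged. The seed, PIN and timestamps are constructed. One thing this post does not mention: a code that stays valid for a minute can be replayed within that minute unless the server remembers the last time step it accepted, so the Account record keeps that and refuses anything at or before it. The challenge-response variant R_t = f(t, n1, n2) is implemented the same way with the server's two nonces mixed into the hashed message.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60      # seconds each code is displayed (the one-minute tokens in the story)
DIGITS = 6
DRIFT = 1      # accept one step either side of the server's clock


def derive_code(seed: bytes, message: bytes, digits: int = DIGITS) -> str:
    """HMAC-SHA1(seed, message) reduced to a fixed-length decimal code
    (RFC 4226 dynamic truncation). Assumption: HMAC stands in for RSA's
    proprietary SecurID function; the surrounding protocol is the same."""
    digest = hmac.new(seed, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(seed: bytes, now: int) -> str:
    """What the token displays at Unix time `now`: f(seed, now // STEP)."""
    return derive_code(seed, struct.pack(">Q", now // STEP))


def challenge_response(seed: bytes, now: int, n1: int, n2: int) -> str:
    """R_t = f(t, n1, n2): the server's nonces are mixed in, so the answer is
    bound to one login attempt rather than to a whole minute."""
    return derive_code(seed, struct.pack(">QQQ", now // STEP, n1, n2))


class Account:
    """Server-side record: memorised PIN, token seed, and the newest time
    step already accepted (so a captured code cannot be replayed, even
    while it is still inside the drift window)."""
    def __init__(self, pin: str, seed: bytes):
        self.pin, self.seed, self.last_step = pin, seed, -1


def _unused_matching_step(acct: Account, now: int, matches):
    """First not-yet-consumed step in the drift window for which matches(step)
    holds, or None."""
    current = now // STEP
    for step in range(current - DRIFT, current + DRIFT + 1):
        if step > acct.last_step and matches(step):
            return step
    return None


def verify_passcode(acct: Account, passcode: str, now: int) -> bool:
    """Passcode = PIN immediately followed by the tokencode. Both factors are
    always evaluated; the step is consumed only on a full success."""
    if len(passcode) <= DIGITS:
        return False
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(pin.encode(), acct.pin.encode())
    step = _unused_matching_step(acct, now, lambda s: hmac.compare_digest(
        derive_code(acct.seed, struct.pack(">Q", s)).encode(), code.encode()))
    if pin_ok and step is not None:
        acct.last_step = step
        return True
    return False


def new_challenge():
    """Server picks (n1, n2) per login attempt."""
    return secrets.randbits(32), secrets.randbits(32)


def verify_response(acct: Account, n1: int, n2: int, response: str, now: int) -> bool:
    step = _unused_matching_step(acct, now, lambda s: hmac.compare_digest(
        derive_code(acct.seed, struct.pack(">QQQ", s, n1, n2)).encode(), response.encode()))
    if step is not None:
        acct.last_step = step
        return True
    return False


def replay_demo() -> dict:
    """Constructed walk-through: a real login, the same passcode replayed by an
    eavesdropper 10 s later, a wrong PIN with a fresh code, the next minute's
    legitimate login, then challenge-response with the right and wrong nonces."""
    seed = b"\x01" * 20                 # constructed; real seeds come from RSA
    acct = Account(pin="7351", seed=seed)
    t0 = 1_095_700_000                  # arbitrary fixed Unix time
    passcode = acct.pin + time_code(seed, t0)
    results = {"first": verify_passcode(acct, passcode, t0),
               "replay": verify_passcode(acct, passcode, t0 + 10),
               "wrong_pin": verify_passcode(acct, "0000" + time_code(seed, t0 + STEP), t0 + STEP),
               "later": verify_passcode(acct, acct.pin + time_code(seed, t0 + STEP), t0 + STEP)}
    n1, n2 = 0x12345678, 0x9ABCDEF0     # constructed; use new_challenge() in practice
    t2 = t0 + 2 * STEP
    resp = challenge_response(seed, t2, n1, n2)
    results["other_challenge"] = verify_response(acct, n1 ^ 1, n2, resp, t2)
    results["challenge"] = verify_response(acct, n1, n2, resp, t2)
    return results


if __name__ == "__main__":
    print(replay_demo())
```

For the roll-your-own case this is the whole server side; the "token" is time_code() run on a phone or a second machine with the same seed, which is exactly how TOTP authenticators work. The weakest link the post names still applies: the seed file and the PIN are what the attacker goes after once codes cannot be replayed.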
