New Policy On Reporting Compromised Accounts

ACI management’s late fall 1998 announcement on procedure for reporting compromised CL accounts is a prime illustration of AOL’s painfully slow reflex in dealing with serious ongoing problems. In fact, they move so slowly sometimes we wonder if they are still breathing. Their tendency to shelve any progress on serious issues until so much damage has been done and there’s so much negative publicity that they can’t continue their cover-ups is nowhere so perfectly illustrated as in the whole area of compromised empowered accounts.

Empowered accounts have been the targets of hackers and crackers online for years. To the best of our knowledge, this is the first time AOL has come out with a procedure for CLs to following in reporting compromises. As we say, this announcement is unacceptably late, considering this has been a major issue for a long time. Some of the more famous accounts stolen in the past are: Steve Case, TOSAdvisor, and more recently Crock Pot, an ACI administrative account with over 500 pieces of confidential email saved as new. The Crock Pot incident was in fact reported by CNET news back in June. See Jim Hu’s CNET report.

For every publicized hack, there have been many more unreported of even greater sensitivity to AOL security. Recently Observers came into the possession of documents containing highly confidential employee information directly from the email of senior call center management. For this, we thank our friend Maldo very much indeed. And we note that – out of the ACI staff listed in the recent policy statement as those to contact regarding compromised CL accounts – at least three, namely Chrisstine (Guide BEE), Jeweled, and Crockpot, have themselves been compromised.

CL management, in spite of the seriousness of this problem, had done little or nothing to research and correct the problem of hacked accounts even as late as January 1998. We think we were in on the ground floor here. In a private discussion with an Observers staff member on 1/12/98, Christine Trzcinski, the Guide Operations Manager, was only then making initial inquiries into developing guidelines for reporting compromised CLs as seen in this Chat Log. Unless she was feigning ignorance, she had at this date little or no grasp of the problems surrounding reporting stolen CLs. In truth, her main concern seemed to be NOT the stolen CLs but the individuals reporting them to guides. Apparently she believed these people were themselves using phished accounts. Sometimes this was so, sometimes not. However, this was a pointless line of inquiry. TOSAdvisor told one Observers staff member directly last year that AOL had no interest in receiving information from CLs on the stolen accounts of regular AOL members and that it would be useless to pursue such reports. In cases where the account holder discovered his account stolen, it would be up to him/her to call AOL and get it secured, but CLs were not to be a part of that process. In any case, from the time of Chrisstine’s initial inquiries until the release of the current CL policy statement it’s taken ACI eleven months to come up with a procedure consisting of a few basic steps.

Observers thinks this new policy is sadly lacking in substance and also that parts of it were not well thought out in terms of the consequences. For one thing, the statement contains no specifics about what constitutes evidence of compromise. It merely says, “Be sure you have sufficient documented evidence. A report without evidence cannot be processed.” Second, in our experience, reporting an account while it’s ONLINE and can be checked for signon signature by CAT personnel has always been essential to securing it (see comments by Chrisstine in the 1/12/98 chat), so that if CLs do not find any of the management team online, sending them email to read at some later time may well not have any effect.

Furthermore, ACI has already undermined their new procedure with an earlier “guideline” related to stolen CL accounts. The new reporting procedure actively encourages CLs to report any suspicious activity on volunteer accounts. However, in the “Volunteer Guidelines 1.4′ at Keyword:TCB, and also incorporated into earlier versions of the Guidelines, CLs learn that if their accounts are compromised, this comes under the heading of ‘TOS Violations Incurred While A Community Leader,’ – i.e., implying that having their accounts stolen is a TOS violation – and that moreover if they are so unfortunate as to have their accounts stolen more than once, their accounts will be received for possible termination and they may be asked to step down as Community Leaders (but not in that order -=P).

This can hardly encourage CLs to report stolen accounts, particularly if these accounts belong to friends and co-workers. However, it does reflect AOL’s hard-line policy on stolen accounts, which is, that members are allowed to claim compromise only once. If the account is stolen again then the member is held responsible. Observers recently learned of a CL whose account had been compromised for a second time, without that CL’s knowledge. ACI/AOL terminated her CL name with no explanation whatsoever. She was understandably distraught. She finally learned the truth through other, more compassionate sources, not through ACI. Therefore, one procedure discourages the other. Let us ask CLs reading this text if they might think several times before reporting a coworker’s CL account – considering that that account might have been compromised once, possibly without the CL’s knowledge, and this account might lose CL status or even be terminated based on their report.

Are all compromises the fault of the account holder? No, definitely not. Although some accounts are stolen with cracking programs and password stealer downloads – both within the ability of an account holder to prevent through wise choice of passwords and caution in downloading – social engineering techniques of various kinds, where AOL staff is either tricked or voluntarily gives out confidential information to hackers, is NOT the account holder’s fault. The problem is – AOL will never publicly admit to social engineering, and therefore all instances of compromise are considered the ‘fault’ of the account holder.

ACI’s new reporting policy on compromised accounts: once again, too little, too late, and too poorly informed about the realities of life online to make a difference.

*NEW* Reporting Compromised Accounts

Submitted by: FunE One

For Community Leaders

If you are a Community Leader and come across a compromised CL account, please follow the procedures below:

1. Be sure you have sufficient documented evidence. A report without evidence cannot be processed.

2. Contact one of the Management staff via IM and provide them with the documentation. SN’s: FunE One, Mox Wayne, Chrisstine, Gregism, Lauren, Kismetalso, Crockpot, Lydia, Jeweled, WarpJMP. In the event you do not see any one of these names online, send your documented evidence to all of the above names in an email using the subject line: **Suspected Compromise:**

If your Community Leader account becomes compromised, you will need to contact the CL Help Desk at 1-888-265-0779 (voice – 24 hours a day, 7 days a week) or 1-800-759-3323 (TTY – 8am – 7pm EDT, 7 days a week). Be sure to keep the Help Desk phone number and your PIN number accessible OFFLINE in the event you are unable to access your account.

When you regain control of your account, you will need to contact your Supervisor, who will then request reinstatement of access to our private area.

This will be posted off our main menu > CL Info Center > CL Security Center.