How I got hacked on AOL

At least one person I know was eagerly chipping away this weekend at his computer while I was avoiding mine on the beach.

An AOL anarchist who goes by the moniker "PhatEndo" was busy pasting snippets of our Instant Messenger conversation into my member profile and adding himself to my buddy list.

Altering my profile was one thing. But my buddy list? That's where it got personal.

It all started from a reader's tip that led me into a frustrating AOL chat with the supposed culprit of a well-publicized recent ACLU hack. He admitted it all and said his quest would continue.

After several on-screen exchanges, I got fed up with his game of "I know something you don't know" and told him I didn't believe his story because he hadn't given me any proof that he was the ACLU hacker.

I asked him facetiously who would be his next victim--the NAACP? The NRA? He answered me with just a "=)" and was off.

When I loaded up my email Tuesday morning, the healing effects of my long weekend in Half Moon Bay, California, came to a startling end when I noticed a message from my AOL account with a subject heading that read "Hmmmmm proof?"

It became apparent after reading it that I supposedly sent myself the email informing myself that I had just hacked my own account. Here's what it said, word for word:

"Heya there Mr I need some proof, well check your profile...=) If you can't get on another account or whatever hehe here it is...=)"

It took a while for it to sink in. When it did, I angrily canceled my credit card.

I certainly didn't ask for it, but he felt he had to give it to me anyway. Thanks, PhatEndo. Three virtual cheers to you for violating my account.

Since the ACLU hacking, AOL has sought repeatedly to comfort its members and the financial community about its commitment to stronger security. But the fact remains that passwords have been disclosed without account confirmation. In my case, it happened through a combination of persistence by PhatEndo and apparent carelessness in the ranks of AOL's army of service reps.

What happened to me seems to have been the result of a "social engineering" hack--a breach in security that stems not from technology, but rather from human foible.

If a hacker is lucky enough to call a service rep who doesn't do a thorough ID check, the password can be reset to give the perpetrator full access to your AOL account and everything that comes with it.

Often, such hackers do it just to show that they can, said David Cassel, a critic of America Online who publishes the AOL Watch online newsletter. Some even take the extra step of ordering merchandise through shopping channels and sending the loot to the host's address, he added.

So I tried it myself: I called AOL and tried to socially engineer my way into my own account (as if once weren't enough). Granted, most of the time I was asked to provide credit card or checking account verification. But on my fourth try, however, I reached a representative who didn't request that information.

In essence, I became a social hacker without that much effort.

Can I really blame the AOL customer service person who was working over the long weekend for what happened? No, I actually feel bad for the rep who had to put up with PhatEndo's farce. (Incidentally, AOL canceled PhatEndo's account today.)

But if in a couple of days I see a seven-speed Cuisinart chrome blender waiting on my doorstep, I may start practicing my Steve Case impersonation.