AOL's Merlin Compromised? 240
Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million user's names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likly, though."
Here's the
original Wired story.
Welcome! (Score:5, Funny)
You've got problems!
Re:Welcome! (Score:2)
Re:UPDATE spam_list SET users='aol_address_list' (Score:2)
Re:Welcome! (Score:2)
Merlin? (Score:1, Funny)
I work for aol. (Score:2, Funny)
Re:I work for aol. (Score:1, Funny)
When is this free pizza weekend? And how much is it gonna cost?
Re:I work for aol. (Score:3, Interesting)
Lets hope you don't let that happen.
You should also read the above link [neowin.net] so you don't get duped.
Also in the news ... (Score:5, Funny)
Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.
Re:Also in the news ... (Score:5, Funny)
Re:Also in the news ... (Score:5, Funny)
hmmm... (Score:5, Interesting)
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.
Sounds like AOL needs to read Mitnick's book - The Art of Deception.
wait a minute... (Score:3, Insightful)
They have ~35 million users, and yet can't make a profit?
Let's see... ~35,000,000 * $22.99 = ~$804,650,000
They get that much money each month, and still posted a loss how?
Re:wait a minute... (Score:1)
Re:wait a minute... (Score:5, Funny)
Re:wait a minute... (Score:5, Interesting)
i hope i'm wrong here, but i remember reading this a long, long time ago.
Re:wait a minute... (Score:5, Informative)
Re:wait a minute... (Score:2)
Re:wait a minute... (Score:2)
Haven't you ever heard the old joke? (Score:3, Funny)
As I understand it that's the actual business plan of Amazon.
KFG
Re:wait a minute... (Score:5, Informative)
Divide by 7 because you can get 7 usernames for one account. Also keep in mind that many people just coast on the '3 months free' service and then at the end, call to cancel it, and then take another free month when it's offered (so that they don't cancel.) The phone reps get a cash bonus for getting a person to stay with AOL like this.
Lather, rinse, repeat. Free AOL access for life.
Re:wait a minute... (Score:2)
AIM and ICQ (Score:2)
Re:wait a minute... (Score:2)
and from the article, "35 million subscribers"
but even so, $115 million dollars is quite a bit to spend on cost.
the specialized id code is is securid (Score:5, Informative)
able to hack it, at least without physically
stealing one of AOL's securid cards and the
pin for that card.
For others that don't know how they work, the code
changes every 60 seconds (and is different
on every card made), and the old code
is no longer good when the code changes, it
makes it really hard to bypass without having
an actual securid card that is valid for
the system that is being broken into, and the
proper username and pin for that card.
Re:the specialized id code is is securid (Score:2, Insightful)
- they were able to trick the AOL rep into installing some type of remote control software
- and AOL allows the rep's computers to make random outgoing connection
then they might be able to remotely control a machine that already had all the necessary passwords entered.Re:the specialized id code is is securid (Score:5, Informative)
http://www.rsasecurity.com/products/securid/token
They come in two forms (at least the AOL ones did when I was a contractor there) A Key chain Fob and one that looks like a Credit Card Calculator.
If I remember right, the system also automatically marks the login code invalid once a successful login is achieved. So someone can't use a Key Sniffer to steal your code. If you logged in and got disconnected for some reason, you needed to wait for your SecurID to rollover to the next code.
Re:the specialized id code is is securid (Score:3, Interesting)
Re:the specialized id code is is securid (Score:5, Insightful)
I am not claiming at all that the article is actually accurate as it offers no proof and no reliable sources. But, it is theoretically possible to take over a machine where the SecurID has already been entered and cause havoc.
Re:the specialized id code is is securid (Score:2)
My company uses SecurID, and when my connection is active (we use it for VPN), I can't connect to any other machines on my subnet, and blocks off most ports. I'm pretty sure that what you stated is possible, but not trivial by any means.
Re:the specialized id code is is securid (Score:2)
Token authentication is used to try and clean up all kinds of security problems that it doesn't address well-- problems with the client computer being owned, or using unencrypted transport (which is vulnerable to sequence prediction or sniffing to hijack the session, even if the password itself is not replayable).
Re:the specialized id code is is securid (Score:2)
Re:the specialized id code is is securid (Score:2, Insightful)
As for dongles and keys they are pretty easy to lay hands on. A little skill as a social engineer and a pick pocket and you can have one. You do have to be physically there though. You can't pick a pocket remotely.
Re:the specialized id code is is securid (Score:2)
One place I worked someone in mgmt had printed out a master list of passwords (why? no idea) and had managed to drop the list outside the building where it laid for at least one night. Probably the worst security booboo I've seen but most companies have had problems of that nature. The techs build up security and some schmoo blows it all away.
Re:the specialized id code is is securid (Score:2, Interesting)
Once you have the mostly universal changing sequence (based off the previous) you just need to know which one it started with and the approx time and you can nail a secureID system. A glimpse of the card over 10 minutes is enough to break that system if you're smart about it.
It's still pretty tough to do tho, so I agree with you on it being unlikely.
Re:the specialized id code is is securid (Score:4, Interesting)
Re:the specialized id code is is securid (Score:2)
SecurID numbers can only be used once for access. Replay attacks will not work because of this. From RSA's [rsasecurity.com] web site:
Milalwi
This is why.... (Score:2, Insightful)
Re:This is why.... (Score:3, Informative)
They tricked/convinced/conspiderd with AOL employees (those hooked to internal, and external networks at once) into accepting and running a trojan, that would act as a gateway between AOL's systems and the outside world while idling on IRC..
This is how most DDOS bots work, I guess they just took it one step further.
Disclamier: I could be wrong, IANAAH (I Am Not An AOL Hacker), this is just what I got out of reading the article.
Re:This is why.... (Score:2)
Re:This is why.... (Score:2)
Re:This is why.... (Score:2)
Neither can customers.
To create accounts, authenticate user log-ins for e-mail and RADIUS, allow users to update billing information, etc.
There are many ways to make it incredibly difficult to access a server or group of servers, but you really can't cut off access completely, unless you have some sort of rarely used information which can be accessed, updated and verified manually.
Re:This is why.... (Score:2)
Only human... (Score:2)
But then again getting the password of a single user reset may be a big thing for that user, but in the overall scheme of things, it's not much.
As for Merlin; well, just downloading the 35mil Credit Card numbers, could take a while
Social Engineering more than hacking (Score:5, Insightful)
This article is more about social engineering than about the AOL break in. This is odd, if this were true, I would expect a much different type of artcle to be on the lead edge of the breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat with it.
-Pete
Re:Social Engineering more than hacking (Score:2)
I imagine you could work the same exploit with a really thick foreign accent. Or a cell phone that kept having mysterious problems.
Re:Social Engineering more than hacking (Score:2, Funny)
-Ster
Credit Cards doomed to failure (Score:5, Interesting)
The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.
Re:Credit Cards doomed to failure (Score:2)
The world I see -- you're stalking elk through the damp canyon forests around the ruins of Rockefeller Center. You wear leather clothes that will last you the rest of your life. You climb the wrist-thick vines that wrap the Sears Tower. You see tiny figures pounding corn and laying strips of venison on the empty car pool lane of the ruins of a superhighway. *cough*fight club*cough*
:-D
Re:Credit Cards doomed to failure (Score:2)
But a per-transaction scheme can't, by definition, handle recurring payments.
Re:Credit Cards doomed to failure (Score:2)
Yes, but the CC number space isn't large enough to allow this to be a universal solution. (That's ignoring the fact that it's all divided up and whatnot).
I guess you could try to set up some cyclic reuse thing...
But a per-transaction scheme can't, by definition, handle recurring payments.
[shrug] Same system could pretty easily be used to authorize recurring payments.
Frankly, though, I'm not entirely sure that I wouldn't just like my CC company to just send me a bill with *requested* recurring payments, which then get authorized on a per-transaction basis so that I know where my money is going, and I have absolute control over who gets it.
Not going to happen (Score:2)
Re:Credit Cards doomed to failure (Score:2)
What CC companies usually do is eat the loss, unless it is very large or you've previously contested charges.
So, no, you may not *directly* be responsible for the loss of your CC information. But this is passed on to the consumer through higher rates, annual fees, and surcharges.
My argument is that with all the Internet-connected CC databases and the accelerating rate of compromise of said databases, it is unsustainable for CC companies to keep eating these losses.
Furthermore, it will screw with your credit rating to keep contesting charges and then immediately cancelling cards.
Re:Credit Cards doomed to failure (Score:2)
Here's a good example, someone gains access to my credit card through some shopping database then uses my credit card. OH NO WHAT SHALL I EVER DO!!! My guess is that i cancel the card and get a new one, uh oh that was so hard I am surely doomed ??
And who pays for the fraudulent transactions?
The complex answer is, well, complex. You bear at most $50 of the risk and, in practice, usually pay none. The merchant takes the brunt of it, but their liability can also be limited in various ways such that their contracted merchant acquirer may eat a good portion of the cost. In some cases the issuing bank may suffer.
However, the simple answer is much more enlightening: You pay for the fraud. You won't see the charges directly, but all of those entities I mentioned in the previous paragraph ultimately get all of their money from you, and they're *not* going to lose money.
Right now, CC fraud in the US is around 0.5% of US CC transactions. This number amounts to billions per year, but it is still considered manageable. That's not going to last, though. Why? Many places in the world see CC fraud of up to 10%, and that's why most of the world is moving aggressively towards smart cards (Europe's pretty much there, Asia's getting there quickly, Latin America will be there within two or three years).
So, what do you think is going to happen when CC fraud becomes really hard everywhere else, but remains easy here?
Re:Credit Cards doomed to failure (Score:2)
i have a feeling that stupid people giving up their credit card numbers/social security numbers through social engineering has a lot more to do with this then the database break ins.
Well, I don't know that it's so much "social engineering" as shoulder surfing, dumpster diving, crooked clerks, etc., but yeah, I'm sure that cards retrieved via break-ins is small. It wouldn't even surprise me if more cards are sold by DB admins than are retrieved by wily hackers.
And i also think that social engineering is going to flaw any system.
The applicability of social engineering to a system that requires card presence is limited. You have to talk the cardholder into giving you their card, which is hard. Other attacks will be possible -- other attacks are *always* possible, but they'll be far more difficult and expensive than the current attacks.
These two factors basically ensure that no security will be good enough.
Complete nonsense. The current system of magstripe cards and dialup authenticaiton is good enough, as evidenced by the fact that the system is working. Fraud in the US is around 0.5%, which is low enough to be manageable, low enough, in fact, that it's not worth the cost of implementing more security. When the fraud rises, new defenses will push it back down until the security is once again good enough.
If what you meant to say is that no security will be perfect, then you're 100% correct.
Re:Credit Cards doomed to failure (Score:2)
you're saying that no one gives their credit card number out to people ?
No, I'm saying that with a system that strongly requires card present transactions, it will not matter if people give their card numbers to others, because a number will be useless without the card.
Also,any system made by humans can be social engineered by humans
Did you even read my post? I said:
Note that I said "hard", not "impossible".
If we really wanted to, we could augment the card-presence requirement with a biometric verification, which would mean that an attacker would essentially have to talk you into making the payment for him; merely getting your card would not be enough. That's clearly not impossible either -- "con men" have been around forever -- but it makes the job both difficult and dangerous enough that no one is going to do it unless there is a substantial return for the risk.
Some info on the subject (Score:3, Informative)
Oh yeah, this has been going on repeatedly since at least 2000. However it gets media attention very infrequently, but the problem was always there, and always exploited.
Re:Some info on the subject (Score:2)
Not so fast! You can find stupid employees ANYWHERE!
Lose-Lose (Score:5, Insightful)
If this is true. Well--that's bad. If it isn't then that's even worse. I read the register piece before I followed the link to wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read all information that wired really had, was the claims of some self-declared hackers and the statement of some security expert.
If that is enough to get an article like that one published--then why bother to actually try to hack/social engineer/whatever into the AOL database. Just claim something and watch the bad press hit AOL. I never used any of their products (well apart from iChat that kinda ties into their IM-network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."
Can I get that e-mail list? (Score:5, Funny)
Re:Can I get that e-mail list? (Score:5, Funny)
Re:Can I get that e-mail list? (Score:4, Funny)
sure fire way to fix this (Score:2, Funny)
If AOL would subsidize this, they would see their security problems disappear overnight.
also - I think Dick Tracy foreshadowed the cracking method used by these kids years ago with its "Mumbles" character.
So by using that as an indicator, we should next look for people wearing bright colors and having odd facial features to be part of the next crack.
Sanctimonious Tech Bigotry at Inquirer (Score:5, Insightful)
>>
Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach.
No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet and their configuration ought to be done at a level of abstraction that requires no techncal knowledge.
Re:Sanctimonious Tech Bigotry at Inquirer (Score:2)
You're talking about making a completely idiofied operating system, far beyond that which was Mac OS 9. To make an analogy, you're talking about building a car where the user never has to use the brakes, because "no should have to fuss with doing anything any time there's an immediate need to decelerate." I think we can expect a little more from companies like Microsoft in terms of security, but I also think we can expect a lot more from consumers. I may not need to know exactly how the fuel combustion chamber in my car allows me to move forward, but I for damn sure know that I have to shift to drive to go forward, shift to reverse to go backwards, and press the brakes to stop. How many computer users, if they drove their car like they use their computer, would end up in the hospital once a day with a totaled car?
While I can't provide a simple answer for solving the problem, I really don't think that building an OS that does all but completely remove user interaction is the answer. A certain level of security should be expected, but if a person can't even install Zone Alarm, or install a router, then perhaps they ought not be using a computer in the first place. Perhaps we should license computer use like we license car use. As much as I'd hate to have to muck around with a DIT (Dept of Info Tech) counterpart to the DMV, I think this would solve a whole lot of problems. Granted, however, this is not a likely or entirely feasible solution, but you have to admire how quickly we'd clean up tech support/virus/worm/security issues.
Re:Sanctimonious Tech Bigotry at Inquirer (Score:2)
That's an example of tech bigotry. Ease of use doesn't mean loss of capability. In fact, it should mean just the opposite: enabling more people to do more computing, more often.
I'd imagine that even you are using a leyboard and a monitor, rather than pushing buttons and watching LED's.
Bad Analogy... (Score:2)
Brakes are on/off, and within my experience most people have a pretty good handle on the concept. Perhaps a better analogy would be building a car where the user doesn't have to be concerned with the timing and slippage thesholds of his ABS system--oh, wait--they already do that!
This might be the appropriate moment for a rant about the generally crappy state of software design (complete with quotes of developers whining about how it'd be too hard to make something that works), but I have actual work to do....
this happens all the time (Score:5, Insightful)
Some of you may recall this interview [slashdot.org] from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall alot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount actual bugs of the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) alot of the 'hackers' would have to figure out other ways to get in.
Getting past sID - this is not that big of a deal, while it's not that easy to do as long as you con the right person and you get lucky with the timing your all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..
the only non-realistic part of the articles I read were regarding how many attackers utilize programming bugs - there are far fewer now then there used to be..
Not too likely (Score:5, Insightful)
Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.
The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.
This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.
Sensationalism (Score:2)
I highly doubt this came from one of Wired's top staff, probably someone who wanted to scoop the next CC theft by the million. Nothing to see here, move along!
I'm doubting they got into Merlin with this method (Score:5, Informative)
One thing that hasn't beem mentioned is that the SecurID system also requires a pin number to log in, and employees are strongly trained not to give that to anyone.
Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
The rest are called journalists (Score:2)
KFG
Oh, wired... (Score:5, Insightful)
Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."
Implausible (Score:4, Insightful)
Many things "MAY" have happened... (Score:4, Funny)
What a stupid comment. In other news...
"Aliens MAY have invaded Italy..."
"Saddam Hussein MAY have a gay lover..."
"I MAY have sex with Liv Tyler tonight..."
Re:Many things "MAY" have happened... (Score:3, Funny)
You know, you almost had me with the aliens and Saddam.
Re:Many things "MAY" have happened... (Score:3, Funny)
What merlin looks like (Score:5, Interesting)
Re:What merlin looks like (Score:3, Interesting)
So, how long have you been ripping off AOL customers?
Re:What merlin looks like (Score:3, Funny)
You Asked for proof (Score:5, Informative)
You all wanted proof that the hack was done. We're carrying that proof on Observers.net [observers.net]. Check out the first story and that will give you all the proof you need that the hack was done.
The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.
Jacob
Observers.net
Re:You Asked for proof (Score:2)
Further, that story does not address the SecurID issue.
Why don't you provide proof then? (Score:3, Insightful)
If you really want to show proof, how about listing Steve Case's information? Or why not ask someone to supply an AOL ID and you can post the complete account details the next day? Chances are, you're not able to do that because this is just stupid script kiddie posturing with no substance.
Re:You Asked for proof (Score:2)
Expect the worst, have damage control ready (Score:3, Insightful)
So it's always prudent to diversify and isolate systems to minimize disaster upon intrusion into one system. And always invest in a good damage control plan
Don't confuse fraud with cracking (Score:2, Insightful)
If you crack my system and steal credit cards and the like, that's illegal too, but now you are talking about two different crimes.
Secure both from outside and within (Score:3, Interesting)
More or less impossible. And I can't imagine that AOL (stupid as their users may be) don't have something like this aswell... WHY ON EARTH would the internal network go staight to their extremely valuable databases?
Most companies keep "mock up" systems for development, the actual production systems aren't accessible to anyone, basically...
Re:Secure both from outside and within (Score:2)
You have to have access to the DB servers themselves, in order to run queries against them. AOL's setup is really much like the one you describe here. It's as secure as it can be, while still being useful how it needs to be.
How to hack AOL (Score:2, Funny)
The Art of Deception (Score:3, Funny)
Dammit! (Score:2)
I wrote the Wired story and, yes, I've seen proof (Score:5, Interesting)
Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.
So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here [observers.net]. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...
Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.
Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...
Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...
Cheers.
Re:I wrote the Wired story and, yes, I've seen pro (Score:2, Insightful)
Now, it seems to me that these people you are talking about essentially had physical access. They had someone logged into a machine on the inside and fed them information and did whatever they were asked. You say a friend, a disgruntled employee, gave them a code. Well at that point its simply a case of an individual with a lack of morals doing something wrong. Just because you are upset at your employer doesn't give you the right to screw over 35+million people.
This is not a hack, it's simply an individual making a poor decision. I would like to think that aol had all sorts of firewall/proxy/logging going on and could easily identify where a problem was coming from, but I have no knowledge of the system other than what I've read. So I'm not going to argue that it couldn't be done. I'm just going to say it's not AOL's fault. AOL should be diligent in there security measure's, but what can you do when someone in the NOC is out to get you?
An analogy for you. You go to a resturaunt and order food. You pay with a credit card that you give to the waiter. The waiter copies the card#, the exp date and even your sig from the receipt. That waiter runs up a bill on your card. Now, do you immediately blame the resuraunt? I don't think so, at a certain point, you have to trust people to be honest. Unfortunetely a certain few of them will chose to screw you over.
AOL may have problems and should probably pay more attention to personel in critical positions, however, I'm not sure how much anyone can do if the door is unlocked from the inside.
Re:I wrote the Wired story and, yes, I've seen pro (Score:2)
He said "initially"...
A/S/L?!? (Score:3, Funny)
Merlin doesn't exist (Score:5, Interesting)
Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
My experience gives new meaning to the phrase "AOL sucks"
Re:Merlin doesn't exist (Score:4, Insightful)
************
I used to work for AOL tech support as one of their trained monkeys for a while. There are a few things to keep in mind when dealing with them:
Most of them (the techs) are NOT idiots. However, most of them think that the AOL customer base ARE idiots.
The mission statement for AOL tech support is : Free AOL tech support - You get what you pay for - Call us, we will give you a fish... (you have to understand the old saying about giving a man a fish/teaching a man how to fish story)
They use a case based software called Sherlock which is notoriously lacking in options. Most questions that they handle are so well known that the tech can handle it without sherlock, however, this sabotages the Sherlock program. The whole setup is designed to fail spectacularly while being held together by a few knowledgable floating expert individuals.
These same floating experts double as whip wielding task masters, along with the supervisors, and other narcs, who wander around the phone floor enforcing the use of sherlock and the 3 minute time limit.
AOL tech support, does not have solving the customers problem as it's goal. Pleaseunderstand, that solving your problem when you call has absolutely NO VALUE.
The IDEAL revenue call is a call that is handled in exactly 3 minutes, which results in a positive step in sherlock giving ONE of many options - then results in a negative experience for the customer - prompting a return call in about 10 minutes - to another tech, who then gives the NEXT solution via sherlock - which ideally will fail - on and on until either sherlock runs out of options, (prompting for one of the floating experts to
actually solve a problem, or shifting blame onto either a virus, the manufacturer of the hardware, drivers, etc...) or a final solution (usually a reinstall) and a grateful customer being transferred to another revenue partner, like a rent a car agency, or a cable modem installer...
The ONLY value that any call has is that it is handled in an average of 3 minutes. This is known on the floor as Dumping... You give them one possible solution, then ask them to try it and call back if it doesn't work - you then cross your fingers and hope that YOU don't get them back. All while attempting to sell the illusion that you are an expert and are not merely reading a dialog off a computer screen. As I said above, it's trained monkey work.
With that in mind, you can see why AOL tech support likes people with a minimum of knowledge working on the phones. People with actual extensive computer experience suffer from the "fix it" syndrome. Especially when sherlock cannot give you another option to Dump the customer with.
The very worst thing that a tech can do, is attempt, with his own knowledge and experience, to actually explain why and how and fix your problem, especially because usually the problem is directly related to the stupidity of the customer. It is not unusual for the customer to reveal that they have 30 - 50 tray icons running!!
People with a minimum of knowledge can accept the illusion that sherlock is actually giving good advice and can sell it convincingly as tech support. An actual trained computer tech/software repairman/programmer - usually cannot if he is honest.
***********
[end quote]
The sad thing is, it's not just AOL
Weak link (Score:2)
Re:you won't see me crying (Score:5, Interesting)
AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.
Get off it. AOL sucks for us slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominate choice.
Re:Who's the Inquirer? (Score:3, Informative)