The case of the purloined AOL webmail account

If you have an AOL or AIM webmail account, beware. AOL's security is so poor that it's not only possible for a spammer or other evildoer to hack your account, but to actually steal it.

Yes, that's what I said. It happened to me. A hacker managed somehow to change the security information on my AOL webmail account so that he (or she) can access that information and change it at will- but I can't even verify that the account is mine.

This is what happened: I imagine that over the years thousands of people have been frustrated by AOL's policy of not allowing special characters in its email addresses. If you weren't in at the beginning of AOL, you were almost certain to end up with something like mickeymouse40985@aol.com as your screen name. Or worse, mckymse40985@aol.com.

A few months ago, AOL changed that policy. Special characters are now allowed. Even though I use Gmail for the most part, and have other accounts elsewhere, when I learned of the change I quickly signed up for a reasonable AOL address: bob.waters@aol.com.

This pleased me because I knew from past experience that AOL webmail is, in most respects, an excellent service. It's reliable and relatively un-buggy, if a little slow in loading at times. Its anti-spam software is superb. For a long time, Heinz Tschabitscher of About.com listed AIM (the same service, which existed even before AOL opened its primary domain to free webmail accounts) right behind Gmail as the number two free email provider out there. It's recently fallen to number three, behind Zoho.com, but that's still pretty good.

I'd had good luck in the past with AIM, Tunome, and Mail.com accounts (Tunome is a defunct AOL vanity email service, and for a while Mail.com used AOL web mail's software and interface; unfortunately it's since been taken over by the far the buggy, spam-prone and altogether inferior GMX, which I believe Mr. Tschabitscher treats far more kindly than it deserves). So I was delighted by the prospect of using an AOL account with a brief, reasonable screen name.

I tried bob.waters@aol.com with Yahoo Groups perhaps two months ago. In the middle of my first session, I was suddenly disconnected and informed that "unusual activity" had been detected on my account, and that it had been suspended. Unusual, indeed; this was the first time I'd ever signed in to the account!

One of Heinz Tschabitscher's few criticisms of AIM/AOL web mail is the difficulty of accessing reasonable tech support. Sure enough, I had a bit of difficulty in communicating with the tech support people over in India, a regrettable percentage of whom seemed to be concrete thinkers as well as having a bit of difficulty dealing with English. They were also remarkably uninformed about current AOL policy; at least one seemed not to know about the recent change in policy regarding special characters in screen names. None seemed to have a comprehensive enough understanding of the technical side of AOL web mail to deal effectively with the situation, or even to understand it. But after jumping through far more hoops than I should have had to (AOL/AIM makes you go to a separate, unlisted and unlinked web page to take care of stuff most web mail services would handle through the link to "settings"), I got my password re-set and was off to the races. Or so I thought.

I'd reverted to another account for Yahoo Groups, but I tried bob.waters@aol.com again today. I noticed something strange right off the bat: when I replied to a post in an email group, the "to" address in my reply was not the group, but the member of the group who had written the post I was replying to. I still don't know what was up with that. But before long, that issue became irrelevant: once again I was logged out against my will and told that my account had been suspended for "unusual activity."

Had I been willing to be a good little sheep, I could have gotten my account turned right back on again. All I would have had to do would have been to have changed my password again and conceded that I might have a virus. Luckily, my bullheaded German blood was up, and I pointed out that since merely changing my password hadn't solved the problem the first time, it probably wouldn't so so this time, either- and that, moreover, it was unlikely that every computer used by the Des Moines Public Library (I don't have the internet at home) had the same virus! Ultimately, after talking to the people at the library, I did learn that the library had very strong security software with which AOL's didn't play very well. There was no virus, but the library had chronic problems with AOL.

It took eleven phone calls to AOL tech support, one to AOL billing, and one to AOL fraud before I learned what had actually happened. At one point, I was told (and this should have been a tip off) that the zip code on my account, which the techie was using for security purposes, was not the one I have had for the past three years- and certainly the one I had listed on the account. I assumed that I must have mistyped the zip code when I registered for the account- until one of the techies let slip that not only my zip code, but my entire address was wrong- and that, further, mine was not the name on the account!

Call me hopelessly old-fashioned, but I would think that an email address like bobwaters@aol.com really ought to belong to someone named Bob or Robert Waters, and that it might be a hint that something wasn't kosher if the owner was named Marilyn Schickelgruber or something. But maybe customs in India are different than they are over here. But in any case,no red flags were raised by the fact that, according to AOL's records, somebody not named Bob Waters owned bob.waters@aol.com. And when a guy whose name actually is Bob Waters calls up, and gets the answer to the security question right.....

As incredible as it seems, I not only had my account been hacked, but the security information used to verify the account holder's identity had been changed! Incredibly, the hackers had the ability to claim and re-start the account under their control- but I, who had opened the account, could not!

It's hard to imagine a degree of ineptitude on the part of a company dealing with web mail sufficient to permit a user's security information to be changed without his knowledge. Yet such was the case. I was locked out of my own account permanently. Somebody had literally stolen my email account, and there was no remedy available.

Not that, at this point, I would have wanted one.

The moral of the story: if you value your time, your blood pressure, and your security information, don't use AOL or AIM web mail. Period.