Imagine picking up your phone to find your line dead and your phone number in someone else's hands.
The cyberspace equivalent happened to users of the ICQ instant messaging system this week. Approximately 200 ICQ users reported their passwords stolen and their accounts taken over by unknown users.
"This is sort of like losing your own phone number that you've had for years and years," said Steve Gossett, an ICQ user in Temple City, California.
"Not only do they have the ability to represent you, but they've stolen that part of your Internet -- that part of your 'phone.'"
Gossett uses the system for both personal communications and some business contacts worldwide. When his account was stolen, he said he had to notify over a hundred other ICQ contacts by email, telling them to ignore any messages sent under his ICQ number, as he no longer controlled it. Gossett has resorted to using a secondary ICQ number.
"I've had three years of ICQ contacts -- some of them business contacts spread out across the US and a couple foreign countries."
America Online subsidiary Mirabilis maintains the ICQ network. More than 60,000 new users sign up daily for ICQ, which totals 42 million worldwide users.
Members use the system to check if friends and colleagues are online, and send each other "instant" text messages.
AOL spokesperson Regina Lewis said the company has been aware of the problem for as long as a month and has a mechanism in place so users can get their number back. She said the number of reported incidents is less than 200.
Users' passwords were obtained by way of simple email trickery, Lewis said. Over the last month, ICQ users have received an email message containing an attached file disguised as a JPEG. When users opened the attached file, instead of opening a JPEG image, the attachment loaded a small malicious program.
The program emailed the user's ICQ password back to the sender. The perpetrators have not been identified or stopped.
In any case, Lewis said users can retrieve their ICQ account numbers by sending email to support@icq.com. If users indicate they've had their number stolen, ICQ will return it within 24 hours after the user is verified, she said.
"The system was not compromised in any way. Somebody didn't go in and break into the database of ICQ," Lewis emphasized. She also reminded users not to open suspicious JPEG email attachments.
Lewis agreed that an ICQ account can be as important as a telephone line.
"That's why it's so important that they can get it fixed -- because people love their ICQ."
Gossett said numerous attempts to log into his ICQ account Wednesday afternoon resulted in repeated "invalid password" rejection messages.
When he visited his ICQ personal page on the Web, where users enter personal profile information about themselves, he discovered that his information was gone. In its place was just the name "honix," possibly that of a cracker.
He logged into his secondary ICQ account and found that someone else was logged on under his primary account. He then made a fruitless attempt to notify AOL tech support representatives.
Miami-based user Ricardo Arenas reported his password stolen in early August.
"A week later my ICQ number had disappeared from their database. It doesn't even exist anymore. I had to get a new one. It's a little annoying."
When he sent email to an ICQ feedback address, Arenas said he received only an automated email reply. In the intervening month, he received no information on the problem.
Neither Gossett nor Arenas recalls receiving the attachment as described by AOL.
The ICQ support message boards have lit up with complaints of the same problem. Users claim that when AOL was no help solving the problem, they gave up hope of getting their ICQ accounts back and opened new ones.
Lewis said users like Arenas and Gossett simply weren't following the correct path to support. "I don't know how they tried to get through, but the right way is support@icq.com."
The ICQ instant messaging system has experienced several security problems in the past.
In August of last year, a security problem let ICQ members log into the network using other users' accounts. Using the bug, an imposter could potentially talk his way into gaining sensitive information.
Earlier that year, security experts criticized ICQ for lacking secure barriers against hijacking, spoofs, and other hostile programs that could listen in on personal and potentially sensitive communications sent over the system. Since then ICQ said it had worked to improve security.
