[Satchel]

Originally Posted by patsu:

This is why the victims are mad. No one has claimed responsibility to fix it. And no one has said they can/will stop it. All they see is their money have been taken, and they didn't get phished or social engineered. If there is a way in via Windows Live ID, then XBL needs to block fraudulent logins. Both are MS's systems. If XBL's customer service agents got fooled by the social engineers, then MS is responsible. If the customer service agents forgot to lock a compromised XBL account, they are responsible too. Despite the user info theft on PSN, most users' accounts and $$$ are intact. Debating that one of the locks is not picked while the money in the safe is already gone may not be sufficient.

But I'm not debating the stupidity on MS' part, or what's right or wrong.

But people claiming "Xbox Live got hacked' are factually wrong is all I'm saying, which is why Microsoft won't admit that it's been hacked. Because it hasn't.

Whether that's right or wrong is another discussion all together. MS trying to fix these cases individually makes more sense from a business and publicity standpoint don't you think?

Why admit to something that technically isn't true when you can try and fix it under the carpet and save public scrutiny? It makes more sense for them to do what they're doing. Especially given the relatively small number of users this would be affecting.

Think about it, if this is affecting say 1 or 2% of total worldwide users, why would MS come out and say "Xbox Live has been compromised?" Makes no sense.

[Curufinwe]

Originally Posted by Satchel:

But people claiming "Xbox Live got hacked' are factually wrong is all I'm saying, which is why Microsoft won't admit that it's been hacked. Because it hasn't.

You do not know that MS security hasn't been compromised, and cases like Psychotetxt's missus are very hard to explain any other way.

[Satchel]

Originally Posted by Curufinwe:

You do not know that MS security hasn't been compromised, and cases like Psychotetxt's missus are very hard to explain any other way.

I know we're talking semantics here, but it's her Windows Live ID that was hacked. Not Xbox Live as a service. Which is why Microsoft won't admit to anything.

With PSN, it was the actual PSN that was hacked.

With this stuff, it's the Windows Live IDs being hacked, not Xbox Live as a service or network.

I know both are Micrososft products, I understand that, I also understand this is a fuck up on MS' part, but people bemoaning Microsoft for not admitting to being hacked are trying to nail diarrhea to a wall. It's not going to happen because technically it isn't happening.

[Garcia el Gringo]

Opps, I didn't mean to start this. This isn't productive to my two-step cause!

I'm just saying you might want proof before you claim Live has been hacked. If you don't have proof, then we're not really making any progress.

Originally Posted by epmode:

Social engineering doesn't necessarily mean that it's from you or someone you know. It could mean convincing a phone support person that you're the account holder and having them reset the password or somehow grant account access to the thief.

And this. There are many methods of social engineering. Not all cases are due to victim's error.

[Grecco]

Originally Posted by VibratingDonkey:

That's good, particularly the faster recovery process, but not good enough until two step verification is a thing.

I dont think 2 Step verification will be launched, well at least till the next system is released in 2013.

[Satchel]

epmode also made a good point. Most customer support services ask for nothign more than a name, DOB and address. That info can be easily obtained from anyone's Facebook page.

They can simply call up Xbox Live, give the standard info and BAM they have your account. But that sort of slack phone security isn't exclusive to Microsoft, almost all companies are that slack, which is a problem within itself.

But either way, people need to give up this whole "Xbox Live has been hacked". Because it's not true. If it was, then the account details for ALL of us would be out there and they would have gone around to all of us and done this by now, same way ALL our details were obtained with the PSN hack, because it was the actual network itself that was hacked.

I'm amazed people find it so hard to distinguish between the 2 situations.

Is Microsoft dealing with all of these cases in the right way? Nope, but that's different to people saying their network has been hacked when it hasn't.

[Curufinwe]

Originally Posted by Satchel:

Nope, but that's different to people saying their network has been hacked when it hasn't.

Again, you do not know that for a fact.

[Garcia el Gringo]

Originally Posted by Grecco:

I dont think 2 Step verification will be launched, well at least till the next system is released in 2013.

Yup, two-step is a sure bet for next gen. I'm sure MS can only do so much with the 360's 2005 online tech foundation. It'd sure be nice if the could work out a little something in the meantime though.

[Grecco]

Originally Posted by Curufinwe:

Again, you do not know that for a fact.

And the people claiming that its happening dont know it either.

[Satchel]

Originally Posted by Curufinwe:

Again, you do not know that for a fact.

Read the post right above yours.

If the actual network itself had been busted open, this wouldnt be affecting a tiny percentage of the millions of Xbox Live users, it would be affecting ALL of them.

[Zoe]

Originally Posted by Satchel:

Read the post right above yours. If the actual network itself had been busted open, this wouldnt be affecting a tiny percentage of the millions of Xbox Live users, it would be affecting ALL of them.

Depends on their motives and how much was exposed. The actual stealing part is a manual process.

[bigtroyjon]

I don't understand the logic behind MS execs and employees risking jail time in order to cover up being hacked but logic usually doesn't enter the picture in conspiracy theories so I'm not surprised.

[Curufinwe]

Originally Posted by Grecco:

Anyways http://majornelson.com/2012/02/07/a-...your-security/

One of the commenters pointed out something MS could easily implement to improve security, even if two-step isn't possible.

Quote:

The point being missed is Xbox Live ability to allow points to be brought on an account without the need to re-enter the Credit Card CVC code from the back of the registered card. That is a FAILING of Xbox and Microsoft. What other online purchase system allows an item to be bought without using your CVC code to validate the card. If this STANDARD security measure had been in place my Xbox Live accounts then the hackers couldn't of made any MS point purchases in the first place!

[Satchel]

Originally Posted by Zoe:

Depends on their motives and how much was exposed. The actual stealing part is a manual process.

It is, but even then, we're talking about a very small percentage when you take even just gold accounts into...account.

This would be happening to Silver members too no?

That makes the percentage of members affected even more minscule, which is what suggests that this isn't a breach of Live. Either way, I didn't risk it, I took my credit card off a couple of weeks ago.

Right now, if my account cops it (just changed the password last week too), the most I lose is 700 points. I can live with that.

[Curufinwe]

I recommend picking up 100 points thru Bing Rewards if you're in the US, then buying an 800 point game. That way your balance will be zero and even if your account gets stolen they won't be able to buy anything and permanently ruin your Achievement list.

[Zoe]

Originally Posted by Satchel:

This would be happening to Silver members too no?

It is.

[Satchel]

Originally Posted by Curufinwe:

I recommend picking up 100 points thru Bing Rewards if you're in the US, then buying an 800 point game. That way your balance will be zero and even if your account gets stolen they won't be able to buy anything and permanently ruin your Achievement list.

I'm in Australia so yeah, I can more points through Xbox Live rewards. I think I'm almost at 100.

[FollowSmoke]

Originally Posted by Satchel:

With this stuff, it's the Windows Live IDs being hacked, not Xbox Live as a service or network.

I don't see the point in your argument. Actually, I do, but it's inconsequential. Windows Live is tied to Xbox Live. So what's the difference? If I broke into your house through your garage and then entered your house, I can't claim that I didn't break into your house, I broke into your garage. Actually, I can, but it's only a technicality.

None of which takes Microsoft off the hook and none of which makes it any less disgusting that they're blaming phishing and malware.

[Satchel]

Originally Posted by FollowSmoke:

I don't see the point in your argument. Actually, I do, but it's inconsequential. Windows Live is tied to Xbox Live. So what's the difference? If I broke into your house through your garage and then entered your house, I can't claim that I didn't break into your house, I broke into your garage. Actually, I can, but it's only a technicality. None of which takes Microsoft off the hook and none of which makes it any less disgusting that they're blaming phishing and malware.

Let me make it easier for you.

PSN situation: Network itself was hacked, so all our details INCLUDING email and password were obtained

Xbox Live situation: Windows Live ID email and password were obtained (somehow) and then used to access and hijack Xbox Live account.

If you still can't differentiate then all is lost for you. My point was never about what's right or wrong. I said Microsoft doesn't seem to be handling the situation well, and I myself removed my credit for my own piece of mind, but I was merely correcting people who were in fact wrong, and explaining to those people why Microsoft won't (and technically shouldn't) announce that Xbox Live has been hacked. Because it hasn't.

[bigtroyjon]

Originally Posted by FollowSmoke:

I don't see the point in your argument. Actually, I do, but it's inconsequential. Windows Live is tied to Xbox Live. So what's the difference? If I broke into your house through your garage and then entered your house, I can't claim that I didn't break into your house, I broke into your garage. Actually, I can, but it's only a technicality. None of which takes Microsoft off the hook and none of which makes it any less disgusting that they're blaming phishing and malware.

Why would MS employees risk jail time by covering this up?

There's no upside, these companies all have insurance to protect themselves against an attack and there's no reason for the rank and file employees to cover this up.

[bryanee]

Just happened to a mate, all his points used up. Not sure if he has any card details attatched.

[Benjamin1981]

I just logged into my Paypal and it tells me last payment of 199,13 Euro to Microsoft could not be completed.

WTF, i sold all my Xbox stuff. How did this happen? Crazy stuff. Will have to call Xbox and Paypal tomorrow.

[Genesis Knight]

So after waiting for 2 months with nothing happening, I filed a BBB complaint and it was fixed the next day.

[Garcia el Gringo]

Originally Posted by Genesis Knight:

So after waiting for 2 months with nothing happening, I filed a BBB complaint and it was fixed the next day.

Very good. Welcome back.

[pyrealnova]

Originally Posted by Genesis Knight:

So after waiting for 2 months with nothing happening, I filed a BBB complaint and it was fixed the next day.

Came here to post this. My account was hacked in October and got the runaround from MS for more than 3 months. Emailed BBB on Monday, complaint was sent to MS on Wednesday, account was restored today.

Not sure if this is a problem with MS customer service being clueless, or just crappy internal communication.

long story short: if your account isn't recovered in 25 business days, file a complaint with BBB!

[Truespeed]

So something odd just happened yesterday when I fired up my 360. I haven't played it in about a month or so, but when it prompted me to select a profile and there was this new profile on the HDD that I never created. The avatar had a wife beater shirt and had the word "money" followed by numbers (I can't recall the actual name of the profile because I deleted it). I had no points in my account or any financial data tied to it. Does anyone know what might have happened? I just find it incredibly odd that this profile would even exist on my system (I'm the only one that uses it).

[Zerokku]

So nearly 6 months later, after filing a second complaint with the BBB, I finally have the last portion of the money refunded.

Jesus christ microsoft.

[Remy]

Sad thing about the BBB tactic is I had to take the same one after my RROD way back when to get my points refunded, since back then getting your XBLA purchases transferred was impossible. Good to know it still works, though!

[Genesis Knight]

Though they restored my account and my spacebux, they haven't restored by 2+ years of Gold subscription I had accrued.

[Nuborn]

So I just got hit by this stupid thing, Right now i'm in control of the account by changing the password and requiring it on sign in.

-Valentines Day 2012, yay...
-1920 M$ points, had 2400, was keeping them for Alan Wake and I am Alive
-Not contacted them yet because I still have my account and am about to change the email adress, then I will call them. (And complain very loudly)
-I do have an EA account, was playing the Mass Effect 3 demo last night until about 1AM in the morning.
-Passwords were unique
-Account is 4 years old, security question is still in english.

[Diablohead]

Originally Posted by Nuborn:

So I just got hit by this stupid thing, Right now i'm in control of the account by changing the password and requiring it on sign in. -Valentines Day 2012, yay... -1920 M$ points, had 2400, was keeping them for Alan Wake and I am Alive -Not contacted them yet because I still have my account and am about to change the email adress, then I will call them. (And complain very loudly) -I do have an EA account, was playing the Mass Effect 3 demo last night until about 1AM in the morning. -Passwords were unique -Account is 4 years old, security question is still in english.

have you checked billing.microsoft.com? it will give you a list on what you spent points on, or what those missing points were used for and when.

[Nuborn]

Originally Posted by Diablohead:

have you checked billing.microsoft.com? it will give you a list on what you spent points on, or what those missing points were used for and when.

Yeah it was all FIFA gold packs. Knew it happened as soon as I saw the "Account has been signed in on another console" message.

I know if I call up MS support they'll most probably close my account and never refund my points so I am not going to bother.

[Castor Krieg]

I can see how this is a plague, because on Polish auction site (dunno if I can post links) there are loads of cheap games being sold for ~10EUR, all with (make sure to download within 48 hours) note.

[CoryCubed]

So is it safe to play Mass Effect 2, or what is the best practice so far to avoid this (if any)? I have an expired card on file and 300 points, but with all the EA talk I have been scared to finish the game and prepare my file for Mass Effect 3.

[Garcia el Gringo]

Originally Posted by Nuborn:

Yeah it was all FIFA gold packs. Knew it happened as soon as I saw the "Account has been signed in on another console" message. I know if I call up MS support they'll most probably close my account and never refund my points so I am not going to bother.

They refunded my $75 in promotional points from a T-Mobile exploit. I had to explain to them how I got them, but they honored it. If anyone's account was going to be closed, it would have been mine. Why do you feel like your account will be closed forever if MS gets a hold of it? Just incompetence on their end, or something on your end?

I'd say it's worth a shot. Supposedly the turn around for cases is just like 3 days now.

[Big Ass Ramp]

Fuck me. Woke up this morning to find that both my Xbox account and iTunes account have been hacked. $50 spent on iTunes on KingdomConquest and its inapp purchases. ~10000 MS points bought on XBL. Stopped all of them with my bank. The two accounts did not have the same password.

-Today
-~$150
-I have an EA Account
-EA account pass and XBL pass were the same
-4 Years old
- n/a
-security question was not changed. I think I caught this early enough to stop that.
-no 4 button pass for XBL

also was a victim of the Gawker password theft. Never played Fifa, plenty of NCAA 12 however.

[bigtroyjon]

Originally Posted by Big Ass Ramp:

Fuck me. Woke up this morning to find that both my Xbox account and iTunes account have been hacked. $50 spent on iTunes on KingdomConquest and its inapp purchases. ~10000 MS points bought on XBL. Stopped all of them with my bank. The two accounts did not have the same password. -Today -~$150 -I have an EA Account -EA account pass and XBL pass were the same -4 Years old - n/a -security question was not changed. I think I caught this early enough to stop that. -no 4 button pass for XBL also was a victim of the Gawker password theft. Never played Fifa, plenty of NCAA 12 however.

Might want to wipe your computer, 2 different services at once sounds like you are infected with something.

[Big Ass Ramp]

Originally Posted by bigtroyjon:

Might want to wipe your computer, 2 different services at once sounds like you are infected with something.

it does, doesn't it. Actually already did that a week ago, so should be safe on that front.

[Psychotext]

More importantly, you might want to change your email password / security questions.

[Big Ass Ramp]

Changed passwords and security questions for most of my accounts.

[Curufinwe]

Mock if old, but Alex Garden (the GM of Xbox Live) said this at 1:00:38 of the most recent Major Nelson podcast.

http://majornelson.com/cast/2012/02/...nd-a-farewell/

Quote:

We're working really hard on two-factor authentication, and in fact in the next couple of months we're gonna be rolling it out across the entire network.

[Garcia el Gringo]

[Psychotext]

About time really. Good news though.

[Weevilone]

-Hacked 10/8/2011
-Damages: slightly less than 4000 points stolen; FIFA '12 achieves
-After chasing them for 4.5+ months I got my points refunded on 2/21/12
-Yes, I was linked to EA
-I believe that my passwords were unique and strong between Live and EA
-Gamertag is original from when Live launched. 10 years? Long time, anyways..
-4000 points refunded
-My security question was not changed, as I caught it quickly. I was able to recover on my own.
-I do not have any 4 button codes.

I work in IT security so I'm fairly tuned into not doing stupid things. I'm also on UNIX systems most of the time and very much feel that I don't have any malware, etc.

At one point during the investigation I was told by a MS rep that since my case was so old, my case # was closed out as resolved and a new one was created. I was told this was done to make their metrics look better. He also said this sent me "back to square one" in terms of response time.

[Lexxon]

Just got nailed today.

-Hacked 2/25/12
-Damages: 2920 points gone, all that I had.
-Contacted support, no response yet.
-Linked via EA for Mass Effect, I believe.
-Passwords were possibly the same, security admittedly pretty poor. (And I work in IT...good job!)
-Gamertag is roughly 6-7 years old.
-I was always able to log into my account--I was still able to log in and change my password. I may have caught them in the act or right after it.
-No 4-button codes.

[Mental Patient]

My brother got hacked on 2/24/12 and they spent the 1600 points he had on the account on FIFA gold packs. The only game he played during that time was the arcade game NBA JAM. Changed the password on the account, hopefully it doesn't happen again.

[CTE]

I have EA links to my account. ME and Amalur. I always spend all my points when I get them and only use pre paid cards to buy Live. EA and Live passwords are different. Anything that I might be missing to enhance my security?

I think the not having a CC on file in the account and always spending all my point as I get them are the best tactics. What does it leave them to go on after that?

[Danthrax]

I just saw an email in my Gmail account about FIFA 12. In it, it says, "Thanks for playing FIFA 12!"

I've never played FIFA ... oh God

I try to sign into xbox.com, password's been changed. Check my gamertag profile, FIFA is the most recently played game

Trying to sign in through my Xbox 360 right now, but the motherfucking thing is updating some hugeass fucking update that I don't give a shit about because I JUST GOT FIFAD



[edit] the email is dated 9:06 a.m. Monday ... it just happened 16 hours ago, basically

[edit 2] Finally signed in. Played FIFA on Saturday, March 3, got three achievements: New Club in Town, I'll have that one, and How Great is that?.

I have 20 spacebucks left in my account. Pretty sure I had like 1300 or 1600 spacebucks.

[sonicmj1]

An update on this situation: two months after my account got restored, I still hadn't had the 4000 points spent refunded to me. It took two separate calls to support to get the situation escalated to the point where they gave me a 4000 point code to use.

It really shouldn't have been that difficult. I'm glad everything eventually got resolved, but this point refund situation has made me more skeptical about using Xbox Live in the future.

[PudgyBunny]

There is a part of me that is so glad that I dont play the Xbox aside from Netflix for this reason lol. So sorry it happened to you Dan :(