[chubigans]

So things just got a whole lot more interesting, as Zoe posted in the Xbox Live Hacking thread.

The news of Xbox Live hacked accounts has been going on still, which was already discussed in a few stories on Giantbomb and Kotaku. It's assumed that Fifa has something to do with all this; that is, people are buying Fifa Ultimate Team packs and flipping them on ebay. Just some random guy and social engineering or something.

But what's new is the fact that one person was hacked twice, with hundreds of dollars taken from her paypal account.

http://hackedonxbox.tumblr.com/post/...-heart-or-soul

It's an interesting, horrible story, but here's the fascinating part: she was able to chat with the person who hacked her account. And he revealed that he bought the account on TradeTang.

A look at the site (warning: this may be a harmful site so it's NSFW and you should visit it on a secure browser) reveals over a thousand Xbox Live accounts, ready to buy. (edit: a lot of these accounts are ones created specifically for stolen credit card purchases, and not necessarily stolen accounts. Thanks volturnus.)

http://www.tradetang.com/wholesale-V...ducts_c40.html (if mods need me to take down this link, I will)

A look at some of the entries:

Quote:

At your own risk ~ Points are easy to disappear. Please as soon as possible, using the account

Quote:

live points 10000 points 2 hours warranty used account please note: now only offer 2 hours warranty.you have to use all points and download all games in 2hours, after 2 hours we won't provide any help

Quote:

Nature of the goods: This is not used the new ID, you can modify your password after you, and permanently retained; use this ID to download or the content, all the ID of this machine can be used, not necessarily to use this, and with your machine where the server version and the old ID has nothing to do, please rest assured to use! What we supply? ---ID with Password From 4000 Points to 12000 points You need to be Noted: ---What we supply is an account with password which has point available, we don't supply any subscription code! How we offer the accounts? ---we will send the account information By tradetang message

Quote:

10K Points Live Points accounts 10000 Points US Version the warrantity is 2hours, when buy it,must use all points within 2 hours.thanks. the warrantity is 2hours, when buy it,must use all points within 2 hours.thanks. the warrantity is 2hours, when buy it,must use all points within 2 hours.thanks.

Quote:

please note: now only offer 2 hours warranty.you have to use all points in this account in 2hours and transfer all contents to your main account :)

Quote:

Dear friends : Since the points might expire , please use up the points within the warranty time ,any way ,the sooner the better . . Thank you. . If you do not agree with these please buy them eleswhere . thanks for your time : 1 . The accounts are not gold . And it is better not to buy gold membership for the account because it won't last too long . how ever the other items you buy with the points in the account can be there for ever and you can use them on your main account . 2. It will never let your console be banned according to our experience of more than two years . 3 . Please tell me which version you need before you place it 4 . Any other quesitons please feel free to ask me on line through "contact now " or "ask supplier " .. thanks . Ｉ am always ready to help you with any questions . Thank you !! 5 .Please complete the order in time after you have received the account and give a possitive feedback as well . We will be grateful for you and give you better and better service . 6 . Scamers / Liers buy eleswhere !!! Befor place it Please choose the right option of the points.And ask us the warranty time if you want ,there is diffrent warranty time sometimes

Hackers aren't necessarily gaining access to accounts to get some Fifa cards; they're selling them to people that can gain access to your account, buy a bunch of stuff with your points & tie it to their console. Then they abandon the account and you're left with the mess.

This is pretty unreal, and somewhat of a breakthrough as to why there's been so many hacked accounts lately. What's still unanswered: how these people are managing to gain access to all these accounts.

[RedNumberFive]

GAF - doing game journalism better than paid game journalists! Bravo!

[Raxus]

Well I am glad I never used my actual credit card for ANY of my online accounts.

You'd think Xbox would have taken as much flak as Sony for this shit.

[Sysgen]

Has MS implemented a Steam Guard equivalent?

[Garcia el Gringo]

The number of accounts up for sale at just this moment alone is baffling. Give us some 2-step verification, Microsoft.

[Nelo Ice]

Well good thing I've never bothered to update the expired CC on my account.

[metareferential]

So this is how those accounts were created in the past years?

This is no new habit. I've seen those accounts even on ebay.

[Yagharek]

Originally Posted by RedNumberFive:

GAF - doing game journalism better than paid game journalists! Bravo!

No-one on GAF is being silenced with free hardware and premium customer service/complaint resolution though.

[volturnus]

Those are not fifahacked accounts, they're recently created accounts with points bought on maximuscards.com or similar websites with stolen credit cards.
Warranty used to be 24hs, but now it's 2hs only because the guys at maximuscards wave warned several authorities and are pissed off already.

[Friedreich]

I thought they were doing this the whole time? I can't imagine why they would not considering the information they supposedly have.

Originally Posted by volturnus:

Those are not fifahacked accounts, they're recently created accounts with points bought on maximuscards.com or similar websites with stolen credit cards. Warranty used to be 24hs, but now it's 2hs only because the guys at maximuscards wave warned several authorities and are pissed off already.

Well then, probably a mix of stolen and created accounts.

[drizzle]

That's nothing new. It's the easiest way to come through "easy points".

You buy an account that has 10k points in it, you activate the account on your console, you buy the content you want with that gamercard.

If somehow Microsoft gets that account back, since xbox live content is assigned to both the gamertag that bought it AND the console it was bought on, all the content can be used on that console legitimately.

If/when the account is retrieved back by Microsoft/the purchases are removed from the account, the "buyer" of the hacked account can never download that content again (his account doesn't have it and he doesn't have access to the account he used to purchase it), but as long as he doesn't delete the content, it's usable forever.

For the longest time those "accounts" were available on regular auction sites (in other words, you could find them on eBay). After a while, these auctions started to get pulled faster and faster, so it pretty much went all into forums or obscure Chinese auction sites.

The difference between this and the FIFA thing is that, in this case, the accounts are being sold because of the MS points funds in them. With the FIFA thing, the points and game content are bought on the stolen account and traded away through EA's trading system.

tl;dr: This is not new at all.

Edit:

Originally Posted by volturnus:

Those are not fifahacked accounts, they're recently created accounts with points bought on maximuscards.com or similar websites with stolen credit cards. Warranty used to be 24hs, but now it's 2hs only because the guys at maximuscards wave warned several authorities and are pissed off already.

Yes, that's also how this can be done.

They're completely different scenarios of fraud.

[Yagharek]

Originally Posted by volturnus:

Those are not fifahacked accounts, they're recently created accounts with points bought on maximuscards.com or similar websites with stolen credit cards. Warranty used to be 24hs, but now it's 2hs only because the guys at maximuscards wave warned several authorities and are pissed off already.

If you read the OP, you would know that the woman who was hacked found this site since her account was sold off via it.

[chubigans]

Originally Posted by volturnus:

Those are not fifahacked accounts, they're recently created accounts with points bought on maximuscards.com or similar websites with stolen credit cards. Warranty used to be 24hs, but now it's 2hs only because the guys at maximuscards wave warned several authorities and are pissed off already.

Then how did the girl with the twice-hacked account end up on that site?

I'm sure there are accounts like that, but hers were among them. And I'm sure plenty more are too.

[Sye d'Burns]

Ahhh, a FOTY contender for 2012.

[Brazil]

After I was hacked last year and Microsoft told me I had to wait two months before they could do anything and that I should keep calling them (through the international line) to get reports on the situation, I just threw it all up in the air and waved the service good-fucking-bye.

They didn't even recognize the mass hacking waves as a "thing", and their customer support is one of the worst freaking jokes in the industry. I'll never get back to Live, ever.

So maybe someone out there has bought my account by now. Hope they rot with it.

[Zoe]

Originally Posted by RandomVince:

If you read the OP, you would know that the woman who was hacked found this site since her account was sold off via it.

She even chatted with the person.

[Garcia el Gringo]

Originally Posted by Sye d'Burns:

Ahhh, a FOTY contender for 2012.

Well, I was one of the three people who voted for it for 2011. Hopefully MS fixes this screw-up before it becomes a true contender for FOTY 2012.

[Thoraxes]

WTF is this shit I just saw in the ToS (i'm probably a slowpoke on this):

Quote:

16. LIABILITY LIMITATION. You can recover from us for all successful claims only direct damages up to a total amount equal to your Service fee for one month. You cannot recover any other damages, including consequential, special, indirect, incidental, or punitive damages and lost profits. This limitation applies to anything related to this contract, for example: the Service; loss of data; your content, third party content (including code), third party programs, or third party conduct; viruses or other disabling features that affect your access to or use of the Service; incompatibility between the Service and other services, software, or hardware; delays or failures you may have in initiating, conducting, or completing any transmissions or transactions in connection with the Service in an accurate or timely manner; and claims for breach of contract; breach of warranty, guarantee, or condition; misrepresentation; omission; strict liability; negligence; or other tort. It also applies even if this remedy does not fully compensate you for any losses, fails of its essential purpose or we knew or should have known about the possibility of the damages. Nothing in these terms except the agreement to arbitrate and class action waiver in Section 18.1 will affect the statutory rights of any consumer. Nothing in these terms will exclude or restrict liability for death or personal injury arising from our negligence, fraud, gross negligence or willful intent. Some or all of these limitations or exclusions may not apply to you if your state, province, or country does not allow the exclusion or limitation of incidental, consequential or other damages.

Quote:

18.1.6. CLASS ACTION WAIVER. YOU AND MICROSOFT AGREE THAT ANY PROCEED­INGS TO RESOLVE OR LITIGATE ANY DISPUTE, WHETHER IN ARBITRATION, IN COURT, OR OTHERWISE, WILL BE CONDUCTED SOLELY ON AN INDIVIDUAL BASIS, AND THAT NEITHER YOU NOR MICROSOFT WILL SEEK TO HAVE ANY DISPUTE HEARD AS A CLASS ACTION, A REPRESENTATIVE ACTION, A COLLECTIVE ACTION, A PRIVATE ATTORNEY-GENERAL ACTION, OR IN ANY PROCEEDING IN WHICH YOU OR MICROSOFT ACTS OR PROPOSES TO ACT IN A REPRESENTATIVE CAPACITY. YOU AND MICROSOFT FURTHER AGREE THAT NO ARBITRATION OR PROCEEDING WILL BE JOINED, CONSOLIDATED, OR COMBINED WITH ANOTHER ARBITRATION OR PROCEEDING WITHOUT THE PRIOR WRITTEN CONSENT OF YOU, MICROSOFT, AND ALL PARTIES TO ANY SUCH ARBITRATION OR PROECCEDING.

[Yagharek]

Originally Posted by Zoe:

She even chatted with the person.

Yep.

That woman's account should be mandatory reading for anyone who wants to come in here saying it's no big deal. Peoples' accounts are being stolen wholesale now, along with hundreds of dollars.

Microsoft's silence on this matter is damning. Not to mention their active deception of the public by silencing games journalists who get hacked.

[drizzle]

Originally Posted by Brazil:

After I was hacked last year and Microsoft told me I had to wait two months before they could do anything and that I should keep calling them (through the international line) to get reports on the situation, I just threw it all up in the air and waved the service good-fucking-bye. They didn't even recognize the mass hacking waves as a "thing", and their customer support is one of the worst freaking jokes in the industry. I'll never get back to Live, ever. So maybe someone out there has bought my account by now. Hope they enjoy it.

Couple of things:

• Skype makes free calls to 800-my-xbox. That's how I solved my stolen account issues.
• The two month thing is because there's so many hacked xbox accounts that they can't solve all the issues in a timely manner. Yes, this sucks horribly. My account was given back to me in 2 weeks on the button. It sucks to wait 2 months, but you would probably get your account back.
• They will NEVER admit that there's a problem. Mostly because I don't think there's a hacking problem. Most of these issues seem to be from Social Engineering and user dumbness: I had the same password on my Live account as my PSN account. It's good to remember that your Windows Live Messenger uses Windows Live as well. Same account, same password. That was pretty idiotic of me.

Also, this will be a 5-10 page discussion exactly the same as the last one: Bitter people complaining about shitty support, 3 people saying they got their accounts back without any issues.

This could easily be fixable with a two-tier identification system. Shoot an email to the registered address asking if you're authorizing the recovery of your account on another console. DONE. Steam guard does this and I don't think i've ever heard about stolen accounts ever again, at least not from smart people that don't have the same password on their email addresses.

[volturnus]

Originally Posted by RandomVince:

If you read the OP, you would know that the woman who was hacked found this site since her account was sold off via it.

Maybe they're using new forms of getting CC numbers, then.

One of the guys I talked to said he worked in an office in Hong Kong with 12 other people that steal CCs from random sources and use them to buy points online with fresh accounts. Accounts were sold at $15 with 6000 points and the guy said his ''team'' is operating since 2007.

(btw: I was hacked once and did a thorough investigation by myself, I've never bought any account)

[Zoe]

Originally Posted by volturnus:

Maybe they're using new forms of getting CC numbers, then. btw: I was hacked once and did a thorough investigation by myself, I've never bought any ccount) One of the guys I talked to said he worked in an office in Hong Kong with 12 other people that steal CCs from random sources and use them to buy points online with fresh accounts. Accounts were sold at $15 with 6000 points and the guy said his ''team'' is operating since 2007.

It's not credit card numbers, it's the accounts. People who are hacked are only seeing charges related to Live via the payment set up on their account. The cards themselves are not compromised.

And for this girl, it was a Paypal account.

[Boogalogist]

Why isn't this splashed all over the news like the PSN account hack?

[Brazil]

Originally Posted by drizzle:

Couple of things: Skype makes free calls to 800-my-xbox. That's how I solved my stolen account issues. The two month thing is because there's so many hacked xbox accounts that they can't solve all the issues in a timely manner. Yes, this sucks horribly. My account was given back to me in 2 weeks on the button. It sucks to wait 2 months, but you would probably get your account back. They will NEVER admit that there's a problem. Mostly because I don't think there's a hacking problem. Most of these issues seem to be from Social Engineering and user dumbness: I had the same password on my Live account as my PSN account. It's good to remember that your Windows Live Messenger uses Windows Live as well. Same account, same password. That was pretty idiotic of me. Also, this will be a 5-10 page discussion exactly the same as the last one: Bitter people complaining about shitty support, 3 people saying they got their accounts back without any issues.

You can bet I'm bitter.

And how can someone get their account back "without any issues" when losing their account in the first place is a huge issue? It's the kind of thing that simply can't happen. And when it happens, it should be solved as quickly as possible. Not after weeks of "investigation".

For me, it just wasn't worth it to keep involved with a service that offers no security and that is run by people that don't feel in the need to be honest with their customers. I know I could get my account back, but I don't want it anymore. It's not worth the effort.

[metareferential]

Originally Posted by Boogalogist:

Why isn't this splashed all over the news like the PSN account hack?

Because it's been happening for a few years now, and Microsoft even denies the very existence of the issue.

EDIT: problem with the Live ID is that you can't fucking change it xD

Every time I try to change the ID tied to my gamertag, I just get an error. Everything else works perfectly.

[volturnus]

Originally Posted by Zoe:

It's not credit card numbers, it's the accounts. People who are hacked are only seeing charges related to Live via the payment set up on their account. The cards themselves are not compromised. And for this girl, it was a Paypal account.

I thought those were the Fifa hack incidents?

[Friedreich]

Originally Posted by Boogalogist:

Why isn't this splashed all over the news like the PSN account hack?

Because it's not system wide. If that we're the case, almost everyone who has an XBL account will be here complaining. The point of these threads is to find a reason how select people are being targeted.

[Sixfortyfive]

Glorious digital distro future.

[Sysgen]

Originally Posted by Boogalogist:

Why isn't this splashed all over the news like the PSN account hack?

You would think. MS is profiting off of the monetary losses of their customers.

[Zoe]

Originally Posted by volturnus:

I thought those were the Fifa hack incidents?

Did you read the link in the OP?

[volturnus]

This is the website I was talking about:
http://www.xbox360-point.com/ (take down if necessary, I'm posting it so people can report as well)

10k point account for $50, that would cost $125 legally.

[funkystudent]

Originally Posted by Raxus:

You'd think Xbox would have taken as much flak as Sony for this shit.

You would think that but MS are a whole lot better at PR and spreading a positive message and keeping the media folk happy.
Plus game journalists dont normally have to deal with the normal lengthy systems MS has set up for normal people. They had there own separate quicker channel to go through when RROD was a thing and I bet MS have or are planning something similar for any media people who get there account compromised since this problem is only getting bigger.

Actually this doesn't seem to be connected to the Fifa scams... still pretty fucked up though that people are abusing the system like that.



Still I hope MS and every other console maker introduce some form of 2 step verification since that seems like a good way to protect peoples accounts.

Maybe even sell some kind of XBL USB authenticator thats similar to the WoW authenticator blizzard sells.

After last year any other security features they can add would be great.... Just add more.

[cpp_is_king]

Originally Posted by Sysgen:

Has MS implemented a Steam Guard equivalent?

Of course not. They can just sweep this under the bus and it will go away, right?

[Garcia el Gringo]

Originally Posted by Brazil:

They didn't even recognize the mass hacking waves as a "thing", and their customer support is one of the worst freaking jokes in the industry. I'll never get back to Live, ever.

Support was so inconsistent with this when I was dealing with them. Some knew exactly what the "Fifa hack" was and would try to help me right away, some were completely incompetent with unauthorized access (not knowing what it was or how to begin helping me). Some support reps would admit that the call center had been swamped with people claiming that they were robbed, others would pretend like I was the first and only victim in the history of Xbox Live.

Originally Posted by Boogalogist:

Why isn't this splashed all over the news like the PSN account hack?

Because most people can still play their games online and have their MS point balance untouched, so "sucks to be you." Journalists, besides Patrick Klepek, don't seem to care about the issue until it effects them.

[henhowc]

Is it just me or are there problems with the xbox.com site? Trying to remove my PayPal but the site isn't responding.

[A Twisty Fluken]

Originally Posted by Sye d'Burns:

Ahhh, a FOTY contender for 2012.

This is actually FOTY 2009.

[Codeblue]

It sucks when the only way for this to get attention is to start your own blog.

There is no part of this that hasn't been mishandled.

[metareferential]

Originally Posted by henhowc:

Is it just me or are there problems with the xbox.com site? Trying to remove my PayPal but the site isn't responding.

Yes, had problems here too, trying to log in/out of it.

It really sucks sometimes.

[drizzle]

Originally Posted by funkystudent:

You would think that but MS are a whole lot better at PR and spreading a positive message and keeping the media folk happy. Plus game journalists dont normally have to deal with the normal lengthy systems MS has set up for normal people. They had there own separate quicker channel to go through when RROD was a thing and I bet MS have or are planning something similar for any media people who get there account compromised since this problem is only getting bigger.

This is a much bigger issue. Hacking happens, people lose their accounts because they have idiotic passwords ALL THE TIME. Fuck, I still use the same password that got hacked on my Windows Live account on some shitty websites and forums on the web that I don't care about.

Now, the fact that Microsoft actively bumps journalists to the top of the pile, quickly solve their issues, negates the amount of compromised accounts and doesn't even care enough to come up with a system to protect the accounts, like SteamGuard and it's two-tier authentication system, is fucking ABSURD. It's ABSURD. It's the 3RL scenario ALL OVER AGAIN, but with a much bigger issue, imho.

People should focus on that. Support sucks, what else is new? You'll get your account back, if you keep complaining. It'll take two months, but you'll get your shit back. I recently bought a cellphone online on a big store (I'm not from the US, so I can't use Amazon) and it was never delivered. It took them 45 days to give me a new phone. Support sucks, sure. What are you going to do? Are you saying "fuck it" and giving up the right to have your product?

Complain about the real issue: Lack of a system engineered to prevent authentication of your account in the case your account is stolen. "I'm an idiot and my password was weak and Microsoft didn't return the account to me immediately! I'm so angry at them!" will gets us nowhere.

[Ardenyal]

Originally Posted by Boogalogist:

Why isn't this splashed all over the news like the PSN account hack?

Because the hackers don't want any publicity. The PSN hacking was on the news only because the hackers were gaming the media with PR statements etc. MS also wants to keep a low profile on this matter, every youtuber/media person has had their hacking resolved within days...

[PsychoRaven]

Wow. Reading her story is just flooring. That's the type of total failure on Microsoft that leads to lawsuits.

[gundamzeta209]

I see a lot of people throwing the term "social engineering" around In this thread. what does that mean in this context? Im guesing that We arent talking about federal and state social policies here

[Face it Tiger..]

Now that's some all-star investigating, Detective-GAF.

I hope these ass clowns get what's coming, swiftly.

EDIT: aggregating & elaborating information for me for me as a reader is key, mindlog.

[Neuromancer]

Originally Posted by Sysgen:

Has MS implemented a Steam Guard equivalent?

No but they need to; this is getting absurd.

[Friedreich]

Originally Posted by Ardenyal:

Because the hackers don't want any publicity. The PSN hacking was on the news only because the hackers were gaming the media with PR statements etc. MS also wants to keep a low profile on this matter, every youtuber/media person has had their hacking resolved within days...

Some tin foil hat stuff right here. XBL, or any service, being completely compromised would be a huge story anywhere. Get some perspective, the PSN hack is in a different level than this. Both are still awful though.

[saunderez]

Originally Posted by gundamzeta209:

I see a lot of people throwing the term "social engineering" around In this thread. what does that mean in this context?

Basically pretending you're someone else and using that to your advantage. With enough information you can easily impersonate anyone when - for instance - calling Xbox Support. I blame Facebook for the explosion in social engineering, it's incredible how much information morons put there for the public to see.

[drizzle]

Originally Posted by Sysgen:

Has MS implemented a Steam Guard equivalent?

Originally Posted by Neuromancer:

No but they need to; this is getting absurd.

They really need to. The only thing they added is the "Xbox 360 Profile Protection System", which is an option that requires any xbox out there to re-download your profile: https://live.xbox.com/en-US/Profile/Protection

In other words, they need to input your account password on that machine again to re-download the profile.

Which is fine and dandy when you go to a friends house, download your profile and, somehow, you forget to delete it from the console. If he tries to get back in, he'll need your password and will be screwed.

HOWEVER, this doesn't help in the event of a console being hacked AT ALL. We really need two-tiered activation, Steam Guard style.

Originally Posted by gundamzeta209:

I see a lot of people throwing the term "social engineering" around In this thread. what does that mean in this context? Im guesing that We arent talking about federal and state social policies here

Originally Posted by saunderez:

Basically pretending you're someone else and using that to your advantage. With enough information you can easily impersonate anyone when - for instance - calling Xbox Support. I blame Facebook for the explosion in social engineering, it's incredible how much information morons put there for the public to see.

Exactly. "Social Engineering" is not hacking a system, a database. It's "hacking" the person on the other line of a phone line. Pretending to be somebody else with enough information to make that person believe you're the user of that account, and acquire even more information. And it's not only on Xbox Support.

Let's say you call some other service that, instead of changing your password, provides you your password through the phone. Let's also say you're one of the millions of people that have tiered password system: One for stupid websites on the internet, one for regular sites you care but don't have any credit card information and another password (usually this one is really good! It has numbers and shit!) for those sites that do have Financial/Personal information.

If you, for instance, call Netflix and somehow get them to give you your Netflix password, there's a chance that the same password is being used on the 360. As one service "ties" into the other, both have Credit Card information, both need to be seucre. What do you do? You use your "good" password in both services. Boom, you're screwed.

I'm specifically calling out Netflix because, in prior threads, some reports of people socially engineering through Netflix have been found.

[Codeblue]

Originally Posted by Tiger uppercut:

[IMG]http://i307.photobucket.com/albums/nn309/thtswhatshesaid/slowclap.gif[IMG] Now that's some all-star investigating, Detective-GAF. I hope these ass clowns get what's coming, swiftly.

And I hope the hackers get caught too.

[Mindlog]

Originally Posted by Tiger uppercut:

http://i307.photobucket.com/albums/nn309/thtswhatshesaid/slowclap.gif Now that's some all-star investigating, Detective-GAF. I hope these ass clowns get what's coming, swiftly.

I don't quite understand how the reposting qualifies as GAF detective work -_-

Now, what someone should be doing, 'Hello Kotaku, GB, IGN, Shacknews, etc etc etc.' Setup a script to monitor the shady auction sites for a period of several weeks. That will give you a rough estimate of compromised accounts. Some actual number to pin to the headline.

[Mxrz]

However you want to put it, its still MS' customers being fucked. That isn't a positive. Surprised the site manages to be as low-key as it is. Or was, hopefully this gets MS to doing something.