
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

test_account

XP-39C²
Holy shit why do they even post?

Microsoft has not been hacked. Big difference. That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.
It doesn't really matter if there isn't a server-side hack like with PSN if accounts can be abused regardless. There seems to be no pattern here either about who gets their account hacked, so it doesn't seem that anyone is immune.
 

Big E33

Neo Member
The scary thing is that most people are hearing about accounts with PayPals charged; that's only because those are the people who get notified of these purchases.

People with regular credit cards probably won't see these charges for a little while.
 

androvsky

Member
And to top it off, they did NOT change my password because I logged into it through the website immediately after the compromise.

So it wasn't phished, it wasn't changed, and it wasn't brute forced. How many options are left?
Has anyone ever tried this on a test account? edit: never mind

I'm assuming it doesn't work based on the few comments and lack of notoriety, given how easy it was to find (I was actually looking for the alleged password-reading reps video, lol).
 
The fact that we can't remove our credit card information from xbox live without contacting their customer service line is BS.

Screw you, MS.
 
WTF reading comprehension FAIL
Where the hell did I say they read the passwords? LOL

Jesus christ how many times are we going to have to repeat this. Please list one alternative to reading passwords over the phone that does not involve a password reset, since we already know passwords aren't being reset.
 

Droog

Member
Then how are they getting onto the accounts when the passwords aren't getting changed?

I don't know nor did I ever claim to. Coopolon asked how social engineering could work and I gave an example. Whether this example is being used on LIVE we don't know. Plus I thought it had been established that some accounts that had been hijacked DID have passwords/secret questions changed?
 

Noshino

Member
I don't know nor did I ever claim to. Coopolon asked how social engineering could work and I gave an example. Whether this example is being used on LIVE we don't know. Plus I thought it had been established that some accounts that had been hijacked DID have passwords/secret questions changed?

yeah, but the fact that many haven't had their accounts reset makes the "social engineering" theory a lot less likely
 

skybaby

Member
Jesus christ how many times are we going to have to repeat this. Please list one alternative to reading passwords over the phone that does not involve a password reset, since we already know passwords aren't being reset.

Well that's right, you got me there. But I'm inclined to think this comes from one of these 3rd party operations. These places are usually not regulated as they should by the parent company at all.
 

Reallink

Member
So it can't be either phishing/social engineering or mystery hack. The latter of which implies XBL has been totally compromised for almost three years but the hackers aren't doing much with it. That doesn't make sense so there must be some fourth exploit no one has figured out yet.


A MS employee is leaking or selling the info.
 

iceatcs

Junior Member
A MS employee is leaking or selling the info.

That's possible but still lot of other theories.

I hope MS does something about the FIFA thing because we don't have the power to prevent it if you're still using a CC (or PayPal, which it looks like can't be removed). Only MS, or maybe EA, can do it. That's why we want it in the media as much as possible to hurry MS up and get the fuck on it.
 

patsu

Member
Hey, if you are right then we should see this thing explode soon, but I don't think so. Not worried at all.

It doesn't have to explode if the hack is time consuming, or need some conditions to line up, to execute. It doesn't have to be phishing also.

That woman's report actually highlights a few weak points in MS's security process, especially their customer service. It is probably not in MS's interest to write it all off as "just phishing" or "not our problem".
 
I personally consider my name, address and date of birth to be sensitive information, though I can see from facebook and the like that most don't.
 

patsu

Member
That's possible but still lot of other theories.

I hope MS does something about the FIFA thing because we don't have the power to prevent it if you're still using a CC (or PayPal, which it looks like can't be removed). Only MS, or maybe EA, can do it. That's why we want it in the media as much as possible to hurry MS up and get the fuck on it.

From this woman's story, it doesn't seem like the FIFA game is involved? Did she mention she is a FIFA player?
 
From this woman's story, it doesn't seem like the FIFA game is involved? Did she mention she is a FIFA player?
It's never been specifically about FIFA. That's just the end result.

There has always been suspicion of EA's involvement though (especially with regard to the sharing of credentials / account data with them).
 

patsu

Member
It's never been specifically about FIFA. That's just the end result.

There has always been suspicion of EA's involvement though (especially with regard to the sharing of credentials / account data with them).

Does XBL send your/her PayPal info over to EA?

She seems to think she only deals with Xbox.com and PayPal.com.
 

mxgt

Banned
why the fuck can't I remove my paypal details from my account until gold expires? so unbelievably stupid, holy shit
 

patsu

Member
Impossible to say without intricate knowledge of their systems. They certainly share your normal data, as obviously EA runs their own online infrastructure alongside xbox live.

When you buy EA DLC, do you buy it from XBL or the EA store? i.e., using points or dollars?
 

LQX

Member
why the fuck can't I remove my paypal details from my account until gold expires? so unbelievably stupid, holy shit

Yep, the other night I tried to take my sister's credit card off my nephew's console because he keeps charging points when he is not supposed to, and they wouldn't let us. They are already paid, yet still holding hostage the debit card which is allowing the kid to run up points.
 

dreamfall

Member
why the fuck can't I remove my paypal details from my account until gold expires? so unbelievably stupid, holy shit

Yeah, I was wondering the same thing. I ended up chatting with Microsoft support, and they cancelled my account to get the PayPal information off. I got sent prepaid codes to make sure my Live Account expired at the same time. It was a hassle, but better than risking it.
 

TomServo

Junior Member
I'm not turning on victims here, but I'm stunned how many people have a debit card or PayPal account tied to Xbox Live (or any other service for that matter).

Credit cards people. One call to the issuing bank and I get charges disputed in minutes, virtually no questions asked. Believe me, you get better customer service when you're holding their money hostage, and not the other way around.

Still, I don't tie any payment method to my account. Buy codes from a trusted third party, like Amazon.
 

mxgt

Banned
If I remove my debit card and bank details from my paypal account will they also be removed from my xbox account?
 

patsu

Member
I'm not turning on victims here, but I'm stunned how many people have a debit card or PayPal account tied to Xbox Live (or any other service for that matter).

Credit cards people. One call to the issuing bank and I get charges disputed in minutes, virtually no questions asked. Believe me, you get better customer service when you're holding their money hostage, and not the other way around.

Still, I don't tie any payment method to my account. Buy codes from a trusted third party, like Amazon.

I think as long as there are points in the system, the hackers can use them. And some people stock up those points ahead of spending because of promos and point discounts.
 

TomServo

Junior Member
I think as long as there are points in the system, the hackers can use them. And some people stock up those points ahead of spending because of promos and point discounts.

I understand that, but there are a couple of things even there:

1. With no payment info on file, the damage is limited to the points in the account. No situation where bill money is stolen.

2. Every promo I've taken advantage of issues codes. No need to immediately redeem them.
 

Rapstah

Member
If I buy Live in the form of codes from now on, will I still not be able to remove my credit card? Do I have to let it run out, then remove the card, then enter the code, or does the time I paid for with the card just have to end?
 

iceatcs

Junior Member
From this woman's story, it doesn't seem like the FIFA game is involved? Did she mention she is a FIFA player?
That's why I said "FIFA thing", referring to the common one that has been heard many times. I know it has nothing to do with the OP story. But it sounds worse than the FIFA gold pack account hijack. Poor her.
 

oddigy

Member
I'm going to put my head out on the chopping block and volunteer my own theory on how my XBL account was hacked. (Sept 7th, 6000/4000 points purchased on attached credit card that was close to expiration, account transferred to Brasil, still not recovered after ongoing investigation)

First off, I created my account years and years ago, back when I had a very insecure password system. I never updated that password.

As I'd told my Xbox to remember my account password, I had completely forgotten that I was using "that" password (one that I had also used lots of other places) until it was too late.

Anyway, turns out that very password was the one that was disclosed, albeit encrypted, in the infamous Gawker Breach of 2010 (damn, over a year ago now). The databases from that leak are still readily accessible online if you poke around.

You can search for the MD5 of your email address over here - http://www.google.com/fusiontables/DataSource?dsrcid=350662 to see if you are in this list. Remember that this is only ONE of multitudes of databases that have been fully compromised from various websites over the years, so being in here or not really doesn't mean much.

One characteristic unique to my XBL account being hacked is that that same evening, I received a "welcome back!" message from Facebook, which I'd created years prior, again, with the same password, but had deactivated and had left dormant. Turns out whoever got my XBL login also was trying it on Facebook, and who knows where else. I'd say I have enough data to tie all of these incidents together.

It is extremely profitable for criminals to obtain lists of compromised usernames and passwords and script logins to popular services in hope of getting bites. This is why it's so important to never use the same email address/username/password combination ANYWHERE.

This does not, in any way, explain why users such as cpp_is_king, who has confirmed that he has had a 100% unique email address with a unique password tied to his XBL account, and still managed to have the account compromised. That shit baffles me.

For everyone else, it is highly likely that the account password for EITHER your XBox Live account or the MS Live ID that is tied to it was the same as an account you had used elsewhere, which had been compromised, and the database owners never thought to let you know about it. It happens all the time.

Again, the only way Microsoft is going to truly nip this in the bud is to implement a true two-factor authentication/verification system for XBox Live which will require authentication from something you HAVE (digipass/etc or cellphone code) to approve charges to the account, account transfers, or a myriad of other functionality that can be defined from your XBox Live account preferences.

I am not reactivating my Gold account until this is present, period.

Of course I am using a secure password system now, and admit I was a complete moron to not be more vigilant, but hey, life's made up of tough lessons.
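The post above describes two things a defender can actually check for: scripted logins run through a stolen username/password list, and whether an address shows up in a leak published as MD5 hashes. The following is an added example, not code from the post or from Microsoft; the log format, the sample records and the leak set are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (hypothetical format, not real Xbox Live logs):
# timestamp, source IP, account e-mail, result.
SAMPLE_LOG = """\
2011-09-07T21:00:01 203.0.113.9 alice@example.com FAIL
2011-09-07T21:00:02 203.0.113.9 bob@example.com FAIL
2011-09-07T21:00:03 203.0.113.9 carol@example.com OK
2011-09-07T21:00:04 203.0.113.9 dave@example.com FAIL
2011-09-07T21:00:05 203.0.113.9 erin@example.com FAIL
2011-09-07T21:00:06 203.0.113.9 frank@example.com OK
2011-09-07T21:05:00 198.51.100.4 alice@example.com OK
2011-09-07T22:10:00 198.51.100.4 alice@example.com OK
"""

# Constructed stand-in for a leak published as MD5(e-mail) hashes, as the post describes.
LEAKED_EMAIL_MD5S = {hashlib.md5(b"carol@example.com").hexdigest()}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Parse log lines into (timestamp, ip, account, result) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, account, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """IPs that tried at least `min_accounts` distinct accounts inside one `window`:
    the signature of a scripted run through a stolen credential list."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in events:
        by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            seen = {a for t, a in attempts[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def accounts_to_review(events, leaked_md5s=LEAKED_EMAIL_MD5S):
    """Accounts that logged in successfully from a flagged IP, split by whether the
    e-mail also appears in the leak set (reuse is the likely cause) or not (another avenue)."""
    bad_ips = stuffing_sources(events)
    hits = {a for _, ip, a, r in events if r == "OK" and ip in bad_ips}
    in_leak = {a for a in hits if hashlib.md5(a.lower().encode()).hexdigest() in leaked_md5s}
    return sorted(in_leak), sorted(hits - in_leak)
```

On the sample data the first IP is flagged for hitting six distinct accounts in six seconds, and of its two successful logins only carol's address is in the leak set, which is the "unique password, still compromised" case the post says it cannot explain.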
 

patsu

Member
I understand that, but there are a couple of things even there:

1. With no payment info on file, the damage is limited to the points in the account. No situation where bill money is stolen.

2. Every promo I've taken advantage of issues codes. No need to immediately redeem them.

Yes, if you only redeem on demand, it will reduce the damage regardless of how MS handles XBL security.
 

JWong

Banned
So, do people like Sony's handling of shutting down everything to fix it properly?

Or Microsoft's non-handling of silence and dismissal?
 
I'm going to put my head out on the chopping block and volunteer my own theory on how my XBL account was hacked. (Sept 7th, 6000/4000 points purchased on attached credit card that was close to expiration, account transferred to Brasil, still not recovered after ongoing investigation)

First off, I created my account years and years ago, back when I had a very insecure password system. I never updated that password.

As I'd told my Xbox to remember my account password, I had completely forgotten that I was using "that" password (one that I had also used lots of other places) until it was too late.

Anyway, turns out that very password was the one that was disclosed, albeit encrypted, in the infamous Gawker Breach of 2010 (damn, over a year ago now). The databases from that leak are still readily accessible online if you poke around.

You can search for the MD5 of your email address over here - http://www.google.com/fusiontables/DataSource?dsrcid=350662 to see if you are in this list. Remember that this is only ONE of multitudes of databases that have been fully compromised from various websites over the years, so being in here or not really doesn't mean much.

One characteristic unique to my XBL account being hacked is that that same evening, I received a "welcome back!" message from Facebook, which I'd created years prior, again, with the same password, but had deactivated and had left dormant. Turns out whoever got my XBL login also was trying it on Facebook, and who knows where else. I'd say I have enough data to tie all of these incidents together.

It is extremely profitable for criminals to obtain lists of compromised usernames and passwords and script logins to popular services in hope of getting bites. This is why it's so important to never use the same email address/username/password combination ANYWHERE.

This does not, in any way, explain why users such as cpp_is_king, who has confirmed that he has had a 100% unique email address with a unique password tied to his XBL account, and still managed to have the account compromised. That shit baffles me.

For everyone else, it is highly likely that the account password for EITHER your XBox Live account or the MS Live ID that is tied to it was the same as an account you had used elsewhere, which had been compromised, and the database owners never thought to let you know about it. It happens all the time.

Again, the only way Microsoft is going to truly nip this in the bud is to implement a true two-factor authentication/verification system for XBox Live which will require authentication from something you HAVE (digipass/etc or cellphone code) to approve charges to the account, account transfers, or a myriad of other functionality that can be defined from your XBox Live account preferences.

I am not reactivating my Gold account until this is present, period.

Of course I am using a secure password system now, and admit I was a complete moron to not be more vigilant, but hey, life's made up of tough lessons.

It's quite possible that there are multiple avenues of attack. As you mention, obtaining lists of UN/PW is absolutely the easiest avenue of attack for any Joe Schmoe hacker. I'd be surprised if at least some of the attacks weren't a direct result of that.
 

oddigy

Member
It's quite possible that there are multiple avenues of attack. As you mention, obtaining lists of UN/PW is absolutely the easiest avenue of attack for any Joe Schmoe hacker. I'd be surprised if at least some of the attacks weren't a direct result of that.

Absolutely, and your case in particular fascinates me. I don't know what other avenues would exist for someone whose account information is so closely guarded. Had it been a long time since you'd last logged into your Xbox? Are you on a home network which has any unencrypted or easily decrypted connections at all?

One thing I remember about the brief unauthorized access to my Facebook account, is that the moment I received the email letting me know it was lit back up, I logged into it and looked at the active connections, and the only one in there was one that was completely unknown to me from my same (albeit huge) hometown.

Switching paranoid mode on completely, it is fully possible that whoever was trying to completely milk out accounts attached to my compromised credentials was using a local compromised machine as a gateway. All it would have taken at the time would be one look at my public XBL profile to see the city I live in.
 
Absolutely, and your case in particular fascinates me. I don't know what other avenues would exist for someone whose account information is so closely guarded. Had it been a long time since you'd last logged into your Xbox? Are you on a home network which has any unencrypted or easily decrypted connections at all?

One thing I remember about the brief unauthorized access to my Facebook account, is that the moment I received the email letting me know it was lit back up, I logged into it and looked at the active connections, and the only one in there was one that was completely unknown to me from my same (albeit huge) hometown.

Switching paranoid mode on completely, it is fully possible that whoever was trying to completely milk out accounts attached to my compromised credentials was using a local compromised machine as a gateway. All it would have taken at the time would be one look at my public XBL profile to see the city I live in.

It had been well over a year since I last logged into that Xbox (the actual console), and I don't think I'd ever logged into Xbox.com before I got hacked. The WLID was used for various Microsoft developer forums once upon a time, but that was many years ago, and under a different password. I also always ran my Xbox wired, not over WiFi.
 