Dr Stabbingworth
Member
Just got Fifa'd. I don't even own that fucking game. Pretty sad that MS still hasn't fixed this. Now my account is locked. This is the last straw for the Xbox.
I haven't kept up to date on this stuff. Should I be worried? What should I be looking for?
- 25th & 27th of November-The date it occurred
-Your "damages" (points spent, games played you don't own, etc.)
-Your current situation with MS (if your account is suspended, under investigation, etc.)
-If you have an EA account of any kind, or have played any EA games in the past few months
-If your password, to your knowledge, was a unique one between your EA and MS account.
-How old your Gamertag/Live account is, and
-Your compensation, and whether it's been resolved or not.
-If your security question was changed, and if so, whether the new answer has Chinese characters.
-Did you have the 4-button security pass code enabled for your account? (thanks ukresistance!) (also can anyone confirm if this passcode is local console only or tied to the account?)
Do they remove the Fifa 12 Achievements from your profile?
I'm so paranoid about this shit that I drained my MS Points down to 80 and I'll only add more when there's something I really want to buy. Gone are the days of happily sitting on a 4000 point balance and making purchases with them on a whim.
Whoever hacked my console didn't play Fifa 12, but Gears of War 3 is still on my profile from the hack, the content he bought is still in my purchase history, and I have 0 points in my account (in direct contradiction to the email I received from MS).
I want those points back.
It took 5 days (after I got access to Live) and several phone calls to get my full refund. Definitely ring up support.
On a side note, I've played so many games on the 360 in the past few weeks so those fucking Fifa 12 achievements are pretty buried and out of sight now. I wish I could delete them, but whatever. That shit still irks me if I see it for a second and remember that it messed with my achievement stats.
I think I'm in the middle of a hack attempt. I was just playing Sonic Generations when it signed me out, saying I was signed in on another console. I signed in immediately, then it happened again. I just quickly changed my password. What else should I do?
Crazy that this is still happening.
Anyway, in answer to your question: check your secret question to make sure it hasn't been changed, and check the email account that's associated with the GT. It might also be a good idea to change your password and secret question again after you've checked your email account.
My email and secret question are still the same, and since changing my password I haven't been signed out again. Still nervous, however, as I have no idea how my account was compromised. Hoping I just got lucky that I was online at the time the hack was taking place.
After I discovered the fraud, I took a look at http://www.xbox.com/security and found that, by default, profile logins from other consoles are not authenticated by password. This means that, should a hacker find a way to download your profile, he has full access to it without knowing your password.
By the way, does anyone know if it is now possible to change the ID and email tied to the live account? Prior to the dashboard update it didn't work.
The only efficient protection is
- don't leave MS points hanging around
- don't save payment information. E.g. use an "empty" credit card to replace the one(s) you actually use
- don't use PayPal (it saves all the information needed, thus invalidating any advantage PayPal may give, like additional passwords, 2-step verification, etc.).
If you need MS points, buy a code online, redeem it, and use every point left. So even if you get hacked, there's nothing for those scumbags to do.
Fifa on the 360 is a plague. I play it every day, and every day I get phishing messages.
Wait, the recover profile without a password doesn't make sense. I bought a new 360 late Nov and had to enter my password to download my profile.
Yea, that's why I mentioned a potential backdoor. There is simply no way people are brute forcing a 17 character password that is both strong and unique across all other accounts. Not happening.
So it stands to reason that they are SOMEHOW getting in without entering a password at all.
That's all good advice and it's how I roll now. I used to like having a nice, big balance of points in my account and being able to buy stuff on a whim, but MS no longer have that type of customer in me since I can't be sure that their platform is secure.
Which leads me to believe that CS are in on this or are being tricked into handing over details.
I wouldn't be surprised if it was the former, although I'm leaning toward it being the latter.
If you know some personal details about the account owner, you could phone MS CS and just ask for the password.
Then why is it happening in large batches? Go look at Twitter, it was relatively quiet and then now over the weekend there's an explosion of new people talking about Xbox Live hacks. You think that Customer Service didn't think it was weird when thousands of people called up on the same day asking to reset their passwords? You don't have an operation of this size where a person has to manually call someone up on the phone and talk to them. It's scripted and automated.
Not sure if this was posted yet, but a co-worker of mine was hacked over the weekend. He also used a 17 character unique password that was never used anywhere else.
Here's a post he made about it on a different forum:
http://forum.beyond3d.com/showpost.php?p=1609811&postcount=104
Here's the important thing to note:
It's true, you can see it yourself directly on Microsoft's website:
I'm inclined to agree with him that there is some sort of backdoor allowing people to gain access to others' profiles without a password. I can pretty much guarantee you that if you have a 17 character password that has never been used anywhere else, then the hackers got in without your password.
Bottom line - if they can get your profile on their console, it's game over even if you change your password.
It is a weakness/flaw if the system allows users to call in and ask for another person's password.
Then why is it happening in large batches? Go look at Twitter, it was relatively quiet and then now over the weekend there's an explosion of new people talking about Xbox Live hacks. You think that Customer Service didn't think it was weird when thousands of people called up on the same day asking to reset their passwords? You don't have an operation of this size where a person has to manually call someone up on the phone and talk to them. It's scripted and automated.
That's probably not how it works.
It's entirely possible/probable that the thieves (I assume it's a select group of people, not just randoms every time it happens) are doing it in batches. Taking a couple of weeks to retrieve all the necessary info from MS CS and then moving ahead once they have enough details.
That way the calls to MS CS wouldn't seem suspicious and would fall through the cracks, as they probably do get more than a few legitimate calls about accessing accounts, etc. on any given day.
That method does explain why it happens in batches and why there are lulls between the hacking incidents.
It is really poor security if customer service gives out the password over the phone like that. It should only be sent to the account email or through physical mail (signed-for, so you have to show ID to get that mail).
But I don't think this is the case, to be honest. I would at least assume that the people working at customer service are aware of this problem, seeing how widespread it is. So if they still give out the passwords over the phone like that, then I don't really know what to say. This could be tested though. Just call customer service and try to make them give out the password to your own account.
True about many reps, but I don't think that they should ever give out passwords over the phone, especially when all these hacks are going on, even if it is a legit user that calls.
Someone with some free time should try this. See how much info they give away over the phone.
While you're right to think that MS CS should catch on, never forget you rarely get the same rep twice and they have reps all over the world, which can make noticing high volumes of people calling to get acc info difficult, but I might be wrong.
True about many reps, but I don't think that they should ever give out passwords over the phone, especially when all these hacks are going on, even if it is a legit user that calls.
Yep, it is really bad security if they do so at least. I could see it slip in a few isolated cases, but not when we talk about perhaps thousands of cases.
They don't, that would be absolutely asinine. Guys running a business out of their garage could figure out not to do that. There's a higher chance of the world ending on Dec 21, 2012 than this hack being due to CSR reps giving out passwords.
If you know some personal details about the account owner, you could phone MS CS and just ask for the password.
That's why I always said this is not a hack. Live security isn't compromised. The problem is someone is giving out passwords and/or information.
What kind of questions does MS ask when you call them because you forgot your password/email? How do they check it's actually you?
When you consider the volume of attacks, there's no way this is being performed through social engineering.