
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

NBtoaster

Member
Holy shit why do they even post?

Microsoft has not been hacked. Big difference. That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.

Thousands of people are getting their accounts compromised and money stolen, in what is probably due to a security flaw with MS/EA/FIFA, and you don't think the media should make a big deal out of it?
 

drizzle

Axel Hertz
Has it always been like that? I don't remember getting one.

I expressed myself poorly. I think you have the option to create a hotmail account in the dashboard when you're making a new gamertag and use that as your attached email OR insert the email you use.

It's been a while since I made a new gamertag, but I think that option is there. As a company, one would like to integrate their services in this manner.
 
Has it always been like that? I don't remember getting one.

as far as I remember you just need a Live ID which is linked to a MS Passport ID in which you can use any email account, not only MS ones (@hotmail.x or @msn.com)

MS should strengthen their security system but I'm afraid that wouldn't stop scamming from phishing emails, even more, I'm sure many of the hacked accounts are non MS based (hotmail or msn for example). I don't think this is a flaw in LIVE system but a hack on the user's end (email account), MS should ask the auction sites to ban those sellers otherwise they would sue them, that would reduce these frauds.
 

Rapstah

Member
Oh fuck, I went to xbox.com to disable auto-renewal and could do so successfully. I followed that up by trying to remove my PayPal account linked to my Xbox (as I figured that would be safer than directly linking my credit card). I could not. I click on the link to see what services are linked to my payment option:

  • Xbox Live Gold 3 months 60% off
  • App Hub trial membership 12 months

Not only will I be unable to remove this from my account until when my free months of Live run out, I actually will have to wait until my free app hub trial membership through my university runs out, which depending on what classes I take might be in three years. Bullshit.

EDIT: Meh, at least I can remove my credit card from the PayPal account if something goes very wrong and dispute it all. It'll screw my Live account over, but I prefer that to all the other options in this case.
 

M3d10n

Member
There's lots of theories on how these accounts are being hacked, that I think it warrants some experiments to see which ones can/cannot work. I'm sure we have some resourceful people in GAF who could run some detective work, no?

It would be nice if some people could determine the weak security links through hacking/engineering demonstrations.
 

ithorien

Member
Holy shit why do they even post?

Microsoft has not been hacked. Big difference. That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.

You're not serious right?

PSN gets hacked and we get downtime, during which very few if any people lose money, and it's the exact same thing as people getting money stolen from them on a regular basis and nobody's doing anything about it?
 
Thousands of people are getting their accounts compromised and money stolen, in what is probably due to a security flaw with MS/EA/FIFA, and you don't think the media should make a big deal out of this?

Did I say that? No. I even said in an earlier post that MS should take notes from Steam.

I commented on someone saying this is a hack and why did the PSN hack get more coverage. It's not a hack, period, and is obviously social engineering that happens all the time. For years people would get their account stolen by phishing; someone would play CoD and send a message to recent players saying "go to this site for a free MS points generator!" and tons of kids would get their account stolen by stupidly putting info on a random site. Those stolen accounts have always been for sale and nobody cared.

This Fifa thing is different, and while MS needs to input a similar system ala Steam in my opinion, it isn't as full blown as certain people want to make it seem. I've seen posts saying this has affected 100,000 and others saying 1-5million people. What? It's a few thousand at most; had it reached those levels it would be plastered on every gaming site available and not "just GAF." I think if it reaches those levels MS would respond and retaliate, because they have a very vocal customer helpline on Twitter/FB, etc. Although they should just nip it in the butt now and get it over with.

That said, after the PSN debacle I never leave my CC info or use it digitally unless buying online like Amazon. Prepaid all the way.
 

Lord Error

Insane For Sony
PSN gets hacked and we get downtime, during which very few if any people lose money, and it's the exact same thing as people getting money stolen from them on a regular basis and nobody's doing anything about it?
I agree with you in a sense that PSN hack really was much ado about nothing - no one got materially damaged in any way, and in fact we were all compensated really well in the end. But on the other hand, you can't say that MS is not doing anything about this - they do refund you and reopen the account, but are just really slow to do this, probably because of the volume of affected people.
 

drizzle

Axel Hertz
This Fifa thing is different, and while MS needs to input a similar system ala Steam in my opinion, it isn't as full blown as certain people want to make it seem. I've seen posts saying this has affected 100,000 and others saying 1-5million people. What? It's a few thousand at most; had it reached those levels it would be plastered on every gaming site available and not "just GAF." I think if it reaches those levels MS would respond and retaliate, because they have a very vocal customer helpline on Twitter/FB, etc. Although they should just nip it in the butt now and get it over with.
How is it any different? It's just accounts being phished, the credit cards on file being used, and the FIFA Cards being traded away.
 

Zoe

Member
I agree with you in a sense that PSN hack really was much ado about nothing - no one got materially damaged in any way, and in fact we were all compensated really well in the end. But on the other hand, you can't say that MS is not doing anything about this - they do refund you and reopen the account, but are just really slow to do this, probably because of the volume of affected people.

But it's only "a few thousand at most"!
 

tranciful

Member
Both. But Sony was compromised by 47 million accounts, which this (right now) is 1-5million(?) accounts compromised. Meanwhile, Sony's service was shut down for a month with little to no explanation (a security risk) while MS continues to have a service but complete silence (or "it's a non-issue since it's account social networking") about it.

Sony's edges out for 2011, but this could be Fail of the Year 2012 if it accelerates and MS doesn't stop it.

Sony publicly stated that the network had been illegally compromised, and provided information to help users protect against loss and identity fraud, less than a week after they found out they were hacked. I have heard about zero confirmed cases of cc info obtained from PSN actually being used to make fraudulent purchases or having their identity stolen. Really, the only consequence of the PSN hack was a month of PSN being voluntarily shut down by Sony so they could ensure it was secure when it went back up.

On the other hand, there is obviously a security hole in Microsoft's XBL system that allows accounts to be hijacked and we have confirmed accounts of people's credit cards being used fraudulently. Unlike the PSN hack, this XBL issue is actually costing customers money. Affected users are also blocked from using their account for weeks and sometimes months. These attacks have been going on for months and Microsoft has not publicly admitted there's a vulnerability nor taken any apparent action to fix it. Microsoft has allowed these attacks to continue unabated. Now we find that it's so easy to do, there's even a black market for it.

The PSN and XBL attacks are different, sure, but it amazes me that some people still give MS a pass. I guess Microsoft is smart to not shut anything down so this stops and they can actually fix it; some of you are apparently more content with their denial and non-action.. perhaps because it has yet to happen to you or you find playing on a different account acceptable.
 

Zoe

Member
How is it any different? It's just accounts being phished, the credit cards on file being used, and the FIFA Cards being traded away.

Lady Elysium said:
And finally, before I wrap it up for the night, a few people have criticized me for not making my account safe enough and basically lumping the blame solely on me. I believe this is a pretty unfair judgement to make. I want it to go on record that I have not become the victim of a phishing scam. I am extremely conscious of online identity theft and I know exactly what to look for when it comes to non-legitimate websites. On top of that I have never logged into Xbox.com or Paypal.com through any web address other than Xbox.com and Paypal.com.

.
 

iNvid02

Member
this happened before, DHGATE was offering $150 loaded PSN accounts for next to nothing giving you 12 hours to spend it all - it was obvious the accounts were stolen.
 

turnbuckle

Member
As far as I know people weren't getting their money stolen after the PSN hacks and Sony got major bad press, with these Xbox hacks people actually are getting points stolen and it seems like everything is getting swept under the rug.

Is this the case? I decided not to change my CC after the PSN hack last year. I rarely used that card for anything other than buying gas and PSN/XBL content. A few months after the hack my card stopped working so I called Discover to see what was up. Turns out someone was making purchases on my card from a hotel I've never been to in a country I've never been to (can't remember which now, some tropical island nation) and Discover put a hold on the account.

I chalked it up to the PSN hack, but I guess the account could've been compromised by some other means.
 
Have any gaming websites/podcasts really picked this story up and ran with it? Can't believe shit like this probably falls into the 'bite the hand that feeds you' category of gaming journalism.
 
On the other hand, there is obviously a security hole in Microsoft's XBL system that allows accounts to be hijacked and we have confirmed accounts of people's credit cards being used fraudulently. Unlike the PSN hack, this XBL issue is actually costing customers money. Affected users are also blocked from using their account for weeks and sometimes months. These attacks have been going on for months and Microsoft has not publicly admitted there's a vulnerability nor taken any apparent action to fix it. Microsoft has allowed these attacks to continue unabated. Now we find that it's so easy to do, there's even a black market for it.

CC used in these cases though are not compromised.

Hackers (or whatever you may call them) can use the CC because the information needed are saved within the gamercard. That's why the only thing they can buy are MS points/items from xbox live.

In Sony's case every CC was virtually compromised, even though there were very few (if none) reports.
 

drizzle

Axel Hertz
I thought the FIFA thing was worse?

The FIFA thing is, as said earlier, just another way to monetize the stolen accounts.

Once you get a Gamertag, you have two ways to make money out of it:

You either buy a Family Pack, buy a shitload of points on the main account and gift those to the "sister" accounts and then sell those sister accounts

OR

You buy a shitload of points on the account, buy FIFA Card Packs and trade those Card Packs away.

I, personally, don't see the difference. In both scenarios, the "hacker" gets money from selling shit they bought on somebody else's CC for much cheaper.

And finally, before I wrap it up for the night, a few people have criticized me for not making my account safe enough and basically lumping the blame solely on me. I believe this is a pretty unfair judgement to make. I want it to go on record that I have not become the victim of a phishing scam. I am extremely conscious of online identity theft and I know exactly what to look for when it comes to non-legitimate websites. On top of that I have never logged into Xbox.com or Paypal.com through any web address other than Xbox.com and Paypal.com.
I used to say the same thing, and then I remembered: My Xbox Live password was the same as my PSN password.

People make mistakes, people use the same password on two different services, people share their passwords with other people that are not as cautious as they are. It happens.

As I said earlier in this very page, The entire LIVE PASSPORT SYSTEM uses the same password. Hotmail, MSN.com, Windows Live Messenger, Xbox Live. All share the same password. If one of them is compromised, everything is.

HOWEVER, I'd like to state again that YES, there might be a security breach at Microsoft in some place. The "insert gamertag name on gamertag retrieve package" theory is the best one I heard in a while.
 

tranciful

Member

Why would Microsoft shut anything down when they aren't even hacked and this has nothing to do with an internal XBL flaw? Seriously, certain people seem a bit too desperate.

Only on GAF.
If they shut it down, it would certainly make logging into other people's accounts and using their money impossible. It would stop it in its tracks, which is exactly why Sony shut down PSN.
 

V_Arnold

Member
I do not understand how people can't grasp the difference between a security breach IN PSN servers and between thousands and thousands of people getting their accounts stolen/hacked through the usual means (social engineering, malware, trojans, keyloggers, whatever).

World of Warcraft has a 10-12 million userbase and THERE thousands(!444) of people are getting hacked. Who the hell cares? They are, but it is not plastered as "omg, is the media hiding it ? It must be Blizzard's fault!!!".

No it is not. And it is most likely not MS's fault either. PSN breach WAS due to Sony's bad security, this does not seem like it.
 

tranciful

Member
I do not understand how people can't grasp the difference between a security breach IN PSN servers and between thousands and thousands of people getting their accounts stolen/hacked through the usual means (social engineering, malware, trojans, keyloggers, whatever).

World of Warcraft has a 10-12 million userbase and THERE thousands(!444) of people are getting hacked. Who the hell cares? They are, but it is not plastered as "omg, is the media hiding it ? It must be Blizzard's fault!!!".

No it is not. And it is most likely not MS's fault either. PSN breach WAS due to Sony's bad security, this does not seem like it.
Blizzard actually takes steps to offer better security to customers. So, there's that.

edit: this is what I'm talking about: http://us.blizzard.com/store/search.xml?q=authenticator
 

DenogginizerOS

BenjaminBirdie's Thomas Jefferson
We'll see what the public thinks after they read these stories. I sent emails to people I know in the news media with links to the NeoGAF threads describing these issues. Let's see if anything comes of it, but I can't imagine any reputable news organization would ignore this much evidence now and not do a story.
 

drizzle

Axel Hertz
Blizzard actually takes steps to offer better security to customers. So, there's that.

edit: this is what I'm talking about: http://us.blizzard.com/store/search.xml?q=authenticator

It's not Microsoft's fault that the accounts are being stolen. However, it is Microsoft's fault that they're not doing anything to improve the security when we're talking about retrieving gamertags in different consoles.

Focus on that. Don't focus on stories like "MICROSOFT IS GETTING HACKED AND IT'S COVERING IT UP BY PAYING JOURNALISTS THIS IS OUTRAGEOUS".
 

ithorien

Member
I agree with you in a sense that PSN hack really was much ado about nothing - no one got materially damaged in any way, and in fact we were all compensated really well in the end. But on the other hand, you can't say that MS is not doing anything about this - they do refund you and reopen the account, but are just really slow to do this, probably because of the volume of affected people.

I suppose the wording was a bit off. I meant not actually informing the people, and like stated above perhaps measures to stop this by shutting shit down and implementing a guard system much like, again as stated above, steam.
 

Quikies83

Member
So what's the best way for me to get my credit card off my account? Doesn't look like I can do this from the xbox itself...
 

oddigy

Member
MS has no problem banning console IDs that have activated a stolen gamertag. Click through the threads in this forum for some chuckles.

http://forums.xbox.com/xbox_forums/xbox_support/f/2366.aspx

By the way, I still haven't gotten my old gamertag back from when it was ganked in early September. I did get an update from MS a few weeks ago letting me know they were STILL working on it. I've got two free month codes sitting around that I'm really not interested in bothering with until MS can get some type of console lock with two-factor authentication going on their service.
 

ithorien

Member
So what's the best way for me to get my credit card off my account? Doesn't look like I can do this from the xbox itself...

I logged into mine on xbox.com and just removed it there. It looks like it removes it from your whole Windows live account thing.

It took Blizzard a couple of years to institute this and make those authenticators available. Accounts were stolen for years before.

As trailblazers perhaps, but now pretty much everyone's doing it right off the bat. ToR launched almost with it.
 

tranciful

Member
It's not Microsoft's fault that the accounts are being stolen. However, it is Microsoft's fault that they're not doing anything to improve the security when we're talking about retrieving gamertags in different consoles.

Focus on that. Don't focus on stories like "MICROSOFT IS GETTING HACKED AND IT'S COVERING IT UP BY PAYING JOURNALISTS THIS IS OUTRAGEOUS".

I'm not saying Microsoft is being "hacked" or that journalists are being paid off. I'm saying Microsoft's security for user accounts is laughable and you don't see the same problems, to the same degree, on PSN or Steam. Microsoft is at fault: there's a hole somewhere that makes gaining other users accounts easier than it should be. Gaming journalists should know what they're doing and they still get hit. Hell, even Major Nelson has lost his account in the past. It doesn't seem to matter how careful the user is, they are too vulnerable.

The technical details might be different, but this XBL issue is comparable, if not worse, than the PSN hack in terms of damage.
 

Zoe

Member
MS has no problem banning console IDs that have activated a stolen gamertag. Click through the threads in this forum for some chuckles.

http://forums.xbox.com/xbox_forums/xbox_support/f/2366.aspx

By the way, I still haven't gotten my old gamertag back from when it was ganked in early September. I did get an update from MS a few weeks ago letting me know they were STILL working on it. I've got two free month codes sitting around that I'm really not interested in bothering with until MS can get some type of console lock with two-factor authentication going on their service.

This just boggles my mind. What is so difficult about their "investigations" that it can take months for a resolution?
 

oddigy

Member
This just boggles my mind. What is so difficult about their "investigations" that it can take months for a resolution?

In my personal case, I was told it has to do with the fact that my original gamertag underwent a country transfer. Apparently it is easy to get it out, but difficult to get it back in.

I wouldn't be nearly as pissed if all of the game saves I cared about weren't tied to that gamertag and can't be transferred to another.
 
The number of accounts being hijacked would be far higher than they currently are if this was the case.

For all we know, every single account in the world is already hacked, but it's a very small number of people doing it and then selling the accounts, in which case new reports of hacks are limited by how fast buyers can turn around the fifa scam process. If this is the case, the fifa guys aren't hacking anything, they're just buying hacked accounts which means they need to recover their investment, which is where the 1-2 month period between attacks comes in
 
If they shut it down, it would certainly make logging into other people's accounts and using their money impossible. It would stop it in its tracks, which is exactly why Sony shut down PSN.

Lol, holy shit. You think Microsoft should shut down XBL, a userbase of 40+ million people, just because an extremely small (small enough to not get noticed or garner care from the gaming media) percentage are being phished? You think Sony would do the same?

You are wrong; Sony shut down PSN because it was compromised and there was no telling what could happen. For all we know, all that CC info would have been stolen (instead of a small, insignificant amount that was reported here and there) and Sony would be filing for bankruptcy from all the lawsuits and money owed (they are already in a bad position in several divisions, this would have been an awful nightmare).


I'm not saying Microsoft is being "hacked" or that journalists are being paid off. I'm saying Microsoft's security for user accounts is laughable and you don't see the same problems, to the same degree, on PSN or Steam. Microsoft is at fault: there's a hole somewhere that makes gaining other users accounts easier than it should be. Gaming journalists should know what they're doing and they still get hit. Hell, even Major Nelson has lost his account in the past. It doesn't seem to matter how careful the user is -- they are too vulnerable.

Ok, you clearly have no idea what you are talking about. Major Nelson, Stepto etc were hacked because someone hacked their website (stepto.com, for example) and from there it wasn't hard getting into his XBL account. What does that have to do with Microsoft security?
 

drizzle

Axel Hertz
I'm not saying Microsoft is being "hacked" or that journalists are being paid off. I'm saying Microsoft's security for user accounts is laughable and you don't see the same problems, to the same degree, on PSN or Steam. Microsoft is at fault: there's a hole somewhere that makes gaining other users accounts easier than it should be. Gaming journalists should know what they're doing and they still get hit. Hell, even Major Nelson has lost his account in the past. It doesn't seem to matter how careful the user is -- they are too vulnerable.

Sony had an "account retrieval" homepage that allowed people to get back in after the "PSN is down" fiasco. That webpage was EASILY HACKED to change accounts passwords without clicking the link in the confirmation e-mail. That page got taken down 2 days after the event, and it has never come up again. The only way to change passwords on PSN now is either through a console and, I believe, on the QRocity service page. If I didn't have my PSN handy (my only PSN-enabled device, as I don't have a PS3), I'd be screwed.

Blizzard had no protection on password change for the longest time. Time and time again, accounts were stolen and items sold for Gold. This went on for YEARS before they decided they had to have something more secure as a "password change" and "login" systems.

Steam is the worst offender. We sink thousands of dollars on the service and, until the invention of Steam Guard, you didn't even need a confirmation email to reset the password. You couldn't request a password change from the outside, even with access to the registered email. If you lost your registered email and needed a password change (no hacking involved), you were screwed. The support would take weeks to even answer your first contact. Steam Guard solved the issue of getting your account stolen in the first place, but Support is still laughably bad and slow.


Sure, most of these issues were solved, but it took them YEARS (in Blizzard and Steam scenarios) to be fixed. Sony took one and a half months to bring a service that developers REQUIRE to make games back. Microsoft is sure as hell guilty of not doing anything to improve the situation, but they're not the only ones that made mistakes and were lethargic to present a solution to the issue.
 

Curufinwe

Member
I do not understand how people can't grasp the difference between a security breach IN PSN servers and between thousands and thousands of people getting their accounts stolen/hacked through the usual means (social engineering, malware, trojans, keyloggers, whatever).

At this point I think assuming all these hacked Xbox accounts are happening thru the usual means is naive.
 

truly101

I got grudge sucked!
I've had a $9.99 charge in November and one last month that I didn't make so I'm wondering if I've been hacked.
 

coopolon

Member
Tom Chick's got hacked semi-recently, and he was very critical of Microsoft.

He should have tweeted Stepto rather than just mention his job to a customer support supervisor.

Microsoft is sure as hell guilty of not doing anything to improve the situation, but they're not the only ones that made mistakes and were lethargic to present a solution to the issue.

They are the ones who after being notified an account is being used fraudulently, continue allowing that account to buy stuff and steal money from the legitimate owner. I actually think this is the main point of the OP's linked story. The woman contacted Microsoft immediately and said "I did not buy those things", Microsoft said okay we are locking your account, and then continued to accept money from the account even though they were already notified it was fraudulent. Should be illegal, you shouldn't be allowed to take the money after being informed the purchases are fraudulent.
 

LakeEarth

Member
This thread has inspired me to remove my credit card information from my XBL account.

This payment option cannot be removed at this time. Go to the Payment method information page to view services associated with this payment option.
Fucking Microsoft.
 
This is weird. Back when I got hacked a few months ago I was almost positive I had removed my CC info from my account. I went back in just now to be safe, and it was there. There's a possibility I never actually removed it the first time around, but I was really pretty sure I did.

Hmph.
 