
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

Mandoric

Banned
It pretty much amazes me to see how tight MS can handle the media (unlike Sony). Sony was a few days late on telling something, and everything exploded with statements such as millions of credit cards in the hands of hackers. Nothing really escalated from there, yet it was huge news even to the mainstream media. MS have been playing the "shrug" game for a quarter/third of a year, it's escalating, and they still fail to address it properly, and nothing except a couple heated articles happen?

That's how the PR cookie crumbles. "We had a problem, here's what could go wrong, here's the significantly smaller list of what's actually gone wrong, sorry it took us a week to compile this" is what people say they want, but just gets interpreted as "there is a nightmare scenario, it's our fault, and we've been hiding it". Deny, deny, deny, then when the pressure finally gets too hot give everyone a free month of Live or 800msp with a $10 authenticator, and odds are you'll be praised for giving security options and freebies.
 
PistolPete in the process of becoming the new hackedonxbox?
http://www.analoghype.com/video-gam...o-his-account-following-30-day-investigation/

I don't oppose that idea. There must be something fundamentally wrong with how Microsoft handles their customer support if something like this can happen. Enforcing ridiculous policies that don't exist, the punishment being the revoking of your account and all associated content. What the fuck is that? How can that happen?
 
Well, I hope those who had their account closed because of that ridiculous initial / shortened name shit go after Microsoft now to get it sorted.

I'd be expecting compensation of some sort.

Indeed. I had a feeling it was CS related, that is nowhere in the ToS so it made no sense for them to do it.

In any case, this is going to continue to be a problem for as long as MS and many other companies farm out CS related jobs to countries where English isn't the first language.
 
are you kidding, right?



that for what? 40 million accounts? i don't think the main problem here is that "Sony was a few days late". not to mention that in the following weeks other Sony services were hacked and entire databases with users' personal data were stolen.

you see, I really don't mind that almost meaningless data that wouldn't allow you to get anything really important from them (except apparently xbox LIVE accounts through customer service).

And the further attacks on Sony weren't as important in the media. The thing is that Sony Computer Entertainment (that incompetent company, according to some security experts) noticed they were hacked or something of the like in about 1 day and called a halt to all activity. They addressed it in the most polite way one could imagine (unlike many sites that get hacked, never realize it and never tell it, which is why my CC number was stolen and used when it was only used on UK game imports).

Now please, bear with me a second. People getting their money stolen, getting their accounts suspended for investigation. And this began on a small scale almost 4 months ago... and it's clearly escalating with Microsoft Xbox LIVE just doing "shrug", everything's fine... it's just that for whatever reason lots of people are getting hacked. Not our fault.

And this barely breaks into gaming journalism, let alone mainstream media.

So in my opinion: a bazillion accounts that "may" have been compromised with barely any negative effect (some people got their CC used, but it could've been a prior theft and they just used it at the most appropriate moment of confusion) and got fixed is less important than a lot of hacked accounts with real side effects such as: player blackout from the service for quite some time, loss of money, no actual plausible explanation.

Sorry, that was long.

Keep in mind that I was comparing the PSN hack to this, not the further hacks on other branches of Sony that aren't related to SCE.
 
you see, I really don't mind that almost meaningless data that wouldn't allow you to get anything really important from them (except apparently xbox LIVE accounts through customer service).

And the further attacks on Sony weren't as important in the media. The thing is that Sony Computer Entertainment (that incompetent company, according to some security experts) noticed they were hacked or something of the like in about 1 day and called a halt to all activity. They addressed it in the most polite way one could imagine (unlike many sites that get hacked, never realize it and never tell it, which is why my CC number was stolen and used when it was only used on UK game imports).

Now please, bear with me a second. People getting their money stolen, getting their accounts suspended for investigation. And this began on a small scale almost 4 months ago... and it's clearly escalating with Microsoft Xbox LIVE just doing "shrug", everything's fine... it's just that for whatever reason lots of people are getting hacked. Not our fault.

And this barely breaks into gaming journalism, let alone mainstream media.

So in my opinion: a bazillion accounts that "may" have been compromised with barely any negative effect (some people got their CC used, but it could've been a prior theft and they just used it at the most appropriate moment of confusion) and got fixed is less important than a lot of hacked accounts with real side effects such as: player blackout from the service for quite some time, loss of money, no actual plausible explanation.

Sorry, that was long.

Keep in mind that I was comparing the PSN hack to this, not the further hacks on other branches of Sony that aren't related to SCE.
I agree.
 
you see, I really don't mind that almost meaningless data that wouldn't allow you to get anything really important from them (except apparently xbox LIVE accounts through customer service).

And the further attacks on Sony weren't as important in the media. The thing is that Sony Computer Entertainment (that incompetent company, according to some security experts) noticed they were hacked or something of the like in about 1 day and called a halt to all activity. They addressed it in the most polite way one could imagine (unlike many sites that get hacked, never realize it and never tell it, which is why my CC number was stolen and used when it was only used on UK game imports).

Now please, bear with me a second. People getting their money stolen, getting their accounts suspended for investigation. And this began on a small scale almost 4 months ago... and it's clearly escalating with Microsoft Xbox LIVE just doing "shrug", everything's fine... it's just that for whatever reason lots of people are getting hacked. Not our fault.


And this barely breaks into gaming journalism, let alone mainstream media.

So in my opinion: a bazillion accounts that "may" have been compromised with barely any negative effect (some people got their CC used, but it could've been a prior theft and they just used it at the most appropriate moment of confusion) and got fixed is less important than a lot of hacked accounts with real side effects such as: player blackout from the service for quite some time, loss of money, no actual plausible explanation.

Sorry, that was long.

Keep in mind that I was comparing the PSN hack to this, not the further hacks on other branches of Sony that aren't related to SCE.

I wouldn't say it's escalating, people are just becoming more vocal through various blogs, sites, etc.

You have to keep in mind that the number of affected (though admittedly might be higher than we know) is relatively low compared to the very high number of active users.
 
I wouldn't say it's escalating, people are just becoming more vocal through various blogs, sites, etc.

You have to keep in mind that the number of affected (though admittedly might be higher than we know) is relatively low compared to the very high number of active users.

I know the ratio is low. But we're talking about a problem that still doesn't have a plausible cause, and thus no answer. And since a month ago at least, when it became more widespread, we could be saying that most of the cases would have been avoided if MS had made a security call to change your passwords or add an extra hop of security.

This is my concern, the "shrug" attitude to a very real problem that suspends you from your enjoyment (and temporarily, money) because they didn't take appropriate action in all this time, after it became obvious.
 

TheOddOne

Member
Now please, bear with me a second. People getting their money stolen, getting their accounts suspended for investigation. And this began on a small scale almost 4 months ago... and it's clearly escalating with Microsoft Xbox LIVE just doing "shrug", everything's fine... it's just that for whatever reason lots of people are getting hacked. Not our fault.

And this barely breaks into gaming journalism, let alone mainstream media.
You're looking at this situation too much in terms of black and white. People tend to latch on to the person that's more vocal, but have you ever gone to the banned section of Xbox.com? Yeah, pages full of users being banned for phishing, selling illegal accounts.

Microsoft should not get a free pass though, because:
a) they have not made a public statement that this is going on.
b) their security, by all accounts, is poor and something needs to be done.
 
I know the ratio is low. But we're talking about a problem that still doesn't have a plausible cause, and thus no answer. And since a month ago at least, when it became more widespread, we could be saying that most of the cases would have been avoided if MS had made a security call to change your passwords or add an extra hop of security.

This is my concern, the "shrug" attitude to a very real problem that suspends you from your enjoyment (and temporarily, money) because they didn't take appropriate action in all this time, after it became obvious.

The only answer is that MS themselves don't know why the 'hacks' are happening. A problem related to CS is likely but is hard to prove. CS have been proven to be incompetent, lying morons, so it's not hard to imagine they give up details over the phone to 'hackers'.
 

Zeal

Banned
Wow, my wife's account was just stolen and 4 charges of $19.00, 1600 MS points each were just charged. Had to call and kill the CC associated with the account.

Watch out, guys.
 

tranciful

Member
 

rvy

Banned
Good thing my account is pretty worthless. Scumbag Microsoft, fucking the consumer up the ass, as usual.
 

Dev1lZ

Banned
I had this happen to me on Friday. They bought 4000 followed by 6000 points. Added an email address to my Windows acct, but stopped it before they could transfer my XBOX LIVE account. Called M$ account suspended for 30 days, etc.
 

nym

Neo Member
Contacted Live support to get my CC info detached from my live account. Point cards only from here on out. This is ridiculous.
 

alr1ght

bish gets all the credit :)
http://www.destructoid.com/microsoft-refunds-xbox-live-scam-victim-219255.phtml

It's easy to get swift compensation from Microsoft, should money be stolen from your Xbox Live account. All you have to do is make a public blog about it that gets reposted by nearly every single game coverage site on the Internet. As soon as you do that, Microsoft will sort you out.

Susan Taylor, who blew the whistle on Microsoft's terrible customer service after losing $366.06 to an account hijacker, has finally had her account blocked and the money refunded. She received a phone call from Microsoft's Jonathan Michael, who is said to have "bent over backwards" to help her in the face of a PR shitstorm.

Microsoft was able to transfer all the details from the stolen account to a new one, which isn't something other victims have been offered. In any case, Microsoft is clearly hoping for this to all go away, but Susan has no intention of remaining quiet.

"My story is over," she writes. "I have no reason to update this blog anymore, right? Well, not exactly. I want to continue this fight. I want to hear from everyone who has ever encountered terrible customer service from Microsoft in regards to their hacked Xbox Live accounts."

Interestingly, Taylor's story might not be quite over yet. Despite being refunded the full amount, a small update yesterday reveals that Microsoft took $81.08 back from her. We'll have to wait and see what's up with that one.
 
Wow at Jim Sterling getting through a post about unauthorized access without insulting the victims and making assumptions about how we practice account security. Progress.
 

Klocker

Member
I've used cards to renew my Gold subscription for at least the last three years and it still won't let me remove my credit card information.



So if I continue to be paranoid, I need to turn off auto-renew, wait until my Gold runs out in March, remove my CC info, then use another prepaid card?



another way to handle this would be to buy a pre-paid Visa card $25 even, and add that to your account then you can remove the current card from auto-renewal and you have a few bucks there for Points if you need them and low risk.



edit:

oh and as for the scenario of old GT info being recovered, a long time ago being used again, how would changing the Live ID associated with the Xbox affect that, as that is a fairly simple process these days.


edit2
also you can remove and add card info at billing.microsoft.com

unless people are saying the info is still accessible unless you call???!


according to the FAQ at microsoft.billing...

Removed
The payment method has been removed from your account and the payment method is listed for historical purposes.

so sounds to me like removing it online secures it
 

epmode

Member
I believe the option is there for everyone but it only works without fail in certain regions*. If you have an active Gold subscription, most regions will throw an error message once you try to remove it.

I can't believe that such a well-known company can get away with this kind of policy with such a ubiquitous service. I mean, it's not like the functionality to remove credit cards (or disable auto-renew) isn't in the website... the site was specifically programmed to only allow such options when the customer's location legally requires them to have the option available.



*and by "regions", I don't mean USA vs Europe. Microsoft even changes the site's functionality based on your state (and maybe even by town).
 

J-Rzez

Member
It pretty much amazes me to see how tight MS can handle the media (unlike Sony). Sony was a few days late on telling something, and everything exploded with statements such as millions of credit cards in the hands of hackers. Nothing really escalated from there, yet it was huge news even to the mainstream media. MS have been playing the "shrug" game for a quarter/third of a year, it's escalating, and they still fail to address it properly, and nothing except a couple heated articles happen?

Well in the 3rd party advertising world that has been gaming journalism/media this gen, it's not surprising. Look how long they kept brushing the RRoD under the rug, and even when it was finally brought out in major media sites, they just talked about it like a passing thing, despite having years of faulty designed hardware that was a massive inconvenience to the consumer. So now you have these hackings going on and the RRoD, yet MS will come out smelling like a rose. Sony gets put out in the pillory when this happens though. Though all media has been crashing down on Sony in all product segments lately. Either they're trying to nudge them to make defining products again, or they just want to go after the big guy of years.

It could just be flat out bias though as well. I mean, look how Bethesda got a free pass from gaming media, even GOTY from many sites. It's disgusting, and the final nail in the coffin for gaming media this gen ousting them as advertising agencies, and not really in it for the consumer.
 

Zoe

Member
It could just be flat out bias though as well. I mean, look how Bethesda got a free pass from gaming media, even GOTY from many sites. It's disgusting, and the final nail in the coffin for gaming media this gen ousting them as advertising agencies, and not really in it for the consumer.

Quick, somebody start a blog about how Skyrim is a buggy piece of shit!
 
Quick, somebody start a blog about how Skyrim is a buggy piece of shit!
I feel like the ps3 version should not be excluded from the whole game itself when sites are giving it as their GotY... I mean that version is busted as hell, and joeblow-ps3-owner is not going to think about that, and once he has opened it and is 25 hours into it, he has no strong recourse with anyone except to just take it up the butt and sit there with a what is basically a non-functioning game.
 
IGN's made this front page news. Nothing new is said, but it's one of the bigger sites to give this UA nonsense some attention.

Microsoft Discusses Xbox Live Security Problems

"Security is a journey, not a destination. We do have to get better at doing it. It's on us to keep security on the forefront and to improve it...and we've been getting better." ~ Stepto

2-step, Stepto. 2-step.
 
IGN's made this front page news. Nothing new is said, but it's one of the bigger sites to give this UA nonsense some attention.

Microsoft Discusses Xbox Live Security Problems

"Security is a journey, not a destination. We do have to get better at doing it. It's on us to keep security on the forefront and to improve it...and we've been getting better." ~ Stepto

2-step, Stepto. 2-step.

Wow at the comments following that story! I've never seen so many brain-damaged individuals collected in one place.

Regardless, "Stepto's" response seems as disingenuous as ever. I wonder how much bad press they have to get on this issue until there is a proper response.
 

Manp

Member
you see, I really don't mind that almost meaningless data that wouldn't allow you to get anything really important from them (except apparently xbox LIVE accounts through customer service).

And the further attacks on Sony weren't as important in the media. The thing is that Sony Computer Entertainment (that incompetent company, according to some security experts) noticed they were hacked or something of the like in about 1 day and called a halt to all activity. They addressed it in the most polite way one could imagine (unlike many sites that get hacked, never realize it and never tell it, which is why my CC number was stolen and used when it was only used on UK game imports).

Now please, bear with me a second. People getting their money stolen, getting their accounts suspended for investigation. And this began on a small scale almost 4 months ago... and it's clearly escalating with Microsoft Xbox LIVE just doing "shrug", everything's fine... it's just that for whatever reason lots of people are getting hacked. Not our fault.

And this barely breaks into gaming journalism, let alone mainstream media.

So in my opinion: a bazillion accounts that "may" have been compromised with barely any negative effect (some people got their CC used, but it could've been a prior theft and they just used it at the most appropriate moment of confusion) and got fixed is less important than a lot of hacked accounts with real side effects such as: player blackout from the service for quite some time, loss of money, no actual plausible explanation.

Sorry, that was long.

Keep in mind that I was comparing the PSN hack to this, not the further hacks on other branches of Sony that aren't related to SCE.

i'm ok with the fact that you don't mind the idea of someone being in possession of your personal data, some of which, like credit card details, is all but meaningless. someone who in this case is not even remotely entitled to be in possession of said data and may or may not use it for illegal purposes.

but it would be a bit of a stretch to think that the same goes for everyone that has had his data stolen from Sony. you don't mind? fine. i'm sure that among the millions of people that got their data stolen there are quite a few that "mind".

now you say the Sony hack had barely any negative effect. first of all saying it had barely any negative effect is like saying Microsoft has no responsibility in the hacks some users here are reporting. both are baseless statements simply because we don't know. second i think the theft of millions of accounts data is itself a negative effect. a huge one if you allow me to say.

see, i definitely agree with you on the fact that this whole Fifa hack thing deserves WAY more media exposure and that Microsoft should be hard pressed to take a clear position in this regard and provide users with better means to protect themselves from the hack and provide better answers to people that got caught in this hack (these whole 30 day "investigations" that usually get to nothing are laughable).
but this in no way means that the bad press that Sony got for their hack was in any way undeserved nor should put them in any way at less fault just because we can't directly see any worse effect to all that stolen data (like credit card scams, identity theft, and god knows what else).

that said your post makes your position more clear than your first one, as i said in part i can agree on what you said.

:)
 
IGN's made this front page news. Nothing new is said, but it's one of the bigger sites to give this UA nonsense some attention.

Microsoft Discusses Xbox Live Security Problems

"Security is a journey, not a destination. We do have to get better at doing it. It's on us to keep security on the forefront and to improve it...and we've been getting better." ~ Stepto

2-step, Stepto. 2-step.

Indeed. Have you received any response to your email/direct message? Still nothing on my end.

:/
 

Curufinwe

Member
Stepto wasn't on the last Major Nelson podcast, but Major Nelson was talking about how he wants to get one of those Nest Labs thermostats and his co-host joked that he hopes it has good authentication security or else he might hack into it and make it really cold or really hot in Major's house.

I found it amusing, but not for the same reasons they did .
 

Deleted member 47027

Unconfirmed Member
I just got hit today. This sucks. Not much else to say :(
 

Stumpokapow

listen to the mad man
Appropriate security would dictate some combination of the following:
- After the 8 failed attempts, an email saying "Someone is trying to log into your account" would be dispatched to the email address of the gamertag. This would be mandatory, not optional. (Side effect bonus: This would very easily detect whether or not hack attempts were brute-force attempts or phishing schemes)

- After, say, 20 failed attempts measures are taken to prevent the person from logging in. You can do this by IP, or by Live ID, or whatever. Start by blocking them from logging in for 60 seconds, then 120, then 240, then 480. Cap out at an hour or something. This effectively blocks brute forcing.

- Allow users to turn off online account access entirely.

- Allow users to turn on email notification every time someone logs into their account, including at least: What type of device (PC browser, PC GFWL, Xbox 360, mobile device), IP address with Geo-IP info including country, and a one-click "This was not me. Investigate this as a hack." link. Perhaps also including emailing users every time their account is accessed from a different country than the last time.

- Allow users to turn off out-of-country access entirely. Allow this setting to be turned back on after a phone verification call, in case someone moves without turning the setting on.

- Block purchasing of DLC for FIFA 12 in specific by any Gamertag that has not played FIFA 12. If EA doesn't like it, tough shit.
 

Grecco

Member
If anything, what Microsoft should do is force you to call the center if you try to log in more than 8 times. There's no reason why it should take people 20 attempts to log on to the website.
 

Stumpokapow

listen to the mad man
If anything, what Microsoft should do is force you to call the center if you try to log in more than 8 times. There's no reason why it should take people 20 attempts to log on to the website.

This would not be a practice consistent with broader web security practices. Typically the lockout would be time-limited, and if it was not time-limited, there would be an email account reset option as well as a phone one. Moreover, the lockout would be better applied to web login attempts than accounts in general.

The process you're suggesting leaves accounts vulnerable to a DDOS--I do not like you because I think you're cheating in Call of Duty. Thus I spam false login attempts at your account, and get you logged out. Because it's night on a Friday, it takes a week for you to get your account unlocked. The evidence against me is flimsy at best, I am not punished in any way.

Microsoft should adopt best-of-breed industry standard practices. They don't need to innovate here, just do what everyone else would do.
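The throttling scheme sketched in the list of suggestions above (mandatory alert after 8 failures, time-limited locks starting at 20 failures that double from 60 seconds and cap at an hour) and the point made in this reply (lock the login surface, not the account, so a third party spamming bad passwords cannot lock the real owner out) worked through as an added example in Python. This is not code from NeoGAF, Microsoft or any poster; the thresholds, the (scope, client address, account) key shape and the sample addresses are constructed assumptions.

```python
"""Time-limited, escalating login throttle with an early alert threshold.

Added example, not Xbox Live's or any poster's code. Assumed policy:
alert the owner after 8 failures, lock after 20, double each lock
(60s, 120s, 240s, ...) and cap it at an hour. Locks are keyed on
(scope, client address, account), so they hit whoever is sending the
failures rather than the account itself.
"""
import time
from dataclasses import dataclass

ALERT_AFTER = 8          # failures before the "someone is trying to log in" mail
LOCK_AFTER = 20          # failures before the first time-limited lock
BASE_LOCK_SECONDS = 60   # first lock length; doubles on every further lock
MAX_LOCK_SECONDS = 3600  # cap, so a lock never turns into a permanent ban


@dataclass
class _Counter:
    failures: int = 0
    lockouts: int = 0          # locks applied so far; drives the doubling
    locked_until: float = 0.0  # clock value at which the current lock expires


class LoginThrottle:
    """Tracks failed attempts per key and hands out escalating, expiring locks."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so a simulation can fast-forward time
        self._counters: dict[tuple, _Counter] = {}

    @staticmethod
    def key(scope: str, client_ip: str, account: str) -> tuple:
        # Scoped per login surface (e.g. "web") and per client address:
        # a hostile third party only locks *their* address out of the account.
        return (scope, client_ip, account)

    def _counter(self, key) -> _Counter:
        return self._counters.setdefault(key, _Counter())

    def retry_after(self, key) -> float:
        """Seconds until this key may try again; 0 when it is not locked."""
        return max(0.0, self._counter(key).locked_until - self._clock())

    def record_failure(self, key) -> dict:
        c = self._counter(key)
        c.failures += 1
        lock_seconds = 0
        if c.failures >= LOCK_AFTER:
            lock_seconds = min(BASE_LOCK_SECONDS * 2 ** c.lockouts, MAX_LOCK_SECONDS)
            c.lockouts += 1
            c.locked_until = self._clock() + lock_seconds
        return {"failures": c.failures,
                "alert": c.failures == ALERT_AFTER,  # fire the owner notification once
                "lock_seconds": lock_seconds}

    def record_success(self, key) -> None:
        self._counters.pop(key, None)  # a good login clears the counter


def attempt_login(throttle: LoginThrottle, key, password_ok: bool) -> dict:
    """One login attempt; the password is never even checked while locked."""
    wait = throttle.retry_after(key)
    if wait > 0:
        return {"result": "locked", "retry_after": wait, "alert": False}
    if password_ok:
        throttle.record_success(key)
        return {"result": "ok", "retry_after": 0, "alert": False}
    info = throttle.record_failure(key)
    return {"result": "failed", "retry_after": info["lock_seconds"], "alert": info["alert"]}


def brute_force_schedule(attempts: int) -> tuple:
    """Simulate `attempts` wrong passwords from one address against one account,
    always sleeping through each lock. Returns (alerts sent, total seconds spent)."""
    now = [0.0]
    t = LoginThrottle(clock=lambda: now[0])
    k = LoginThrottle.key("web", "198.51.100.7", "victim")  # constructed sample
    alerts = 0
    for _ in range(attempts):
        r = attempt_login(t, k, password_ok=False)
        alerts += r["alert"]
        now[0] += r["retry_after"]  # the guesser has to wait the lock out
    return alerts, now[0]


def owner_unaffected_by_attacker(attacker_failures: int) -> dict:
    """Because the key includes the client address, exhausting the lock from
    one address leaves the real owner, logging in from another, untouched."""
    now = [0.0]
    t = LoginThrottle(clock=lambda: now[0])
    attacker = LoginThrottle.key("web", "203.0.113.9", "victim")  # constructed
    owner = LoginThrottle.key("web", "192.0.2.44", "victim")      # constructed
    for _ in range(attacker_failures):
        attempt_login(t, attacker, password_ok=False)
    return {"attacker_locked": t.retry_after(attacker) > 0,
            "owner": attempt_login(t, owner, password_ok=True)["result"]}


if __name__ == "__main__":
    print(brute_force_schedule(100))         # 100 guesses cost over three days
    print(owner_unaffected_by_attacker(20))  # attacker locked, owner logs in
```

The simulation shows the trade-off the reply describes: 100 guesses from one address take more than three days of wall-clock waiting, while the owner's own login from a different address is never blocked. Keying on the account alone would give the same brute-force resistance but also hand anyone the ability to lock the owner out; keying on the address alone would not slow an attacker spreading guesses across many hosts, which is why the example keys on both.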
 

Grecco

Member
This would not be a practice consistent with broader web security practices. Typically the lockout would be time-limited, and if it was not time-limited, there would be an email account reset option as well as a phone one. Moreover, the lockout would be better applied to web login attempts than accounts in general.

The process you're suggesting leaves accounts vulnerable to a DDOS--I do not like you because I think you're cheating in Call of Duty. Thus I spam false login attempts at your account, and get you logged out. Because it's night on a Friday, it takes a week for you to get your account unlocked. The evidence against me is flimsy at best, I am not punished in any way.

Microsoft should adopt best-of-breed industry standard practices. They don't need to innovate here, just do what everyone else would do.

I wasn't suggesting outright blocking the account, just blocking the option to log on at www.xbox.com, which is where it seems the liability is at. It shouldn't take a normal person 20 tries to log on to the website. Jmo of course.
 

Stumpokapow

listen to the mad man
I wasn't suggesting outright blocking the account, just blocking the option to log on at www.xbox.com, which is where it seems the liability is at. It shouldn't take a normal person 20 tries to log on to the website. Jmo of course.

Well that definitely lowers the DDOS potential, but still the phone should definitely be a last resort. In my list of suggestions there, the only thing that's phone based is something that absolutely, positively cannot be done through an online system.
 
Yeah, at minimum they should have stepped duration IP locks on the login services to handle that sort of thing. With a very simple bit of scripting I could have cloud servers endlessly smashing the live site brute forcing passwords.

Still, that doesn't really explain those of us that didn't have passwords that would fall to a reasonable (IE not years) duration brute force / dictionary / intelligent password attack.

As for fraud activity detection, whilst it would be very easy to code, I don't think we're ever going to see it. At least not whilst it's not costing them more money / reputation than it currently is. Could you imagine a credit card which didn't offer this sort of protection in this day and age? Would be unheard of. No reason online transaction handling systems can't be just as intelligent.
 

Stumpokapow

listen to the mad man
That only assumes your email is public by doing a search on your gamertag?

gamertag -> email obfuscation should not be considered a security layer. In general, username -> email obfuscations should not be considered security layers. Using email address access as a secondary authenticator or fallback for things like notifications or password resets is acceptable, but treating the email address itself as privileged in any way is not good security.
 

Stumpokapow

listen to the mad man
Still, that doesn't really explain those of us that didn't have passwords that would fall to a reasonable (IE not years) duration brute force / dictionary / intelligent password attack.

Well ultimately I'm not convinced by Eurogamer's case, least of all because they appear to be blindly forwarding info sent to them in an email rather than actually approaching it with any knowledge of the situation, but whether or not WLID web logins are the source of the hacks, they could still easily mitigate or prevent other potential hacks by making some quick changes :p
 