
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

Rapstah

Member
It's bothersome to me that there are seemingly different security systems protecting every platform you can log into Live on, with different lock-outs if any and so on. That suggests to me that the system they're logging into has very little security and can't trace what is logging into it.
 

Pie and Beans

Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
Yes and normally sites/services let you know if people are doing this. If MS aren't, then that's the kind of security flaw that should shame them into 2-step verification and more, and this should blow up into a pretty big thing. Won't though, but should.
 
I'm OK with the fact that you don't mind the idea of someone being in possession of your personal data, some of which, like credit card details, is all but meaningless: someone who in this case is not even remotely entitled to be in possession of said data and may or may not use it for illegal purposes.

But it would be a bit of a stretch to think that the same goes for everyone who has had their data stolen from Sony. You don't mind? Fine. I'm sure that among the millions of people that got their data stolen there are quite a few that "mind".

Now you say the Sony hack had barely any negative effect. First of all, saying it had barely any negative effect is like saying Microsoft has no responsibility for the hacks some users here are reporting. Both are baseless statements, simply because we don't know. Second, I think the theft of millions of accounts' data is itself a negative effect. A huge one, if you allow me to say.

See, I definitely agree with you that this whole FIFA hack thing deserves WAY more media exposure and that Microsoft should be hard pressed to take a clear position in this regard, provide users with better means to protect themselves from the hack, and provide better answers to people that got caught in this hack (these 30-day "investigations" that usually get nowhere are laughable).
But this in no way means that the bad press that Sony got for their hack was in any way undeserved, nor should it put them in any way at less fault just because we can't directly see any worse effect of all that stolen data (like credit card scams, identity theft, and god knows what else).

That said, your post makes your position clearer than your first one; as I said, in part I can agree with what you said.

:)
Didn't mean to imply that it wasn't important data. In fact, I believe it was good that it reached the media (not with the doomsday theme it took). Banks were aware, people were aware. By the time they actually could/can get the CC data decrypted, it won't do any harm. What I meant to say is that they have some data that really can't be used to an extent like... let's say... identity theft, like some suggested back in the day. And considering the huge bulk of users, it's unlikely that they will use it in such a way.
 

KevinRo

Member
Yes and normally sites/services let you know if people are doing this. If MS aren't, then that's the kind of security flaw that should shame them into 2-step verification and more, and this should blow up into a pretty big thing. Won't though, but should.

People have been doing this for years. They actively crawl the site to see if any new login links have limits or not. If they don't, they abuse it until some sysop admin sees the unusual activity and shuts it down. This is not new. Sites don't let people or consumers know that random people are bruteforce hacking their website. It's BAD PUBLICITY. If anything they just set rate limits and implement CAPTCHA codes to stop them. Thus the reason for rate limits on login attempts. They just didn't implement them for no apparent reason.

Again, this is a stupid article to bring up. Most people here don't realize it takes FOREVER to bruteforce an account. This method of attack is predicated on the fact that the account holder has a dictionary password. Or a common password like qwerty1234.

Not to mention the fact that most people on the thread have admitted to having numbers, capital letters, and random letters in their password. So this automatically rules out bruteforcing as the culprit.
 

bubnbob

Banned
gamertag -> email obfuscation should not be considered a security layer. In general, username -> email obfuscations should not be considered security layers. Using email address access as a secondary authenticator or fallback for things like notifications or password resets is acceptable, but treating the email address itself as privileged in any way is not good security.

Sure, but I was more addressing the article as this guy apparently "figured it out" so I did a search for my tag and had no idea how a hacker could find my email this way to then brute force it.

* I haven't been hit but I was trying his example
 

itsgreen

Member
I call bullshit, external brute force is near impossible to do in a meaningful way on more than 1 account... especially when the max for a try is 8 times...
 
I call bullshit, external brute force is near impossible to do in a meaningful way on more than 1 account... especially when the max for a try is 8 times...
Good god, is no-one here capable of reading? 8 isn't a hard limit. You literally just have to click another button to reset it.

I could get tens of thousands of attempts per hour in on that page (as it stands), which is all I'd need to compromise hundreds of accounts which use the top 1000 bad passwords.

Sure, realistically there's a good chance it's not the vector here (we've seen plenty of people stating they had complex passwords)... but it's still utterly retarded security. Funnily enough, I know for a fact it's also completely contrary to their best practice security docs too. (I had to study them at quite a detailed level for certification)
 

androvsky

Member
Good god, is no-one here capable of reading? 8 isn't a hard limit. You literally just have to click another button to reset it.

I could get tens of thousands of attempts per hour in on that page (as it stands), which is all I'd need to compromise hundreds of accounts which use the top 1000 bad passwords.

First, Eurogamer doesn't explain it well. Second, you wouldn't get people with decent passwords, and there are several people who insist they have very strong passwords who have been hacked. Third, it doesn't look like anyone's tried to verify it yet, and even I don't think MS is so inept as to ignore such a basic bruteforce attack. And by verify, I mean actually hit their server with thousands of attempts to see if there's any automatic delays that kick in.
 

Phreaker

Member
Not to mention the fact that most people on the thread have admitted to having numbers, capital letters, and random letters in their password. So this automatically rules out bruteforcing as the culprit.

Also worth noting, Windows Live ID passwords are not case sensitive.
 

Phreaker

Member
Mine seems to be.

@androvsky: I'm sure someone's probably verifying it right now... just probably no-one trustworthy. :p

That's really odd, because I changed mine recently with all this stuff going on. When I went to sign in (via hotmail) I noticed if I typed it all in lower or upper case (or camelcase as I set it) it didn't matter and let me log in.
 

KevinRo

Member
That's really odd, because I changed mine recently with all this stuff going on. When I went to sign in (via hotmail) I noticed if I typed it all in lower or upper case (or camelcase as I set it) it didn't matter and let me log in.

http://explore.live.com/windows-live-sign-in-cant-faq

First check to make sure that your Caps Lock isn’t on, because passwords are case-sensitive.

Also to note, the rate limit means nothing when brute force cracking. All you have to do is load up a proxy list and boom, you're good for eternity. Seriously, you're more at risk of having your account reset through the weakness in your security questions than you are of being brute forced.
 
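The two bypasses argued about above, the per-session counter that "another button" resets and a proxy list against an IP-keyed limit, modelled next to a sliding window keyed on the target account. This is an added example, not code from the thread or from Microsoft; the window, limits, account name and 203.0.113.x addresses are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # sliding window length (constructed value)
MAX_PER_ACCOUNT = 20    # failed attempts per target account per window
MAX_PER_IP = 100        # failed attempts per source address per window


class SessionCounterLimiter:
    """Weak design: a per-session counter that a further client request can reset."""
    def __init__(self, limit=8):
        self.limit, self.count = limit, 0

    def allow(self):
        if self.count >= self.limit:
            return False
        self.count += 1
        return True

    def reset(self):
        self.count = 0   # reachable by the client, so the limit of 8 is cosmetic


class LoginGate:
    """Server-side sliding windows keyed on the target account AND the source address."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)   # key -> timestamps of recent failed attempts

    def _window(self, key):
        q, now = self.hits[key], self.clock()
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()                  # forget failures older than the window
        return q

    def allow(self, account, ip, per_account=MAX_PER_ACCOUNT, per_ip=MAX_PER_IP):
        # Normalise the account key so "Victim@..." and "victim@..." share one budget.
        acct_q = self._window(("acct", account.strip().lower()))
        ip_q = self._window(("ip", ip))
        if len(acct_q) >= per_account or len(ip_q) >= per_ip:
            return False                 # nothing the client sends can clear this state
        now = self.clock()
        acct_q.append(now)
        ip_q.append(now)
        return True

    def record_success(self, account):
        self.hits.pop(("acct", account.strip().lower()), None)   # real login clears the budget


def guesses_via_session_reset(guesses):
    """Attacker hits the reset whenever the counter trips: every guess gets through."""
    lim, allowed = SessionCounterLimiter(), 0
    for _ in range(guesses):
        if not lim.allow():
            lim.reset()
            lim.allow()
        allowed += 1
    return allowed


def guesses_via_proxies(guesses, proxies, per_account=MAX_PER_ACCOUNT):
    """Attacker spreads guesses at one account over `proxies` source addresses."""
    gate, allowed = LoginGate(), 0
    for i in range(guesses):
        # 203.0.113.0/24 is a documentation range; the addresses are constructed.
        if gate.allow("Victim@example.com", f"203.0.113.{i % proxies}", per_account):
            allowed += 1
    return allowed
```

Passing a huge `per_account` turns the gate into the IP-only limiter the proxy list defeats; with the account key in place the source address stops mattering.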

Phreaker

Member
So I'm the only one that can log into hotmail with their Windows Live ID and type their password in all caps or all lowercase? That's messed up. I just tried it again. It lets me in no matter the case I use.

Edit: I just changed my password again via Hotmail. It's camelcase and I can use any case I'd like to login. Maybe it has something to do with one of the special characters I'm using? I have no idea what is going on.
 
I thought this might have been a thing after I got hacked.

My account was hacked and charged 50 dollars. Luckily I saw it right away and blocked him out of my account. I was on the phone with Microsoft after and they said I would need to put my account under a criminal investigation for at least a month. I have gamefly and I'm paying 22 dollars a month, so in the end I didn't bother. The whole thing angered me all day though. I changed my 8 character password to one over 20 that day.
 
Yeah this failure to protect against brute forcing could be responsible for the taking of accounts with weaker passwords, but that's pretty much it.
I thought this might have been a thing after I got hacked.

My account was hacked and charged 50 dollars. Luckily I saw it right away and blocked him out of my account. I was on the phone with Microsoft after and they said I would need to put my account under a criminal investigation for at least a month. I have gamefly and I'm paying 22 dollars a month, so in the end I didn't bother. The whole thing angered me all day though. I changed my 8 character password to one over 20 that day.
But Live IDs have a 16-character limit?

Also you probably want to enable profile protection on xbox.com. If it's disabled, once a person has recovered the profile to a 360 they will not be asked to put in a password again, even if you change it.
Phreaker said:
So I'm the only one that can log into hotmail with their Windows Live ID and type their password in all caps or all lowercase? That's messed up. I just tried it again. It lets me in no matter the case I use.

Edit: I just changed my password again via Hotmail. It's camelcase and I can use any case I'd like to login. Maybe it has something to do with one of the special characters I'm using? I have no idea what is going on.
Don't know about Hotmail since I don't use it, but it's case sensitive on xbox.com. Does it matter for you which site you're logging in to?
 
I have a 4000 point card. Is it okay to add it to my account, or should I wait until I'm ready to spend most of it? Does it matter? I mean, will I make myself a target if I have a bunch of points?
 

Rapstah

Member
That's it! Thank you. Yes it is case sensitive at xbox.com, but not to log into hotmail.com

This also suggests that any security we see is only in the outer shell and in reality there's an inner system that doesn't have too good security at all!

Wow, that sounds like a line from MGS2.
 

Grecco

Member
I have a 4000 point card. Is it okay to add it to my account, or should I wait until I'm ready to spend most of it? Does it matter? I mean, will I make myself a target if I have a bunch of points?

There's literally no way someone can tell how many points you have in your account, unless they access it. So there's no way you make yourself a "target".
 
This also suggests that any security we see is only in the outer shell and in reality there's an inner system that doesn't have too good security at all!
Mine is still case sensitive for hotmail.com. I have absolutely no idea what's going on with that poster's password. :D
 

Phreaker

Member
Mine is still case sensitive for hotmail.com. I have absolutely no idea what's going on with that poster's password. :D

Thanks for checking. I spent quite a bit of time this weekend trying to resolve it, but to no avail. At least I am not alone. Seems people noticed this years ago:

http://answers.microsoft.com/en-us/...ensitive/c24bfcff-a2e9-42e9-a79f-214ef73d7c0c

http://windowslivehelp.com/thread.aspx?threadid=83e7120b-fafa-41b8-a4f6-f390c3d21b21

http://www.vistax64.com/system-security/184795-windows-live-id-password-issue.html

It may have something to do with the fact that this was a hotmail account before MS even bought hotmail. The only reason I used it for my profile/gamertag (10 years ago) was because it was the only "Windows Live" account I had. At any rate, at least I am not alone with this problem, but I doubt it impacts that many people.
 

titch

Member
Question folks.

https://live.xbox.com/en-GB/Profile/Protection

The second part - Consoles that require your password for sign in

If it has a date for a console below that, what exactly does it mean? Does anyone know for certain?

I only have one console, and the date for the section - Consoles that do not require your password for sign in - is correct.

I only have one console and only ever use that console to log in to Live, but I have a date of the 11th Jan for the second part.

Does that mean a console with my profile logged onto Live on that date? MS seem to think so and advised me to change all my details and even change my Windows Live ID associated with my tag.

The thing is loads of my m8s, and I mean loads, have something similar - different dates ranging from the 12th back to the 30th December - one guy has about 6 entries, all with different dates.
 

Phreaker

Member
I don't know, but had the same question when I was being paranoid this weekend. Mine currently shows this, but I haven't logged in to Live with my console today (I did yesterday though). I was playing with my password and requiring a password to log in last week, so I assume that's why I have my Most Recent Console 1/12/2012 listed under Consoles that require your password for sign in.

Consoles that do not require your password for sign in

VISITED CONSOLES LAST VISITED

Most Recent Console 1/16/2012

Consoles that require your password for sign in

VISITED CONSOLES LAST VISITED

Most Recent Console 1/12/2012
Previous Console 8/1/2010

(The Previous Console was one that I assume RRoDed)
 

Deleted member 47027

Unconfirmed Member
Good news. 5 days after I reported being FIFA'd, MS has resolved the issue. Five days! This also includes a weekend and holiday as well, so that's excellent. Full refund for everything spent. Excellent news. Still sad it happened in the first place, but their customer service is doing everything right by me.
 
Good news. 5 days after I reported being FIFA'd, MS has resolved the issue. Five days! This also includes a weekend and holiday as well, so that's excellent. Full refund for everything spent. Excellent news. Still sad it happened in the first place, but their customer service is doing everything right by me.

Great to hear! Definitely almost 3 weeks less than what it took for me (exactly 25 days with 2 free months of Live).
 

Salaadin

Member
Question folks.

https://live.xbox.com/en-GB/Profile/Protection

The second part - Consoles that require your password for sign in

If it has a date for a console below that, what exactly does it mean? Does anyone know for certain?

I only have one console, and the date for the section - Consoles that do not require your password for sign in - is correct.

I only have one console and only ever use that console to log in to Live, but I have a date of the 11th Jan for the second part.

Does that mean a console with my profile logged onto Live on that date? MS seem to think so and advised me to change all my details and even change my Windows Live ID associated with my tag.

The thing is loads of my m8s, and I mean loads, have something similar - different dates ranging from the 12th back to the 30th December - one guy has about 6 entries, all with different dates.

I don't know, but had the same question when I was being paranoid this weekend. Mine currently shows this, but I haven't logged in to Live with my console today (I did yesterday though). I was playing with my password and requiring a password to log in last week, so I assume that's why I have my Most Recent Console 1/12/2012 listed under Consoles that require your password for sign in.

Consoles that do not require your password for sign in

VISITED CONSOLES LAST VISITED

Most Recent Console 1/16/2012

Consoles that require your password for sign in

VISITED CONSOLES LAST VISITED

Most Recent Console 1/12/2012
Previous Console 8/1/2010

(The Previous Console was one that I assume RRoDed)

A couple of us questioned this a few pages back and determined that page is almost worthless.
It lists Xbox.com logins, XBL logins, and GFWL logins as a "console" so you might have 5-6 consoles on there despite only owning 2 or 3 actual Xbox 360s.
 

titch

Member
That's fair comment, but I logged into xbox.com and it didn't change any date.

I agree though it does look like it is useless.

The other alternate is we are all getting hacked and MS is doing nothing about it.....
 

Manp

Member
A couple of us questioned this a few pages back and determined that page is almost worthless.
It lists Xbox.com logins, XBL logins, and GFWL logins as a "console" so you might have 5-6 consoles on there despite only owning 2 or 3 actual Xbox 360s.

I wonder how hard it could be to make it "less worthless", like making it list on which "device" every login was actually made.

you'd think that would be a no-brainer... not for Microsoft...

:)
 

Kosh

Member
I haven't owned an Xbox since March 2010. I just purchased a new one over the weekend. I logged in with my account and somehow Fruit Ninja and Bayonetta were purchased on 9/11/2011, and someone also played Ninja Gaiden II that same day. I changed my password on the Xbox site after seeing that. I hope that helps and I don't have any more trouble with it.
 

Princess Skittles

Prince's's 'Skittle's
If that were the only problem, then PSN accounts would be getting FIFA hacked just as often as Xbox Live accounts.
Apparently PS3's online store has a half-step of extra security when making a purchase that the 360 doesn't (like verifying the security code on your credit card or something).

If you have access to a 360 account (that has a linked payment), that's literally all you need to rack up purchases (same with iOS, I think).
 

RedAssedApe

Banned
If that were the only problem, then PSN accounts would be getting FIFA hacked just as often as Xbox Live accounts.

Could just be a coincidence. PSN is free so maybe people don't have a credit card on file? There's no equivalent to PSN points right? To be honest I've never bought anything over PSN so I'm unfamiliar with the process. I'm just saying that, personally brute-force seems unlikely considering how long that would actually take for anything more than a very weak password like abc123 or some standard dictionary word with no special characters or alternate casing used.
 

Phreaker

Member
I haven't owned an Xbox since March 2010. I just purchased a new one over the weekend. I logged in with my account and somehow Fruit Ninja and Bayonetta were purchased on 9/11/2011, and someone also played Ninja Gaiden II that same day. I changed my password on the Xbox site after seeing that. I hope that helps and I don't have any more trouble with it.

Kosh, if your account/profile/gamertag has been compromised I do not believe just changing your Windows Live ID is enough. If someone else already has your account on another Xbox they will likely NOT be prompted to enter the new password just because you changed it. You either have to go to https://live.xbox.com/en-US/Profile/Protection and/or I saw a setting on the Xbox's Dashboard (buried under settings somewhere) and mine was set to only allow this console to login without a password, HTHs.

Here's a great post on CAG describing what to do if you think you've been hacked: http://www.cheapassgamer.com/forums/showthread.php?t=312463

It's these other websites getting hacked that are usually the source of the problem. Most people still use the same passwords for everything.

Several people that have been hacked have said they use LastPass or a similar service where they have strong, unique passwords for every site. These same people have said they know what to look out for with phishing, which I believe if they are using something like LastPass. I think there's something more going on.
 

patsu

Member
Apparently PS3's online store has a half-step of extra security when making a purchase that the 360 doesn't (like verifying the security code on your credit card or something).

If you have access to a 360 account (that has a linked payment), that's literally all you need to rack up purchases (same with iOS, I think).

No, PS3 does not require additional security code input for CC purchase. Sony seems to be able to detect and shutdown fraudulent login though. They caught 100,000+ suspicious logins a few months ago and alerted the account owners ahead of time.
 
No, PS3 does not require additional security code input for CC purchase. Sony seems to be able to detect and shutdown fraudulent login though. They caught 100,000+ suspicious logins a few months ago and alerted the account owners ahead of time.

Pretty sure your CC details are wiped if your account is accessed from someone else's PS3, but I might be wrong.

I do know that it doesn't store the 3-digit security code unless you specify, and even then it's stored locally on your console.
 

patsu

Member
Could just be a coincidence. PSN is free so maybe people don't have a credit card on file? There's no equivalent to PSN points right? To be honest I've never bought anything over PSN so I'm unfamiliar with the process. I'm just saying that, personally brute-force seems unlikely considering how long that would actually take for anything more than a very weak password like abc123 or some standard dictionary word with no special characters or alternate casing used.

Yes, some PSN users have CC on file because of convenience, PS+, and other reasons. Others use prepay cards to deposit fixed amount of $$$ in PSN for shopping.

When you shop on PSN, some residual $$$ (your change) also remain in the account.
 

Princess Skittles

Prince's's 'Skittle's
No, PS3 does not require additional security code input for CC purchase. Sony seems to be able to detect and shutdown fraudulent login though. They caught 100,000+ suspicious logins a few months ago and alerted the account owners ahead of time.
I swear in one of these threads, somebody pointed out a step that PS3 has that 360 doesn't that allows someone that would have the same login/password working on both systems only able to make purchases on the 360.

I'm not saying there's not something else going on (as noted above, some people have strong cases as to being hacked with NO reasonable explanation [unique LastPass passwords, etc.]), but I would still surmise that a decent portion are also coming from passwords picked up from a hacked forum or whatever. It's probably not all coming from ONE source.
 

Princess Skittles

Prince's's 'Skittle's
Bro was wrong in any case, brute hacking just isn't possible unless you have an email address and it's not at all easy to find someone's email account details by just googling their gamertag.
But databases of hacked blog/forum information can just be plugged into xbox.com/iTunes until a match is found.
 
But databases of hacked blog/forum information can just be plugged into xbox.com/iTunes until a match is found.

Doesn't the amount of time/effort involved make that a little futile?

Even if it doesn't, it doesn't explain the number of people who were 'hacked' and were claiming both password and email address were entirely unique and not used elsewhere.
 