
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

This could easily be fixable with a two-tier identification system. Shoot an email to the registered address asking if you're authorizing the recovery of your account on another console. DONE. Steam Guard does this and I don't think I've ever heard about stolen accounts ever again, at least not from smart people that don't have the same password on their email addresses.
What's peculiar is that Microsoft actually has two-step verification set up. Here you can put in your phone number and an alternate email. To verify these security details they send a randomly generated 7 digit code to your phone or a wacky link to your email.
THIS IS NOT USED WHEN CHANGING YOUR PASSWORD, MIGRATING YOUR XBOX 360 REGION OR WHEN ATTEMPTING TO LOG IN FROM AN UNVERIFIED SYSTEM.

It's like, what the fu why wouldn't...?
 

Argyle

Member
Are you sure about that? When I add money to my PSN wallet I'm not required to type any CC info. Why would someone else with my account be asked to do so? Does it detect different hardware?

edit: I'm referring specifically to buying money for the PSN wallet with a stolen PSN account.
IIRC yes, they know if you are logging in from a different PS3. On the new PS3 it will ask for the CVV number; if that fails, the credit card information will be deleted from the account (so you will have to re-add it on your original PS3).
 

FStop7

Banned
Thanks for the reminder to confirm I've deleted all saved payment sources on my Live account.

This fucking sucks so bad for the people who've been hit. And Microsoft's endless denials are going to come back to bite them in the ass.

I guess it's time for MS to thaw out the clones (Stepto, Major Nelson, E, and Paul Thurrott) to go on another PR blitz to make sure this story stays suppressed for a few more months.
 

Gaogaogao

Member
What's peculiar is that Microsoft actually has two-step verification set up. Here you can put in your phone number and an alternate email. To verify these security details they send a randomly generated 7 digit code to your phone or a wacky link to your email.
THIS IS NOT USED WHEN CHANGING YOUR PASSWORD, MIGRATING YOUR XBOX 360 REGION OR WHEN ATTEMPTING TO LOG IN FROM AN UNVERIFIED SYSTEM.

It's like, what the fu why wouldn't...?

doesn't that completely defeat the purpose? Microsoft fucking blows my mind.
 
Yeah, as much as I like Patrick Klepek's reporting on stories and news, he tripped up on the Microsoft one. He first makes a little stink about Microsoft not getting back to a prominent journalist about questions he has, which they totally should have. But then... when this Stephen Toulouse does agree to do an interview, Patrick seemed totally docile and content with the beating around the bush that Stephen did the entire time and just ends his article there... I mean WTF?
 

KevinRo

Member
In-game friends list. You hack one account, log in and look at their friends list, hack those, etc. I was the one whose circle of friends was all hacked, and none of us know anyone else's information, nor would any of us have socially engineered the other even if we did. To suggest that is preposterous.

It was already mentioned on a previous page, but one plausible scenario involves the fact that you can completely bypass password authentication when logging into your console if you've ever downloaded the profile. For example, put your profile on a USB stick and go take it to another console. Notice you do not have to enter your password. It stands to reason that if there were a way to download a profile through some sort of backdoor or vulnerability in the XBL API, then game would be over.

Note that things like this actually are common and happen all the time.

Things like customer service reps giving out users' information in droves happens... Well, rarely, to say the least. It is also a slow process. Do you know how inefficient it would be to have to place 10,000 phone calls and hope you don't get the same rep in the process who would be like "hey didn't you just call 30 minutes ago?" Do you also know how absolutely unequivocally trivial it would be for Microsoft to identify and put a stop to this if it was in fact the problem?

This is like clinging to the idea that that TV in your living room that is flickering and all your friends say is broken is actually fine, but you're rapidly being sent back and forth between a different dimension where things look slightly distorted, so you end up with a flicker effect, as opposed to simply just saying the damn thing is broken.

I mean yea, it's theoretically possible by the laws of the universe that this is what's happening, but if so then go buy a mega millions ticket because the random number generator used by Mother Nature is going absolutely insane.

You have no idea what you're talking about.

The amount of people working the call centers for the millions of XBL users would statistically guarantee the callers would never get the same person in a row. Not only that, but they don't go in and attempt one account at a time. That's novice work. They call in consecutively hoping to find that one rep who will slip up and listen to them. Once they find that person they go through a list of accounts to reset. Also, they can't be traced because they're using Skype (which is hard to trace) or they're spoofing their phone numbers.
 
I don't have the energy to sift through this entire thread so I'm just gonna ask and hopefully a kind soul will support my laziness.

If I have not received any strange emails regarding my Xbox Live account and purchasing points and/or password resets, do I have anything to worry about? Would it be too late to remove my credit card from the account, and should I change my password to the account itself? I have no idea if this breach is still currently happening and accounts are being stolen at this very minute, or if it's something that happened and is no longer happening. Thanks.
 
That's a lot more likely than hackers having the ability to hack accounts and doing it slowly over a long period of time and not going as fast and hard as they can like every other hacking case.

I don't think you realize how likely "having the ability to hack accounts" actually is. Anyone who works in security certainly does though. It happens every day, there are people who make their living finding and selling these exploits for large sums of money. All it takes is 1 researcher who finds an exploit and then sells it on the black market to whoever wants to pay. This might sound like a conspiracy theory, but I really don't know how else to emphasize to you that it happens all the fucking time. Ask any person who works in a field related to computer security (like, for example, me).

If I have not received any strange emails regarding my Xbox Live account and purchase points and/or password resets, do I have anything to worry about? Would it be too late to remove my credit card from the account, and should I change my password to the account itself? I have no idea if this breach is still currently happening and accounts are being stolen at this very minute, or if it's something that happened and is no longer happening. Thanks.
Yes you have something to worry about, no it's not too late to remove your credit card, and yes you should change the password (the 3rd part may not help, but do it anyway)

KevinRo said:
You have no idea what you're talking about.
I think I have a much better idea what I'm talking about than you think I do.

Edit: And are you fucking kidding me? Now you're telling me that they get ONE REP on the phone and go through AN ENTIRE LIST OF ACCOUNTS to reset? Jesus christ, we're done here.
 

Joni

Member
Are you sure about that? When I add money to my PSN wallet I'm not required to type any CC info. Why would someone else with my account be asked to do so? Does it detect different hardware?

edit: I'm referring specifically to buying money for the PSN wallet with a stolen PSN account.

It "detects" new hardware. (When you link a PSN account to a new console, it asks you to re-enter certain details.) Your CC details are linked to hardware + PSN. You won't be able to open up the CC details on a new console without retyping your CC. (I didn't know it either until I saw someone open an existing account on another PS3.) We could access the store, redownload all games, buy games using money in the wallet, but not add money.
 
I don't think you realize how likely "having the ability to hack accounts" actually is. Anyone who works in security certainly does though. It happens every day, there are people who make their living finding and selling these exploits for large sums of money. All it takes is 1 researcher who finds an exploit and then sells it on the black market to whoever wants to pay. This might sound like a conspiracy theory, but I really don't know how else to emphasize to you that it happens all the fucking time. Ask any person who works in a field related to computer security (like, for example, me).

As someone who works in security, how often do these exploits stay open for years at a time?

How often do people find an exploit and milk it slowly instead of selling it to every person possible and blowing the shit up?

Social engineering is far more likely in this situation than some exploit that Microsoft has decided to randomly not fix. The social engineering problem can be explained by them doing a cost/benefit analysis and determining the costs of hacking don't outweigh the costs of having to change their customer relations program. (I'm guessing this has happened, which is why it's such a fail and piece of shit move on their part.)

I can't really think of any benefit for them to leave open an exploit
 
I can't really think of any benefit for them to leave open an exploit, especially considering they just completely redid the OS.

They don't necessarily know what the exploit even is. From what I can tell (and I do have at least a little more information than the average Joe does about this, but you'll just have to take my word for it), at least some parties involved actually do think it's a direct phishing attack on the victims.

This suggests to me they simply haven't even taken the problem seriously.
 

iceatcs

Junior Member
I think the problem is the way MS deals with it; it has nothing to do with why it hasn't hit the headlines yet or how easy it is to hack compared to other systems.

If it happened a while ago (Major Nelson has known about it for years), why hasn't MS changed or updated the security yet?
 
I don't have the energy to sift through this entire thread so I'm just gonna ask and hopefully a kind soul will support my laziness.

If I have not received any strange emails regarding my Xbox Live account and purchasing points and or password resets, do I have anything to worry about? Would it be too late to remove my credit card from the account, and should I change my password to the account itself? I have no idea if this breach is still currently happening and accounts are being stolen at this very minute, or if its something that happened and is no longer happening. Thanks.

You're OK until you get an email that says you've changed your details. You're best to take off the card tied to your account and buy points cards or add and remove the credit card only when you need points.
 

Rapstah

Member
Is there any way to untie your Hotmail account from the rest of your Live ID? I remember these sorts of hacks happening through Hotmail seven years ago and it's sort of useless for me to get a 40-character password if it's going to be shared with Hotmail.
 

Lord Error

Insane For Sony
If you, for instance, call Netflix and somehow get them to give you your Netflix password, there's a chance that the same password is being used on the 360. As one service "ties" into the other, both have credit card information, both need to be secure. What do you do? You use your "good" password in both services. Boom, you're screwed.
Netflix, or anyone else for that matter, will not be able to give you your Netflix password even if they wanted to. What they have is only a hash of your password, and the most they can do is a password reset: send you a new randomly generated password that you'll be able to use on Netflix and nowhere else.
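To make the point above concrete (a service that stores only a salted hash can verify a password or reset it, but cannot read it back), here is an added illustration in Python. It is not Netflix's or Microsoft's code; the in-memory `_USERS` store, the function names and the PBKDF2 parameters are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed, in-memory user store: email -> (salt, pbkdf2 hash).
# Stands in for a service's password database in this example.
_USERS = {}

# Hypothetical work factor chosen for this example only.
PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """One-way key derivation: the output cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is never kept."""
    salt = os.urandom(16)
    _USERS[email] = (salt, _derive(password, salt))


def verify(email: str, password: str) -> bool:
    """Re-derive from the candidate password and compare in constant time."""
    rec = _USERS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_derive(password, salt), stored)


def stored_record(email: str) -> tuple:
    """Everything a support rep or a leaked database dump could see: salt and hash only."""
    return _USERS[email]


def reset_password(email: str, length: int = 16) -> str:
    """The only 'recovery' possible: issue a new random password and overwrite the hash."""
    alphabet = string.ascii_letters + string.digits
    new_pw = "".join(secrets.choice(alphabet) for _ in range(length))
    register(email, new_pw)
    return new_pw


if __name__ == "__main__":
    register("user@example.com", "hunter2")          # constructed sample account
    print("login works:", verify("user@example.com", "hunter2"))
    print("stored record:", stored_record("user@example.com"))
    fresh = reset_password("user@example.com")
    print("old password still works:", verify("user@example.com", "hunter2"))
    print("new password works:", verify("user@example.com", fresh))
```

Whoever can read `_USERS` sees only random-looking bytes, which is why a reset (rather than a disclosure) is the only thing a rep can do, and why a reset password is useless on any other service.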
 
Hack or phishing, I don't care what it is at this point. I'm less interested in finding who's to blame and more interested in a solution. 2-step authentication.

I think the problem is the way MS deals with it; it has nothing to do with why it hasn't hit the headlines yet or how easy it is to hack compared to other systems.

If it happened a while ago (Major Nelson has known about it for years), why hasn't MS changed or updated the security yet?
The crew of Giantbomb speculated that the security limitations might be due to the 360's outdated online systems. Some of the account migration issues and the DLC licensing involved with that is limited by the current system in place. I fully expect Microsoft to have security figured out in time for next-gen (even though we should have had 2-step authentication for a while now).
 
They don't necessarily know what the exploit even is. From what I can tell (and I do have at least a little more information than the average Joe does about this, but you'll just have to take my word for it), at least some parties involved actually do think it's a direct phishing attack on the victims.

This suggests to me they simply haven't even taken the problem seriously.

So all the huff and puff about it not being social engineering and now you are saying your inside info suggests it might be social engineering?

Gotta love internet discussions!
 
So all the huff and puff about it not being social engineering and now you are saying your inside info suggests it might be social engineering?

Gotta love internet discussions!

Wow, you seriously just failed at reading comprehension.

1) a phishing attack on users is not a CSR social engineering attack
2) Despite what they may or may not think, it's not a phishing attack.

Point being, they actually might be clueless
 

V_Arnold

Member
An interesting little bit is that I know one case where someone got banned (account AND console ban!) for using the "buy cheap points with an account, use the points fast and tie it to your account" method.

Which means that Microsoft can definitely track this AND they have taken the necessary steps as well. Only question is, how frequent will this banning be.
 
I don't think this is an exploit on Microsoft's side. There are regularly sites that get hacked and their user and password databases get leaked. The hackers then just have to have scripts that go through these leaked databases and check for people that have used the same e-mail/password for Xbox Live accounts. With every big leak they're bound to get hold of a bunch of accounts that have credit cards tied to their accounts.

Microsoft's verification methods need to get better though, and we should learn to not use the same password everywhere.
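The scripted password-reuse attack the post above describes has a recognisable footprint on the service side: one source trying many different accounts in a short window, mostly failing, with the occasional success being exactly the reused credential. As an added example (not Microsoft's code, and not a real Xbox Live log format), this Python detector runs that check over a few constructed, hypothetical authentication log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format for this example:
# "<ISO timestamp> login result=<ok|fail> user=<email> src=<ip>"
# 203.0.113.7 walks through six different accounts in five seconds (two reused
# credentials succeed); 198.51.100.4 is one user mistyping once.
SAMPLE_LOG = """\
2012-01-10T20:00:01 login result=fail user=alice@example.com src=203.0.113.7
2012-01-10T20:00:02 login result=fail user=bob@example.com src=203.0.113.7
2012-01-10T20:00:02 login result=ok user=carol@example.com src=203.0.113.7
2012-01-10T20:00:03 login result=fail user=dave@example.com src=203.0.113.7
2012-01-10T20:00:04 login result=fail user=erin@example.com src=203.0.113.7
2012-01-10T20:00:05 login result=ok user=frank@example.com src=203.0.113.7
2012-01-10T20:00:30 login result=fail user=alice@example.com src=198.51.100.4
2012-01-10T20:00:45 login result=ok user=alice@example.com src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def flag_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=4, min_fail_ratio=0.5):
    """Return {src_ip: summary} for sources that tried many distinct accounts,
    mostly unsuccessfully, inside one sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits the configured width
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            prev = flagged.get(src)
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "fail_ratio": ratio,
                    # successes from a stuffing source are the accounts to lock and notify first
                    "compromised_candidates": sorted(e["user"] for e in win if e["ok"]),
                }
    return flagged


if __name__ == "__main__":
    for src, summary in flag_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(src, summary)
```

The thresholds (`min_users`, `min_fail_ratio`, window width) are tuning knobs, not magic numbers: a real deployment would set them from observed baseline traffic, and the useful output is the list of accounts that succeeded from a flagged source, since those are the reused passwords that need a forced reset.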
 
Holy shit, you can't remove all of your credit cards from Microsoft's database if you have an active gold account? Even if auto-renew is off, and even if you've already paid for the gold itself. What. The. Fuck.
 
I don't think this is an exploit on Microsoft's side. There are regularly sites that get hacked and their user and password databases get leaked. The hackers then just have to have scripts that go through these leaked databases and check for people that have used the same e-mail/password for Xbox Live accounts. With every big leak they're bound to get hold of a bunch of accounts that have credit cards tied to their accounts.

Microsoft's verification methods need to get better though, and we should learn to not use the same password everywhere.

This was actually my original theory but it happened to a friend who, after the PSN incident, created a new password exclusively for XBL that was a random string of 17 characters, never used on any other site. Still got hacked.

I think they are bypassing the password mechanism entirely.

More evidence for this (and against the CSR thing, as if any more is even needed) is that after you get hacked your password is not changed or reset. Everyone I know who has had this happen has been able to log in through the website and console using the old password after getting hit. Even though the chances of a CSR resetting a password is non-zero, the chances of them actually reading a password off to you over the phone is actually 0, I don't care how little faith you have in them. That would mean XBL stores passwords in plain text, and sorry but no, I'm not even going to entertain that line of discussion because it's just THAT far out of the realm of possibility.
 
Well I'd like to protect myself from a potential failure on your part Microsoft, but you see I fucking CAN'T BECAUSE I HAVE ONE OF YOUR GOLD SUBSCRIPTIONS. GREAT SYSTEM, GUYS.
 

Sixfortyfive

He who pursues two rabbits gets two rabbits.
Holy shit, you can't remove all of your credit cards from Microsoft's database if you have an active gold account? Even if auto-renew is off, and even if you've already paid for the gold itself. What. The. Fuck.
If you paid for your current subscription with a credit card, then you can't remove that card from the system until your current sub expires.

Yes, it's absurd.
 
Huh...


So how is this all happening? social engineering? actual hacking?


That's the whole problem. No one person has been able to answer this!

We have had plenty of theories as to the cause and they all seem plausible. The problem is without a definitive answer, many of us who have been following this story are in the dark about what we can and can't do to protect our account. Fuck, for all we know there is nothing that can be done.

The best thing to do is keep this story rolling. We all need answers!

An interesting little bit is that I know one case where someone got banned (account AND console ban!) for using the "buy cheap points with an account, use the points fast and tie it to your account" method.

Which means that Microsoft can definitely track this AND they have taken the necessary steps as well. Only question is, how frequent will this banning be.

I guess you missed the following quote from the OP then?

"It will never let your console be banned according to our experience of more than two years"

Now don't think I am happy coming across as flippant or childish but i'm going to post the line a few more times.

"It will never let your console be banned according to our experience of more than two years"
"It will never let your console be banned according to our experience of more than two years"
"It will never let your console be banned according to our experience of more than two years"

This scares the hell out of me, because it is so fucking stupid. Without consequences there is nothing to stop this mess or at least slow it down. Permanent bans for all 360's that use a stolen account should be mandatory. If someone could refute the above, please do so. I would appreciate it.
 

Sye d'Burns

Member
it's not grounds for disclosure.

So some con men fool a few customer service reps with information obtained from external sources... I don't think that's a significant or extraordinary event.

When you say it that way, it sounds downright callous.

Careful, you may jinx yourself.

Imagine for a moment that was your money and your account.
 
If you paid for your current subscription with a credit card, then you can't remove that card from the system until your current sub expires.

Yes, it's absurd.

I am vulnerable to financial theft until 2013 because of this insanely anti-consumer policy. That is, unless I cancel that card. Which I will be doing tomorrow. Fuck this shit.
 

def sim

Member
I have the option to remove my only card on file and I'm pretty sure I had to deal with the pain in the ass support just to get it. IIRC, auto-renewal charged an expired card of mine and I was locked out of my account for some time, so they allowed me to take off and alter all payment options after some complaining.
 

V_Arnold

Member
I guess you missed the following quote from the OP then?

"It will never let your console be banned according to our experience of more than two years"

Now don't think I am happy coming across as flippant or childish but i'm going to post the line a few more times.

"It will never let your console be banned according to our experience of more than two years"
"It will never let your console be banned according to our experience of more than two years"
"It will never let your console be banned according to our experience of more than two years"

This scares the hell out of me, because it is so fucking stupid. Without consequences there is nothing to stop this mess or at least slow it down. Permanent bans for all 360's that use a stolen account should be mandatory. If someone could refute the above, please do so. I would appreciate it.

Again: the user's console (who bought the account and then used the points for XBLA purchases) DID get banned.

IT HAPPENED.
IT HAPPENED.

So...?
 

acm2000

Member
So what's worse, this or when Sony got hacked?

And if it's this, why are more people not talking about it?

because that was Sony's fault, and there is still no evidence to say this is anything to do with MS

remember people, gaming forums/PSN account info were all stolen last year in the big hacking storm. most people will use the same user/pass/email on XBL; it doesn't take a genius to take that stolen info and then try it on xbox.com to see if it's the same
 

libregkd

Member
remember people, gaming forums/PSN account info were all stolen last year in the big hacking storm. most people will use the same user/pass/email on XBL; it doesn't take a genius to take that stolen info and then try it on xbox.com to see if it's the same
Except for the part where there are reports of people's accounts getting accessed despite the fact they were using a password that was exclusive to XBL.
 
This was actually my original theory but it happened to a friend who, after the PSN incident, created a new password exclusively for XBL that was a random string of 17 characters, never used on any other site. Still got hacked.

I think they are bypassing the password mechanism entirely.

More evidence for this (and against the CSR thing, as if any more is even needed) is that after you get hacked your password is not changed or reset. Everyone I know who has had this happen has been able to log in through the website and console using the old password after getting hit. Even though the chances of a CSR resetting a password is non-zero, the chances of them actually reading a password off to you over the phone is actually 0, I don't care how little faith you have in them. That would mean XBL stores passwords in plain text, and sorry but no, I'm not even going to entertain that line of discussion because it's just THAT far out of the realm of possibility.

so you think the hackers have found a way to access people's accounts without having to even provide a password? that would be worse for microsoft than what happened to sony imo.

I agree that it's not social engineering of the CSRs (on the whole; it may happen on a rare occasion). there's just too many hacked accounts at this point. I'd really like this to get resolved...
 

Ronok

Member
So what's worse, this or when Sony got hacked?

And if it's this, why are more people not talking about it?

It's not being talked about as much, because Sony recognised the problem and took steps in order to correct the situation. This put them in the spotlight as they had to turn off the PSN service in order to protect people's accounts.
Microsoft refuse to recognise the problem, and haven't taken any steps to rectify it. This, strangely enough keeps them out of the spotlight... That and keeping the gaming "journalists" in their pocket.

because that was Sony's fault, and there is still no evidence to say this is anything to do with MS

remember people, gaming forums/PSN account info were all stolen last year in the big hacking storm. most people will use the same user/pass/email on XBL; it doesn't take a genius to take that stolen info and then try it on xbox.com to see if it's the same

Yup, the PSN fuckup was Sony's fault. It really was. However, this is just as much Microsoft's fuck up as that was Sony's. Whether or not this is social engineering, hacking, whatever, this continued situation is Microsoft's fault. They could easily implement a system like Steam Guard, but they refuse to. I don't see how anyone can defend this.


I assume this has already happened, but has anyone written to BBC Watchdog or similar about this issue? :-/
 

Ronok

Member
The number of accounts being hijacked would be far higher than they currently are if this was the case.

I'm not saying I agree with the idea that they are able to bypass accounts, but assuming they are, wouldn't it make sense to only hack accounts as fast as they can sell them? I mean, it's not as though they are able to extract the credit card details from the account right? They have to sell on the account with points, or sell on them Fifa cards or whatever. Taking this into account it doesn't actually make sense to gain access to as many accounts as possible, potentially bringing too much attention to the exploit, and actually forcing Microsoft to do something about it.
 
I'm not saying I agree with the idea that they are able to bypass accounts, but assuming they are, wouldn't it make sense to only hack accounts as fast as they can sell them? I mean, it's not as though they are able to extract the credit card details from the account right? They have to sell on the account with points, or sell on them Fifa cards or whatever. Taking this into account it doesn't actually make sense to gain access to as many accounts as possible, potentially bringing too much attention to the exploit, and actually forcing Microsoft to do something about it.

I currently have my security settings so that my password is required when signing into Live from any other console. it's scary to think hackers have found a way to bypass the password mechanism altogether. that would mean that particular security setting is worthless.
 

Respawn

Banned
Yep.

That woman's account should be mandatory reading for anyone who wants to come in here saying it's no big deal. Peoples' accounts are being stolen wholesale now, along with hundreds of dollars.

Microsoft's silence on this matter is damning. Not to mention their active deception of the public by silencing games journalists who get hacked.

Wow that's just plain disgusting
 

Droog

Member
I'm not saying I agree with the idea that they are able to bypass accounts, but assuming they are, wouldn't it make sense to only hack accounts as fast as they can sell them? I mean, it's not as though they are able to extract the credit card details from the account right? They have to sell on the account with points, or sell on them Fifa cards or whatever. Taking this into account it doesn't actually make sense to gain access to as many accounts as possible, potentially bringing too much attention to the exploit, and actually forcing Microsoft to do something about it.

Hmm, I see where you're coming from. I was also considering the FIFA points thefts in addition to the actual selling of accounts that the OP mentioned, to be honest. Either way, the rationale for using exploits is that because they are (usually) patched sooner rather than later, it's best to make use of it while you can as it could disappear at any time without warning. Unfortunately since we don't know even know if/what the exploit is in this situation, we can only guess at the thieves' timeframes for their actions.
 

Feature

Banned
Isn't it possible to remove your credit card information after you bought something? making a hacking of your account useless?
 

Pie and Beans

Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
What gets me about the defence of this not getting the same level of outrageous press the PSN Hack got, is the millions versus thousands argument.

The basis of this is that millions of PSN users were 'affected' by their credit card details possibly being compromised in the future, so passwords had to be changed along with security measures. This X360 hack stuff right here though isn't a breach or case of "maybe your card will be targeted", this is a groundswell of people that have been legitimately thieved from RIGHT NOW via their Xbox Live accounts.

In many ways I consider this WORSE than the PSN hack because goofy Lulzsec nutters out to prove a point may or may not have used such information for illegal gains while this X360 stuff has clearly been coming from the skeeziest of internet asshole operations.
 
well, this isn't new, this has been happening since 2007 or so. back in the day you could even find these 10000 MS points for <$30 on eBay, but it got banned.

if you take a look at taobao.com you can find a lot of sellers with 2100> MS points accounts; sometimes they're brand new accounts (created with MS points generated from stolen CC money) and sometimes the sellers are so lame that they sell the whole existing account of the stolen user, I mean, including his friend list, personal data, etc.
 

TGMIII

Member
Just what is this FIFA hack I've been seeing on here? How do they get your account?

Most likely through social engineering/people being morons like clicking on those links that say they'll give you free xbox live points. There's other stuff too like forum databases being exposed and a ton of users using the same username/email password combination for their xbox live accounts. I don't think there's any known hole in Live right now that people are exploiting?

I've got a friend who works for EA on the support team and he was telling me about a call he got where the guy on the phone wanted to know why he couldn't get onto his xbox live account after he "went to a website where EA were giving away fifa points for free". Even after it was explained to him that it was fake and he got his account stolen and that he should be speaking to MS support he still didn't get it and asked if my friend could reset his password.
 

Dave Long

Banned
You know, that thing where you can't remove your card, that might not be PCI (Payment Card Industry) compliant on Microsoft's end. It could be that Visa/Master Card/etc. could be used to leverage Microsoft into changing that. There are fines if you're not compliant.
 
Is there any way to untie your Hotmail account from the rest of your Live ID?

I don't know about that (I don't think so), but I'd advise anyone who has had their Xbox Live account messed around with to log into the Live account associated with their gamertag and check to see if a 'Trusted PC' has been created (Security Info > Manage). The 'Trusted PC' seems to stay active after a password change, so that would allow someone to take control of your Live ID again.
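Two complaints in this thread describe the same policy gap: the 7-digit code / email link second step exists but is not required for password changes, region migration or sign-in from an unverified console, and a 'Trusted PC' survives a password change. As an added example (not Microsoft's implementation; the `Account` class, the action names, the code lifetime and the in-memory `outbox` are all assumptions for this illustration), here is a Python model of the behaviour a defender would want instead: sensitive actions need a fresh one-time code unless the device is already trusted, a password change always needs the code, and it revokes every trusted device.

```python
import hmac
import secrets
import time

# Hypothetical policy constants for this example.
CODE_TTL_SECONDS = 600
SENSITIVE_ACTIONS = {"change_password", "migrate_region", "login_unverified_device"}


class Account:
    def __init__(self, email, phone):
        self.email = email
        self.phone = phone
        self.trusted_devices = set()   # device ids allowed to skip the second step
        self._pending = None           # (code, expires_at) for one outstanding challenge
        self.outbox = []               # constructed stand-in for the SMS/email channel

    def start_challenge(self):
        """Generate a random 7-digit one-time code and 'send' it out of band."""
        code = f"{secrets.randbelow(10 ** 7):07d}"
        self._pending = (code, time.monotonic() + CODE_TTL_SECONDS)
        self.outbox.append((self.phone, code))

    def _consume_code(self, submitted):
        """A code is single-use: it is discarded whether or not it matches."""
        if self._pending is None:
            return False
        code, expires = self._pending
        self._pending = None
        if time.monotonic() > expires:
            return False
        return hmac.compare_digest(code, submitted)

    def perform(self, action, device_id, code=None):
        """Return True if the action is allowed; apply its side effects if so."""
        if action not in SENSITIVE_ACTIONS:
            return True
        if action != "change_password" and device_id in self.trusted_devices:
            allowed = True
        else:
            allowed = code is not None and self._consume_code(code)
        if not allowed:
            return False
        if action == "change_password":
            # a new password must not leave previously trusted devices able to sign in
            self.trusted_devices.clear()
        elif action == "login_unverified_device":
            self.trusted_devices.add(device_id)
        return True


if __name__ == "__main__":
    acct = Account("user@example.com", "+1-555-0100")   # constructed sample account
    print("region migration without code:", acct.perform("migrate_region", "console-1"))
    acct.start_challenge()
    code = acct.outbox[-1][1]
    print("verify new console with code:", acct.perform("login_unverified_device", "console-1", code))
    print("region migration from trusted console:", acct.perform("migrate_region", "console-1"))
    acct.start_challenge()
    print("password change with code:", acct.perform("change_password", "console-1", acct.outbox[-1][1]))
    print("trusted devices after password change:", acct.trusted_devices)
```

The `outbox` is where the code would leave the system; reading it back in the test stands in for the user looking at their phone. The two properties worth checking are that no sensitive action succeeds without either a trusted device or a valid, unexpired, unused code, and that `trusted_devices` is empty after `change_password`.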
 