UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

Lol, holy shit. You think Microsoft should shut down XBL, a userbase of 40+ million people, just because an extremely small (small enough to not get noticed or garner care from the gaming media) percentage are being phished? You think Sony would do the same?

Listen, I don't know how else to explain this to you. The people are not getting phished.
 

Ardenyal

Member
Would it be of any help if people started filing more complaints to BBB about this issue? You could probably even file a complaint after the issue has been resolved on the grounds that your private information has been handled improperly, just to inform them.
 

ithorien

Member
For all we know, all that CC info would have been stolen (instead of a small, insignificant amount that was reported here and there) and Sony would be filing for bankruptcy from all the lawsuits and money owed (they are already in a bad position in several divisions; this would have been an awful nightmare).

Wonder if you'd be singing the same tune if it was your money being stolen. Sure as shit the woman from the OP link wouldn't want to be called "insignificant", because she pretty clearly specifies this is her monthly living expenses getting impacted by this, which in turn impact her child.
 

FoxSpirit

Junior Member
Just a question: is the class action waiver legal? I mean, is this within the law, or is it null and void in law?

I'm asking because here, you cannot EVER sign away certain consumer rights.
 

MrPliskin

Banned
This just happened to my roommate. Luckily he has PayPal send him Emails for every transaction, so he was able to cancel it, but they still snagged over $700 from his account within a span of 20 minutes.
 
How do you know? Your secret contacts inside MS? This is very likely phishing attacks, nothing more. You really seem to want it to be more.

Because I know what a phishing attack is, and I know I have not been phished. I fucking work in security. I do not click ANYTHING. I browse from a VM almost 100% of the time. The account I got hacked on had not been used in over 18 months (meaning I also had not used my Xbox in over 18 months), and the Windows Live ID was used exclusively for XBL and nothing else, and had a unique password that was very strong. I did not even know what the password was because I store it in KeePass and it's a string of garbage that there's no way I could remember. So please fucking explain to me how I could have been phished.
 
Eh, it's MS. The gaming media and people here on GAF will give them a pass on this. Just like they did with the RROD issue.
True, I think it's pathetic people have to be afraid of this happening to them on what's supposed to be a secure service; worst of all, they can't take off their info to avoid the issue.
 

def sim

Member
I'm betting it's a combination of phishing and social engineering, and MS not having a two-step security check is what's making it possible. They're at total fault for not implementing a more secure login rather than some ??? hack that MS can't solve.
 

Pie and Beans

Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
How do you know? Your secret contacts inside MS? This is very likely phishing attacks, nothing more. You really seem to want it to be more.

Even if this was a case of phishing, which multiple people have said it's not (and hell, I've had a Hotmail account cracked by Chinese super-computers that just try to hack accounts all day round until they hit the money), the fault lies with Microsoft's lack of two-step verification and better security around how your credit card info can be used for purchases.

What madness is it that someone can just log in to your Live account on the other side of the planet, add 10,000 points to the basket, your card auto-pays, and your account will get locked for months at a time, and they've even written in a clause that says you'll get 30 days of Live back but no refunds?
 

coopolon

Member
Because I know what a phishing attack is, and I know I have not been phished. I fucking work in security. I do not click ANYTHING. I browse from a VM almost 100% of the time. The account I got hacked on had not been used in over 18 months (meaning I also had not used my Xbox in over 18 months), and the Windows Live ID was used exclusively for XBL and nothing else, and had a unique password that was very strong. I did not even know what the password was because I store it in KeePass and it's a string of garbage that there's no way I could remember. So please fucking explain to me how I could have been phished.

This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."

How could someone hack an account like this via social engineering/phishing? Sure, most people aren't very security aware, but we've heard multiple reports of people who were very security aware also having their accounts hijacked.
 

Droog

Member
For all we know, every single account in the world is already hacked, but it's a very small number of people doing it and then selling the accounts, in which case new reports of hacks are limited by how fast buyers can turn around the FIFA scam process. If this is the case, the FIFA guys aren't hacking anything; they're just buying hacked accounts, which means they need to recover their investment, which is where the 1-2 month period between attacks comes in.

I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?
 

TGMIII

Member
This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."

How could someone hack an account like this via social engineering?

Wouldn't "social engineering" cover someone tricking MS support into changing the pass?
 
This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."

How could someone hack an account like this via social engineering?

And to top it off, they did NOT change my password, because I logged into it through the website immediately after the compromise.

So it wasn't phished, it wasn't changed, and it wasn't brute forced. How many options are left?
 

Karma

Banned
Because I know what a phishing attack is, and I know I have not been phished. I fucking work in security. I do not click ANYTHING. I browse from a VM almost 100% of the time. The account I got hacked on had not been used in over 18 months (meaning I also had not used my Xbox in over 18 months), and the Windows Live ID was used exclusively for XBL and nothing else, and had a unique password that was very strong. I did not even know what the password was because I store it in KeePass and it's a string of garbage that there's no way I could remember. So please fucking explain to me how I could have been phished.

Hey, if you are right then we should see this thing explode soon, but I don't think so. Not worried at all.
 

def sim

Member
I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?

So it can't be either phishing/social engineering or mystery hack. The latter of which implies XBL has been totally compromised for almost three years but the hackers aren't doing much with it. That doesn't make sense so there must be some fourth exploit no one has figured out yet.
 

coopolon

Member
Wouldn't "social engineering" cover someone tricking MS support into changing the pass?

So this would mean that the hackers are actually looking up individual people, reading through their Facebook/Google+/MySpace etc. to figure out birthdays, pet names, addresses, whatever, then calling Microsoft? Wouldn't that be incredibly time intensive and easy to spot?

And even if that is happening, wouldn't that mean the passwords are getting reset? But a lot of people's passwords aren't getting reset.
 
I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?

I suppose it takes time to list the compromised account on auction sites, and then facilitate the transfer of it. That's your likely bottleneck right there.
 

Zoe

Member
I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?

Windows Live accounts are vulnerable in all of this because of MS's investigation. They lock down the account completely (or, at least they're supposed to) across all services.

The people with the stolen accounts are only using the Xbox portion of the account. What other damage could they do with that apart from spend up all of the person's money?

I suppose it takes time to list the compromised account on auction sites, and then facilitate the transfer of it. That's your likely bottleneck right there.

There's the economy of it too. They probably wouldn't be able to make as much if they just flooded the "market" with what they've taken.
 

Droog

Member
This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."

How could someone hack an account like this via social engineering/phishing? Sure, most people aren't very security aware, but we've heard multiple reports of people who were very security aware also having their accounts hijacked.

It's been suggested that the weak link could be via Microsoft Support, i.e. the thief calls MS Support pretending to be the owner of the account they're trying to steal. They either research the account enough beforehand to have enough details to fool the support rep into giving them access or they're able to glean enough new info about the account that they can try again on a new service rep which they're likely to get on a subsequent call. Nobody knows for sure currently.
 
I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?

It's possible the problem is not with WLID but with Xbox's usage of it. So the problem could still be limited to just Xbox.

Also, in case it wasn't clear, I'm not saying that my theory is the absolute 100% answer, as every single person here can only really guess. But the people who have never been hacked, don't read entire threads, and just stand around proclaiming they know how *I* got hacked when they probably know nothing about computer security anyway are pretty damn annoying.
 
All the console wars political bullshit that goes on in these threads makes them completely useless. I can't read this thread and collect any useful information because both sides have such obvious agendas.
 

def sim

Member
All the console wars political bullshit that goes on in these threads makes them completely useless. I can't read this thread and collect any useful information because both sides have such obvious agendas.

It's true that there are probably dudes here with agendas but most people are probably just trying to figure out how not to get fucked over in the future.
 
It's been suggested that the weak link could be via Microsoft Support, i.e. the thief calls MS Support pretending to be the owner of the account they're trying to steal. They either research the account enough beforehand to have enough details to fool the support rep into giving them access or they're able to glean enough new info about the account that they can try again on a new service rep which they're likely to get on a subsequent call. Nobody knows for sure currently.

Please find me one company on the planet that will read your damn password to you over the phone. Fuck, I'm getting sick of this argument. You honestly think the XBL password is stored in plaintext? That would be the biggest story since Watergate.
 

TGMIII

Member
So this would mean that the hackers are actually looking up individual people, reading through their Facebook/Google+/MySpace etc. to figure out birthdays, pet names, addresses, whatever, then calling Microsoft? Wouldn't that be incredibly time intensive and easy to spot?

People have been doing things like that for years, it can be amazingly profitable.

And even if that is happening, wouldn't that mean the passwords are getting reset? But a lot of people's passwords aren't getting reset.

Yeah, if they're going about it that way it has to be reset, unless they're being told the password over the phone, which would obviously be insane as no one would store information in plaintext. But at that point I'm just throwing thoughts out there, as I'm sure MS have support calls closely monitored for anything like that. If there really is a hole in Live that is being exploited then MS need to get nailed hard for it. I'm still amazed at how easy Sony got off. Right now they're being amazingly tight-lipped, so all anyone can do is speculate, but it's becoming more obvious what is and isn't happening.

Please find me one company on the planet that will read your damn password to you over the phone. Fuck, I'm getting sick of this argument. You honestly think the XBL password is stored in plaintext? That would be the biggest story since Watergate.

To be fair Sony had sensitive information in plain text. I'm not defending his point but just sayin'.
 

Droog

Member
Please find me one company on the planet that will read your damn password to you over the phone. Fuck, I'm getting sick of this argument. You honestly think the XBL password is stored in plaintext? That would be the biggest story since Watergate.

Where did I once say the password itself would be read over the phone? I'd imagine it's more like they'd get the password reset. I'm not even the proponent of this theory, merely answering coopolon's question on social engineering.
 

coopolon

Member
It's been suggested that the weak link could be via Microsoft Support, i.e. the thief calls MS Support pretending to be the owner of the account they're trying to steal. They either research the account enough beforehand to have enough details to fool the support rep into giving them access or they're able to glean enough new info about the account that they can try again on a new service rep which they're likely to get on a subsequent call. Nobody knows for sure currently.

If this is true, I don't think it's really a much better defense for Microsoft than just getting hacked, because it means their customer service is pretty incompetent. I know you're not saying it is a good defense, so this is more just in general.

Plus, how can anyone protect themselves against this? Obviously controlling your personal info on places like facebook, but if it's the latter there's nothing anyone can do.
 

skybaby

Member
Xbox Live has expanded into many different countries, and with that, its call centers have had to be installed in different locations to reach people across the globe. Of course this is done by outsourcing these local operations to third parties, who hire peons for the least possible wages.
These people have access to account details and can retrieve them en masse by just checking the database. These details usually can be used to answer secret questions on different services, including Xbox Live itself.
 

Big E33

Neo Member
This is 100% what happened to me

On 12/31 I woke up with 5 PayPal receipts in my inbox that were all from XBL. I knew immediately what had happened; by the time I got into my XBL account there were 16 purchases for over $700.

I changed all my XBL info (surprised whoever hacked it didn't do that first), called Microsoft, called PayPal, called my local bank since the charges had spilled over onto that account as well. Got it all locked down. My bank didn't even see the charges yet but I told them that they were coming. The bank assured me they would take care of it and not let the charges go through, and PayPal canceled my billing agreement with Microsoft. Lo and behold, the bank let all the charges go through and hit me with 200 bucks of overdraft fees. I am working to get things resolved with my bank but...

A few days later I turned on my Xbox to find it auto logged into my account. It hadn't been shut down by Microsoft at all, even though I got an email confirming it had been temporarily disabled at my request. I checked a few things because I suspected what was happening. I knew since they didn't actually still have my account they must have attempted to funnel the points to another account. Sure enough there were 2 accounts based in Europe that were brand new, never been played on, that were on my friends list that I sure as shit didn't put there. I think the accounts have already been sold, since one was playing Forza last night and one played some XBL game this morning.

I literally laid out for Microsoft exactly what happened both before and after it actually happened, and I am going to have to wait and deal with all this shit with PayPal and my bank and not have my XBL account for up to 6 weeks. May be a blessing in disguise with the semester starting soon, but I was stranded on New Year's Eve in another city with most of my electronic funds completely locked out because of this bullshit.

M$ get your shit together or this will blow up bigger than Sony's situation ever did

tl;dr - acct hacked, points transferred to dummy Euro accounts
 

Noshino

Member
Hey, if you are right then we should see this thing explode soon, but I don't think so. Not worried at all.

Like it has been said before, Microsoft are really good at keeping issues from blowing up, just like RROD.

The fact that they have been pretty quick to solve any issues that high-profile people have had, without publicly acknowledging the problem, suggests that once again they are doing the most they can to keep it low.
 

drizzle

Axel Hertz
They are the ones who after being notified an account is being used fraudulently, continue allowing that account to buy stuff and steal money from the legitimate owner. I actually think this is the main point of the OP's linked story. The woman contacted Microsoft immediately and said "I did not buy those things", Microsoft said okay we are locking your account, and then continued to accept money from the account even though they were already notified it was fraudulent. Should be illegal, you shouldn't be allowed to take the money after being informed the purchases are fraudulent.
They (or your bank) will reimburse you for any charges on your credit card or MS Points balance.

Why would you care? The woman specifically said to me that I HAD TO cancel my credit card, because that's what's used as the main proof of the account being stolen. The charges are then taken care of and I'm either never charged for it by the CC company or I'm later refunded (which, yes, takes much more time).

Listen, I don't know how else to explain this to you. The people are not getting phished.
If you have so much certainty about how this is done, why don't you contact the press and tell everybody how it's done, and provide some proof? This "I can't tell you how, but believe me, I know it's not phishing!" shit is not cutting it anymore.

Edit: While I was writing this, you posted why you're so certain that you were not phished. Here's the rest of my argument:

There's too many variables! Maybe your password was reset using personal information acquired through a couple calls to a couple places where you have account, combined with your email address and personal information. "but some passwords aren't changed". Did your password get changed? Oh, you don't know, because you don't remember the password?

Maybe it didn't; maybe there's a security flaw somewhere that allows the recovery of gamertags. It still doesn't discount every single phishing scenario out there. C'mon, I reported my account stolen and got it back, and I didn't know the answer to my secret question. I told the attendant that I didn't know. She told me to try to figure it out a couple of times. The question was "what is your preferred food". I tried to guess "pasta" and she said "hmm.. I took you more for a meat kind of guy"... shrugged it off and continued with the process of flagging my account as stolen. She hinted heavily at the answer to the secret question. There's no denying that phishing is a possible solution. I happen to believe that's the most common way to get access to these gamertags.
 
Xbox Live has expanded into many different countries, and with that, its call centers have had to be installed in different locations to reach people across the globe. Of course this is done by outsourcing these local operations to third parties, who hire peons for the least possible wages.
These people have access to account details and can retrieve them en masse by just checking the database. These details usually can be used to answer secret questions on different services, including Xbox Live itself.

Please read, like, oh idk, 2-3 posts above yours. You do not just look in a database and read a password off. End of discussion.
 

tranciful

Member
So it can't be either phishing/social engineering or mystery hack. The latter of which implies XBL has been totally compromised for almost three years but the hackers aren't doing much with it. That doesn't make sense so there must be some fourth exploit no one has figured out yet.
I'm not sure how likely that'd be, but if it was the case, the hackers are certainly doing more with it than they did with PSN.
 

MrPliskin

Banned
This is 100% what happened to me

On 12/31 I woke up with 5 PayPal receipts in my inbox that were all from XBL. I knew immediately what had happened; by the time I got into my XBL account there were 16 purchases for over $700.

I changed all my XBL info (surprised whoever hacked it didn't do that first), called Microsoft, called PayPal, called my local bank since the charges had spilled over onto that account as well. Got it all locked down. My bank didn't even see the charges yet but I told them that they were coming. The bank assured me they would take care of it and not let the charges go through, and PayPal canceled my billing agreement with Microsoft. Lo and behold, the bank let all the charges go through and hit me with 200 bucks of overdraft fees. I am working to get things resolved with my bank but...

A few days later I turned on my Xbox to find it auto logged into my account. It hadn't been shut down by Microsoft at all, even though I got an email confirming it had been temporarily disabled at my request. I checked a few things because I suspected what was happening. I knew since they didn't actually still have my account they must have attempted to funnel the points to another account. Sure enough there were 2 accounts based in Europe that were brand new, never been played on, that were on my friends list that I sure as shit didn't put there. I think the accounts have already been sold, since one was playing Forza last night and one played some XBL game this morning.

I literally laid out for Microsoft exactly what happened both before and after it actually happened, and I am going to have to wait and deal with all this shit with PayPal and my bank and not have my XBL account for up to 6 weeks. May be a blessing in disguise with the semester starting soon, but I was stranded on New Year's Eve in another city with most of my electronic funds completely locked out because of this bullshit.

M$ get your shit together or this will blow up bigger than Sony's situation ever did

tl;dr - acct hacked, points transferred to dummy Euro accounts

We're terrible roommates. I didn't even know you had a GAF account.
 

coopolon

Member
They (or your bank) will reimburse you for any charges on your credit card or MS Points balance.

Why would you care? The woman specifically said to me that I HAD TO cancel my credit card, because that's what's used as the main proof of the account being stolen. The charges are then taken care of and I'm either never charged for it by the CC company or I'm later refunded (which, yes, takes much more time).

What about PayPal? Obviously she should have cancelled the link between PayPal and XBL, but it's not actually very easy to find on the PayPal website (although if you search for "cancel subscription" in PayPal help it does give you a good guide). But people could get seriously screwed if Microsoft keeps taking money out of PayPal even after being told the account is being fraudulently used. Like this lady who is saying she's now going to struggle to feed her kid. Yes, they will get the money back eventually, but being out a few hundred dollars for 6 weeks is a pretty big deal for some people.
 
And if they do... that is horrible security and MS should absolutely be held accountable.

Agreed, but they don't, the same way your waiter doesn't take his pants off in front of you and shit on your plate. I mean yeah, could happen, right? But why are we even talking about it?
 