
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

It had been well over a year since I last logged into that Xbox (the actual console), and I don't think I'd ever logged into Xbox.com before I got hacked. The WLID was used for various Microsoft developer forums once upon a time, but that was many years ago, and under a different password. I also always ran my Xbox wired, not over WiFi.

Interesting, I thought you hadn't used the ID anywhere else but now you're saying you used it on various forums.

And you've also changed your story from never logged into Xbox.com to maybe/you don't think you did.

Not making anything out of it, just find the subtle changes interesting.
 

oddigy

Member
I think the major point here is that for anyone who's been on the Internet for years, it's highly unlikely that they have used a unique username/email/password combination for every single site they'd ever patronized.

We should have an option through a service which stores our payment information and allows payment to be processed without requiring a second factor of authentication (read: xbox live) to tighten security on our accounts if we choose.

Steam has been phenomenal in implementing their Steam Guard. Blizzard has authenticators, Google allows you to turn on two-factor auth, and even Facebook lets you lock that shit down tighter than Fort Knox if you choose, sending cell phone notifications with required code entry if you try to log into the account from an unknown location.

This may be the message we want to get loud about, rather than offering pure speculation as to how our accounts are being compromised in the first place.

If that is not possible, then at the very fucking LEAST they should require that you type in the 3 digit CVV of your card before a purchase can go through, and for PayPal, it should generate some type of checkout link that requires that you re-confirm your PayPal password.
 
Interesting, I thought you hadn't used the ID anywhere else but now you're saying you used on various forums.

And you've also changed your story from never logged into Xbox.com to maybe/you don't think you did.

Not making anything out of it, just find the subtle changes interesting.

It was so long ago that I actually forgot about it. It was like... 2005ish? Anyway, it was a different password. I also don't think I ever said that I never logged into Xbox.com before. But even if I did, maybe tone doesn't carry well over the internet, but when I said "I don't think I'd ever logged into Xbox.com before" it meant "I have about 99.9% certainty that I'd never logged into Xbox.com before". And for all intents and purposes, 99.9% is 100%.
 

coopolon

Member
I'm not turning on victims here, but I'm stunned how many people have a debit card or Paypal account tied to Xbox Live (or any other service for that matter).

Credit cards people. One call to the issuing bank and I get charges disputed in minutes, virtually no questions asked. Believe me, you get better customer service when you're holding their money hostage, and not the other way around.

Still, I don't tie any payment method to my account. Buy codes from a trusted third party, like Amazon.

In my experience Debit Cards have a similar level of protection. When I was a kid someone got my debit card # (parents thought I was too young for a credit card) and signed up for some real nasty porn. Bank refunded me immediately. That was fun trying to convince my parents I wasn't into animals though.

Paypal also offers similar levels of protection I believe with their dispute process.

I agree though that with debit cards/paypal the hijackers are actually stealing your money while with credit cards they are stealing the bank's money, so unless you live life right below your credit limit it will have much less effect on you if you catch it relatively early.


If that is not possible, then at the very fucking LEAST they should require that you type in the 3 digit CVV of your card before a purchase can go through, and for PayPal, it should generate some type of checkout link that requires that you re-confirm your PayPal password.

I really agree with this. I still find it pretty terrible that online stores are allowed to get away without requiring the 3 digit CVV.
 

obonicus

Member
Interesting, I thought you hadn't used the ID anywhere else but now you're saying you used on various forums.

And you've also changed your story from never logged into Xbox.com to maybe/you don't think you did.

Not making anything out of it, just find the subtle changes interesting.

Are you cross-examining him?
 

oddigy

Member
Are you cross-examining him?

In his defense, I find it reasonable and acceptable to not have a perfect answer regarding account details in 2006. This is reality. My password shouldn't matter if there's a failsafe on the account that requires the cell phone I have in my hand to verify a significant charge or change to my account. This is where online account security needs to move in general.
 
If you paid for your current subscription with a credit card, then you can't remove that card from the system until your current sub expires.

Yes, it's absurd.
Oh so it's inherent to the way their system works. XboxSupport twitter dude acted like it was a glitch.

That's fucked up. Luckily I paid for my subscription using Paypal, so I've just removed my debit card from Paypal.
 

obonicus

Member
In his defense, I find it reasonable and acceptable to not have a perfect answer regarding account details in 2006. This is reality. My password shouldn't matter if there's a failsafe on the account that requires the cell phone I have in my hand to verify a significant charge or change to my account. This is where online account security needs to move in general.

I just got a vibe of 'I'm just a simple country hyperchicken, but it seems to me that if you can't remember the details about when you logged into Xbox.com then maybe you can't remember whether you were phished or not.'.
 

drizzle

Axel Hertz
I just got a vibe of 'I'm just a simple country hyperchicken, but it seems to me that if you can't remember the details about when you logged into Xbox.com then maybe you can't remember whether you were phished or not.'.

Which is kind of true, isn't it?

"I did not get phished, I'm a computer security expert! I never used the account anywhere else!"
"What was your password?"
"I don't remember"
"Did you use it anywhere else, like in a developer forum or anything like that, before your account was compromised?"
"I'm not sure"
 
Which is kind of true, isn't it?

"I did not get phished, I'm a computer security expert! I never used the account anywhere else!"
"What was your password?"
"I don't remember"
"Did you use it anywhere else, like in a developer forum or anything like that, before your account was compromised?"
"I'm not sure"

Pretty much, but I didn't want to get into a long back and forth.
 
Here's a theory that should make everyone happy. As usual, this is just one plausible explanation.

1) Your account was cracked at some point in time since you created your XBL account. Could have been 5 years ago, doesn't matter. It doesn't have to be a phishing attack, it could be that a UN/PW database was found from some other compromised website and you used the same password twice. (This is probably the single most common means of getting compromised in existence, btw)
2) Attacker logged in, downloaded your profile, and archived it.
3) Attacker builds up a massive collection of archived profiles but doesn't do anything with them personally.
4) Attacker sells "accounts" to buyers, but what he's really selling is the profile. If you don't have profile protection enabled, then this is as good as gold. You could have changed your password 1000 times since it got hacked, and it wouldn't matter.

Using this scheme, you could be hacked today and only find out about it 3 years from now.

It also explains why it happens in waves. A buyer isn't going to buy the whole database, he'll buy a portion of accounts at a time, whatever he can afford.
 

drizzle

Axel Hertz
Here's a theory that should make everyone happy. As usual, this is just one plausible explanation.

1) Your account was cracked at some point in time since you created your XBL account. Could have been 5 years ago, doesn't matter. It doesn't have to be a phishing attack, it could be that a UN/PW database was found from some other compromised website and you used the same password twice. (This is probably the single most common means of getting compromised in existence, btw)
2) Attacker logged in, downloaded your profile, and archived it.
3) Attacker builds up a massive collection of archived profiles but doesn't do anything with them personally.
4) Attacker sells "accounts" to buyers, but what he's really selling is the profile. If you don't have profile protection enabled, then this is as good as gold. You could have changed your password 1000 times since it got hacked, and it wouldn't matter.

Using this scheme, you could be hacked today and only find out about it 3 years from now.

It also explains why it happens in waves. A buyer isn't going to buy the whole database, he'll buy a portion of accounts at a time, whatever he can afford.

Yes, this is precisely what I said earlier. Some people don't have Credit Cards attached to the account. Do you think that if some "hacker" gets a hold of that account and finds out they can't profit from it, they toss that account away? No way in hell, they keep it forever in a "future source" pile. When/If you attach a credit card to that account, they swoop in and take control, buy points, buy FIFA cards, gift points away... it doesn't matter.

That's why the Xbox 360 Profile Protection section (https://live.xbox.com/en-US/Profile/Protection) introduced with the latest update is good: It allows you to de-authorize consoles where your Gamertag was already recovered to log in with it, unless they re-download the profile to that console (in other words, unless they type in your password).

It's NOWHERE near enough, but it's something at least. Only thing that can 100% protect you from this scenario (as long as your email is not a Hotmail email, which Live Password is the same as the Xbox Gamertag in the first place) is a two-step confirmation/authorization system. Which Microsoft doesn't have. That's the thing we all should be screaming and demanding from them.
 
Yes, this is precisely what I said earlier. Some people don't have Credit Cards attached to the account. Do you think that if some "hacker" gets a hold of that account and finds out they can't profit from it, they toss that account away? No way in hell, they keep it forever in a "future source" pile. When/If you attach a credit card to that account, they swoop in and take control, buy points, buy FIFA cards, gift points away... it doesn't matter.

That's why the Xbox 360 Profile Protection section (https://live.xbox.com/en-US/Profile/Protection) introduced with the latest update is good: It allows you to de-authorize consoles where your Gamertag was already recovered to log in with it, unless they re-download the profile to that account (in other words, unless they type in your password).

It's NOWHERE near enough, but it's something at least.

Now that I think about it, this theory also explains why attacks only started happening recently. Imagine an attacker sitting there harvesting profiles for years waiting for the right opportunity, and then what happens? FIFA comes along and accidentally provides a way to easily monetize points. Boom, now there's actually demand for these profiles. Not to mention the transferring points to family accounts (isn't that also fairly new?)
 
Here's a theory that should make everyone happy. As usual, this is just one plausible explanation.

1) Your account was cracked at some point in time since you created your XBL account. Could have been 5 years ago, doesn't matter. It doesn't have to be a phishing attack, it could be that a UN/PW database was found from some other compromised website and you used the same password twice. (This is probably the single most common means of getting compromised in existence, btw)
2) Attacker logged in, downloaded your profile, and archived it.
3) Attacker builds up a massive collection of archived profiles but doesn't do anything with them personally.
4) Attacker sells "accounts" to buyers, but what he's really selling is the profile. If you don't have profile protection enabled, then this is as good as gold. You could have changed your password 1000 times since it got hacked, and it wouldn't matter.

Using this scheme, you could be hacked today and only find out about it 3 years from now.
That is kind of scary. Think most people have used poor security procedures at some point in the past. I know I have. Guess profile protection is good for something after all.
 
Here's a theory that should make everyone happy. As usual, this is just one plausible explanation.

1) Your account was cracked at some point in time since you created your XBL account. Could have been 5 years ago, doesn't matter. It doesn't have to be a phishing attack, it could be that a UN/PW database was found from some other compromised website and you used the same password twice. (This is probably the single most common means of getting compromised in existence, btw)
2) Attacker logged in, downloaded your profile, and archived it.
3) Attacker builds up a massive collection of archived profiles but doesn't do anything with them personally.
4) Attacker sells "accounts" to buyers, but what he's really selling is the profile. If you don't have profile protection enabled, then this is as good as gold. You could have changed your password 1000 times since it got hacked, and it wouldn't matter.

Using this scheme, you could be hacked today and only find out about it 3 years from now.

It also explains why it happens in waves. A buyer isn't going to buy the whole database, he'll buy a portion of accounts at a time, whatever he can afford.

That is actually pretty plausible and one of the theories that makes the most sense. Good call.

Now that I think about it, this theory also explains why attacks only started happening recently. Imagine an attacker sitting there harvesting profiles for years waiting for the right opportunity, and then what happens? FIFA comes along and accidentally provides a way to easily monetize points. Boom, now there's actually demand for these profiles. Not to mention the transferring points to family accounts (isn't that also fairly new?)

I believe it is, but those gold packs in FIFA were available in '11. (I think)
 
That is kind of scary. Think most people have used poor security procedures at some point in the past. I know I have. Guess profile protection is good for something after all.

Exactly. The scary thing about this is that if you have EVER, EVER, EVER used a password on XBL that you used on any other site ever, regardless of what your password is now, you are at risk. This is such an embarrassing oversight on Microsoft's part if this turns out to be what's happening, and honestly the more I think about it the more I think it is the most likely scenario I've heard to date. From 2-state authentication, to Steam Guard style authentication, there are at least 3 different ways in this and the other thread that they could be using to mitigate this.

AND to top it all off, it would be difficult/impossible for Microsoft to prove that this is what's happening, because the actual compromise of the account could have happened at any point in time. They probably don't even have logs going back that far.
 
Exactly. The scary thing about this is that if you have EVER, EVER, EVER used a password on XBL that you used on any other site ever, regardless of what your password is now, you are at risk. This is such an embarrassing oversight on Microsoft's part if this turns out to be what's happening, and honestly the more I think about it the more I think it is the most likely scenario I've heard to date. From 2-state authentication, to Steam Guard style authentication, there are at least 3 different ways in this and the other thread that they could be using to mitigate this.

AND to top it all off, it would be difficult/impossible for Microsoft to prove that this is what's happening, because the actual compromise of the account could have happened at any point in time. They probably don't even have logs going back that far.

How is this embarrassing for MS? They can't do anything about other sites' security. If your details were obtained from another site, what can they realistically do?

The way MS have handled it is very embarrassing and for that they need to be held to account, but I'm not seeing how MS could be held accountable if the above is the cause of the 'hacks'.
 

drizzle

Axel Hertz
How is this embarrassing for MS? They can't do anything about other sites' security. If your details were obtained from another site, what can they realistically do?

The way MS have handled it is very embarrassing and for that they need to be held to account, but I'm not seeing how MS could be held accountable if the above is the cause of the 'hacks'.

By not having a two tiered gamertag retrieval/account registration system in place, a system that would have prevented this entire scenario from happening this widespread in the first place.
 
But not having a two tiered gamertag retrieval/account registration system in place.

Many still don't. It's not so much embarrassing, it's more a lack of pre-emptiveness on their part, which is pretty odd considering their history and having to deal with all manner of 'hacking' attempts throughout the years.
 
How is this embarrassing for MS? They can't do anything about other sites' security. If your details were obtained from another site, what can they realistically do?

The way MS have handled it is very embarrassing and for that they need to be held to account, but I'm not seeing how MS could be held accountable if the above is the cause of the 'hacks'.

1) Because they don't implement even the simplest security features that other people have been doing for years which would make this entire attack useless
2) because they denied there was a problem and tried to absolve themselves of all responsibility
 
1) Because they don't implement even the simplest security features that other people have been doing for years which would make this entire attack useless
2) because they denied there was a problem and tried to absolve themselves of all responsibility

1) Many still don't have that 'basic' security measure in place.

2) They can still deny there's a problem on their end, because there isn't. Unless you have some new information that you'd like to share?

What you have is a possible explanation, nothing substantial to back it up so dial down the accusations until there's proof.
 

cgcg

Member
lol he was so fast and happy to agree with you when you proposed a theory that clears MS but the minute you say anything not in favor of MS he turns hostile.
 
But what's new is the fact that one person was hacked twice, with hundreds of dollars taken from her paypal account.

http://hackedonxbox.tumblr.com/post/15365217063/microsoft-a-company-with-no-brains-heart-or-soul

It's an interesting, horrible story, but here's the fascinating part: she was able to chat with the person who hacked her account. And he revealed that he bought the account on TradeTang.

Wow. That's fucking horrible.

I would be WAY more pissed than she was if I logged into my account and all these $50, $80 transactions were happening.
 

Codeblue

Member
1) Many still don't have that 'basic' security measure in place.

2) They can still deny there's a problem on their end, because there isn't. Unless you have some new information that you'd like to share?

What you have is a possible explanation, nothing substantial to back it up so dial down the accusations until there's proof.
I think when you lock an account and people can still use it, that's a problem.
 
Profile protection did seem like a pretty useless feature before this theory. Now to a suspicious degree. This is totally the way I could see a company handling an embarrassing security flaw like that. This is quite interesting.

Only thing that can 100% protect you from this scenario (as long as your email is not a Hotmail email, which Live Password is the same as the Xbox Gamertag in the first place) is a two-step confirmation/authorization system. Which Microsoft doesn't have. That's the thing we all should be screaming and demanding from them.
https://account.live.com/Proofs/Manage

You can change your Live ID, or alternatively register an alternative email which password resets and verification links can be sent to.
You can add your phone number which they can send verification codes to.
And you can add a trusted computer, although that doesn't seem to be working as it should for me. As I understand it you're supposed to be able to just do whatever on that computer without having to actively verify anything, Microsoft Security Essentials doing that for you.

All of this stuff is in place, they're just not using it for what they should be using it for. And that fact is blowing my mind.
Many still don't. It's not so much embarrassing, it's more a lack of pre-emptiveness on their part, which is pretty odd considering their history and having to deal with all manner of 'hacking' attempts throughout the years.
Straddling a fine line between negligence and lack of pre-emptiveness.
 

webrunner

Member
So, I wanted to check my stuff on this and set up new security stuff on my xbox account.


I got to the live account page and discovered an Email address I haven't used in years is the one it's associated with

So.. time to update it, except:

- You can't remove your alternate email address without sending an email to that address. So if a hacker gets an email stuck there you're f'ed
- You can't ADD an alternate email address without sending an email to the existing address.

So I can't change my email at all. How quaint.
 
So, I wanted to check my stuff on this and set up new security stuff on my xbox account.


I got to the live account page and discovered an Email address I haven't used in years is the one it's associated with

So.. time to update it, except:

- You can't remove your alternate email address without sending an email to that address. So if a hacker gets an email stuck there you're f'ed
- You can't ADD an alternate email address without sending an email to the existing address.

So I can't change my email at all. How quaint.

Or you could call MS customer service and ask them to change your email address.
 
1) Many still don't have that 'basic' security measure in place.

2) They can still deny there's a problem on their end, because there isn't. Unless you have some new information that you'd like to share?

What you have is a possible explanation, nothing substantial to back it up so dial down the accusations until there's proof.

Their "problem" is that "turn profile protection on" is actually "turn goddamn stupid as fuck mode off"
 

Definity

Member
[snip]

4) Attacker sells "accounts" to buyers, but what he's really selling is the profile. If you don't have profile protection enabled, then this is as good as gold. You could have changed your password 1000 times since it got hacked, and it wouldn't matter.

Help me understand number 4 here because I'm curious. How could you change the password and still have the account work?

I know I'm totally missing something here but I like your theory but just can't grasp how if the password changes the attacker will still have access to the "account".
 
Help me understand number 4 here because I'm curious. How could you change the password and still have the account work?

I know I'm totally missing something here but I like your theory but just can't grasp how if the password changes the attacker will still have access to the "account".

That's only possible if you're too lazy to go onto Xbox.com and use profile protection.
 

drizzle

Axel Hertz
Help me understand number 4 here because I'm curious. How could you change the password and still have the account work?

I know I'm totally missing something here but I like your theory but just can't grasp how if the password changes the attacker will still have access to the "account".

Let's say your password is "123dummy". Let's say you go to your friend's house (or you have two Xboxes in your household). To use your gamertag on this other Xbox, if you didn't bring it on a Memory Card or USB stick, you need to download your profile. When you try to attach a new console to a gamertag, you're required to type in your password. In this case, "123dummy".

Now, we have two consoles that have access to your gamertag. Both consoles have the profile downloaded on their hard disks and both can access it.

Let's say you left your friend's house and forgot to delete your profile from this system. Your profile is active on his machine. He can use it freely. You go and change your Live Profile password. All is fine and dandy? Not really. Your gamertag is already active on your friend's Xbox. Your password won't ever be required again. That particular machine is still able to use your Gamertag, even though you changed the account password.

Now, with the newest update, you can mandate that your gamertag requires a password THE NEXT TIME it tries to log on in a machine. However, it's only the FIRST TIME, again. After you put in your password, the machine in which you logged will be able to use that gamertag without any password. Again.

This option was only presented recently, while this problem has been going on since 2010.
 

Curufinwe

Member
I just went and enabled Profile Protection and is it strange that I have all these consoles listed under Profile Protection when I've only ever used one Xbox 360?

Visited Consoles Last Visited
Most Recent Console 1/6/2012
Previous Console 12/31/2011
Previous Console 7/26/2011
Previous Console 7/23/2011
Previous Console 1/25/2011
 

Princess Skittles

Prince's's 'Skittle's
Is it strange that I have all these consoles listed under Profile Protection when I've only ever used one Xbox 360?

Visited Consoles Last Visited
Most Recent Console 1/6/2012
Previous Console 12/31/2011
Previous Console 7/26/2011
Previous Console 7/23/2011
Previous Console 1/25/2011
Um, yeah. Probably. o_o;;;
 
I just went and enabled Profile Protection and is it strange that I have all these consoles listed under Profile Protection when I've only ever used one Xbox 360?

Visited Consoles Last Visited
Most Recent Console 1/6/2012
Previous Console 12/31/2011
Previous Console 7/26/2011
Previous Console 7/23/2011
Previous Console 1/25/2011



You're already hacked.
 