
Windows Live login suggested as Xbox Live security flaw

iNvid02



Since reporting on the "FIFA hack" and related security concerns with Xbox Live and the Windows Live ID system, we've received stories, documentation and theories on how this is happening from dozens of victims. As we continue to follow up on several leads, Analoghype posits an interesting theory on how some of these breaches may be occurring.

AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. Going to Xbox.com, the hacker can now test if the email is a valid ID by attempting to sign in. An error message of "account is invalid" has them moving on to another email; "password is incorrect" means they've got a real account, but a bad password.

Now, according to the theory, the hackers start batch running potential passwords: "Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for "try with another Live ID." Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker."

Of course, once they are in, the hacker has access to all your account details and associated credit cards, PayPal and Microsoft Points.

Microsoft told us recently that the Windows Live ID has not been compromised and the FIFA hack, along with other similar incidents, are cases of social engineering or phishing. We continue to recommend changing -- and not publicly posting -- account details.

article
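The article above describes two server-side weaknesses: distinct "account is invalid" / "password is incorrect" messages that let an attacker enumerate valid Live IDs, and a failure counter that is tied to the CAPTCHA rather than to the account, so it can be reset. The following is an added illustration (not Microsoft's code, nor the article's) of the defensive side: a login handler that returns one generic message for both failure cases, keeps its lockout counter on the account so no UI action resets it, and aggregates failures per source address so repeated attempts are visible without relying on a CAPTCHA at all. The user store, addresses and threshold are constructed for the demo.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed demo store: email -> password. Plain text only for the demo;
# a real system would hold salted password hashes.
USERS = {"alice@example.com": "correct horse battery staple"}

MAX_FAILURES = 8  # per-account limit, the same number the article quotes
GENERIC_ERROR = "The email address or password is incorrect."


@dataclass
class LoginGuard:
    # Failure counters keyed on the account and on the source address, so
    # neither can be reset by the client switching to "another Live ID".
    failures: dict = field(default_factory=lambda: defaultdict(int))
    ip_failures: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def login(self, email: str, password: str, source_ip: str):
        """Return (success, message). The message never reveals whether the
        account exists, which removes the enumeration oracle from the article."""
        if self.failures[email] >= MAX_FAILURES:
            # Locked: even the correct password is refused until the lock is
            # cleared out of band (e.g. by the account owner via email).
            self.ip_failures[source_ip] += 1
            self.alerts.append(f"lockout {email} from {source_ip}")
            return False, GENERIC_ERROR
        stored = USERS.get(email)
        # Constant-time comparison; unknown account and wrong password take the
        # same path and produce the same response.
        ok = stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())
        if not ok:
            self.failures[email] += 1
            self.ip_failures[source_ip] += 1
            return False, GENERIC_ERROR
        self.failures[email] = 0  # successful login clears the account counter
        return True, "ok"

    def suspicious_sources(self, threshold: int) -> set:
        """Addresses whose failure count reached the threshold: the detection
        signal the server has independently of any CAPTCHA."""
        return {ip for ip, n in self.ip_failures.items() if n >= threshold}
```

Note that a per-account lock on its own can be abused to lock legitimate users out, which is why the per-source counter and alerting exist alongside it rather than instead of it.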

I hate Live ID. I have one with a Gmail address (fuck the POS that is Hotmail) and it's so backwards: you can only update the email linked to your account once every 9 months. If you make a mistake you're fucked.
 
Microsoft is well aware of this. That's why lots of MSN accounts were locked (like mine) due to 'bad behavior' and had to reset the password.
 
Hopefully, at the very least, they at least fix the "account is invalid" and "password is incorrect" messages. It doesn't take a genius web developer to tell you why displaying those two different messages is bad practice.
 
There are some silly security measures in there such as telling someone when they've found a valid username, and not having a limit on log on attempts, but those aren't exactly flaws, more like bad practices.
 
Well, it's not phishing. I never click on any of that shit.

And it's not social engineering (at least from my side). Either way it's the fault of MS.
 
This has already been discussed in the latest hacking thread, and the consensus is it's very unlikely this is how the accounts are breached.

For this reason:
Isn't this particular mode of attack only a problem if the user has a shitty password?
 
I'm not sure how this is new news. I thought it was common knowledge that Xbox Live was linked with Windows Live.
 
I'm not sure how this is new news. I thought it was common knowledge that Xbox Live was linked with Windows Live.

The link isn't news, it's the fact that you can reset the captcha input from something as simple as a webpage to bruteforce your way in.
 
Well, it's not phishing. I never click on any of that shit.

And it's not social engineering (at least from my side). Either way it's the fault of MS.

Likewise, my account has been Fifa'd and I can definitely say it was no form of phishing or social engineering, and I don't have a shitty password!
 
The annoying thing is how easy it would be to fix the problem permanently.

Require credit card information to be resubmitted when a new console serial number requests a point increase.

or (even better,)

Two step verification when a Live profile is loaded onto a new console (or when a new email address is added), like Steam or Gmail



But it doesn't happen, presumably because Microsoft is keen on keeping the SPEND YOUR MONEY step as simple as possible.
 
Too bad changing LIVE ID is nearly impossible at the moment without calling the awful Msft support.

A monster-password unique to the live ID should be enough.
 
So people with easy passwords get hacked the most, if not all.
 
So people with easy passwords get hacked the most, if not all.
People with unique, long, complex passwords have had their accounts stolen. I wouldn't be surprised if some accounts were compromised with a brute force attack but there's no way it's happening that way for everyone.
 
People with unique, long, complex passwords have had their accounts stolen. I wouldn't be surprised if some accounts weren't compromised with a brute force attack but there's no way it's happening that way for everyone.

I bet a small number of these hackers are using the Gawker Media hack as a database for Xbox Live passwords.

100% sure? also, is it possible that the password was stolen from some other website that had its database compromised?

I'm sure this is the case.
 
Has to be both a shitty password, and in this case, a shitty server that doesn't notice brute-forcing attempts. Incredibly unlikely.

That's what the Captcha is supposed to be there for.

And that's why it's happening: Microsoft's captcha doesn't work and can be automated around.
 
I'd like to see some examples of what these "long, complex passwords" look like. Sometimes a password isn't as complex as people think it is.
If I'm ever hit, I'll be a good example:

I have a unique ~20 character password for every site I use. Uppercase, lowercase, symbols and numbers. And I don't have any of them memorized since I use KeePass. Not only that, KeePass has special protection against keyloggers even if they're already installed.

Other people have claimed that they use similar security measures. It's impossible to prove, of course, but this is too widespread to just be a brute force attack. Especially since there isn't a corresponding rise in PSN attacks.
 
Listen, you guys seriously underestimate how hard it is to brute force a password.

The captcha code means nothing. I'm telling you this from experience. If someone is smart enough to code a program to brute force a program they most likely know SOCKS connections and how to implement proxy connections. Also, here is some knowledge:

http://www.lockdown.co.uk/?pg=combi

It's not as easy as you guys think it is.
 
That's what the Captcha is supposed to be there for.

And that's why it's happening: Microsoft's captcha doesn't work and can be automated around.

There are other ways to detect brute force attempts. Captcha isn't there to help them detect brute force attempts, but to discourage them in the first place.

The captcha being sidestepped does not mean that Microsoft cannot detect a brute force attempt on a username.
 
Well, it's not phishing. I never click on any of that shit.

And it's not social engineering (at least from my side). Either way it's the fault of MS.
I'm sure it wasn't phishing for these breaches.

And social engineering seems unlikely for something that's become so widespread.

That's what the Captcha is supposed to be there for.

And that's why it's happening: Microsoft's captcha doesn't work and can be automated around.

Exactly.



Holy shit, this is probably it.
 
If I'm ever hit, I'll be a good example:

I have a unique ~20 character password for every site I use. Uppercase, lowercase, symbols and numbers. And I don't have any of them memorized since I use KeePass. Not only that, KeePass has special protection against keyloggers even if they're already installed.

Other people have claimed that they use similar security measures. It's impossible to prove, of course, but this is too widespread to just be a brute force attack. Especially since there isn't a corresponding rise in PSN attacks.
One KeePass user in a different thread was hacked. http://www.neogaf.com/forum/showpost.php?p=34045454&postcount=261

There are other ways to detect brute force attempts. Captcha isn't there to help them detect brute force attempts, but to discourage them in the first place.

The captcha being sidestepped does not mean that Microsoft cannot detect a brute force attempt on a username.
That, or at the very least, the server should notice if there are a few million login attempts per second without relying entirely on the captcha. I'd think the number of hits needed to brute force passwords would set off DDoS protections, if nothing else.
 
I don't think I've ever used Windows Live. Does that activate automatically if you have any kind of Live account?
 
Luckily whenever someone googles my Gamertag they get Pink Floyd songs. If they google "Heyy Youu xbox" they get convos asking people what's their gamertags.

Also I never use my WLID email address or give it out and my password is pretty complex.
 
Last time I checked, you are able to move an account around on a USB stick without messing around with passwords. So if they can spoof account credentials they don't even need the password.
 
Now (with Metro?) you need to enter the password if you want to connect to Xbox Live.

Plus, adding a controller password helps.
 
Sure that's a security hole that they should fix, but the method described in that article is way too time consuming for it to be the reason for all the stolen accounts.
 
Sure that's a security hole that they should fix, but the method described in that article is way too time consuming for it to be the reason for all the stolen accounts.

Yep.

I doubt any accounts have been compromised using the method detailed in the OP; it makes more sense for those who get the emails to call CS and attempt to find out the rest of the details for the account.

As a little test, here's my old GT - RestiveJoker. I'll give whoever finds the email associated with this GT 1600msp. To claim the points you'll need to show how you find the email address.
 
Now (with Metro?) you need to enter the password if you want to connect to Xbox Live.

Plus, adding a controller password helps.

The controller password will only help if someone steals your 360. The pass code is reset when you recover the gamertag on another console.
 
Now (with Metro?) you need to enter the password if you want to connect to Xbox Live.

Plus, adding a controller password helps.
I'm unclear on whether this is only applied locally or not, i.e. if it's solely for situations where you don't want someone in your house accessing your account. If it's not, I'll certainly bother turning that on.
The controller password will only help if someone steals your 360. The pass code is reset when you recover the gamertag on another console.
Oh ok so I'll continue not bothering then.

I don't know why Microsoft insists on implementing all these half-assed security measures that are not two-step verification.
 
Nah, I also don't think this is it. Sure, this system is flawed, but it doesn't seem so bad and brute forcing it this way probably takes very long.
 
Isn't this particular mode of attack only a problem if the user has a shitty password?

Most people do have shitty passwords, though. Passwords like "12345", "qwerty", "zaq12wsx" or something that's easily discoverable on social sites (birth date, kids names etc) are very common. You have no idea how many people simply don't care about proper passwords.

Struct09 said:
Hopefully, at the very least, they at least fix the "account is invalid" and "password is incorrect" messages. It doesn't take a genius web developer to tell you why displaying those two different messages is bad practice.

This isn't that simple in a big corporation. For security reasons, yeah, keeping those two different messages is terrible and it's obvious to most people. But the user usually wants to know why he is unable to log in; he wants those two messages. So now try to explain to the higher-ups why you think the UX guy is wrong.
 