Xbox Live security concerns continue to grow
Our investigation into the Xbox Live hacks continues. Today, we look at the Windows Live ID and ask Microsoft whether or not it has been compromised.
Multiple charges appeared on my own account, following a FIFA 12-related hack.
Xav de Matos posted a new article, Xbox Live security concerns continue to grow.
So, just wondering aloud...Could this "rash" of XBox Live issues be related to the PSN problem? Think about it, how many of those PSN users used the exact same ID/email/password on XBox Live? This potentially could just be some bad guys going through that massive list of PSN stuff and trying to login to XBox Live.
My Live account was hacked back in August. I did not have a PSN account at the time of that hack. I know for a fact my information was not in the gawker hack. My compromise predates the Valve hack. If hackers are really using login credentials from third party hacks it's likely that they are compiling information from many sources, not necessarily ones that were well reported.
A fair number of them have that problem, I'm sure. However, some of the problems appear to be related to bizarre Microsoft policies and practices.
Account Thief: "Hi, I want to move my XBox Live region to Russia!"
Live Support: "Sure, no problem....aaaaand, done!"
The next day
Real Account Owner: "WTF, my account was hijacked and you let them move it to Russia? Move it back!"
Live Support: "Sorry, we're going to need a form submitted in triplicate, copies of three forms of ID, a blood sample, a semen sample, and proof that you possess an immortal soul. Also, it will take three to seven months."
I was told Friday that they had to let the charges to my card go through. They were still pending and could have been killed on their end. Yet, to add a new email address to my stupid Live ID that isn't used for anything Xbox Live, I was never contacted on the original email account. They're doing some dumb stuff.
While this is concerning, the thing that gets me with all of these stories on the various gaming blogs is there's always an implied security breach that might be happening, but nobody can truly point to evidence of how it's going down.
On another gaming site I frequent, several people have been affected in the forum, however, about half of them have found trojans or other malware on systems they've used to access Live or their MSN/Hotmail accounts.
Add in the fact that way too many people use the same passwords over and over again on sites, and you wonder if at least another part of the problem is bleed over from the PSN and other database hacks of 2011.
I just think this is a lot of anecdotal stuff that at this point has no cohesive evidence that's been dug up that this is some kind of vulnerability in MS's systems that is being exploited.
I think the shameful thing here is the horribly slow recovery process that at least some users are having getting control of their IDs back. I know these things can be complicated, but MS needs to either develop better resolution tools, up staff to handle the volumes, or somehow improve the process.
I'm almost sure there is a security flaw in the account recovery process. The theory I like best is that Live is relying on the Xbox console to validate that the user is legit without needing to transfer the password to Live. I believe this hole was introduced once you could transfer your ID to any USB key. All they really need is your Live ID. Initially I thought modded 360s were being used, but now I think it is an emulator program that fools Microsoft's servers into thinking it's a 360 console with a "confirmed" user who is legit, allowing them to take control.
This is quite the situation and I don't personally think it's given enough attention from big news sources. There is a new thread every few hours on the xbox.com forums with people's accounts suffering the same fate. One user says he uses different passwords for everything, 12 characters long with symbols and caps and numbers....like fuck someone is going to socially engineer that.
What normally happens with the social engineering is they call support to get a little piece of personal information by impersonating the person owning the account. They hang up, rinse, repeat. Eventually they get enough information to do the password reset question, which is vastly weaker than the password most of the time.
I wish that "security questions" on accounts didn't exist; they only really serve to take the majority of password reset burden off of a support department, but are a gaping security hole. The most secure way to deal with it is to fill it in with another password, or with garbage random data that is forgotten, and just forgo the "security question" step (though some services may not like that).
Because I can't seem to get anywhere using xbox.com, I will try to shed a little light on my situation in case yours is comparable. I have been with the Xbox Live service since beta. My tag was RANGER. My Windows Live ID (WILD) was hacked around the beginning of December, around the same time I started to use the new iPhone app Microsoft published. My tag was stolen and luckily my Visa card had yet to have any purchases, as I notified them within 24 hours. I have received an email from the Microsoft investigation team, and I was unable to grab my tag back. I called 1-800-Microsoft, help me; I was pushed back up the chain and am waiting. I have never played or used FIFA and I wasn't attacked by a phishing scam. The individual got into my account for the tag, which is why I feel I was targeted. I think there is a hole in Microsoft security.
I finally was refunded my points just two days ago now. My initial call to Xbox Support was made on September 18th.
A follow up was made about October 15th and I was informed I would be receiving an email "any day now." Nothing, nothing, nothing.
I made a follow-up on December 15th in which they informed me they already emailed me. I did not receive said email on the date they mentioned, not even in my Spam folders after a lengthy search.
As such, they had to make a NEW claim and it would take another period of ~25 days to sort out. Afterwards, I had been given a free month of Xbox Live from their rewards program.
I redeemed it and used it for a few days while I waited for their email about my points being refunded after the hijacking from back in August.
They suspended my account. I couldn't log into it and that free month of Gold was killed off.
Finally, two days ago I received the email. Went through the steps. My points were refunded and they gave me one month of Gold for free.
So, about 3-3.5 months of waiting to finally get it all resolved, points refunded, etc. I also lost all progress in Halo CEA I made during the past couple of weeks and my achievements aren't recording properly in it but... whatever. I just feel so defeated after this whole ordeal.
Great articles so far Xav. I'm glad that this issue is coming to light, but I think it is really sad that a gaming journalist had to have their account hacked before people really started to throw hard questions at Microsoft, Windows ID, and EA.
I work for a large internet company, and have done account security work for them in the past, and of course the standard answer when someone asks about why an account was compromised is social engineering, phishing, or malware. But based on some of the fires that I have heard about and helped put out in my experiences at work, I can guarantee that there is more going on that the big guys won't talk about, even to you Xav.
The biggest frustration to me is how quickly we can detect and proactively stop damage to a compromised account, and how quickly any changes can be reversed. We also have a much better and faster reactive process when something does slip through and a customer brings it to our attention. When my XBL account was hacked, I was floored when I was told it would take 28 days to have everything fixed. I was expecting to hear 28 minutes at the most!
Every Xbox has its own unique ID number, so it should be very easy for MS to notice that a different Xbox is using my account, which has only ever been on 2 different consoles, and has only ever been used in one state. The tools are there for MS to make this a better process for everyone, but they don't seem to be using them very well. Hacking is going to happen, that is inevitable, even if more authentication is added or anything else to try to prevent it. What needs to be improved is how quickly it can be detected, and how quickly it can be fixed.
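The commenter above argues that a per-console hardware ID plus a stable usage region is enough signal to catch a hijack early and to hold the actions a thief actually wants (region move, contact-email change, points purchase) until the owner confirms. The block below is an added example written for this thread, not code from Microsoft, Xbox Live or the commenter: a minimal risk check over constructed sign-in events. Field names (`console_id`, `region`, `action`, `verified`), the decision labels and the sample console IDs are all assumptions made for the illustration.

```python
"""Added example: console-aware risk scoring for account sign-ins.

Not Xbox Live code. Event fields, decision names and sample IDs are
constructed for this illustration.
"""
from dataclasses import dataclass, field

# Actions an account thief typically wants to perform first. These names
# are constructed for the example; a real service would map its own actions.
SENSITIVE_ACTIONS = {"change_region", "change_email", "purchase_points"}


@dataclass
class AccountProfile:
    """What the service already knows about an account's normal context."""
    gamertag: str
    known_consoles: set = field(default_factory=set)   # hardware IDs seen before
    known_regions: set = field(default_factory=set)    # regions seen before


def assess_event(profile: AccountProfile, event: dict):
    """Score one sign-in or account action against the account's history.

    Returns (decision, reasons), where decision is one of:
      allow                       nothing unusual about this context
      step_up_auth                unknown console or region: ask for a second factor
      block_pending_verification  sensitive change attempted from an unverified new context
    If the event carries verified=True (the owner passed the step-up challenge),
    the new console and region are learned so the owner's own new hardware is
    not flagged forever.
    """
    reasons = []
    if event["console_id"] not in profile.known_consoles:
        reasons.append("unknown console")
    if event["region"] not in profile.known_regions:
        reasons.append("new region")

    if not reasons:
        return "allow", reasons

    if event.get("verified"):
        # Owner proved possession of the second factor: learn the new context.
        profile.known_consoles.add(event["console_id"])
        profile.known_regions.add(event["region"])
        return "allow", reasons + ["verified by step-up"]

    if event.get("action", "sign_in") in SENSITIVE_ACTIONS:
        # Hold the change so there is nothing to reverse 28 days later.
        return "block_pending_verification", reasons
    return "step_up_auth", reasons


def run_events(profile: AccountProfile, events: list) -> list:
    """Apply assess_event in order; returns the list of decisions."""
    return [assess_event(profile, e)[0] for e in events]


def make_sample_profile() -> AccountProfile:
    """Constructed account: two known consoles, one known region."""
    return AccountProfile(
        gamertag="EXAMPLE-TAG",
        known_consoles={"CONSTRUCTED-CONSOLE-A", "CONSTRUCTED-CONSOLE-B"},
        known_regions={"US-CA"},
    )


# Constructed event stream: the owner's normal use, then an unknown console in a
# new region trying to move the account, then the owner passing step-up on a
# genuinely new console.
SAMPLE_EVENTS = [
    {"console_id": "CONSTRUCTED-CONSOLE-A", "region": "US-CA", "action": "sign_in"},
    {"console_id": "CONSTRUCTED-CONSOLE-Z", "region": "RU", "action": "sign_in"},
    {"console_id": "CONSTRUCTED-CONSOLE-Z", "region": "RU", "action": "change_region"},
    {"console_id": "CONSTRUCTED-CONSOLE-A", "region": "US-CA", "action": "purchase_points"},
    {"console_id": "CONSTRUCTED-CONSOLE-Z", "region": "RU", "action": "sign_in", "verified": True},
    {"console_id": "CONSTRUCTED-CONSOLE-Z", "region": "RU", "action": "change_region"},
]


if __name__ == "__main__":
    profile = make_sample_profile()
    for event in SAMPLE_EVENTS:
        decision, reasons = assess_event(profile, event)
        print(f"{event['action']:16} {event['console_id']:22} {event['region']:6} -> {decision} {reasons}")
```

The design choice worth noting is that an unknown console alone only triggers a step-up challenge, while an unknown console combined with a sensitive action is held outright; that is what turns a 28-day reversal into a request the owner simply declines.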
I got a $100 unrecognised charge on one of the credit cards linked to my Xbox account.
I haven't used this account for many months now. From where did this happen?
I did notify my bank of the disputed transaction and reported the transaction on
http://www.vcharges.com/msft-xbox-live-7c
Let's see how things turn out.