[Shifty Geezer]

Quote:

Originally Posted by Prophecy2k

So it's possible there's a security hole on MS' end then?

It's curious to me as if it were on EA's end then we should be hearing of similar things coming from the PS3 version of FIFA wouldn't we?

Not if it's to do with how EA interface with Live or something. We haven't any particulars. We don't know if Live! accounts have always been hackable due to a vulnerability but no-one bothered until now, or if it's only EA's vulnerability hence the appearance only on an EA title.

Regards the selling on of DLC, wouldn't that need the content bought on other people's accounts to be transfered to a 3rd party for them to sell on? Without that, it's useless. What's the point in making 5 Live gamers buys FIFA content on their accounts if the hacker can't take that content and sell it on? So either there's a paper trail, or that premise of premium content having worth doesn't hold up.

[Brad Grenz]

Quote:

Originally Posted by Shifty Geezer

Regards the selling on of DLC, wouldn't that need the content bought on other people's accounts to be transfered to a 3rd party for them to sell on? Without that, it's useless. What's the point in making 5 Live gamers buys FIFA content on their accounts if the hacker can't take that content and sell it on? So either there's a paper trail, or that premise of premium content having worth doesn't hold up.

But the content they are buying is intended to be tradeable. They probably change hands a bunch of times (in various hacked and/or "burner" accounts) and since the payment occurs via a third party there is plausible deniability by the time it's to the buyer: "How was I to know they were stolen? I just bumped in to that guy in a match or on a forum and he offered to send the cards my way!"

[Shifty Geezer]

There should be a paper trail though. It'd have to pass through the ahckers account/accounts. Out of...10,000 hacks, say, all 10,000 would have had to have passed through the same user account(s), and unless that person has 10,000 unique accounts, costing way more than the content is worth, they'll appear in each transfer chain. So find the common accounts present in every hacking case where content is transfered and you find the culprit. Assuming transfers are fully catalogued!

[AlphaWolf]

Right. If someone is funneling money somewhere then it shouldn't be hard to catch them.

[patsu]

In the first place, do we know the total damage $$$ so far ? EA says it's the same rate as FIFA 11. MS says there's no problem.

[dobwal]

Quote:

Originally Posted by Shifty Geezer

There should be a paper trail though. It'd have to pass through the ahckers account/accounts. Out of...10,000 hacks, say, all 10,000 would have had to have passed through the same user account(s), and unless that person has 10,000 unique accounts, costing way more than the content is worth, they'll appear in each transfer chain. So find the common accounts present in every hacking case where content is transfered and you find the culprit. Assuming transfers are fully catalogued!

I don't think thats true. I don't think you actually need to have your own account to pull this off. If you have access to hacked accounts, all the in game transactions can be handled by those accounts.

[Shifty Geezer]

Quote:

Originally Posted by dobwal

I don't think thats true. I don't think you actually need to have your own account to pull this off. If you have access to hacked accounts, all the in game transactions can be handled by those accounts.

How do you get hold of your money if all the transactions are in other people's name?*If* someone is profiting from this, there'll be a trail back to them where they are collecting their ill-gotten gains.

[patsu]

There are probably creative ways. e.g., If they hacked EA or/and XBL, they can continue to hack other stuff like people's bank accounts and stole their identities. But what's the damage so far ? We only hear complains here and there but no overall picture yet ?

[AzBat]

Quote:

Originally Posted by joker454

Ugh, all the more reason why allowing EA to party their own way on XBLive was a mistake. Yeah Microsoft had no choice way back when, EA muscled their way onto Live by demanding that concession and Microsoft had no leverage then to say no. But now they are paying for that decision. Hopefully they don't allow this EA garbage on their Win8 app store.

+1

Tommy McClain

[Shifty Geezer]

Quote:

Originally Posted by patsu

There are probably creative ways. e.g., If they hacked EA or/and XBL, they can continue to hack other stuff like people's bank accounts and stole their identities. But what's the damage so far ?

People have had their account breached and FIFA stuff bought on their accounts. Only FIFA stuff. If the objective is to gain access to people's bank accounts, credt cards, or steal identities, why are the crims buying FIFA stuff and making their presence known?

[Brad Grenz]

Quote:

Originally Posted by Shifty Geezer

How do you get hold of your money if all the transactions are in other people's name?*If* someone is profiting from this, there'll be a trail back to them where they are collecting their ill-gotten gains.

The money is changing hands outside of the Live system via third party services. There is no way for MS to track it if it's happening via ebay, paypal or craigslist. The hackers use an account with no real life connection to them to trade the virtual goods to the buyer, but the buyer could have literally handed them cash after responding to an ad on craigslist and meeting in real life, or sent the hacker bitcoins, or bought via paypal in a transaction MS has no knowledge of.

[Shifty Geezer]

So the trade in gaming goods not via EA then? I misunderstood, thinking it was an in-game feature. If it's content being sold for cash outside of the system then you're right. That could mean the weak link is either EA or MS - prior to this there'd be no point to hacking Live! as there'd be no way to convert purchased items to cash.

The lack of either party to actually address this, maybe putting a stop on trading content until this is worked out, is a bit disconcerting then.

[dobwal]

Quote:

Originally Posted by Shifty Geezer

How do you get hold of your money if all the transactions are in other people's name?*If* someone is profiting from this, there'll be a trail back to them where they are collecting their ill-gotten gains.

Use a third party payment system. It then becomes a question on how well a hacker can cover their tracks using an outside system. It also forces EA to go through legal means to uncover the identity linked to the third party user account.

[mrcorbo]

So, once the criminal has access to the account they have from the moment that they purchase the content until the victim becomes aware that their account is compromised and contacts MS to freeze the account to complete the sale and transfer the content to the buyer. The criminals probably take into account the time zone the victim is in and make the purchase while they are likely to be sleeping to maximize the amount of time that they have.

[-tkf-]

Quote:

Originally Posted by mrcorbo

and contacts MS to freeze the account

Wow

Quote:

he told me that my account would be locked for “up to 25 days” while the issue was investigated

I guess the complaints i read wasn´t off the mark

http://whatthegeek.net/2011/10/05/th...-live-account/

[NavNucST3]

Quote:

Originally Posted by -tkf-

Wow



I guess the complaints i read wasn´t off the mark

http://whatthegeek.net/2011/10/05/th...-live-account/

I'm surprised they said "up to" reading the GAF thread had me thinking that this was the minimum time it would take. Which seems about how long it took for MSFT to unfreeze my account some years ago simply because my card had expired (even though I was many months away from renewing Live AND there were other cards attached to the account...Not to mention when being billed from most of the MSFT services it normally takes a month before the charge actually hits my bank account meaning that even though I just renewed and got the email I had renewed I don't expect the money to come out of my account until early December...

I would say that MSFT has pretty shitty customer service in these regards. When you can get, eastmen, to think about canceling Live and selling the console you have seriously fucked up your social contract with your customers.

[-tkf-]

Maybe there is a reason why XBOX support is so slow?

http://www.thesun.co.uk/sol/homepage...ber-fraud.html

[Brad Grenz]

I wish the problem was getting more coverage in the mainstream press, but that article is mostly repeating Microsoft's blame the victim PR strategy.

[AlphaWolf]

its likely not getting press because it's just a case of coincidence.

[AlphaWolf]

Quote:

Originally Posted by -tkf-

Maybe there is a reason why XBOX support is so slow?

http://www.thesun.co.uk/sol/homepage...ber-fraud.html

So it's confirmed Live wasn't hacked then? Or is this something completely unrelated?

[patsu]

It cites a phishing case, but does not explicitly conclude that all the recent XBL hacks are due to phishing.

Ask eastmen if he was hit by phishing scam. ^_^
He is one of the victims.

Until someone can come up with a total $$$ loss, the press may go after other bigger news. The only reported figure is the average theft amount. Article says average is £100. People on GAF seem to lose about US$100+ per incident.

[Brad Grenz]

Quote:

Originally Posted by AlphaWolf

its likely not getting press because it's just a case of coincidence.

You do realize a coincidence, by definition, requires two or more things to coincide? :eyeroll:

My Live account was hacked. It followed the exact MO that is being so commonly reported. I can say with certainty I was not phished. I was not social'd.

[AlphaWolf]

How exactly do you know you weren't? They won't send a notice in your email. It could be someone you know.

[Brad Grenz]

Quote:

Originally Posted by AlphaWolf

How exactly do you know you weren't? They won't send a notice in your email. It could be someone you know.

1. Social attacks almost always involve getting the password reset. Usually they've also compromised the attached email account as well. That did not happen. I was able to regain control of my account with minimal damage because the password wasn't changed. But let's assume for a second I was social'd. Does that mean impostors can convince MS to give out passwords over the phone or in an email? That's even more disturbing than MS being hacked!

2. Someone I know? I don't know anyone in Eastern Europe who has tried to wheedle my password out of me (let alone succeeded).

3. Actually, phishing does usually involve an email. I don't follow links in emails to log in to services. I'm also not so foolish as to believe a suspicious offer of free MS points.

As far as I can tell, my account was compromised in one of four ways. My password was originally a shared, low security password used when I created for Games for Windows Live. I made the mistake of not upgrading it to a stronger, unique password when my MS Live account became associated with my gamertag and a credit card ended up attached to it. So it's possible the password was stolen from a third party and used to access my Live account. For the record, the password was not exposed in any of the recent high profile hacks, including PSN and Gawker.

Second, a virus or other piece of malware infected my computer and logged my credentials. If this was the case it has never been detected by AVG or Spybot and the information gathered has never been used to compromise any of my other accounts (paypal, amazon, google, my bank...).

Third, my password was short enough to have been brute forced. This would require a flaw in Microsoft's security apparatus that is supposed to detect and prevent such attacks. But the password, while alphanumeric and considered relatively secure when it was originally created, was only 8 characters long and should be breakable.

Fourth, there is an undisclosed or undiscovered flaw in Xbox Live's security that allows hackers to discover a password or hijack an account without needing one.

[AlphaWolf]

So you've confirmed that you don't know that it was actually Live that was hacked or not.