Potential Xbox Live hacking related to FIFA 12

But not having to verify / prove your CC info when logging on with a live user and pwd is an oversight though ...
 
There doesn't appear to be a leak. So far, from what I've seen of the responses from Stepto, the attackers come in _already knowing the password_. This means that it cannot be a Live hack at fault, since Live does not know your password. They know a non-reversible hash of your password and cannot retrieve the original, ever. (The only way to get that would be to steal the password DB and brute force it, but I doubt that has happened)

On the other hand, if an attacker can run any code as you on your PC (outside of the sandbox, and maybe even inside it), they can probably retrieve your live password without you ever even knowing it. There are tools that appear to decrypt the password store that Messenger/Hotmail/Live ID/Mesh uses when you check the "Remember me/Sign me in automatically" box. (I can't believe they would store the actual password instead of a cryptographic token, but as far as I can tell, the tools work. Hopefully that gets fixed)

All you would have to do is visit a website that served a compromised banner ad. As we've seen from Pwn to Own, no browser is completely safe.

*goes off to uncheck his "Remember Me" and "Automatically Log In" settings* *sigh* Damn criminals, messing it up for the rest of us.

thanks

interesting and frustrating
 
On the other hand, if an attacker can run any code as you on your PC (outside of the sandbox, and maybe even inside it), they can probably retrieve your live password without you ever even knowing it. There are tools that appear to decrypt the password store that Messenger/Hotmail/Live ID/Mesh uses when you check the "Remember me/Sign me in automatically" box. (I can't believe they would store the actual password instead of a cryptographic token, but as far as I can tell, the tools work. Hopefully that gets fixed)
That's a good thought, and something that could be checked. Are these Live! hacks on people accessing their Live account on PC?

All you would have to do is visit a website that served a compromised banner ad. As we've seen from Pwn to Own, no browser is completely safe.
How does this work? Can a banner ad appearing on the log-in page result in capturing the auto log on password? If so, apart from being shocking, wouldn't safety software catch that? I'm thinking of these people who are hacked or run anti-virus and anti-malware, rather than just the more ignorant internet users.
 
Anti-virus and anti-malware only works on known exploits, when there is a new exploit you are not protected until they patch it in.
 
Yeah, but bkilian is reporting it, so it must be known. So why uncheck the 'remember me' options etc. if anti-malware can stop it? :???:
 
That's not a specific exploit he's protecting against. Basically if you allow any scripts to run on your PC you're at risk, anti-malware and antivirus protects you against known forms, but anything new you're going to be at risk against. Something like NoScript is probably better protection (I run antivirus and noscript), but it comes at the expense of convenience as you'll wind up needing to allow trusted sites access and even allowing trusted sites is a risk as they can be hacked. The only way to be 100% safe, is to throw out your PC.
 
They don't even need to be hacked. All they need is for their banner ad provider to get a trojan ad. There were cases where the New York Times website was distributing malware because of a third party banner ad.

The tools I mentioned run on the local PC, so any exploit that allows local code execution even without privilege escalation would allow them to steal your live id and password. And they only need to do it once, at that point they bundle your info with thousands of others they've caught and sell it on places like the now defunct carders market.

In that way there could be months or even years between someone stealing your info and someone else using it. Unfortunately this works because a lot of us don't change our passwords very often.

How does this work? Can a banner ad appearing on the log-in page result in capturing the auto log on password? If so, apart from being shocking, wouldn't safety software catch that? I'm thinking of these people who are hacked or run anti-virus and anti-malware, rather than just the more ignorant internet users.
The banner ad wouldn't need to be on any login page. It could grab the password from the store on your PC where apps like Messenger or Live mesh put it.

I'm not trying to shift the blame to the users here. I think this is still a Microsoft problem. I'm just explaining how this could happen without a larger "Xbox Live has been hacked" issue, and without the user even being aware their info was stolen.
 
It's all sort of like using a condom. When perfectly used there's only a 2% per year rate of pregnancy. When typically used that shoots up to a 15% per year rate of pregnancy.

Analogously, perfectly executing your online safety precautions and procedures will never make you fully 100% immune to some exploit, hack, virus, trojan, phishing scheme, etc., as not all of them rely on user error although many do. And if you just go along with vanilla anti-virus, anti-malware, well your risk shoots up, although it's still better than not being protected at all.

Being online is all about risk management and how much risk you are willing to take for convenience. And no matter how good your precautions, always be ready to call in unauthorized charges on your CC. Because there is no such thing as 100% safety. And anyone who believes they are 100% safe is a victim waiting to get hit.

Regards,
SB
 
But not having to verify / prove your CC info when logging on with a live user and pwd is an oversight though ...

CC cards have an additional security code for verification. But the points in the system have no second factor to authenticate against. So the users will be "forced" to keep minimal points and redeem the point codes on demand.

They can also consider a second factor for regular sign-in for additional measure. e.g., Home consoles typically sign in from the same IP range, so if they notice an IP from another country, they may want to kick in fraud check. I suspect this is how Sony caught the last wave of dubious PSN sign in attempts.

I'm still curious what goes into that downloadable profile that require no password to use, and why it is needed.
 
They don't even need to be hacked. All they need is for their banner ad provider to get a trojan ad. There were cases where the New York Times website was distributing malware because of a third party banner ad.

The tools I mentioned run on the local PC, so any exploit that allows local code execution even without privilege escalation would allow them to steal your live id and password. And they only need to do it once, at that point they bundle your info with thousands of others they've caught and sell it on places like the now defunct carders market.

In that way there could be months or even years between someone stealing your info and someone else using it. Unfortunately this works because a lot of us don't change our passwords very often.

The banner ad wouldn't need to be on any login page. It could grab the password from the store on your PC where apps like Messenger or Live mesh put it.

I'm not trying to shift the blame to the users here. I think this is still a Microsoft problem. I'm just explaining how this could happen without a larger "Xbox Live has been hacked" issue, and without the user even being aware their info was stolen.


so... am I at risk because I use Live Mesh for syncing folders and/or remote connection to other PCs?
also what about changing your xbox linked Live ID, would that protect you from any previous compromise?

thx
 
But not having to verify / prove your CC info when logging on with a live user and pwd is an oversight though ...

Especially when you log in from a new system in a new region! Closer to criminal negligence.
 
so... am I at risk because I use Live Mesh for syncing folders and/or remote connection to other PCs?
also what about changing your xbox linked Live ID, would that protect you from any previous compromise?
thx
Having different Live IDs for your PC stuff and your XBox stuff would help, but kinda destroys half the value of the Live ID.
I suspect the best thing you can do is change your password regularly (I know, it's a pain - I feel it, we have to change ours here at work every 6-12 weeks - and it remembers the last 24 passwords you used and won't let you reuse.)

At some point MS will have to introduce some sort of two factor authentication, like Google allows you to do. (Every time I log in from a different computer or after 30 days, it texts me a code I have to enter to allow access). All the banks in South Africa now do this, every login they text you a one time code.

Especially when you log in from a new system in a new region! Closer to criminal negligence.
Depends. I logged in from a new system in a new region just last month, perfectly legitimately. Although I would have liked to see them lock my points / credit card until I had re-entered the info at that point.

It's easy for us to discuss this here as if we think the Live folks are being idiots, but trust me, they like this even less than you guys do. I'm sure they're working on it, but there's a lot of legacy infrastructure they have to work with.
 
Not sure why ppl are so worried about CC info. Fixing an unauthorized charge is fairly simple. They'll send you a new card and reverse charges in a heartbeat.

When your only credit card is your bank card, then you worry. I'm not gambling with my money, you can if you want.

Tommy McClain
 
Depends. I logged in from a new system in a new region just last month, perfectly legitimately. Although I would have liked to see them lock my points / credit card until I had re-entered the info at that point.

It's easy for us to discuss this here as if we think the Live folks are being idiots, but trust me, they like this even less than you guys do. I'm sure they're working on it, but there's a lot of legacy infrastructure they have to work with.

Sure, perfectly legitimate, and perfectly prudent for MS to do what Sony and Valve do in that situation, ask you to verify some payment information before allowing new charges. After 9 months and a complete redesign of the entire interface, "legacy infrastructure" is no longer an acceptable excuse for continuing to allow customers to be stolen from with impunity.
 
Sure, perfectly legitimate, and perfectly prudent for MS to do what Sony and Valve do in that situation, ask you to verify some payment information before allowing new charges. After 9 months and a complete redesign of the entire interface, "legacy infrastructure" is no longer an acceptable excuse for continuing to allow customers to be stolen from with impunity.
I don't think you understand. It has nothing to do with the console interface. The infrastructure driving Live ID dates back to the original Passport service, which launched in 1999. There are literally hundreds of millions of customers who would be impacted if any change broke something. Xbox Live is merely a customer of the Live ID service. Other customers are third party websites, Messenger, Mesh, Bing, Hotmail, Windows Phone, etc. If they simply implemented what you suggest, then buying a Windows Phone and signing in would disable functionality on your XBox and vice versa. Cookies expire on your hotmail login? That's a crippled Xbox. New IP from your cable provider? That's your phone no longer letting you buy games. Add in that all these clients would have to implement ways to notify the user when this happens, and you quickly get into a bad place.

Sony and Valve do not have these issues because their sign in is limited to a small number of products that they control.
 
I don't think you understand. It has nothing to do with the console interface. The infrastructure driving Live ID dates back to the original Passport service, which launched in 1999. There are literally hundreds of millions of customers who would be impacted if any change broke something. Xbox Live is merely a customer of the Live ID service. Other customers are third party websites, Messenger, Mesh, Bing, Hotmail, Windows Phone, etc. If they simply implemented what you suggest, then buying a Windows Phone and signing in would disable functionality on your XBox and vice versa. Cookies expire on your hotmail login? That's a crippled Xbox. New IP from your cable provider? That's your phone no longer letting you buy games. Add in that all these clients would have to implement ways to notify the user when this happens, and you quickly get into a bad place.

It can always be special-cased or opt-in.

Sony and Valve do not have these issues because their sign in is limited to a small number of products that they control.

Not quite true. All third party apps on PSN use Sony's single sign-on service. Users always sign-in to PSN first. The check can be done there.
 
It can always be special-cased or opt-in.
That doesn't help. To allow the opt in, you have to modify the backend infrastructure, which increases the odds of a breaking change.
Not quite true. All third party apps on PSN use Sony's single sign-on service. Users always sign-in to PSN first. The check can be done there.
Exactly my point. The users sign into PSN first. That's not the case with Live ID. Each App implements its own access to the service. To the app, Live ID is just a protocol that takes a username and password, and returns a cookie of some sort. Every app is free to implement how they access that API. Making the distinction of what is a fraudulent login is not an easy one. Currently, Live ID is essentially read-only to most applications. To implement what might be necessary, they'd have to add a way for the xbox to tell Live ID that they suspect foul play and to suspend some features. Now all you need is an attacker to have a proxy that allows the Live ID login, but blocks the "this is fraudulent" call, and they're good to go again. Or they don't even bother with the xbox, they login using the website and a US proxy; they can do all the same things on the website like buy premium content, and with a proxy in place, the region issue is gone too.

I'm not saying I think they shouldn't fix it. They should. I'm just pointing out that arguments of developer laziness (which are a perennial favourite around here :)) are not necessarily accurate.
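The thread sketches three pieces of a fix: a one-time code on a new device or after 30 days, freezing points/CC use on a login from a new region until the user re-verifies, and the objection that a client-side "this is fraudulent" call can be blocked by a proxy. The sketch below is an added illustration, not code from Live ID, PSN or any poster; it assumes an in-memory account record, a 5-minute code lifetime and that the texted code is hashed before storage. The decision is taken inside the identity service from the login request's own attributes (device id, country), so there is no separate client call for a proxy to strip.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

STEP_UP_AFTER = 30 * 24 * 3600  # re-verify a device after 30 days (the Google example in the thread)
CODE_TTL = 300                  # assumed: a texted one-time code is valid for 5 minutes


@dataclass
class Account:
    # device_id -> (country, time the device was last verified); constructed in memory for the example
    trusted: dict = field(default_factory=dict)
    # device_id -> (sha256 of the issued code, expiry time); one outstanding code per device
    pending: dict = field(default_factory=dict)
    purchases_locked: bool = False   # points / credit card frozen until re-verification


def login_decision(acct: Account, device_id: str, country: str, now: float) -> str:
    """Decide, after the password has already checked out, whether this login may proceed
    ("allow") or needs a one-time code first ("step_up")."""
    seen = acct.trusted.get(device_id)
    known_countries = {c for c, _ in acct.trusted.values()}
    if seen and now - seen[1] < STEP_UP_AFTER and seen[0] == country:
        return "allow"
    # A login from a country this account has never used: freeze spending right here,
    # server-side, rather than waiting for the client to report suspicion.
    if known_countries and country not in known_countries:
        acct.purchases_locked = True
    return "step_up"


def issue_code(acct: Account, device_id: str, now: float) -> str:
    """Generate the six-digit code that would be texted to the user; only its hash is kept."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[device_id] = (hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL)
    return code


def verify_code(acct: Account, device_id: str, country: str, code: str, now: float) -> bool:
    """One attempt per issued code: a wrong or expired code is discarded and must be reissued."""
    entry = acct.pending.pop(device_id, None)
    if entry is None or now > entry[1]:
        return False
    if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).hexdigest()):
        return False
    acct.trusted[device_id] = (country, now)   # device now trusted in this country
    acct.purchases_locked = False              # re-verified: unfreeze points / CC
    return True
```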
 
What does that have to do with changing CC info on auto pay services?

It's a pain, when I cancelled my CC because of the PSN failure I had to update the info on so many places and sometimes it was at the "wrong time" because I didn't have the CC on me or I was in a hurry.
 