Potential Xbox Live hacking related to FIFA 12

It's not just Sony and MS as I understand it. Isn't this a sea-change for the US legal system to move disputes away from legal battles and into arbitration?
 
Yeah, all large corporations are reacting to the same Supreme Court ruling, although that case was about employees trying to sue their employer in a class action. Trying to apply that to end users still hasn't been tested in court, but all the corporate lawyers are just trying to hedge their bets by getting the "binding arbitration" language everywhere they can.
 
Look.. information!

http://www.shacknews.com/article/71700/editorial-fifa-12-xbox-live-money-laundering

In some ways the comments, as usual, have more interesting stuff:

http://www.shacknews.com/article/71...ve-money-laundering?id=27358913#item_27358913

With repeated complaints about the support and, in many cases, a very long wait to get the Xbox account back. Since it's tied into many of Microsoft's services, I guess it can be a really big problem?

Part 2, with a few words from EA and a story about Scott, who had to wait 109 days to get his account back.
http://www.shacknews.com/article/71764/editorial-eas-response-to-fifa-12-money-laundering-on-xbox
 
I just got hit with this on the 25th. My points balance was drained dry on FIFA 12 Ultimate Team purchases and I have 3 FIFA 12 achievements. It also looks like the hackers tried to purchase a 6000 MS Points bundle using an expired credit card associated with the account. Fortunately, I had cancelled that card some years ago after a previous XBL fraud incident and moved entirely to prepaid for both XBL and PSN. Until recently, however, it was not possible to remove a payment type from your account.

My password was not changed and there were no other alterations to the account. I don't buy Microsoft's claims of phishing and social engineering. I suspect there is an API breach permitting Gamer profiles to be downloaded in an unauthenticated fashion. After I discovered the fraud, I took a look at http://www.xbox.com/security and found that, by default, profile logins from other consoles are not authenticated by password. This means that, should a hacker find a way to download your profile, he has full access to it without knowing your password.

Aside from changing my password, I also set my profile to require password authentication on login for all consoles except my own. I set a four-button XBL passcode to be required for every login attempt, including on my own console. Then I signed out of XBL and redownloaded my profile, in order to invalidate all other copies. I secured the Windows Live account by adding mobile/SMS proof for password reset/recovery. I removed the expired credit card (it now seems to be possible to do this from Microsoft's Billing site).

At this point, I decided to contact Microsoft customer support. I explained the situation, with which they are all too familiar. Importantly, I mentioned the account hardening steps I had taken, so CS did not have to lock the account for 25 days. The account balance is frozen, but I can continue to play online as normal.

I'm going to do some more research on this and I'll update as the situation progresses. Interestingly, I can see the hacker's Console ID under my account billing history. I suppose Microsoft can ban this console, but it may just be a mule hackers use to acquire FIFA content before trading it away to another account.

If you haven't been hacked yet, I strongly recommend you follow the procedures recommended on the Xbox Security site. Honestly, I think Microsoft needs to enforce these measures universally through a system update.
 

Interesting. What is the use case for such a "powerful" profile ? Usually an offline token requires some sort of shared secret or private key to use/activate. Once you download your profile on another console, don't you need to login at least once to validate that you are the rightful owner of that profile (even if you turn off password authentication for that profile) ?
 
ban25, sorry for all your problems, but I wanted to thank you so much for posting about it. It got me really concerned about my Xbox security for the first time. Enough that I wanted to remove my credit card from my account, since it's actually my bank card and I don't own a credit card. So I called Microsoft's support, and what I found out was that since I own a Gold Family Pack I can't remove it without cancelling the subscription. The credit card requirement is to keep minors from being able to purchase one. That means you can't even purchase one using MS Points or a prepaid code. I can understand their reasoning, but I don't think it keeps kids from doing it anyway. Since I didn't want to cancel my subscription, I decided to take some of the agent's suggestions and make a number of changes to my account. The biggest one was blocking all purchases without me authorizing them. I believe this and a few others should keep me safe. Also, when it does come time to renew my subscription I'm going to purchase a disposable pre-paid VISA or Mastercard with just enough money on it to buy the Family Gold Pack. With no other money on it I won't have to worry if a hacker gets access to it.

BTW, one bad thing though: I reset all the consoles that had the password saved for my account. Then when I went to redownload my account it would get stuck trying to "download your game info". Still haven't been able to get it to download after a couple of hours. Makes me wonder if I went too far trying to safeguard my account. LOL

Tommy McClain
 
The prepaid VISA card sounds like the way to go. It's also a good idea not to hold a MS Points balance on the account, even though it is annoying. I had bought a 4000 point code from Amazon to take advantage of some of the XBL holiday sales. But I've learned my lesson. :(

Still no word on the account. Hopefully I'll have it back by the end of the month.
 
If you don't keep points in account, and you don't use a card, how do you buy items? You can't get 400 point cards and the like for a single purchase. The point system is set up to leave fragments of purchases and require an amount of points to be lingering in the account, so it seems inevitable.

I don't have a problem with points/credits myself. If you have a mobile phone account with credits, or a reloadable Visa card, or a PayPal account, it's effectively the same. As long as either you don't get phished, or MS actually finds the leak and plugs it, then there shouldn't be a problem. The real issue here is how the hell people are getting their accounts ripped and their points spent. If it's phishing, the users can avoid that. If it's a security fault then all these safety precautions shouldn't be necessary. I haven't heard of PSN credit going missing or getting spent, nor PayPal cash, so there's clearly something at fault with MS's system if they enable non-account holders to access accounts. Especially when you read that people are selling stolen accounts!
 
Shifty, there are a few ways to add points. You can add a minimum of 400 points to your account whenever you want to purchase content. You could either add enough money to the attached pre-paid Visa/Mastercard or you could add your PayPal account temporarily. Adding another credit card/debit card to the account isn't something you want, since once you remove it I don't believe you can add it back. So most likely you'll need to either put more money on the reloadable pre-paid Visa/Mastercard or just keep adding and removing your PayPal account. Though I'm not totally sure re-adding a PayPal will work, since I haven't done it.

BTW, I spent about 1.5 hours with Xbox support trying to get my account to re-download onto my Xbox. Spent over an hour with one tech trying all kinds of things. Determined it wasn't my network/Internet connection or my hard drive. Also determined I could download it on another console just fine. Then I found out that no Xbox Live account could be re-downloaded on that one machine. So the tech sent me to a guy in Hardware support, since he thought my box was the problem. After telling him I couldn't re-download any Xbox Live account, he went and talked to his superiors and they decided to "reset my Xbox Live account", or whatever that means. Then it started working again. Man, that was the biggest headache I've ever had with my Xbox. Just glad it's fixed. I would be very careful when using the "Xbox 360 Profile Protection" page. I would make sure not to be logged into your console when you do it. I think that's why I had the problem.

Tommy McClain
 
This thread made me remove my CC from my account, which sucks because I buy a lot of points and I have a Windows Phone and it's all connected, so I can purchase apps with that card too. Oh well, the phone does carrier billing and I guess I can buy points cards.

At least until they get the leak plugged
 
Not sure why people are so worried about CC info. Fixing an unauthorized charge is fairly simple. They'll send you a new card and reverse charges in a heartbeat.
 
Shifty, there are a few ways to add points. You can add a minimum of 400 points to your account whenever you want to purchase content.

Actually, you can add a minimum of 100 points at a time. But that's limited to the free 100 points you can buy with 125 Bing credits (currently; the value in credits fluctuates) through the MS Bing promotion. I've gotten over 2000 MS Points for free that way.

Regards,
SB
 
Not sure why people are so worried about CC info. Fixing an unauthorized charge is fairly simple. They'll send you a new card and reverse charges in a heartbeat.

Really? Do you know how much trouble it is to have to cancel your card and change a dozen different auto-payment services? I'd rather have a secure online service that doesn't have this problem.
 
Really? Do you know how much trouble it is to have to cancel your card and change a dozen different auto-payment services?

If it takes you more than 30 minutes, you're doing it wrong.

I'd rather have a secure online service that doesn't have this problem.
Sure, tell me when one exists.
 
Well, I've been without XBL service for a week already. But hey, maybe you'll be next!

What does that have to do with changing CC info on auto pay services?

I realize you've been scammed, hacked, phished, wronged or whatever, but your CC info is probably the least of your problems, as CC customer service just about always (do they ever not?) errs on the side of the card holder with zero indemnity. One 5-minute call will probably get you a new card mailed within 48 hours. Changing auto-pay information shouldn't take more than a couple of minutes for each payee; if you handle a lot of it through a service, much less than that.

I agree XBL should be able to handle account recoveries much faster than they do and I really don't understand why they can't give you a limited access (no purchases) account in the interim to at least use the services you already own. Obviously this is an evolving issue and it was certainly a mistake to allow trade of points purchase items, but hopefully they are learning from it and the service will be stronger in the future.
 
At least until they get the leak plugged
There doesn't appear to be a leak. So far, from what I've seen of the responses from Stepto, the attackers come in _already knowing the password_. This means that it cannot be a Live hack at fault, since Live does not know your password. They know a non-reversible hash of your password and cannot retrieve the original, ever. (The only way to get that would be to steal the password DB and brute-force it, but I doubt that has happened.)

On the other hand, if an attacker can run any code as you on your PC (outside of the sandbox, and maybe even inside it), they can probably retrieve your live password without you ever even knowing it. There are tools that appear to decrypt the password store that Messenger/Hotmail/Live ID/Mesh uses when you check the "Remember me/Sign me in automatically" box. (I can't believe they would store the actual password instead of a cryptographic token, but as far as I can tell, the tools work. Hopefully that gets fixed)

All you would have to do is visit a website that served a compromised banner ad. As we've seen from Pwn2Own, no browser is completely safe.

*goes off to uncheck his "Remember Me" and "Automatically Log In" settings* *sigh* Damn criminals, messing it up for the rest of us.
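The two points made in the post above (a server that holds only a salted, non-reversible hash cannot hand the password back, while a client "Remember me" store that keeps the plaintext password hands an attacker a credential that survives every sign-out) are easy to see side by side in code. The following is an added example, not code from this thread, from Microsoft, or from any Xbox Live or Windows Live component; the AuthServer and client store below, the user name "gamer" and the PBKDF2 iteration count are all constructed for illustration. It models a server that stores PBKDF2 digests and issues random, revocable session tokens, then compares what an attacker who reads the client store can still do after the victim revokes all sessions (the equivalent of signing out and re-downloading the profile, as ban25 described) depending on whether the store held the password itself or only a token.

```python
"""Toy model: salted password hashes on the server, two kinds of "remember me" on the client.

Constructed example for illustration. No Xbox Live / Windows Live API is modelled; the
class and function names, the sample user and the iteration count are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: a plausible work factor for a demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored; the plaintext never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AuthServer:
    """Keeps (salt, digest) per user plus a table of hashed, revocable session tokens."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._sessions: Dict[bytes, str] = {}  # sha256(token) -> user

    def register(self, user: str, password: str) -> None:
        self._creds[user] = hash_password(password)

    def login(self, user: str, password: str) -> Optional[str]:
        """Password login from any device; on success mint a random opaque token."""
        if user not in self._creds:
            return None
        salt, digest = self._creds[user]
        if not verify_password(password, salt, digest):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[hashlib.sha256(token.encode()).digest()] = user
        return token

    def resume(self, token: str) -> Optional[str]:
        """The "remember me" path: a stored token is accepted without a password."""
        return self._sessions.get(hashlib.sha256(token.encode()).digest())

    def revoke_all_sessions(self, user: str) -> None:
        """Sign out everywhere: every outstanding token for the user stops working."""
        self._sessions = {h: u for h, u in self._sessions.items() if u != user}


def remember_plaintext(store: dict, user: str, password: str) -> None:
    """Weak client: persists the password itself (what the post says the tools recover)."""
    store[user] = {"kind": "password", "secret": password}


def remember_token(store: dict, user: str, token: str) -> None:
    """Better client: persists only the revocable session token."""
    store[user] = {"kind": "token", "secret": token}


def attacker_still_has_access(server: AuthServer, user: str, stolen: dict) -> bool:
    """Malware copied the client store; the victim has since revoked all sessions.
    Return True if the attacker can still act as the user."""
    if stolen["kind"] == "password":
        # A password is not revocable: it logs in from a new console until it is changed.
        return server.login(user, stolen["secret"]) is not None
    # A token is bound to the session table and dies with revocation.
    return server.resume(stolen["secret"]) is not None


def demo() -> Dict[str, bool]:
    """Run both client designs through theft-then-revocation; keyed by what was stored."""
    server = AuthServer()
    user, password = "gamer", "correct horse battery staple"  # constructed sample account
    server.register(user, password)
    outcome: Dict[str, bool] = {}
    for remember in (remember_plaintext, remember_token):
        client_store: dict = {}
        token = server.login(user, password)
        assert token is not None
        remember(client_store, user, password if remember is remember_plaintext else token)
        stolen = dict(client_store[user])   # attacker reads the "Remember me" store
        server.revoke_all_sessions(user)    # victim signs out / re-downloads profile
        outcome[stolen["kind"]] = attacker_still_has_access(server, user, stolen)
    return outcome


if __name__ == "__main__":
    print(demo())  # {'password': True, 'token': False}
```

The result is the asymmetry the post points at: with only the digest, the server side can check a password but cannot produce it, so nothing the service itself holds gives an attacker the credential; a client that stores the plaintext gives it away, and no amount of signing out on the server undoes that until the password is changed, whereas a stolen token is dead as soon as the sessions are revoked.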
 