Live accounts being "phished"?


"I have been involved with Microsoft Support for days on this exact issue and have spent many hours on the phone trying to prove to them that, first, my Windows Live ID was stolen and, second, the ID and password associated with my ID were changed; two actions that Microsoft swears can NEVER happen; and third that the thief was then able to use my credit card information associated with one of my Windows Live ID accounts to purchase over $800 of Microsoft products.

Thank goodness for other websites that still contained my old Windows Live ID information and also the fact that, in order to gain access to those other websites, you NEED a Windows Live ID. After spending 20+ hours on the phone with support and finally getting them to realize that I did indeed have a Windows Live ID, after pointing them to the other websites, I was told by a supervisor that "Yes, in fact, we have heard of some instances where a user's Windows Live ID had been compromised!"

After finally getting this confirmation and having a case number assigned and forwarded to Microsoft Security Investigations, they, also, confirmed it as a breach, issued me another Windows Live ID and then reinitialized the stolen Microsoft Products that were associated with the old ID over to the new ID."

Prepare to break something:
We here at infamous steal at least 10 accounts a day depending on their levels. If you talk shit we will mod on your account until it is banned. If the levels on it are good we will use the Credit Card on your account to then change the gamer tag. Once we are able to get onto your windows live id email, if it is not an email address we will go to change the windows live id to anything we want it to be, using the "Change email" on that web site. We will then change Every piece of information on your account including the credit card information. Then we will max out your Credit card with microsoft points. Then of course if it's high enough in levels we boost off your levels.. i mean come on look at our accounts all 50's baby...

Now you may be wondering HOW do we get your information? It's easy, you call 18004myxbox pretend to be that person make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah you might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time. Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they can't but it's bullshit. People at bungie CAN and WILL reset your password. believe me :)

Go to billing and contact to remove your CC info. You may have to call MS.
Most definitely ungood.

Bunch of self-righteous pricks in that second quote by the way. Throw 'em in the slammer. Toss away the key. See how they like it.

I bet this is exactly the reason Nintendo forces you to reenter CC info every time you make a purchase just to avoid this sort of thing.

Does MS take responsibility for such lapses in their security or are customers up shit creek without a paddle when haxors buy up their entire CCs with MS points?
Umm, legally in the United States you are not liable for more than $50 of fraudulent charges on a CC.

This is federal law, and it has nothing to do with microsoft or any other company.

If your credit card info is stolen, whether on Live or at Wal Mart, you're out 50 bucks max, period, even if they charge 50 grand to your CC. Something to keep in mind here.
Yeah, the credit card issue really isn't that big (EDIT: i.e., hundreds/thousands of dollars big). If these guys are real, however, and are getting away with it, then that's a problem. If people are losing control of their gamertags so easily, through no fault of their own, then that's a huge problem. Sure, there's no monetary value in your achievements or gamerscore (for most -- insert those guys who play games for you here), but I'd be pretty ticked off if I ended up losing all that. I certainly wouldn't want to be paying $50 a year if that kind of stuff happens through MS's incompetence. But, eh...
I have been involved with Microsoft Support for days on this exact issue and have spent many hours on the phone trying to prove to them that, first, my Windows Live ID was stolen and, second, the ID and password associated with my ID were changed; two actions that Microsoft swears can NEVER happen; and third that the thief was then able to use my credit card information associated with one of my Windows Live ID accounts to purchase over $800 of Microsoft products.
The guy makes no sense. You can easily change your Windows Live ID. Just go to, sign in, click on account.

What happened is that his password was probably the same as his gamertag which was the same as his hotmail or gmail or windows live id account. Once they log into your account, then they can change whatever they want. Then do an account recovery on another console, and there you go...
I don't know how long it takes to get your money back from a credit card company but 20 hours on customer service is...annoying. And I'm guessing they mostly want your credit card info.

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. This is a good time to remind our members that they should never give out any of their personal information. Additionally it may be a good idea to download this free PDF file from 'Help Protect Yourself Against Identity Theft' that gives you some excellent information and tips on how to protect yourself.
Major Nelson's comments fly in the face of the first post though, where we're told

After finally getting this confirmation and having a case number assigned and forwarded to Microsoft Security Investigations, they, also, confirmed it as a breach, issued me another Windows Live ID and then reinitialized the stolen Microsoft Products that were associated with the old ID over to the new ID.

Apparently, Microsoft Security Investigations confirmed it as a breach of security...

Certainly not good news. I wonder if we'll ever get to hear how it's done, or if it'll get patched quietly? Was (is) it really clever hacking, or a really dumb mistake in the security?
Read what he wrote.

It's a phishing attack. People are getting their accounts stolen because they've revealed some piece of personal info online, which the hackers then use to call tech support and pretend to be the victim. This has nothing to do with the security of the system, and everything to do with social engineering and people being dumb.

Their basic tactic is to badger enough tech support people, until they manage to get a password change or something like that and from there they hijack your credit card. Classic social engineering attack.

Now you may be wondering HOW do we get your information? It's easy, you call 18004myxbox pretend to be that person make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah you might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time. Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they can't but it's bullshit. People at bungie CAN and WILL reset your password. believe me
Read what he wrote.

It's a phishing attack. People are getting their accounts stolen because they've revealed some piece of personal info online, which the hackers then use to call tech support and pretend to be the victim.
I think the actual allegation is rather that tech support alone reveals sufficient information to mount an attack.
Well, if that's the case, Nelson is right that the network is secure. The whole of the service isn't though, if people can trick MS support into giving away too much info. From an end user POV, the 'system' is hacked and insecure without knowing what the entry point is. If it's not the end users giving away their secret info, it's good as dammit a hacked system.
Microsoft admits social engineering worked on Xbox Live support staff:

A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering', also known as 'pre-texting', through our support center. Kevin gave me a call directly and once I realized what he was talking about (he sent me some painful-to-listen-to audio files) I confirmed that the team is fully aware of this issue. They are examining the policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack.

Absolutely unacceptable.
Not much of a worry. What's really concerning is I know some 6 people who have had their credit cards cloned/hacked in the past couple of months. I'd be a hell of a lot more concerned about someone getting into my bank account than my gaming account, especially when the gaming problem can be 'fixed' quite readily. If Live is considered a bit vulnerable, cards are downright insecure!
This doesn't affect Live Silver accounts right? (because those don't have CC info?)

Then again, you can choose not to have CC embedded in your Gold account, so why the heck am I asking this :oops:
It can affect Silver accounts. According to the post, if the people decide to just mess you about, they will. It isn't all about getting money. Heck, they can't get money other than buying download content for your account. They're not getting CC data from the accounts.