Potential Xbox Live hacking related to FIFA 12

Hardly. This is getting continuing press coverage that would cease if an explanation were to be given that seemed plausible in some of the cases where their stock explanation doesn't seem to fit.

No major network is running any story, no apology or explanation is going to stop the bulk of bloggers and forum pundits from claiming the sky is falling. MS doing the right things behind the scenes has always been their best course of action, alas that means we don't get to know what they are doing, but that is the right way to go about it.
 
I click on your profile here...
See that your gamertag is MHolmesIV, and then I go to Google and type in 'MHolmesIV email'.

I get up:
Handfasting Info :: Home | Statistics & News at ZitetrendZ.com
www.zitetrendz.com/handfasting.info/ - USA - Oversett denne siden
14 Nov 2011 – Admin Email:mholmesiv@gmail.com. Billing ID:FAST-16079766. Billing Name:Bryan Kilian Billing Organization: Billing Street1:609 S 29th pl ...
Yep, that's me. And it's still not going to help you because that's not my Live ID. My Live ID is an account I don't use for anything else.
Even given the ID, it would take far too long to crack my password, because it's not based on any dictionary word in any language. Not even Khoisan, where the South African motto is written (I'm not making this up) "!ke e: /xarra //ke"

Heck, if even 1% of Xbox Live users are using common passwords, it wouldn't take too long to pseudo brute force it using password lists combined with the ability to determine a user's e-mail address through what was described by that AnalogHope website, if they are using a botnet.
Yep, if you have a bad password, even limiting login attempts to 20 per session is not going to help significantly.

How about this: how was Larry Hryb's account hacked at the start of 2010, or did that already escape everyone's attention? Was that more than phishing? Clues?
If I recall correctly, MajorNelson had his ISP account hacked, and they used that to get his Live password reset. Stepto's "hacker" socialed Network Solutions into transferring stepto.com to him, set up a mail server, and reset the Live password using that.
These guys are prime targets, if only for bragging rights.
 
Hardly. This is getting continuing press coverage that would cease if an explanation were to be given that seemed plausible in some of the cases where their stock explanation doesn't seem to fit.

No major network is running any story, no apology or explanation is going to stop the bulk of bloggers and forum pundits from claiming the sky is falling.

It is getting so-called continuing press coverage only because victims wrote their own blogs, tweets and posts to express their frustrations. MS's PR team should already have the press covered (with formal explanations).

MS doing the right things behind the scenes has always been their best course of action, alas that means we don't get to know what they are doing, but that is the right way to go about it.

The users encountered real problems that don't fit MS's blanket explanation. Besides finding and fixing new hacks, MS should also prevent repeated offenses. From this user feedback, it doesn't sound like one single point of entry. When the users are handled properly, and not treated like phishing scam victims who don't know what they are doing, then they will likely complain less. Special treatments are unlikely to silence them.

You should heed TapIn's posts and get to his suggested measures quickly. If the hackers get to them before you do, the measures will be used against you. MS may need to mandate those measures into their sign up process too.
 
No major network is running any story, no apology or explanation is going to stop the bulk of bloggers and forum pundits from claiming the sky is falling. MS doing the right things behind the scenes has always been their best course of action, alas that means we don't get to know what they are doing, but that is the right way to go about it.

If I don't know what they are doing, how do I know that they are doing the right things? Faith?
 
You don't. Who says you should? Is any other company giving you a detailed breakdown of their security procedures? I expect if more people took better care with passwords it would be a non-issue. (I'm not at all concerned someone might figure out my mail account from my completely different gamertag and then brute force my 12-digit password that I change regularly.)

I'm not saying MS couldn't be doing better things, I just don't think communication is a big issue as they really shouldn't be telling people exactly what they are doing because that's counter productive, so in terms of communication all you should really expect is a statement out of PR.
 
Is any other company giving you a detailed breakdown of their security procedures?.....I'm not saying MS couldn't be doing better things, I just don't think communication is a big issue as they really shouldn't be telling people exactly what they are doing because that's counter productive, so in terms of communication all you should really expect is a statement out of PR.

Then we don't disagree.

I don't think they should tell everything, just that they should tell more. It would be especially helpful if they would acknowledge some of the other possibilities and specifically say that they have been thoroughly investigated and ruled out. I don't see the harm in that. Unless other possibilities haven't been investigated and ruled out that is, in which case the people with the torches and pitchforks probably have some justification for their attitude.
 
We need a detailed breakdown..

Microsoft told The Sun that they hadn't been hacked, and they would offer refunds to consumers if they could prove they hadn't revealed passwords, back in November.
So clearly it's important to get a detailed breakdown of how you can hack yourself into Xbox accounts, so the victims can prove that they haven't revealed their password..
Just kidding of course, but it's infuriating to read responses like that; it's very hard to prove that you didn't reveal anything. :p
Not that people should trust The Sun though, except for what is on page 3. :p
 
That can be changed by hacker access if he has the PW. The proof option is a lock... no matter what they do, without one of your proofs (your PC, mobile phone or unhacked email) he cannot lock you out, and you can lock him out by resetting the PW.

Not thinking of a way to stop the hacker, but from experience the easy way to hack an account, 30% of the time, is to find the answer on a social network. ;)
 
Then we don't disagree.

I don't think they should tell everything, just that they should tell more. It would be especially helpful if they would acknowledge some of the other possibilities and specifically say that they have been thoroughly investigated and ruled out. I don't see the harm in that. Unless other possibilities haven't been investigated and ruled out that is, in which case the people with the torches and pitchforks probably have some justification for their attitude.

Online security is a tough nut. It's easy to reveal too much info without thinking you are revealing too much info. Just saying something like "we're aware of a security hole and are working diligently on a fix" immediately lets hackers know there IS a hole and would likely induce an additional flurry of attempts to figure it out. Granted, that's not likely to be much more damaging than not saying anything at all, but it's just an example.

How many hints would you want to give that might or might not lead an enterprising hacker onto the right track?

As well, there's always the possibility that there isn't a security hole on Microsoft's end. There's no way for us to know if EA is or isn't doing something wonky. And again, no way to know if there's any social engineering/phishing going on.

Or, hell, other unrelated sites being hacked, passwords accessed, and then e-mails cross-referenced with Xbox Live e-mails and access being gained that way if people are using same or similar passwords across a range of sites.

Or heck, people who think they are secure (like someone I won't mention on this forum who relies only on his firewall + his own due diligence to protect his computer) and end up getting infected with a keylogger and unwittingly giving away their password.

And if any of those people use any pirated software, their chances of getting a keylogger installed grow exponentially.

Basically, all I'm saying here is, that there really is no right answer. There's nothing that can ever be said that will ever appease the people crying out for transparency. Either because there is nothing to reveal (and hence those people think the company is lying) or revealing information on a security hole before a fix can be put in place can be more damaging for your customers than just keeping quiet.

Regards,
SB
 
Well, of course there is some phishing..
There is a link to a phishing site on the PlayStation community forums, being reported, if it hasn't been removed yet.

If it were phishing which caused all this, I think we would have seen it more evenly distributed on the other platforms as well; it's not like a 360 user is more gullible than a PS3 user, except for insisting how great it is to be paying for online play, instead of complaining and getting it fixed.
 
I haven't been here in a while but interesting corporate shill question upstream. Been meaning to ask the same, but I get a warning for that. I'm not spamming the board with the company line, I'm merely posting common sense and facts.

I haven't finished listening, but here are more facts on LIVE, and how it hasn't been PSN compromised.

http://majornelson.com/cast/2012/02/10/show-429-warp-alex-garden-on-security-and-a-farewell/
Interview: Alex Garden, GM Of Xbox LIVE (45:17 - 1:12:55)

The notes also point you to the letter with more contact info. People have already used that info (suggestion mechanism) to get the authentication system changed in the upcoming months across LIVE to two layers. And as the podcast states, more people have been added to authenticate you are you when regaining control of your account, which reduces recovery time.

Whether it has been "PSN compromised" is hardly the point. No one has suggested it was, but that doesn't matter as long as there are flaws for hackers to exploit, and payment processing lacks the additional layers of protection needed. It's nice that they finally seem to be addressing the customer service shortcomings, but that's still about 9 months past due.
 
Sorry, I must disagree with "PSN compromised" is hardly the point. That is the point with the barrage of Xbox Live hacked headlines, forum postings, blogs, TV news reports, etc. It's the same FUD as an Apple ad attacking the competition. But as has been stated for each story, it's not past due when it's a fraction of a fraction of the service that was affected this whole time. Storm in a teacup, that's effectively mentioned in the podcast.

What utter nonsense. Simply stating that what has been happening on Xbox Live does not technically resemble the PSN hack in no way absolves Microsoft of responsibility. And clearly the goal of going on podcasts and releasing repeated statements to every blog, website and TV station to say the same thing is to deflect attention from the actual measures Microsoft could have taken to prevent the rampant fraud. Granted, it is of course a very different situation from the PSN hack, but "fractions of fractions" could still be hundreds of thousands of impacted customers, if not millions. We'll never have a real accounting because it doesn't benefit MS to give one, but what is very clear is far more people have suffered actual material losses due to Live account take-overs than from anything that has happened to PSN. This is not FUD. These account takeovers were actually happening and Microsoft could have taken innumerable steps to help stop the tide of fraud, but chose to pretend nothing was wrong and blame the users for a year. This isn't some fanboy, console war bullshit, and to try and paint it in those terms is either monstrously ignorant or cowardly, and in either case incredibly offensive. These were real crimes being committed against paying customers.
 
What utter nonsense. Simply stating that what has been happening on Xbox Live does not technically resemble the PSN hack in no way absolves Microsoft of responsibility. And clearly the goal of going on podcasts and releasing repeated statements to every blog, website and TV station to say the same thing is to deflect attention from the actual measures Microsoft could have taken to prevent the rampant fraud. Granted, it is of course a very different situation from the PSN hack, but "fractions of fractions" could still be hundreds of thousands of impacted customers, if not millions. We'll never have a real accounting because it doesn't benefit MS to give one, but what is very clear is far more people have suffered actual material losses due to Live account take-overs than from anything that has happened to PSN. This is not FUD. These account takeovers were actually happening and Microsoft could have taken innumerable steps to help stop the tide of fraud, but chose to pretend nothing was wrong and blame the users for a year. This isn't some fanboy, console war bullshit, and to try and paint it in those terms is either monstrously ignorant or cowardly, and in either case incredibly offensive. These were real crimes being committed against paying customers.
Yeah, it's not as if MS wasn't paying back the customers' losses or anything... oh... wait... they are.
For the customer, this is an annoyance: they have to lodge a claim, be put out a bit by not having access to their account, and not have access to some funds for a while, until they get refunded.
For Microsoft, this is a very real loss of money, resources, and goodwill. Do you really think that if there was an easy solution, they wouldn't be looking into it?
 
Yeah, it's not as if MS wasn't paying back the customers' losses or anything... oh... wait... they are.
For the customer, this is an annoyance: they have to lodge a claim, be put out a bit by not having access to their account, and not have access to some funds for a while, until they get refunded.
For Microsoft, this is a very real loss of money, resources, and goodwill. Do you really think that if there was an easy solution, they wouldn't be looking into it?

For people who notice and report it, you're right, it's just weeks of inconvenience. But solutions don't have to be "easy" to be worthwhile.

What measures could have been taken?

What steps, please explain.

The same ones I've advocated in this thread repeatedly? Add a requirement to reauthorize the form of payment before allowing purchases from a new system, like PSN does, AND/OR require activation via the original email address before an account can be used on a new system, like Steam. In either case the profit motive disappears for hackers and 99% of the hacks would go away.

Additionally, they could have been proactive about warning the userbase that accounts were being targeted for fraud. Spending so long blaming "phishing scams" just gave everyone who knew enough not to fall for a phishing scam a false sense of security. They could have said 6 months ago, "We are tracking a concerning amount of hacking attempts on our valuable customers. For your protection and convenience we recommend all users change their passwords to comply with our new (XKCD comic style) standards. Please report any suspicious transactions at once so our crack security team can hunt down those responsible." That would have come across far better than pretending nothing was wrong and promoting their security checklist, which just implied all the victims must have been stupid.
 
The same ones I've advocated in this thread repeatedly? Add a requirement to reauthorize the form of payment before allowing purchases from a new system, like PSN does, AND/OR require activation via the original email address before an account can be used on a new system, like Steam. In either case the profit motive disappears for hackers and 99% of the hacks would go away.

That doesn't help if the hackers also have access to their e-mail, which isn't as unlikely as you may think. Requiring entering an authorization code from an SMS text message to a mobile phone would certainly be a lot more secure, but not everyone has access to a mobile phone, although most users probably do. I only got a mobile phone in the past year because service was cheaper than a landline.

Additionally, they could have been proactive about warning the userbase that accounts were being targeted for fraud. Spending so long blaming "phishing scams" just gave everyone who knew enough not to fall for a phishing scam a false sense of security. They could have said 6 months ago, "We are tracking a concerning amount of hacking attempts on our valuable customers. For your protection and convenience we recommend all users change their passwords to comply with our new (XKCD comic style) standards. Please report any suspicious transactions at once so our crack security team can hunt down those responsible." That would have come across far better than pretending nothing was wrong and promoting their security checklist, which just implied all the victims must have been stupid.

With absolutely zero insight into what is really happening you cannot discount phishing. Perhaps in the vast majority of cases where MS is investigating it, they are finding evidence of phishing.

But no, MS must be evil and must be deliberately misleading people. Perhaps they are, perhaps they aren't. It's always easy to lay on the accusations when you aren't dealing with it and know virtually no details about it except the random posts of a vocal minority on the internet who may or may not be telling the truth.

I had a customer of mine who got hacked absolutely refuse to acknowledge he had been taken in by a phishing scheme for the longest time because he didn't want someone to think he was stupid or gullible. He finally admitted to it when I was about to pull all my hair out of frustration trying to figure out how he got hacked.

But here's the thing. Just because someone got taken in by a phishing scheme does not mean they are stupid or gullible (thank you Internet "meme"s for making people feel that way, grrrr.). Some of them can be quite sophisticated.

Regards,
SB
 
That doesn't help if the hackers also have access to their e-mail, which isn't as unlikely as you may think. Requiring entering an authorization code from an SMS text message to a mobile phone would certainly be a lot more secure, but not everyone has access to a mobile phone, although most users probably do. I only got a mobile phone in the past year because service was cheaper than a landline.

If they have access to someone's primary email account they can profit a lot more directly by screwing with their Amazon, PayPal and/or banking accounts. In that case the circuitous path of buying FIFA DLC for resale probably isn't worth the time or the risk of detection.
 
If they have access to someone's primary email account they can profit a lot more directly by screwing with their Amazon, PayPal and/or banking accounts. In that case the circuitous path of buying FIFA DLC for resale probably isn't worth the time or the risk of detection.
Amazon requires you to re-enter credit card info if you change the delivery address. PayPal has ridiculously sensitive fraud detection (I know, mine has been hacked before, and they caught it in a single transaction; it also would not accept email as a method of auth at that point), and most banking accounts have two-factor auth, with the second factor being either unknown general knowledge, a text message to a cellphone, or a single-use code generator.

I agree with you that there are things MS can do to make security better, especially something like requiring a second factor when logging in from somewhere new. I'm absolutely certain the team is working on it, especially since Live ID is used by numerous MS services, and strengthening it is in everyone's interest.

But blaming MS for your being compromised is disingenuous, it's like blaming the car company for your injury because they didn't use full racing style seatbelts, when you weren't wearing a seatbelt at all at the time. If a user adheres to all the suggestions in the security page, they most likely wouldn't need all the extra factors, those really only help if the user has already failed at keeping their password secure.
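An added example (not the thread's own code, and not the mechanism of Xbox Live, PSN or Steam) of the new-device step-up rule argued over above: a correct password from an unrecognised console only earns a one-time challenge, standing in for the email link or SMS text, and purchases stay blocked until it is confirmed. Account storage, device identity and out-of-band delivery are all simulated in-process.

```python
"""Step-up authorization for logins from an unrecognised device.

Constructed illustration: the challenge code is returned to the caller
instead of being emailed or texted, so the flow can be exercised offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # assumption: any slow password KDF would do


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    trusted_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> one-time code


def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt))


def login(acct: Account, password: str, device_id: str):
    """Returns (status, code); status is 'denied', 'ok' or 'challenge'.

    A correct password from an unknown device earns only a challenge. The
    returned code stands in for the email link / SMS text the real system
    would send out of band, so a stolen password alone does not unlock
    purchases from a console the victim has never used.
    """
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied", None
    if device_id in acct.trusted_devices:
        return "ok", None
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[device_id] = code
    return "challenge", code


def confirm_device(acct: Account, device_id: str, code: str) -> bool:
    """Completes the challenge. The pending code is consumed whether the
    guess is right or wrong, so a six-digit code cannot be brute forced:
    a miss forces a fresh login and a fresh code."""
    expected = acct.pending.pop(device_id, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    acct.trusted_devices.add(device_id)
    return True


def can_purchase(acct: Account, device_id: str) -> bool:
    """Purchases (the profit motive the thread describes) require a trusted device."""
    return device_id in acct.trusted_devices
```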
 