Potential Xbox Live hacking related to FIFA 12


I'm surprised they said "up to"; reading the GAF thread had me thinking that this was the minimum time it would take. Which seems about how long it took for MSFT to unfreeze my account some years ago simply because my card had expired (even though I was many months away from renewing Live AND there were other cards attached to the account)... Not to mention that when being billed for most of the MSFT services it normally takes a month before the charge actually hits my bank account, meaning that even though I just renewed and got the email that I had renewed, I don't expect the money to come out of my account until early December...

I would say that MSFT has pretty shitty customer service in these regards. When you can get eastmen to think about canceling Live and selling the console, you have seriously fucked up your social contract with your customers.
 
I wish the problem was getting more coverage in the mainstream press, but that article is mostly repeating Microsoft's blame the victim PR strategy.
 
It cites a phishing case, but does not explicitly conclude that all the recent XBL hacks are due to phishing.

Ask eastmen if he was hit by a phishing scam. ^_^
He is one of the victims.

Until someone can come up with a total $$$ loss, the press may go after other bigger news. The only reported figure is the average theft amount. Article says average is £100. People on GAF seem to lose about US$100+ per incident.
 
It's likely not getting press because it's just a case of coincidence.

You do realize a coincidence, by definition, requires two or more things to coincide? :eyeroll:

My Live account was hacked. It followed the exact MO that is being so commonly reported. I can say with certainty I was not phished. I was not social'd.
 
How exactly do you know you weren't? They won't send a notice in your email. It could be someone you know.
 
How exactly do you know you weren't? They won't send a notice in your email. It could be someone you know.

1. Social attacks almost always involve getting the password reset. Usually they've also compromised the attached email account as well. That did not happen. I was able to regain control of my account with minimal damage because the password wasn't changed. But let's assume for a second I was social'd. Does that mean impostors can convince MS to give out passwords over the phone or in an email? That's even more disturbing than MS being hacked!

2. Someone I know? I don't know anyone in Eastern Europe who has tried to wheedle my password out of me (let alone succeeded).

3. Actually, phishing does usually involve an email. I don't follow links in emails to log in to services. I'm also not so foolish as to believe a suspicious offer of free MS points.

As far as I can tell, my account was compromised in one of four ways. My password was originally a shared, low-security password used when I created my account for Games for Windows Live. I made the mistake of not upgrading it to a stronger, unique password when my MS Live account became associated with my gamertag and a credit card ended up attached to it. So it's possible the password was stolen from a third party and used to access my Live account. For the record, the password was not exposed in any of the recent high-profile hacks, including PSN and Gawker.

Second, a virus or other piece of malware infected my computer and logged my credentials. If this was the case it has never been detected by AVG or Spybot and the information gathered has never been used to compromise any of my other accounts (paypal, amazon, google, my bank...).

Third, my password was short enough to have been brute forced. This would require a flaw in Microsoft's security apparatus that is supposed to detect and prevent such attacks. But the password, while alphanumeric and considered relatively secure when it was originally created, was only 8 characters long and should be breakable.

Fourth, there is an undisclosed or undiscovered flaw in Xbox Live's security that allows hackers to discover a password or hijack an account without needing one.
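The third possibility above assumes the service's own systems should catch online password guessing, and the first assumes a password reused from some third-party site. As an added example (not from this thread, and not Microsoft's code), this is the kind of detection a service would run over its own authentication log to flag both patterns, plus the case described here: a login that succeeds from an already-suspicious source without the password ever being reset. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not real Xbox Live data):
# "<ISO time> <FAIL|OK> user=<gamertag> src=<client ip>"
SAMPLE_LOG = """\
2011-11-20T10:00:01 FAIL user=alice src=198.51.100.7
2011-11-20T10:00:03 FAIL user=alice src=198.51.100.7
2011-11-20T10:00:05 FAIL user=alice src=198.51.100.7
2011-11-20T10:00:07 FAIL user=alice src=198.51.100.7
2011-11-20T10:00:09 FAIL user=alice src=198.51.100.7
2011-11-20T10:00:11 OK user=alice src=198.51.100.7
2011-11-20T10:01:00 FAIL user=bob src=203.0.113.9
2011-11-20T10:01:02 FAIL user=carol src=203.0.113.9
2011-11-20T10:01:04 FAIL user=dave src=203.0.113.9
2011-11-20T10:01:06 OK user=erin src=203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log):
    """Parse log lines into (time, result, user, src) tuples; malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out

def detect(events, window=timedelta(minutes=10), fail_limit=5, spread_limit=3):
    """Return sorted alert strings. brute_force: >= fail_limit failures on one account inside
    the window; stuffing: one source failing on >= spread_limit distinct accounts (a reused
    password list); success_after_failures: a flagged source then logs in, i.e. takeover with no reset."""
    alerts, user_fails, src_fails, bad_src = set(), defaultdict(list), defaultdict(list), set()
    for t, result, user, src in sorted(events):
        if result == "FAIL":
            user_fails[user].append(t)
            src_fails[src].append((t, user))
            recent = [x for x in user_fails[user] if t - x <= window]
            if len(recent) >= fail_limit:
                alerts.add(f"brute_force user={user} src={src}")
                bad_src.add(src)
            targets = {u for x, u in src_fails[src] if t - x <= window}
            if len(targets) >= spread_limit:
                alerts.add(f"stuffing src={src} accounts={len(targets)}")
                bad_src.add(src)
        elif src in bad_src:
            alerts.add(f"success_after_failures user={user} src={src}")
    return sorted(alerts)
```

A real deployment would add a lockout or step-up challenge when a source is flagged; here the alerts are only returned so the logic can be checked against the sample.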
 
The important question is: does MS know or not?

EDIT: Insisting that it's only due to phishing may not be convincing since we have tech savvy victims claiming that they were not phished.
 
Are you for real? Read your last post.

The one in which I enumerated a number of theoretical possibilities of how an account might be compromised, some of which involve a compromise on Microsoft's end, and some of which don't? That post?
 
So they are categorically claiming phishing, which would mean everyone compromised would have had to have given out their details. Short of a spoof Live website, I don't find that a very convincing argument. There should be another antispyware and internet feedback to prevent such a site operating for too long. If the 'hacks' are still ongoing, the site should be findable.
 
Phishing doesn't just sit on one site; if it works they will keep moving it around and giving it a new look.

For example, I get an average of 20 phishing attempts a month through email for my WoW account (and I haven't even played in 18 months). They use official-looking Blizzard account names that are usually one letter off and always trace back to China.

I've seen a lot of free MS point offers around, I don't know how many of them are real or just phishing, but I doubt you're just looking at one guy/site.
 
But they should be easily identifiable. That is, unless everyone getting spoofed is naive and is giving out their details and hasn't got security, there should be plenty of people getting spoof emails or visiting spoof sites and being aware of it and able to report. I'd expect to hear comments like, "I've been taken to Live spoof websites a couple of times," or, "Yeah, I had an email from 'MS Live' but its link was some wonky website. There's definitely someone phishing." Without reports of phishing similar to your WoW example, there's a lack of evidence supporting that theory. I'm not saying it's untrue, but there should be more support for that theory than just "phishing happens, and MS says so". At the moment, all I'm seeing are assertions on both sides without any supporting evidence.
 
1. Social attacks almost always involve getting the password reset. Usually they've also compromised the attached email account as well. That did not happen. I was able to regain control of my account with minimal damage because the password wasn't changed. But let's assume for a second I was social'd. Does that mean impostors can convince MS to give out passwords over the phone or in an email? That's even more disturbing than MS being hacked!

No it isn't. The scale of the problem would be completely different.

I don't believe that these compromised accounts are the result of a hack, because if this were the case and MS didn't inform all of the affected users (some of whom may still not be aware that their information is vulnerable), would they not be indemnifying themselves for the resulting damages and then some, as well as setting themselves up for even worse damage to consumers' confidence in them than if they just came out and admitted there was an issue?

That being said, they are doing a poor job of convincing the public that they are on top of the issue. The continued uncertainty over the nature of the issue they are having is completely their fault. As I've said before, they need to make someone available for an interview or to otherwise answer questions as to why they believe that the issue is caused by phishing attacks and why it cannot have been the result of a hack.
 