Xbox Live Fraud Probed By Microsoft

Zonk posted more than 7 years ago | from the keeping-things-on-the-up-and-up dept.

The Internet 21

Several outlets are reporting on Microsoft's investigations into the possibility of hacking and fraud on the Xbox Live service. After customer service complaints, rumours of hacked accounts, and allegations of misused credit card information, C|Net reports that Microsoft has opened an investigation. At the very least, this will reassure frustrated customers. Kevin Finisterre has kept a log of his discussion with the 1-800-MY-XBOX folks and the service's ongoing problems. "Security researcher Kevin Finisterre was playing Halo on a recent night with several friends when some of their opponents threatened to steal their accounts, he said. 'Literally the next day my girl's account was locked out,' Finisterre wrote in an e-mail Tuesday. 'I received a message on my Xbox that said: "We are sorry we must log you out of Xbox Live because someone else is using your Gamertag."' The account was banned."

Rules of thumb (4, Insightful)

Recovering Hater (833107) | more than 7 years ago | (#18434579)

Just like the adage: if you can see it or hear it, you can copy it. If a network can be accessed, a network can be hacked.

Come soon WGA XBOX LIVE (4, Funny)

Joe The Dragon (967727) | more than 7 years ago | (#18434599)

How many lock outs are from false positives?

Method? (5, Interesting)

nbannerman (974715) | more than 7 years ago | (#18434621)

After wandering around the links, I came across the following website; []

And since they're charming people, I have no qualms about posting their method here;

Now you may be wondering HOW do we get your information? its easy, you call 18004myxbox pretend to be that person make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah you might get one little piece of information per call but then you keep calling and keep calling everytime getting a little bit more information every time. once you have enough information you can get the Pasword on the windows live ID Reset, they may tell you they cant but its bull shit. people at bungie CAN and WILL reset your password. believe me :)

So, sounds like a classic social engineering scheme, as opposed to 'hacking the system'. Even so, you have to wonder if phone reps really are giving out information, even if it is a small amount. Anyone tried getting information out of the phone reps yet?

Re:Method? (3, Interesting)

Astarica (986098) | more than 7 years ago | (#18435029)

I find that highly unlikely. Let's say the only thing you need to reset password is the name. How would you possibly ever get this information no matter how many times you called? Do you call them and say hi I'm the owner of this ID but I'm not sure what name I wrote down?

I have a hard time believing whoever at tech support would be so unprofessional that they'd give you identifying information needed to reset something when you cannot produce it. For example in EverQuest the tech support seems to use the first credit card used on the account to determine password resets for hacked accounts. I've never heard of anyone ever able to convince them to give the first credit card number used on the said account no matter how often you call. If you don't know the CC number, they simply won't reset it for you. Maybe you can find out some other interesting info about the account, but they should never give you the info that'd reset the account just because you pester them long enough.

Re:Method? (1)

nbannerman (974715) | more than 7 years ago | (#18435109)

I've heard of more likely things to be honest; but certainly combining a phish attempt with something like this isn't beyond the realms of impossibility. To offer my 2p, I called my bank once to change address and managed to guess my 'secret' password when the phone rep gave me a clue. To this day, I still don't remember what the secret originally was.

Re:Method? (1)

Astarica (986098) | more than 7 years ago | (#18435351)

If the question is 'what is your favorite color?' and you guessed 'blue' and it was right, that just meant someone picked a poor choice for a secret question. Doesn't sound like a security breach or any fancy social engineering is required. The quoted part made it sound like suppose we have the same question (what is your favorite color?), they'll eventually say something like 'sorry red was wrong because the answer is blue', and then you call next time and say it's blue. That to me sounds pretty improbable.

Re:Method? (0)

Anonymous Coward | more than 7 years ago | (#18439633)

It goes like this,

person: I lost my password to this Xbox my brother just gave me. What is it?
800live: I can't tell you that. Do you know the name on the account?
person: no, he bought it from a yard sale for me.
800live: What is the ID on the box? -- some codes are exchanged.
800live: this is owned by So-and-So, you will have to get him/her to change the password.
Person: ok thnks, bye

Nextcaller: i'm So-and-So, i've lost my password.
800live: Ok, what's your secret answer?
Nextcaller: huh? what are you talking about?
800live: the secret question/answer you filled out when activating the account.
Nextcaller: wow that was so long ago. I don't remember anything about it.
800live: it was about a favorite color.
Nextcaller: Hmm.. I'm going to have to think about this. I usually answer questions like that with a lie so someone who knows me cannot guess it. Is it blue? no- how about red.

Then repeat this several times until successful.

A security breach is where your interactions can compromise security. There is a finite probability of colors. It is just a matter of time before the right one is used. But it could be something other than color too. I just demonstrated how to get what the answer should look like from the operator.
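
The call-back loop in the dialogue above, modelled from the support desk's side, as an added example that is not part of this thread and not code from Microsoft or Bungie. The two desk classes, the attempt threshold, the lock window, the "so-and-so" account record, the colour list and the injectable clock are all constructed for the demo. The weak desk reproduces the policy the post describes (question topic handed to any caller, every call starts fresh); the hardened one counts failures per account rather than per call, locks the reset path after three misses, gives no hint before identity is proven, and answers every non-success with the same words:

```python
"""Account-recovery desk: the weak policy described in the thread beside a hardened one.

Added example, not code from the Slashdot thread, Microsoft or Bungie. Models a
phone-support password-reset flow as a small state machine so the effect of each
control (no hints, attempt counting per account across calls, uniform responses)
can be seen. All account data, names, thresholds and the clock are constructed.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record (hypothetical; no real account).
SAMPLE_ACCOUNTS = {
    "so-and-so": {"question": "favorite color", "answer": "blue"},
}

# The finite guess space the post points at: a short list exhausts
# a "favorite color" question once the topic is known.
COMMON_COLORS = ["red", "green", "yellow", "black", "white", "blue", "purple"]


def _digest(answer: str) -> bytes:
    """Normalise and hash the secret answer; the desk never keeps plaintext."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()


class WeakRecoveryDesk:
    """Policy the thread describes: the question topic is given to any caller,
    and each call starts with a clean slate, so guesses accumulate for free."""

    def __init__(self, accounts: Dict[str, dict]):
        self._answers = {tag: _digest(rec["answer"]) for tag, rec in accounts.items()}
        self._questions = {tag: rec["question"] for tag, rec in accounts.items()}

    def hint(self, gamertag: str) -> str:
        return self._questions[gamertag]  # leaks the topic to an unverified caller

    def verify(self, gamertag: str, guess: str) -> str:
        if hmac.compare_digest(self._answers[gamertag], _digest(guess)):
            return "reset"
        return "wrong answer, try again"  # no memory between calls


class HardenedRecoveryDesk:
    """Counts failures per account (not per call), locks the reset path after
    MAX_FAILURES for LOCK_SECONDS, gives no hint to unverified callers, and
    returns the same text for a wrong answer, an unknown tag and a locked account."""

    MAX_FAILURES = 3
    LOCK_SECONDS = 24 * 3600

    def __init__(self, accounts: Dict[str, dict], clock: Callable[[], float] = time.time):
        self._answers = {tag: _digest(rec["answer"]) for tag, rec in accounts.items()}
        self._clock = clock  # injectable so the lock window can be tested offline
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def hint(self, gamertag: str) -> Optional[str]:
        return None  # identity must be proven some other way before any hint

    def verify(self, gamertag: str, guess: str) -> str:
        now = self._clock()
        if self._locked_until.get(gamertag, 0.0) > now:
            return "unable to verify"  # same wording as a wrong answer
        stored = self._answers.get(gamertag)
        if stored is not None and hmac.compare_digest(stored, _digest(guess)):
            self._failures.pop(gamertag, None)
            return "reset"
        n = self._failures.get(gamertag, 0) + 1
        self._failures[gamertag] = n
        if n >= self.MAX_FAILURES:
            self._locked_until[gamertag] = now + self.LOCK_SECONDS
            self._failures.pop(gamertag, None)
        return "unable to verify"


def calls_until_reset(desk, gamertag: str, guesses: Iterable[str]) -> Optional[int]:
    """Replay the call-back loop from the thread: one guess per call.
    Returns how many calls it took, or None if the desk never resets."""
    for i, guess in enumerate(guesses, start=1):
        if desk.verify(gamertag, guess) == "reset":
            return i
    return None


if __name__ == "__main__":
    weak = WeakRecoveryDesk(SAMPLE_ACCOUNTS)
    print("weak desk hint:", weak.hint("so-and-so"))
    print("weak desk calls to reset:", calls_until_reset(weak, "so-and-so", COMMON_COLORS))
    hard = HardenedRecoveryDesk(SAMPLE_ACCOUNTS)
    print("hardened desk calls to reset:", calls_until_reset(hard, "so-and-so", COMMON_COLORS))
```

The point of keying the counter on the account is that hanging up and calling back, or reaching a different rep, does not reset it; the lock window is deliberately long enough that a legitimate owner notices and goes through a stronger recovery path instead.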

Re:Method? (1)

CRiMSON (3495) | more than 7 years ago | (#18444885)

Even better, I found, was to get very aggressive. Complain about how much money you've paid for the system and now you can't get back into your fucking Live account and this is bullshit, yadda yadda yadda...

Keep doing it and eventually you'll get a customer service rep who just wants you to go away and will give you whatever you want.

Didn't you read the post? (3, Informative)

SuperKendall (25149) | more than 7 years ago | (#18436073)

I find that highly unlikely. Let's say the only thing you need to reset password is the name. How would you possibly ever get this information no matter how many times you called? Do you call them and say hi I'm the owner of this ID but I'm not sure what name I wrote down?

Read the very post you responded to. The caller is asking exactly that, with the excuse that a brother or kid created the account with false info... in that context it sounds reasonable to ask what name they put on the account. I can easily see this tactic working.

Re:Method? (4, Interesting)

Frogbert (589961) | more than 7 years ago | (#18436171)

If you truly believe any of that I suggest you have a read through this []

Re:Method? (2, Informative)

j00r0m4nc3r (959816) | more than 7 years ago | (#18435359)

If this is real, what an incredibly stupid thing to do just to spite someone. It's completely traceable, and probably constitutes wire fraud [] which can maybe get you 20 years in federal pound-me-in-the-ass prison.

Re:Method? (3, Insightful)

Fonce (635723) | more than 7 years ago | (#18436877)

My question is this: why aren't they already in jail? This is a very simple matter...if someone can be tracked down for sharing music, surely they can be tracked down for mass credit card fraud, among many other charges.
It's simple: find out who they are from the ISPs (all of them involved, ever), arrest them all, and charge them with everything you can. Surely they'll get off with a comparably light sentence, but hopefully they'll get sentenced strongly enough that this won't happen again.
Why is it the laws regarding computers and the internet only hurt the good guys?

Re:Method? (1)

Spudtrooper (1073512) | more than 7 years ago | (#18437583)

After wandering around the links, I came across the following website; []
T3am Hazard, OWNS Infamous
all they do is steal accounts + fuck with peoples shit

T3am Hazard Will now Be Helping Bungie + Microsoft Help find ALL THOSE WHO STEAL ACCOUNTS ALL NAMES WILL BE ADDED WITH IPS SOON. -Jokerz

Uh, Slashdotted?

Please Sony ... Nintendo ... (1, Funny)

powerlord (28156) | more than 7 years ago | (#18434653)

... don't include this "feature" when you update your on-line to be more like XBox Live! :)

Same old story? (2, Interesting)

Xest (935314) | more than 7 years ago | (#18434683)

Accounts for all sorts from MMOs to bank accounts to ebay get hacked online, I'd argue however that MS has an even tougher job than usual here as console users are probably often even less security-literate than PC users.

I doubt this is much different from the trojans that target WoW accounts or the organised crime financed hackers that go for people's bank, paypal and ebay accounts.

Re:Same old story? (2)

fistfullast33l (819270) | more than 7 years ago | (#18434799)

I'd argue however that MS has an even tougher job than usual here as console users are probably often even less security-literate than PC users.

So your grandma is more computer literate than a gamer? Hmmm...I don't think so. Not to mention that while a PC is more of an open system (even MS Windows is more open than the console), the console is definitely a little harder to break into as it doesn't allow the user to have administrative rights as easily, especially for downloadable content from a store like Arcade, PSN, or whatever the Wii one is (can't remember).

Check the PCs (2, Informative)

ewhac (5844) | more than 7 years ago | (#18434723)

XBox Live can be accessed both from within the XBox (obviously), and also over the Web. You use the same password for both. It therefore seems most probable that they either obtained some malware that harvested their passwords, or that they got phished. Wipe and reinstall the PCs -- preferably with Linux -- and negotiate with Microsoft to have the passwords changed and reputation restored. After the machine is cleaned, change all passwords on all other sites as well.

It is highly improbable that Microsoft's servers were compromised. Administering their own network is one of the few things they do relatively well.
Re:Check the PCs (1, Redundant)

stratjakt (596332) | more than 7 years ago | (#18434883)

No, just social engineering. Calling support, saying "I'm so and so and I forgot my password. I don't have the credit card my mom paid.. blah blah"

Re:Check the PCs (1)

Sibko (1036168) | more than 7 years ago | (#18435541)

You don't use the same password for both. To log onto xboxlive you have to enter a 4 digit code based off the buttons on your controller. Your live ID password is entered using a keyboard when you log into microsoft stuff online - hotmail,,, etc.

Re:Check the PCs (0)

Anonymous Coward | more than 7 years ago | (#18436161)

When you initially set up your Live account you link it to the Live password by entering it through the on-screen keyboard. Having a 4 digit code is optional and if you don't have one, you will just automatically be logged in.

Live website (1)

Salamande (461392) | more than 7 years ago | (#18435197)

As of this moment, is having all sorts of problems. Wonder if it's related...

I just hope I'll be able to download Symphony of the Night when I get home.