
Xbox Live Fraud Probed By Microsoft

Posted by Zonk
from the keeping-things-on-the-up-and-up dept.
Several outlets are reporting on Microsoft's investigations into the possibility of hacking and fraud on the Xbox Live service. After customer service complaints, rumours of hacked accounts, and allegations of mis-used credit card information, C|Net reports that Microsoft has opened an investigation. At the very least, this will reassure frustrated customers. Kevin Finisterre has kept a log of his discussion with the 1-800-MY-XBOX folks and the service's ongoing problems. "Security researcher Kevin Finisterre was playing Halo on a recent night with several friends when some of their opponents threatened to steal their accounts, he said. 'Literally the next day my girl's account was locked out,' Finisterre wrote in an e-mail Tuesday. 'I received a message on my Xbox that said: "We are sorry we must log you out of Xbox Live because someone else is using your Gamertag."' The account was banned."
  • Rules of thumb (Score:5, Insightful)

    by Recovering Hater (833107) on Wednesday March 21, 2007 @05:03PM (#18434579)
    Just like the adage: if you can see it or hear it, you can copy it; if a network can be accessed, a network can be hacked.
  • by Joe The Dragon (967727) on Wednesday March 21, 2007 @05:04PM (#18434599)
    How many lock outs are from false positives?
  • Method? (Score:5, Interesting)

    by nbannerman (974715) on Wednesday March 21, 2007 @05:05PM (#18434621)
    After wandering around the links, I came across the following website; http://www.oinfam0uso.moonfruit.com/ [moonfruit.com]

    And since they're charming people, I have no qualms about posting their method here;

    Now you may be wondering HOW do we get your information? It's easy: you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah. You might get one little piece of information per call, but then you keep calling and keep calling, every time getting a little bit more information. Once you have enough information you can get the Password on the Windows Live ID reset; they may tell you they can't, but it's bull shit. People at Bungie CAN and WILL reset your password. Believe me :)

    So, sounds like a classic social engineering scheme, as opposed to 'hacking the system'. Even so, you have to wonder if phone reps really are giving out information, even if it is a small amount. Anyone tried getting information out of the phone reps yet?
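The method quoted above only works against a reset flow that confirms or denies one detail at a time across calls. As an added example (not code from this thread, from Microsoft or from Bungie), here is a Python model of a support-desk verification policy that closes that gap: all factors are checked together in one call, the rep receives one of three scripted replies that never name a field, failed attempts are counted per account across calls, and a third miss freezes recovery and escalates it for review. All names, field choices, thresholds and sample data are hypothetical.

```python
"""Support-desk recovery verification that does not leak one field per call.

Added example, not from the Slashdot thread or from Microsoft/Bungie: a
model of the controls a phone-support password-reset script needs so that
a "call back and learn a little more each time" caller gets nothing.
All names, field choices, thresholds and sample data are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 3  # hypothetical: freeze recovery after this many misses

# The only things a rep may say about verification; none of them names a field.
VERIFIED_MSG = "Thank you, the account has been verified."
DENIED_MSG = "We were unable to verify the account with the details provided."
FROZEN_MSG = "Account recovery is temporarily unavailable for this account."


def _norm(value: str) -> str:
    """Normalise caller input so 'Jane  Example' and 'jane example' compare equal."""
    return " ".join(value.strip().lower().split())


def _digest(value: str) -> bytes:
    return hashlib.sha256(_norm(value).encode("utf-8")).digest()


@dataclass
class Account:
    gamertag: str
    holder_name: str      # name on the account
    card_last4: str       # last four digits of the first card used on the account
    secret_answer: str
    failed_attempts: int = 0
    recovery_frozen: bool = False


@dataclass
class AuditLog:
    """Every verification outcome is recorded, so repeated partial attempts
    against one account show up as a pattern for fraud review."""
    events: List[str] = field(default_factory=list)

    def record(self, event: str) -> None:
        self.events.append(event)


def verify_caller(account: Account, claimed_name: str, claimed_last4: str,
                  claimed_answer: str, log: AuditLog) -> str:
    """Check all factors in one call and return one of the scripted messages.

    The rep never learns (and so cannot say) which factor was wrong: every
    check runs to completion and only the combined result is used.
    """
    if account.recovery_frozen:
        log.record(f"{account.gamertag}: recovery frozen, verification refused")
        return FROZEN_MSG
    checks = [
        hmac.compare_digest(_digest(claimed_name), _digest(account.holder_name)),
        hmac.compare_digest(_digest(claimed_last4), _digest(account.card_last4)),
        hmac.compare_digest(_digest(claimed_answer), _digest(account.secret_answer)),
    ]
    if all(checks):
        account.failed_attempts = 0
        log.record(f"{account.gamertag}: caller verified")
        return VERIFIED_MSG
    account.failed_attempts += 1
    log.record(f"{account.gamertag}: verification failed "
               f"({account.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.recovery_frozen = True
        log.record(f"{account.gamertag}: recovery frozen, escalated to fraud review")
    return DENIED_MSG


def sample_account() -> Account:
    """Constructed sample data; not a real account."""
    return Account(gamertag="ExampleTag", holder_name="Jane Example",
                   card_last4="4242", secret_answer="blue")


def simulate_incremental_calls(account: Account, log: AuditLog) -> List[str]:
    """Three calls that each get only one factor right. With per-field feedback
    each call would confirm one field; here every call gets the same denial
    and the third one freezes recovery."""
    calls = [
        ("Jane Example", "0000", "green"),   # name right, rest wrong
        ("J. Doe", "4242", "green"),         # card right, rest wrong
        ("J. Doe", "0000", "blue"),          # answer right, rest wrong
    ]
    return [verify_caller(account, *c, log) for c in calls]


if __name__ == "__main__":
    acct, log = sample_account(), AuditLog()
    for msg in simulate_incremental_calls(acct, log):
        print(msg)
    print(verify_caller(acct, "Jane Example", "4242", "blue", log))  # frozen by now
    print("\n".join(log.events))
```

The point of the design is that the denial message and the audit trail are the only outputs: a caller who has one correct detail gets exactly the same reply as one who has none, and the third failed attempt on the same account freezes recovery even if the later call would have been fully correct, which is what forces a human review rather than a fourth try.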
    • Re:Method? (Score:4, Interesting)

      by Astarica (986098) on Wednesday March 21, 2007 @05:33PM (#18435029)
      I find that highly unlikely. Let's say the only thing you need to reset password is the name. How would you possibly ever get this information no matter how many times you called? Do you call them and say hi I'm the owner of this ID but I'm not sure what name I wrote down?

      I have a hard time believing whoever at tech support would be so unprofessional that they'd give you identifying information needed to reset something when you cannot produce it. For example in EverQuest the tech support seems to use the first credit card used on the account to determine password resets for hacked accounts. I've never heard of anyone ever able to convince them to give the first credit card number used on the said account no matter how often you call. If you don't know the CC number, they simply won't reset it for you. Maybe you can find out some other interesting info about the account, but they should never give you the info that'd reset the account just because you pester them long enough.
      • I've heard of more likely things to be honest; but certainly combining a phish attempt with something like this isn't beyond the realms of impossibility. To offer my 2p, I called my bank once to change address and managed to guess my 'secret' password when the phone rep gave me a clue. To this day, I still don't remember what the secret originally was.
        • by Astarica (986098)
          If the question is 'what is your favorite color?' and you guessed 'blue' and it was right, that just meant someone picked a poor choice for a secret question. Doesn't sound like a security breach or any fancy social engineering is required. The quoted part made it sound like suppose we have the same question (what is your favorite color?), they'll eventually say something like 'sorry red was wrong because the answer is blue', and then you call next time and say it's blue. That to me sounds pretty improba
      • by SuperKendall (25149) on Wednesday March 21, 2007 @06:47PM (#18436073)
        I find that highly unlikely. Let's say the only thing you need to reset password is the name. How would you possibly ever get this information no matter how many times you called? Do you call them and say hi I'm the owner of this ID but I'm not sure what name I wrote down?

        Read the very post you responded to. The caller is asking exactly that, with the excuse that a brother or kid created the account with false info... in that context it sounds reasonable to ask what name they put on the account. I can easily see this tactic working.

      • Re:Method? (Score:5, Interesting)

        by Frogbert (589961) on Wednesday March 21, 2007 @06:56PM (#18436171)
        If you truly believe any of that I suggest you have a read through this [zug.com]
    • Re: (Score:3, Informative)

      by j00r0m4nc3r (959816)
      If this is real, what an incredibly stupid thing to do just to spite someone. It's completely traceable, and probably constitutes wire fraud [wikipedia.org] which can maybe get you 20 years in federal pound-me-in-the-ass prison.
    • Re: (Score:3, Insightful)

      by Fonce (635723)
      My question is this: why aren't they already in jail? This is a very simple matter...if someone can be tracked down for sharing music, surely they can be tracked down for mass credit card fraud, among many other charges.

      It's simple: find out who they are from the ISPs (all of them involved, ever), arrest them all, and charge them with everything you can. Surely they'll get off with a comparably light sentence, but hopefully they'll get sentenced strongly enough that this won't happen again.
    • After wandering around the links, I came across the following website; http://www.oinfam0uso.moonfruit.com/ [moonfruit.com]

      FTFS:

      THIS SITE HAS BEEN TAKEN OVER
      T3am Hazard, OWNS Infamous
      all they do is steal accounts + fuck with peoples shit

      T3am Hazard Will now Be Helping Bungie + Microsoft Help find ALL THOSE WHO STEAL ACCOUNTS ALL NAMES WILL BE ADDED WITH IPS SOON. -Jokerz

      Uh, Slashdotted?

  • ... don't include this "feature" when you update your on-line to be more like XBox Live! :)
  • Same old story? (Score:3, Interesting)

    by Xest (935314) * on Wednesday March 21, 2007 @05:09PM (#18434683)
    Accounts for all sorts from MMOs to bank accounts to ebay get hacked online, I'd argue however that MS has an even tougher job than usual here as console users are probably often even less security-literate than PC users.

    I doubt this is much different from the trojans that target WoW accounts or the organised crime financed hackers that go for people's bank, paypal and ebay accounts.
    • I'd argue however that MS has an even tougher job than usual here as console users are probably often even less security-literate than PC users.

      So your grandma is more computer literate than a gamer? Hmmm...I don't think so. Not to mention that while a PC is more of an open system (even MS Windows is more open than the console), the console is definitely a little harder to break into as it doesn't allow the user to have administrative rights as easily, especially for downloadable content from a store like
  • Check the PCs (Score:3, Informative)

    by ewhac (5844) on Wednesday March 21, 2007 @05:11PM (#18434723) Homepage Journal
    XBox Live can be accessed both from within the XBox (obviously), and also over the Web. You use the same password for both. It therefore seems most probable that they either obtained some malware that harvested their passwords, or that they got phished. Wipe and reinstall the PCs -- preferably with Linux -- and negotiate with Microsoft to have the passwords changed and reputation restored. After the machine is cleaned, change all passwords on all other sites as well.

    It is highly improbable that Microsoft's servers were compromised. Administering their own network is one of the few things they do relatively well.

    Schwab

    • Re: (Score:1, Redundant)

      by stratjakt (596332)
      No, just social engineering. Calling support, saying "I'm so and so and I forgot my password. I don't have the credit card my mom paid.. blah blah"

    • by Sibko (1036168)
      You don't use the same password for both. To log onto xboxlive you have to enter a 4 digit code based off the buttons on your controller. Your live ID password is entered using a keyboard when you log into microsoft stuff online - hotmail, bungie.net, xbox.com, etc.
  • As of this moment, live.xbox.com is having all sorts of problems. Wonder if it's related...

    I just hope I'll be able to download Symphony of the Night when I get home.
