Hackers Targeting Xbox Live 136
darthcamaro writes "Windows isn't the only piece of Microsoft technology that hackers are attacking anymore. During a presentation at the SecTor security conference in Toronto, a Facetime security researcher revealed numerous methods by which Xbox users are being hacked today. 'Though the Xbox doesn't have the number one market share, it is the top target for hackers,' Boyd said. 'Xbox Live has 17 million plus subscribers, and that service requires payment.'"
Same old MS (Score:4, Informative)
According to Boyd, the friend request DoS has been minimized in recent months as a result of Microsoft actions. Microsoft has now limited the number of friend requests a user can send, so there is now a time delay that mitigates the DoS risk.
Not if the attacker is using a botnet, unless TFA means the number of friend requests a user can receive.
One way that attackers enumerate their targets is by way of information that is easily publicly accessible. Xbox users gain points during gameplay, which leads to a gamerscore metric. The higher the gamerscore, the more valuable the gamer account. Boyd noted there is no easy way to keep a gamerscore private.
"If you go into the Xbox privacy settings, you can't block the gamerscore," Boyd said. "All you can do is hide your list of most recently played games."
Boyd added that sites like Mygamercard.net promote users' gamerscores, in effect painting a big target for attackers.
Typical, and depressing.
Phishing, not Hacking (Score:5, Informative)
Don't be confused. They're not hacking your hardware or the Xbox Live servers. They're using social engineering and any publicly available information (courtesy of things users choose to divulge in their profiles) to attempt to get passwords.
Big difference between hacking & phishing. Moreover, there's nothing particularly unique to the XBox Live service & this phishing, either.
Re:Top target? (Score:2, Informative)
Microsoft bashing is all fun and good, but at least think a little bit about what you've written before posting.
Happened to me (Score:5, Informative)
My account was stolen. It sucked. It took me months and way, way too many phone calls to get it back. The asshole who hacked it had changed so much information, including the gamertag, that they didn't even want to talk to me on the phone at first. Xbox customer support is absolute shit. Their reps are totally unhelpful, refusing to deviate from the script despite the fact that "account stolen" is apparently not in the script. There was not one that I called that was comprehensible in English.
Oh and this whole thing started because I found over $100 worth of Xbox points charged to my credit card. To this day I have no idea whether that person actually got my CC number or figured out how to charge without it. I executed a chargeback on that $100, and have yet to see another fraudulent charge.
Re:Top target? (Score:2, Informative)
Not really right, no.
Xbox does have the number one market share in active online players (excluding the PC "open market"). Especially notable considering the annual fee.
Nintendo has the number one share in consoles currently sold. Online support on the Wii is basically neutered by the friend code system. Many games don't even try to do online multiplayer, and no financial information is stored on the system or your "profile" which really isn't a profile in the same sense.
TFA is pretty vanilla on the details and doesn't offer much new information to anyone actually familiar with XBL. DoS attacks are hardly a surprise for Microsoft, and mainly it's social engineering. That's so old news the Major Nelson podcast practically includes a weekly disclaimer now, that giving out your password is always a scam. But a kid looking for $50 of free purchasing points may be willing to take the chance.
Re:Top target? (Score:2, Informative)
Re:Everything is said. (Score:4, Informative)
I would like it to be true that it's not driven by weaknesses and vulnerabilities in Microsoft's Windows driven network.
According to TFA, most attacks are from phishing, but Microsoft makes the phishing easy by putting your CC info where everyone can see it. They say you should lie on your user page.
Re:SOCIAL ENGINEERING IS NOT HACKING (Score:3, Informative)
Cheating is rampent on Xbox live. So is the ban hammer.
As an ultimate punishment, MS can disable one's entire Xbox live account. Worst case, that costs the cheater $$. Or of course they have a huge supply of 48 hour free trial gold cards, but then they have to spend their free time hunting additional 48 hour free trial gold cards. :P
Most cheats for Xbox live games are fairly low tech. Purposefully inducing lag spikes, crap like that.
Re:Top target? (Score:3, Informative)
It's possible to only buy Nintendo Points cards, too
This is true of Xbox Live as well. You can subscribe and have your credit card charged automatically, but you can also survive on membership/points cards that you buy at the corner store instead.
Re:Same old MS (Score:4, Informative)
As the owner/founder of MyGamerCard [mygamercard.net], I hope that you're not claiming it's typical or depressing that I run a service that organizes gamers by their GamerScore?
MGC exists primarily to allow people to share their GamerCard (i.e. their gaming history) with friends. In addition, the stats I collect are used to foster competition and for personal tracking. The Leaderboards (which organize gamers by their score) are to incite people to play more and induce curiosity; I do not promote or condone any illegal activity.
Apologies if I'm being overly defensive or reading too much into your quote.. just seems that every six months or so, something comes around about GamerScore, and MGC gets thrown in the middle like it's intentionally trying to cater to idiots.