Slashdot Mirror


Xbox Live Fraud Probed By Microsoft

Several outlets are reporting on Microsoft's investigation into possible hacking and fraud on the Xbox Live service. After customer service complaints, rumours of hacked accounts, and allegations of misused credit card information, C|Net reports that Microsoft has opened an investigation. At the very least, this will reassure frustrated customers. Kevin Finisterre has kept a log of his discussion with the 1-800-MY-XBOX folks and the service's ongoing problems. "Security researcher Kevin Finisterre was playing Halo on a recent night with several friends when some of their opponents threatened to steal their accounts, he said. 'Literally the next day my girl's account was locked out,' Finisterre wrote in an e-mail Tuesday. 'I received a message on my Xbox that said: "We are sorry we must log you out of Xbox Live because someone else is using your Gamertag."' The account was banned."

21 comments

  1. Rules of thumb by Recovering+Hater · · Score: 4, Insightful

    Just like the adage: if you can see it or hear it, you can copy it. If a network can be accessed, a network can be hacked.

    --
    My humor is probably your flamebait
  2. Come soon WGA XBOX LIVE by Joe+The+Dragon · · Score: 4, Funny

    How many lock outs are from false positives?

  3. Method? by nbannerman · · Score: 5, Interesting

    After wandering around the links, I came across the following website; http://www.oinfam0uso.moonfruit.com/

    And since they're charming people, I have no qualms about posting their method here;

    Now you may be wondering HOW we get your information? It's easy: you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah. You might get one little piece of information per call, but then you keep calling and keep calling, every time getting a little bit more information. Once you have enough information you can get the password on the Windows Live ID reset. They may tell you they can't, but it's bullshit. People at Bungie CAN and WILL reset your password. Believe me :)

    So, sounds like a classic social engineering scheme, as opposed to 'hacking the system'. Even so, you have to wonder if phone reps really are giving out information, even if it is a small amount. Anyone tried getting information out of the phone reps yet?

    1. Re:Method? by Astarica · · Score: 3, Interesting

      I find that highly unlikely. Let's say the only thing you need to reset the password is the name. How would you possibly ever get this information, no matter how many times you called? Do you call them and say, "Hi, I'm the owner of this ID but I'm not sure what name I wrote down"?

      I have a hard time believing whoever at tech support would be so unprofessional that they'd give you the identifying information needed to reset something when you cannot produce it. For example, in EverQuest the tech support seems to use the first credit card used on the account to determine password resets for hacked accounts. I've never heard of anyone ever able to convince them to give the first credit card number used on said account, no matter how often you call. If you don't know the CC number, they simply won't reset it for you. Maybe you can find out some other interesting info about the account, but they should never give you the info that'd reset the account just because you pester them long enough.

    2. Re:Method? by nbannerman · · Score: 1

      I've heard of more likely things to be honest; but certainly combining a phish attempt with something like this isn't beyond the realms of impossibility. To offer my 2p, I called my bank once to change address and managed to guess my 'secret' password when the phone rep gave me a clue. To this day, I still don't remember what the secret originally was.

    3. Re:Method? by Astarica · · Score: 1

      If the question is 'what is your favorite color?' and you guessed 'blue' and it was right, that just meant someone picked a poor choice for a secret question. Doesn't sound like a security breach or any fancy social engineering is required. The quoted part made it sound like suppose we have the same question (what is your favorite color?), they'll eventually say something like 'sorry red was wrong because the answer is blue', and then you call next time and say it's blue. That to me sounds pretty improbable.

    4. Re:Method? by j00r0m4nc3r · · Score: 2, Informative

      If this is real, what an incredibly stupid thing to do just to spite someone. It's completely traceable, and probably constitutes wire fraud, which can maybe get you 20 years in federal pound-me-in-the-ass prison.

    5. Re:Method? by Frogbert · · Score: 4, Interesting

      If you truly believe any of that, I suggest you have a read through this

    6. Re:Method? by Fonce · · Score: 3, Insightful

      My question is this: why aren't they already in jail? This is a very simple matter... if someone can be tracked down for sharing music, surely they can be tracked down for mass credit card fraud, among many other charges.

      It's simple: find out who they are from the ISPs (all of them involved, ever), arrest them all, and charge them with everything you can. Surely they'll get off with a comparably light sentence, but hopefully they'll get sentenced strongly enough that this won't happen again.

      Why is it the laws regarding computers and the internet only hurt the good guys?

      --
      If all my base are belong to you and I attempt to retrieve my base, does that mean I'm freebasing?
    7. Re:Method? by Spudtrooper · · Score: 1

      After wandering around the links, I came across the following website; http://www.oinfam0uso.moonfruit.com/

      FTFS:

      THIS SITE HAS BEEN TAKEN OVER
      T3am Hazard, OWNS Infamous
      all they do is steal accounts + fuck with peoples shit

      T3am Hazard Will now Be Helping Bungie + Microsoft Help find ALL THOSE WHO STEAL ACCOUNTS ALL NAMES WILL BE ADDED WITH IPS SOON. -Jokerz

      Uh, Slashdotted?
    8. Re:Method? by Anonymous Coward · · Score: 0

      It goes like this,

      person: I lost my password to this Xbox my brother just gave me. What is it?
      800live: I can't tell you that. Do you know the name on the account?
      person: No, he bought it from a yard sale for me.
      800live: What is the ID on the box? -- some codes are exchanged.
      800live: This is owned by So-and-So; you will have to get him/her to change the password.
      person: OK, thanks, bye.

      Nextcaller: I'm So-and-So, I've lost my password.
      800live: OK, what's your secret answer?
      Nextcaller: Huh? What are you talking about?
      800live: The secret question/answer you filled out when activating the account.
      Nextcaller: Wow, that was so long ago. I don't remember anything about it.
      800live: It was about a favorite color.
      Nextcaller: Hmm... I'm going to have to think about this. I usually answer questions like that with a lie so someone who knows me cannot guess it. Is it blue? No? How about red.

      Then repeat this several times until successful.

      A security breach is where your interactions can compromise security. There is a finite probability of colors. It is just a matter of time before the right one is used. But it could be something other than color too. I just demonstrated how to get what the answer should look like from the operator.
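
The exchange above, replayed as an added example that is not part of the thread and not Microsoft's or Bungie's procedure: a simulated help desk that behaves as the dialogue describes, beside one with assumed countermeasures (no owner lookup from a console ID, no hint about the secret question, a one-time code sent to the address on file required alongside the answer, and a lockout after three failures). The account record, the colour list, the `LeakyDesk`/`HardenedDesk` classes and the `attack` function are all constructed for the example.

```python
"""Simulated account-recovery help desk: the leaky policy the thread describes
beside a hardened one, with the caller's script replayed against both.
Added example with constructed data; not Microsoft's or Bungie's procedures."""
import hmac

# Constructed sample account (not real data).
ACCOUNT = {
    "console_id": "CONSOLE-0001",
    "owner": "So-and-So",
    "question": "favorite color",
    "answer": "green",
}

# Constructed guess list: the finite answer space the caller walks through.
COLORS = ["blue", "red", "green", "yellow", "black", "white", "purple", "orange"]


def _eq(a, b):
    """Constant-time comparison; hygiene for any secret check, not the point here."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


class LeakyDesk:
    """The behaviour in the dialogue above: discloses the owner behind a console
    ID, names the secret question when the caller 'forgets' it, and accepts an
    unlimited number of wrong answers."""

    def __init__(self, account):
        self.acct = account
        self.calls = 0
        self.locked = False  # never locks

    def owner_of(self, console_id):
        self.calls += 1
        return self.acct["owner"] if _eq(console_id, self.acct["console_id"]) else None

    def reset(self, claimed_owner, answer=None, code=None):
        self.calls += 1
        if not _eq(claimed_owner, self.acct["owner"]):
            return {"ok": False, "hint": None, "locked": False}
        if answer is not None and _eq(answer, self.acct["answer"]):
            return {"ok": True, "hint": None, "locked": False}
        # Wrong or missing answer: the rep 'helps' by naming the question.
        return {"ok": False, "hint": self.acct["question"], "locked": False}


class HardenedDesk:
    """Assumed countermeasures: no owner lookup from a device ID, no hint about
    the question, a one-time code sent to the address on file (which the caller
    cannot read) required with the answer, and a lockout after MAX_ATTEMPTS
    failures so a small answer space cannot be enumerated one call at a time."""

    MAX_ATTEMPTS = 3

    def __init__(self, account, mailed_code):
        self.acct = account
        self.mailed_code = mailed_code
        self.calls = 0
        self.failures = 0
        self.locked = False

    def owner_of(self, console_id):
        self.calls += 1
        return None  # never confirm who holds an account

    def reset(self, claimed_owner, answer=None, code=None):
        self.calls += 1
        if self.locked:
            return {"ok": False, "hint": None, "locked": True}
        ok = (answer is not None and code is not None
              and _eq(claimed_owner, self.acct["owner"])
              and _eq(answer, self.acct["answer"])
              and _eq(code, self.mailed_code))
        if ok:
            return {"ok": True, "hint": None, "locked": False}
        self.failures += 1
        self.locked = self.failures >= self.MAX_ATTEMPTS
        return {"ok": False, "hint": None, "locked": self.locked}


def attack(desk, console_id, guesses, known_owner=None):
    """Replays the two-stage script: learn the owner's name from the console ID
    (or bring it from elsewhere), ask for a reset while 'not remembering' the
    answer to fish for a hint, then guess one answer per call until the rep
    says yes or the account locks."""
    owner = known_owner or desk.owner_of(console_id)
    if owner is None:
        return {"success": False, "answer": None, "hint": None,
                "calls": desk.calls, "locked": desk.locked}
    hint = desk.reset(owner)["hint"]  # leaky desk: 'it was about a favorite color'
    for guess in guesses:
        result = desk.reset(owner, guess)
        if result["ok"]:
            return {"success": True, "answer": guess, "hint": hint,
                    "calls": desk.calls, "locked": desk.locked}
        if result["locked"]:
            break
    return {"success": False, "answer": None, "hint": hint,
            "calls": desk.calls, "locked": desk.locked}


if __name__ == "__main__":
    print(attack(LeakyDesk(ACCOUNT), "CONSOLE-0001", COLORS))
    print(attack(HardenedDesk(ACCOUNT, "7Q2K9X"), "CONSOLE-0001", COLORS))
    print(attack(HardenedDesk(ACCOUNT, "7Q2K9X"), "CONSOLE-0001", COLORS,
                 known_owner="So-and-So"))
```

Against the leaky desk the script succeeds in five calls: one to turn the console ID into a name, one to fish for the question, three colours. Against the hardened desk the first stage already fails (no owner is disclosed), and even a caller who brings the name from elsewhere gets no hint and is locked out after three failures, so the "finite probability of colors" never gets walked. The lockout threshold and the mailed code are design choices assumed here; the underlying point is that a low-entropy secret answer must never be the only factor a reset depends on.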

    9. Re:Method? by CRiMSON · · Score: 1

      Even better, I found, was to get very aggressive. Complain about how much money you've paid for the system and now you can't get back into your fucking Live account and this is bullshit, yadda yadda yadda...

      Keep doing it and eventually you'll get a customer service rep who just wants you to go away and will give you whatever you want.

      --
      oogly boogly!
  4. Please Sony ... Nintendo ... by powerlord · · Score: 1, Funny

    ... don't include this "feature" when you update your on-line to be more like XBox Live! :)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  5. Same old story? by Xest · · Score: 2, Interesting

    Accounts for all sorts of things, from MMOs to bank accounts to eBay, get hacked online. I'd argue, however, that MS has an even tougher job than usual here, as console users are probably often even less security-literate than PC users.

    I doubt this is much different from the trojans that target WoW accounts or the organised crime financed hackers that go for people's bank, paypal and ebay accounts.

    1. Re:Same old story? by fistfullast33l · · Score: 2

      I'd argue however that MS has an even tougher job than usual here as console users are probably often even less security-literate than PC users.

      So your grandma is more computer literate than a gamer? Hmmm...I don't think so. Not to mention that while a PC is more of an open system (even MS Windows is more open than the console), the console is definitely a little harder to break into as it doesn't allow the user to have administrative rights as easily, especially for downloadable content from a store like Arcade, PSN, or whatever the Wii one is (can't remember).

  6. Check the PCs by ewhac · · Score: 2, Informative
    XBox Live can be accessed both from within the XBox (obviously), and also over the Web. You use the same password for both. It therefore seems most probable that they either obtained some malware that harvested their passwords, or that they got phished. Wipe and reinstall the PCs -- preferably with Linux -- and negotiate with Microsoft to have the passwords changed and reputation restored. After the machine is cleaned, change all passwords on all other sites as well.

    It is highly improbable that Microsoft's servers were compromised. Administering their own network is one of the few things they do relatively well.

    Schwab

    1. Re:Check the PCs by stratjakt · · Score: 1, Redundant

      No, just social engineering. Calling support, saying "I'm so and so and I forgot my password. I don't have the credit card my mom paid.. blah blah"

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Check the PCs by Sibko · · Score: 1

      You don't use the same password for both. To log onto Xbox Live you have to enter a 4-digit code based off the buttons on your controller. Your Live ID password is entered using a keyboard when you log into Microsoft stuff online - Hotmail, bungie.net, xbox.com, etc.

    3. Re:Check the PCs by Anonymous Coward · · Score: 0

      When you initially set up your Live account you link it to the Live password by entering it through the on-screen keyboard. Having a 4-digit code is optional, and if you don't have one, you will just automatically be logged in.

  7. Live website by Salamande · · Score: 1
    As of this moment, live.xbox.com is having all sorts of problems. Wonder if it's related...

    I just hope I'll be able to download Symphony of the Night when I get home.

  8. Didn't you read the post? by SuperKendall · · Score: 3, Informative

    I find that highly unlikely. Let's say the only thing you need to reset password is the name. How would you possibly ever get this information no matter how many times you called? Do you call them and say hi I'm the owner of this ID but I'm not sure what name I wrote down?

    Read the very post you responded to. The caller is asking exactly that, with the excuse that a brother or kid created the account with false info... in that context it sounds reasonable to ask what name they put on the account. I can easily see this tactic working.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley