Hackers Targeting Xbox Live

darthcamaro writes "Windows isn't the only piece of Microsoft technology that hackers are attacking anymore. During a presentation at the SecTor security conference in Toronto, a Facetime security researcher revealed numerous methods by which Xbox users are being hacked today. 'Though the Xbox doesn't have the number one market share, it is the top target for hackers,' Boyd said. 'Xbox Live has 17 million plus subscribers, and that service requires payment.'"

That explains it!

[hags2k]

That explains why these 12 and 13 year-old kids keep pwning me in Halo. Damn hackers.

Re:That explains it!

[Grieviant]

That is just mostly people who have "hacked" in a keyboard/mouse combo. When you combine autoaim with a keyboard/mouse you're able to easily beat people who are using the controller. This is particularly true because there are two extreme long distance "one shot kill" weapons as well as a MUCH higher damage value for head shots with ALL weapons. So if you have your little mouse/KB combo you can direct all your fire right at the opposing player's head and they are owned before they even knew you were shooting at them. There isn't much to be done about it. They can turn off autoaim and that would make the mouse/KB combo more awkward. But it would also make controller aiming extremely frustrating. If you want proof of that just try to betray a teammate with a pistol while using the controller. It is virtually impossible because autoaim is turned off when you're aiming at teammates.

I think these claims are speculative and misleading. Have you any evidence that "hacking in" a keyboard/mouse combo in place of a controller is commonplace on XBL? It might be feasible from a technology standpoint, but I've never heard it discussed in regards to Halo 3. I do know that a large portion of the best Halo players don't use any such cheats because they actually attend tournaments in person and win on LAN as well. Believe it or not, there are kids out there, many of them 12 or 13, who are capable of dominating you in Halo without cheating. If you're deluded enought to deny it, go to MLG's site (mlgpro.com) and watch some of the gameplay vids.

I'm wondering whether or not it became apparent that you basically volunteered yourself as the butt of the parent's joke.

Your grasp on Halo mechanics is a little flimsy. First, most weapons in the game aren't even headshot capable, meaning there is no extra damage conveyed by shooting at the opponent's head. Second, even for the medium-long range headshot capable weapons like the Battle Rifle and Carbine, headshots only matter once the opponent's shield is depleted. It's not simply a matter of much higher damage on every shot - once the shield is down (several shots), a single headshot kills instantly as opposed to a few body shots. Actually though, it's not very difficult to land head shots with these weapons anyway because the headshot hitboxes are huge. The sniper rifle kills with a single headshot or two body shots and is much harder to aim in general (low magnetism, small hitbox), so yes, there would be an advantage there.

It's a common error, but what you're really talking about is "aim magnetism" (aka "sticky aim"), not "auto-aim" (aka "aim-assist"). Magnetism causes your reticle to slow down when passed over the opponent (friction) and even be actively dragged when the opponent moves (adhesion). Auto-aim is what causes your shots to land even when your reticle is slightly off-target.

Not much else to say really - it's an FPS, they're supposed to require aiming skill by definition - so of course an aiming cheat would give you an advantage. I don't believe a keyboard + mouse combo would allow a bad / mediocre player to dominate though. There are just too many other elements to the game (grenades, knowledge of spawns, teamwork, decision making, predition, reaction time) besides raw aiming skill.

Same old MS

[mcgrew]

According to Boyd, the friend request DoS has been minimized in recent months as a result of Microsoft actions. Microsoft has now limited the number of friend requests a user can send, so there is now a time delay that mitigates the DoS risk.

Not if the attacker is using a botnet, unless TFA means the number of friend requests a user can receive.

One way that attackers enumerate their targets is by way of information that is easily publicly accessible. Xbox users gain points during gameplay, which leads to a gamerscore metric. The higher the gamerscore, the more valuable the gamer account. Boyd noted there is no easy way to keep a gamerscore private.

"If you go into the Xbox privacy settings, you can't block the gamerscore," Boyd said. "All you can do is hide your list of most recently played games."

Boyd added that sites like Mygamercard.net promote users' gamerscores, in effect painting a big target for attackers.

Typical, and depressing.

Re:Same old MS

[Canazza]

so your e-peen IS worth something after all :D

Re:Same old MS

[reginaldo]

The higher the gamerscore, the more valuable the gamer account.

Achievement Unlocked: Hack-worthy Account!

Re:Same old MS

[Mateo13]

Why does having a high gamer score make it more valuable? Other than that it's annoying to lose it if you invested all that time into it.

Re:Same old MS

[brkello]

There is a way to DoS pretty much anything connected to a network. How does that have anything to do with MS? And as far as the Gamerscore goes, it isn't some sort of sensitive information...just another case of hackers finding creative ways to use an otherwise benign mechanism. Your bias is preventing you from actually thinking. This is a game console. Not a mission critical military device.

Re:Same old MS

[IamTheRealMike]

Not if the attacker is using a botnet, unless TFA means the number of friend requests a user can receive.

Having a botnet doesn't do much good if you can't automatically create accounts. As you need an XBox to sign up for an Xbox Live account restricting the number of requests an account can send is trivial.

Re:Same old MS

[Danse]

Why does having a high gamer score make it more valuable? Other than that it's annoying to lose it if you invested all that time into it.

How would you like it if someone stole your penis, huh?

Re:Same old MS

[Morgon]

As the owner/founder of MyGamerCard, I hope that you're not claiming it's typical or depressing that I run a service that organizes gamers by their GamerScore?

MGC exists primarily to allow people to share their GamerCard (i.e. their gaming history) with friends. In addition, the stats I collect are used to foster competition and for personal tracking. The Leaderboards (which organize gamers by their score) are to incite people to play more and induce curiosity; I do not promote or condone any illegal activity.

Apologies if I'm being overly defensive or reading too much into your quote.. just seems that every six months or so, something comes around about GamerScore, and MGC gets thrown in the middle like it's intentionally trying to cater to idiots.

Re:Same old MS

[mcgrew]

As the owner/founder of MyGamerCard, I hope that you're not claiming it's typical or depressing that I run a service that organizes gamers by their GamerScore?

No, what's typical and depressing is MS's actions. I can see where your site would be a good thing.

Re:Same old MS

[damien_kane]

People would be more likely to add as a friend someone with a high gamerscore, as that usually correlates with credibility, due to the player having been around long enough to have such a high score.
Someone with a low score could be a new account created for phishing, or just some random n00b that friends everyone he sees.

I'll put it into a different perspective for you:
Why does having a low /. UID make it more valuable? (low-digit /. UIDs have sold on eBay before for a decent amount of money)

Re:Same old MS

[radish]

Which actions? I fail to see anything MS has done wrong here. You have a gamerscore, it's public. That's what it's for. What I don't get is why an account with a higher GS is more "valuable" in the first place.

Re:Same old MS

Not if the attacker is using a botnet, unless TFA means the number of friend requests a user can receive.

It's a closed system. The "botnet" can only spam their IP, not constantly send friend requests. I imagine the friend request goes from the user to Xbox Live, and not from user to user.

Typical, and depressing.

I am a little surprised that they have not added the ability to show gamerscores to "Friends Only," but I cannot help but think that it is a sadder state when people are trying to social engineer a gamer score, which means absolutely nothing, rather than a missing privacy setting for something that a lot of people really work hard to achieve.

Then of course there is the other segment that cheats to get their gamer score up.

Everything is said.

'Though the Xbox doesn't have the number one market share, it is the top target for hackers,

This phrase says everything.

Re:Everything is said.

[erroneus]

Indeed it says a great deal in that the myth that "Microsoft is the number one target because Microsoft is number one" is now shattered with this reported fact/statistic. But before we start citing this fact/statistic, let's do some fact-checking first and get some other parties checking these statistics. I have no leaning either way for this to be true. I actually have XBox360 and XBox Live so that I can play with my older children, so I would like it to be true that it's not driven by weaknesses and vulnerabilities in Microsoft's Windows driven network.

Another thought that hit me, and it was my first thought, was "compromised XBox360s joining botnets." The evidence for an infected PC is often readily available through various clues not the least of which are severe decreases in performance and software installed that the user doesn't recall installing. But with a very closed system like XBox360, the evidence wouldn't be nearly as obvious unless these machines set themselves up to power on in the background while disabling front panel indicator lights. (Since the indicator lights are mostly controlled by software, that would not be surprising to see.) And since XBox Live relies on home routers having specific ports forwarded to the machine so that game sessions can be hosted, port scanning could relatively easily identify machines running XBox live. Should a vulnerability be found to compromise the machine, you can bet that silent and worm-like infections would quickly follow even getting past NAT connected XBoxes as they connect to the infected game hosts.

Bad enough that yet another class of Windows machine is being targetted, but even worse that the liklihood of it being detected is significantly lower and that remedies to the problem are effectively limited to pulling the power plug from the wall even if it COULD be easily detected.

Re:Everything is said.

[megamerican]

'Though the Xbox doesn't have the number one market share, it is the top target for hackers,

This phrase says everything.

It does have the number one market share for paid online subscriptions, which means it'll be a big target for phishers. Xbox live accounts have real value, which means it will be a target for hackers and phishers.

Re:Everything is said.

[mcgrew]

I would like it to be true that it's not driven by weaknesses and vulnerabilities in Microsoft's Windows driven network.

According to TFA, most attacks are from phishing, but Microsoft makes the phishing easy by putting your CC info where everyone can see it. They say you should lie on your user page.

Re:Everything is said.

[BassMan449]

I think if they turned the Xbox on with the indicator lights off that would be a quick signal that something is wrong. I don't know about you but even though my Xbox is hidden behind my TV, I can tell you exactly when it's on. The 360 isn't exactly a quite machine.

Re:Everything is said.

And since XBox Live relies on home routers having specific ports forwarded to the machine so that game sessions can be hosted, port scanning could relatively easily identify machines running XBox live.
  I don't have any ports forwarded for my X-Box, and haven't had any issues with any games yet.

Re:Everything is said.

[RoadDoggFL]

It doesn't have the number one market share in units sold, but I'd be surprised if it wasn't number one in online gaming population.

Re:Everything is said.

[DdJ]

Indeed it says a great deal in that the myth that "Microsoft is the number one target because Microsoft is number one" is now shattered with this reported fact/statistic.

This is misleading.

XB360 is not the top console, no. Wii is. But how many of those Wii players network their machines? And how many of those also attach payment information to their machines?

In terms of network accounts with cash flow attached to them (ie. paid subscribers to a network service), Microsoft is number one. There are more paid XBox Live accounts worldwide than there are active "World of Warcraft" accounts! When looked at this way, Nintendo and Sony aren't even close. And so, the priority for hackers makes a great deal of sense.

Re:Everything is said.

[jayme0227]

Actually, this news doesn't shatter the theory. Basically it reaffirms it. XBox Live is the #1 for-pay console network, hence it is the biggest target.

Re:Everything is said.

[brkello]

Umm, no. It is not a myth that hackers target MS because it is the most target rich environment. That is just common sense. There are all kinds of hacks out for the iPhone. Why? Because they are so popular it makes sense for hackers to go after them. Taking one piece of data and making a generalization to something unrelated is a bit stupid.

Quite frankly, you are just using poor science as well. Instead of asking why, you are jumping to the conclusion that fits your bias. So the Wii has a bigger marketshare...why are the hackers not going after Wii's? Maybe because their internet capabilities are less. Maybe because people play their Wii's a lot less that people play the 360. Maybe it is because the hardware is less sophisticated or interesting. When you stop asking why and just buy in to the BS Slashdot group think...you are no longer a nerd. Just a part of the herd not caring about reality.

Re:Everything is said.

[jittles]

There aren't more Xbox's than other consoles yes. But, Xbox Live is the premier console gaming network. Also, the person below noted that he has ports forwarded to his Xbox to play on live. This is not required. I've played countless times without forwarding any ports on my router. I've played with other NAT'd friends and family members. We've played over XBL even on the same DSL line.

Re:Everything is said.

Indeed it says a great deal in that the myth that "Microsoft is the number one target because Microsoft is number one" is now shattered with this reported fact/statistic.

Welcome to many years ago where we are discussing why IIS is more exploited than Apache even though Apache is FAR more prevalent.

Re:Everything is said.

[IamTheRealMike]

Another thought that hit me, and it was my first thought, was "compromised XBox360s joining botnets."

You need to read up on the Xbox 360 security system. You can't compromise an Xbox 360 that's connected to Live, it's not possible. There are no botnets of Xbox 360 machines, and it's highly unlikely there ever will be.

Re:Everything is said.

[Bemopolis]

But with a very closed system like XBox360, the evidence wouldn't be nearly as obvious unless these machines set themselves up to power on in the background while disabling front panel indicator lights. (Since the indicator lights are mostly controlled by software, that would not be surprising to see.)

Fortunately the 360 is immune from sub rosa operation by a botnet, since when the thing is on it's so loud that Helen Keller wakes from the dead to complain about it.

Re:Everything is said.

[harl]

You can't modify the 360 enough to bot it. Especially over the network. You have no way of downloading payloads and it doesn't listen on any ports.

It has PC hardware but that doesn't make it a PC.

Re:Everything is said.

[Lectoid]

Well the Wii and PS3 don't charge for their network usage, so that makes Live competitor-less in the for pay console network. Wait, that's a monopoly... someone call Congress!!!

Re:Everything is said.

[KDR_11k]

The Wii tends to sit connected online even in standby so it'd theoretically make a nice bot but I don't think it's as easy to install malware on the thing without causing mass bricking which would alert everybody.

Re:Everything is said.

[fyrewulff]

More than likely because the Xbox supports UPnP so you don't have to forward them yourself.

Re:Everything is said.

[radish]

What are you talking about? CC information certainly isn't public anywhere on XBL.

Re:Everything is said.

[bloodhawk]

Actually that phrase says almost nothing and is VERY misleading. Xbox does not have number one market share, But Xbox Live certainly IS the largest online gaming network with more users with CC details than any other network, not even WoW has as many. besides which they are social engineering attacks rather than Xbox Live hacks or console hacks.

Re:Everything is said.

[mjwx]

In terms of network accounts with cash flow attached to them (ie. paid subscribers to a network service), Microsoft is number one. There are more paid XBox Live accounts worldwide than there are active "World of Warcraft" accounts! When looked at this way, Nintendo and Sony aren't even close. And so, the priority for hackers makes a great deal of sense.

Or in other words, just like Macintosh PC's it makes no economic sense to attack the Wii as returns will be low. Hacking (Cracking/botnets) is a big business now and it's all about getting the best and fasted return on investment, almost no one hacks for street cred any more, at the few events that are for glory like Pwn2Own the Mac usually goes down first.

Does Pwn2Own have a console hacking contest? Would this even be possible.

Re:Everything is said.

Not all, you could actually say as far as online gaming networks goes, Blizzard with Wow would be directly comparable, though it has lesser numbers than xbox live it is also a pretty active target for hackers.

Re:Everything is said.

[bloodhawk]

These hacks are not installing malware on the xbox either, they are social engineering attacks, neither the Xbox nor Xbox live are being attacked (as usual the article summary is misleading). The reason the Xbox is a better target is 2 fold.

1) Xbox Live tends to have CC details tied to the account making it a far juicier target
2) Xbox360 may not be the largest marketshare but its online gaming (XBOX Live) certainly is the largest online gaming as it is even bigger than Wow.

Re:Everything is said.

[neumayr]

Now that would be something - a network of compromised 360s.
There are some practicability issues though.. These boxes are loud, would not be hard to notice one running even though it seems to be turned off. Then, they need to be fully patched to even connect to XBox live, so you'd need a zero day remote exploit. Compromising those boxes even locally is no easy feat. Maybe I missed something, but I've never heard of a remote exploit for the 360, and last I heard from a local exploit was ages ago, and it only worked for one particular firmware version.
So anyways, I disagree on the detectability part of you message. For most XBoxes (I don't know about those special, more expensive editions), their sheer loudness is a pretty good intrusion detection, harder to miss for the average user than slow PCs with additional software.

Re:Everything is said.

[mcgrew]

The FA. Like the 1930s humorist Will Rogers said, "all I know is what I read in the papers", or in this case, TFA.

Re:Everything is said.

Wii Connect24 and Wiishop

Man

[Random2]

I'm so glad I went with the PS3, I'll never have to worry about hacking if my firmware doesn't even work!

Re:Man

[dnahelicase]

They put a rootkit in there for just such a situation. Anybody tries to hack and it's dead! My computer is protected by the same rootkit in case the pirates try to sell me fake BRD.

Re:Man

[rdnetto]

Unless you have to hack it in order to get the firmware to work...

Top target?

[6031769]

Though the Xbox doesn't have the number one market share, it is the top target for hackers

But MS have been telling us for decades that the reason so many viruses are written to target Windows is that it is the number one OS in market share. So that quote from the summary can't be right.

Can it?

Re:Top target?

Isn't PS3 online play free? In which case it would make no sense to bother hacking it?

Re:Top target?

[Crash+Culligan]

Don't be surprised if they keep saying it, too. Cognitive dissonance is so out of style these days.

Re:Top target?

[CaseCrash]

Or it could be that the Wii has the biggest market share, but its online presence is... well, lame, and since xbox live is definitely the place for online console gaming with a successful online store model so it's a better target?

Microsoft bashing is all fun and good, but at least think a little bit about what you've written before posting.

Re:Top target?

Your post is stupid. Hackers are going where the marketshare and money are.

Re:Top target?

What they meant to say was "... it is the top target for hackers [in the list of web-based console communities named Xbox live]"

That help?

Re:Top target?

[Datamonstar]

You can still make purchases over the network. Games and DLC and what not. I don't play consoles anymore, so I don't know.

Re:Top target?

[CannonballHead]

It's comparing two separate things. What market share are they talking about? The online user base or the consoles-sold user base? The real question would be how many active online users, not how many consoles sold. It's comparing two separate and independent statistics.

I wonder who the number one market share is, anyways.

Re:Top target?

Microsoft has the biggest online (i.e. hackable) console market share by miles.

Re:Top target?

[untouchableForce]

No that simply means it's not the most accurate.

Hackers target the platform that is the most valuable to them. In the case of traditional operating systems or computers the market share numbers are so vastly different that the number one platform is target.

In the case of consoles, the numbers are close enough that hackers have chosen the platform with the most likelihood of having credit card information stored on them which happens to be number two.

I will leave the comments about which platform is easier to hack for someone else.

Re:Top target?

[ArundelCastle]

Not really right, no.
Xbox does have the number one market share in active online players (excluding the PC "open market"). Especially notable considering the annual fee.
Nintendo has the number one share in consoles currently sold. Online support on the Wii is basically neutered by the friend code system. Many games don't even try to do online multiplayer, and no financial information is stored on the system or your "profile" which really isn't a profile in the same sense.

TFA is pretty vanilla on the details and doesn't offer much new information to anyone actually familiar with XBL. DoS attacks are hardly a surprise for Microsoft, and mainly it's social engineering. That's so old news the Major Nelson podcast practically includes a weekly disclaimer now, that giving out your password is always a scam. But a kid looking for $50 of free purchasing points may be willing to take the chance.

Re:Top target?

PS3 isn't the one with top marketshare. It's the Wii.

Re:Top target?

[jason.sweet]

TFA does not mention any virus. In fact, the bulk of the attacks it mentions are social engineering attacks. There's nothing the OS can do about that. Some OSes may allow you to do things in a "smarter" way, but, to the best of my knowledge, there are none that can prevent you from being stupid.

Re:Top target?

[bluefoxlucid]

The Wii doesn't rely on a subscription. You put in your credit card at some point, it goes to Nintendo, gets eaten, and then you get points. Your credit card's wiped from the machine after that (RAM stored only). It's possible to only buy Nintendo Points cards, too. Also, Wii Points aren't transferable between consoles. Put all this together and there's nothing really salable here to target....

Re:Top target?

[VisiX]

RTFA, there is no hacking being done. It's all DoS attacks, social engineering, and phishing scams. These methods are all independent of the hardware and in most cases the services being offered.

Also, while the xbox may not have the largest marketshare I would argue that it is very likely to have the largest and most active online community. The article is about "hacking" account information, not the hardware or software itself.

Re:Top target?

I don't play consoles anymore, so I don't know.

Then why the fuck did you reply? Oh, I get it. You replied just so that you could say that you don't play console games. Jackass.

Re:Top target?

[CastrTroy]

The friend code system is only used if you want to specifically play against your friends. For MarioKart, you can play randomly against anyone in the world, no friend code neceessary. The system is only neutered in the sense that there is no voice chat. However, based on the kind of chat that goes on for XBox 360, I would have to call that a feature.

Re:Top target?

[Mr2001]

It's possible to only buy Nintendo Points cards, too

This is true of Xbox Live as well. You can subscribe and have your credit card charged automatically, but you can also survive on membership/points cards that you buy at the corner store instead.

Re:Top target?

[WagonWheelsRX8]

I'm glad someone pointed this out...phishing is NOT the same as hacking...this is a poorly titled and written article...

Re:Top target?

[bluefoxlucid]

Yes but I don't need to buy a $50 Wii card EVERY SINGLE MONTH. I buy points when I want games. With XBL, it's like WoW... it costs you $$$ to stay in the game, and when you stop paying you get banned until you put up again. We have direct debit for our car loans, mortgage, credit card bills, and auto insurance... who wants to manually pay one more bill when they can automatic billpay that too?

Re:Top target?

[damien_kane]

They email you/notify you when your gold subscription is about to expire (like a month in advance or something)
1-year gold membership cards retail for $60CDN in many online and b&m retailers akin to Future Shop/Bestbuy.

Just buy one when you're in buying the latest game anyways.

Re:Top target?

[Mr2001]

Yes but I don't need to buy a $50 Wii card EVERY SINGLE MONTH.

You don't need to spend that much on XBL either, or re-up every month. On Amazon you can get a subscription card for $45 that lasts for 13 months.

Also, on the Wii you don't get the same level of service. Most (all?) multiplayer Wii games make it very difficult to meet or message anyone who you haven't already exchanged friend codes with; there's no community other than the one you've already formed on your own. There's also no global friends list, voice chat, party system, game invites, achievement leaderboards, etc. One could still argue that Xbox Live is overpriced -- Steam has most of the same features for free -- but you are getting something for your money.

Re:Top target?

[radish]

Online market share? XBL, no doubt. They have in the region of 17 million users. Consoles sold? Obviously Wii.

Re:Top target?

[reiisi]

Microsoft has the biggest online [elided] hackable[elided] console market share by miles.

Fixed that for you.

Re:Top target?

[bluefoxlucid]

Level of service is irrelevant. I don't need to pay unless I'm acquiring a new game, therefor the console has no need to store my credit card number for more than a few seconds in RAM during a transaction, therefor nobody cares and they all hack the XBox accounts instead.

Re:Top target?

[Lumpy]

After a major fight with Microsft and Xbox live only a complete fool would put their credit card number in their system. Use only points cards. They cant rob you blind from the points cards like they snagged an extra $250.00 from my credit card.

Yes I was able to stop it by stopping the charge at my CC company, but microsoft was unwilling to work with me.

Finally, I pay FAR less for my gold membership than anyone with a credit card in the system does. I pay a little over 1/2 the price by buying cards discounted off amazon.com

Re:Top target?

[Mr2001]

Like I said, if you're that paranoid, you can get the same security on XBL by buying membership cards once every 13 months. Pay cash and wear a Nixon mask so even the store clerk won't be able to trace you.

Hacked?

[f5hacka]

Maybe I read the article wrong, but I don't see how someone can get hacked outside of being socially engineered into it...

Re:Hacked?

[Lost+Engineer]

Don't know how it happened to me, but it did. If they had my CC number they never charged anything but Xbox points to it. Seems like a real stupid thing to steal. Maybe it was a kid or something?

Re:Hacked?

[megamerican]

Not only that but the Xbox is the only console with anything of value to target (Xbox Live accounts).

What's the point of hacking someone's Wii? Are you going to change their weather information or change someone's Mii to look like Hitler?

Re:Hacked?

[Beardo+the+Bearded]

At least then I'd GET weather information. All I get is a -- C when I look at the summary screen.

Not that I live in an urban centre or the capital city or anything. Oh, wait, both of those ARE true.

Phishing, not Hacking

[Silentknyght]

Don't be confused. They're not hacking your hardware or the Xbox Live servers. They're using social engineering and any publicly available information (courtesy of things users choose to divulge in their profiles) to attempt to get passwords.

Big difference between hacking & phishing. Moreover, there's nothing particularly unique to the XBox Live service & this phishing, either.

Re:Phishing, not Hacking

[ZekoMal]

It sounds like the people who complain that they were "hacked" on MMORPGs, when in reality they were just "stupid". So many people say "hacker" when they really mean "some guy asked for my password for a 5 billion gold trade and then logged into my account and emptied it out".

It just sounds better to be "hacked" because hacking implies that it was entirely out of your control. There is some poetic justice to the Xbox fanbois being attacked based on how "good" (read: how much time spent) they are at a game. The better you are, the more time you waste, the more likely you are to be attacked. Casual gamers, I suppose, are safer by default. Irony, maybe?

Re:Phishing, not Hacking

[FrigBot]

Heh, joke's on them - I forgot my password.

SOCIAL ENGINEERING IS NOT HACKING

[Com2Kid]

The "researcher" who is quoted in this article comes off like a moron.

He complains that there is no way to hide one's gamerscore. NO SHIT. It is called social networking. GAMERSCORE = (imagined) PENILE LENGTH INCREASE. You don't farking hide it, the entire point is to show it off.

Next up, sending someone a message "g1ve me urz PW and I'll givez you 1,000,000 gamerscores!!" is not hacking. It is exploiting people's greed. There is a big difference.

Likewise wussies DOS'ing a game server to get back at the people who kicked their wimpy arse is also not new, it happens WAY more often in PC games, since the majority of PC games have dedicated servers whereas only a few (but popular) Xbox 360 titles use dedicated servers.

In summary, these are not "hackers targetting Xbox Live". 99% of them don't even rank as script kiddies.

Re:SOCIAL ENGINEERING IS NOT HACKING

[Thanshin]

"g1ve me urz PW and I'll givez you 1,000,000 gamerscores!!"

My pw is 12345!!!

Thank you for the gamescore!!!!!

Re:SOCIAL ENGINEERING IS NOT HACKING

[Dyinobal]

according to an article yesterday you just gave out a lot of peoples password.

Re:SOCIAL ENGINEERING IS NOT HACKING

[RiotingPacifist]

I was pretty disappointed, I see xbox-live as a very interesting attack vector, but now if you google "xbox live security details" all you get is this story going on about phising!
It would be interesting to find out what sort of encryption, authentication, etc xbox-live uses, the information must be out there as the xbox1 os has been thoroughly dissected. It seams that xbox-live would be particularly susceptible to cheating because of the lack of dedicated game servers/communities doing proper verification (ofc i the verification may still exist that is another IMO interesting question) and untrustworth "servers" (e.g the l4d attacks).

tl;dr xbox-live security is interesting, phising is not!

Re:SOCIAL ENGINEERING IS NOT HACKING

[Talderas]

1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

Re:SOCIAL ENGINEERING IS NOT HACKING

[Com2Kid]

It seams that xbox-live would be particularly susceptible to cheating because of the lack of dedicated game servers/communities doing proper verification

Cheating is rampent on Xbox live. So is the ban hammer.

As an ultimate punishment, MS can disable one's entire Xbox live account. Worst case, that costs the cheater $$. Or of course they have a huge supply of 48 hour free trial gold cards, but then they have to spend their free time hunting additional 48 hour free trial gold cards. :P

Most cheats for Xbox live games are fairly low tech. Purposefully inducing lag spikes, crap like that.

Re:SOCIAL ENGINEERING IS NOT HACKING

1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

This needs to be Modded UP!

Re:SOCIAL ENGINEERING IS NOT HACKING

[RiotingPacifist]

Most cheats for Xbox live games are fairly low tech. Purposefully inducing lag spikes, crap like that.

This is the stuff that would make an interesting article, can they do any other kind of cheating? They can play copied discs but can they modify the discs to contain aimbots/wall hax/etc (AFAIK they can't)?

Re:SOCIAL ENGINEERING IS NOT HACKING

[interkin3tic]

He complains that there is no way to hide one's gamerscore. NO SHIT. It is called social networking. GAMERSCORE = (imagined) PENILE LENGTH INCREASE. You don't farking hide it, the entire point is to show it off.

For you perhaps. Not for all of us though. I don't care about showing off or even the gamerscore itself. Or rather, I only care about it BECAUSE it could make my account more attractive to steal. In my case, and numerous others, "the entire point" of the gamerscore seems to be to let people know how valuable your account would be to other people.

It's extremely stupid to not be able to turn it off IF YOU DON'T CARE TO SHOW IT OFF.

Granted, you'd have to intentionally work at increasing your gamerscore to make it really attractive to steal, my gamerscore after several years is only at 5,000, no one is going to pay for that when gamescwhores seem to buy games based on how easy the scores are to rack up. So if you have a high gamerscore, you probably had to do it intentionally. And if you're putting in work for it, you undoubtedly want to show yours off, so this is not a huge vulnerability for those of us who don't care about gamerscores. Still, pretty stupid to have them all displayed.

Next up, sending someone a message "g1ve me urz PW and I'll givez you 1,000,000 gamerscores!!" is not hacking. It is exploiting people's greed. There is a big difference.

You know that and I know that, but let's be honest: we're in the minority. It's not just the writer who makes this mistake, most people do. I might have expected better from "internetnews," though.

Re:SOCIAL ENGINEERING IS NOT HACKING

[tlhIngan]

Most cheats for Xbox live games are fairly low tech. Purposefully inducing lag spikes, crap like that.

This is the stuff that would make an interesting article, can they do any other kind of cheating? They can play copied discs but can they modify the discs to contain aimbots/wall hax/etc (AFAIK they can't)?

No, they can't. The only thing the copied discs hacks do is tell the Xbox360 when the disc is queried, instead of returning stuff like "DVD-R", it'll return "Xbox360", and the like. The actual code signing mechanism hasn't been broken, so adding an aimbot is pretty much impossible right now. (The signatures are checked always).

Even the Halo cheats don't work anymore - at least for Halo 3 I believe...

Re:SOCIAL ENGINEERING IS NOT HACKING

[damien_kane]

Gamerscore isn't that hard to accumulate.
I've only had my 360 for about 4 months, and am already over 4000. This is playing mostly RPG-type games (Sacred2, Fable2, Lost Odyssey)

In the case of most games I've played so far, simply finishing the game gets you around 500 GS, once all is said and done.
After that is the hard-to-get achievements.

Re:SOCIAL ENGINEERING IS NOT HACKING

[interkin3tic]

Gamerscore isn't that hard to accumulate.

It's not hard no, but if you don't care about gamerscore and don't intentionally select games that give easy points, I'm thinking you probably won't find yourself in the 100k range. Therefore, unless you're trying to get as high a gamerscore as you can, your account isn't going to be very attractive to people who sell accounts with high gamerscores, so you wouldn't need to hide it. On the other hand, if you did have a really high gamerscore, you probably worked at it intentionally and do, like OP said, want to show it off.

That's all I was saying. And I'll say again, this shouldn't be the reason why MS doesn't offer you the option to hide your gamerscore.

Re:SOCIAL ENGINEERING IS NOT HACKING

That's my luggage combination, you insensitive clod!

Re:SOCIAL ENGINEERING IS NOT HACKING

That's amazing. I've got the same combination on my luggage.

Happened to me

[Lost+Engineer]

My account was stolen. It sucked. It took me months and way, way too many phone calls to get it back. The asshole who hacked it had changed so much information, including the gamertag, that they didn't even want to talk to me on the phone at first. Xbox customer support is absolute shit. Their reps are totally unhelpful, refusing to deviate from the script despite the fact that "account stolen" is apparently not in the script. There was not one that I called that was comprehensible in English.

Oh and this whole thing started because I found over $100 worth of Xbox points charged to my credit card. To this day I have no idea whether that person actually got my CC number or figured out how to charge without it. I executed a chargeback on that $100, and have yet to see another fraudulent charge.

Re:Happened to me

My account was stolen. It sucked. It took me months and way, way too many phone calls to get it back.

So, how did this happen? Weak password? Weak "forgot password" hint? Were you phished? Did you voluntarily hand it over? Was a computer that you've used to log into Xbox.com or another Windows Live account compromised?

The article doesn't present any way to simply steal accounts, and neither has anyone else. All of the methods presented involve social engineering.

Re:Happened to me

[ZekoMal]

As the Anon. coward stated, stealing an account is quite a bit different than a simple snafu. You are suggesting that someone hammered away at logging into your account, and then charged $100 to your account. That seems like a lot of effort just to play your games for free, especially when they could have just used TPB and some tools to get a similar experience.

The more logical option is that you had a weak password, you gave it away, or you were phished. None of these involve someone forcefully stealing your account; they involve poor protecting on your behalf. To put it simply: if you spend more than $100 on something and connect it to every e-peen-seeking fanboi in the world, maybe you should make sure they can't figure out your login info.

Re:Happened to me

[ZekoMal]

Sorry for the repeat post, but one more thing: your credit card info is tied to your account if you ever used it. Go on, check it. Fascinating, no?

Re:Happened to me

[Inda]

People using the same username and password on forums is the easiest way to get your account stolen.

Re:Happened to me

[The+Moof]

To this day I have no idea whether that person actually got my CC number or figured out how to charge without it.

Buying stuff via your Xbox console is uncomfortably easy. There's no validation and no need to see your information (by default). If I have your e-mail and password for your Xbox live account, I can buy MS points up the wazoo for you, and use them for downloads on my Xbox. As long as I use the HDD on the same Xbox, I don't have to be logged in as you to access my 'stolen' DLC.

Re:Happened to me

Microsoft billing keeps your credit card numbers on file. If you purchased a gold account on your CC it is in their system. I had some problem with my account earlier this year and had to go to their billing site. Found they had info on one of my cards that I originally had used that had expired over a year ago. If someone gets your xbox live email and password they can access Microsoft's billing website to get your credit card info. (Google microsoft billing to find it). Thing is, if you have a gold account, you can not delete your credit card info from the system since they want to automatically be able to charge your card when your renewal is due. (My credit card offers virtual numbers that expire after a month or two which is what I use for XBOX to prevent people from easily finding my account number even if they got into my live account. From what I have heard though, this isn't enough to stop MS from charging your account anyways.)

Re:Happened to me

[harl]

If you bought points with the card before the account was stolen then they just have to hit X and grab points. It stores your card info.

Live charged my _expired_ credit card for a year of service. Took many calls with Live to accomplish nothing. I had to bring VISA in to eventually get it sorted out.

Lesson learned: Never ever never give Live your CC#. Buy pre-paid cards. Sometimes they're even on sale. Free money WooHoo! They're never on sale if you pay with a credit card.

Re:Happened to me

[radish]

And if you have my Amazon password you can order real stuff with my CC, and if you have my banking CC you can steal all my money. That's why we protect our passwords children :)

Re:Happened to me

You know what else is tied to your credit card? Your credit card number. Fascinating, no?

But seriously, a good password and not falling for social engineering will protect your account, and your card, from any feasible attack.

Re:Happened to me

[MikeBabcock]

And then you call your credit card company and explain those are fraudulent purchases and they refund them using their fraud insurance program. They also don't have you talk to police (despite a crime having been committed) because its bad for business, and they want people to believe credit cards and banking data is completely safe to use.

If your bank won't give you your money back no questions asked, just tell them you're filing a report on the fraud with a local detective and they'll change stories.

Re:Happened to me

[Lost+Engineer]

Did it not used to be the case that you had to have the CC number associated with an account to transfer it to a different Xbox, and therefore to login? Up until my account was stolen, I had never even *used* a password to login to Xbox live.

No I was not suggesting that someone "hammered away" at my account. I have no idea what the method was because Microsoft would never tell me.

What the .... ?

[X.25]

What the hell is this piece of shit, called "article"?

Using social engineering to obtain Xbox account details?

Oh my God, I would have NEVER thought something like that could happen.

Re:What the .... ?

[ZekoMal]

Ssssh! Next you'll be telling me that my Runescape account is compromised when the gold sellers ask for my password to transfer the funds!

Re:Anotgher Linux-inferiority-complex induced arti

[RiotingPacifist]

Who the fuck mentioned linux? sounds like your the paranoid one with the inferiority complex!

So thats why

[KingHuds]

I keep trying to play Halo but get the RPoD (Red Ping of Death).

This is not what I had in mind for "hacking" Live!

Here I was hoping that some security researchers had broken the authentication and key exchange algorithms used by Live!, and that the information was being used in the wild...

That kind of hack would be the most interesting, since it could be used as a foundation to create a surrogate for an Xbox Live! server in a LAN, much like bnetd. The number of ways you could manipulate the implied "trust" the console has for a crypto key supplied from the "Live!" server to run privileged instructions is tantalizing.

As-is though, the article is just about kids changing their gamerscore because they suck at playing games and "want to look cool", and about same-said kids griefing each other with malicious friend requests.

Not exactly what I call news-worthy "hacking"

I'm surprised there isn't less of this

[MobyDisk]

Ever since multiplayer PC gaming, I have been surprised that I have not heard about phishing mods or virus mods. When you connect to a modded server, most multiplayer PC games will automatically download and execute scripts that run within the game engine. It shocks me that nobody has found a way to break out of the game engine sandbox and compromise a machine.

Now, consoles don't (AFAIK) support downloading mods. But I imagine that there would be similar attacks based on sending garbage data to the server as a way to compromise it. From there, you should be able to access a lot of information or launch more serious attacks.

Does anyone know of this happening?

How to remove credit card info?

[sherriw]

Where is this option to remove your credit card info? I keep trying and it won't let me. I don't have anything on automatic renewal.

Re:How to remove credit card info?

[sherriw]

Actually I see the option but each time I try to remove the card, it tells me that a service is still attached to the card- and points me to an EXPIRED gold membership. I have since bought and activated a pre-paid gold membership so this makes no sense. Arg!

Re:How to remove credit card info?

[CreamyG31337]

Haha well make sure you figure it out, Microsoft managed to charge to my expired credit card when I refused to provide them with the new number :( Have fun on hold!!

Read on, McDuff

[westlake]

The XBox is an appealing target because XBL has 17 million paying subscribers.

s/Hackers/Phishers/g would be a good start..

[bmajik]

if you RTFA, what you basically see is this
- Xbox LIVE accounts are worth something, and often have CC info embedded in them
- all of the techniques are for getting control of an XBOX live account or DOSing an XBOX live user
- all of the non-DOS techniques are SOCIAL engineering "attacks"

The XBOX Live network is actually pretty solid, with IPsec between endpoints and servers. The successful "attacks" at the network layer are essentially ping-floods or traffic stoppages [i.e. the Halo bugs where you could turn off your cable modem and thus disconnect without killing your ELO ranking].

Finally, regarding the point about market share / attractiveness to hackers: this is stupid.

XBOX Live has more paying customers than any other console gaming network. Looking at # of consoles sold is not the same thing as attractiveness for phishers/scammers.

So, Mod the Article (-1: Epic Fail)

Re:s/Hackers/Phishers/g would be a good start..

DOS'ing sounds like a terrible way to hack someone's Xbox.
C:\>pwn n00bz
Bad command or file name.

The cell processor

[goombah99]

Another explanation is that xbox uses a somewhat more conventional architecture processor. the Sony PS3 Cell is notoriously difficult to program for and thus requires uncommonly sophisticated skills in the hacker.

That of course is not perfectly true. Each Cell also has a conventional co-processor that could be attacked. but still the over all problem is probably a lot harder.

Maybe this is the way to get more trained cell programmers. Put tempting targets out there running on cells.

Re:The cell processor

[CastrTroy]

Why not target the Wii then. It is the most popular, and it has a PowerPC CPU, just like the xBox 360.

Re:The cell processor

[erroneus]

I think that is pretty much irrelevant. People coding malware use the same tools for writing code as legitimate programmers. All they would need is a development system to create the binary. They can test their own gear to find vulnerabilities that could be exploited to cause the game system to either download, install and run the code from the internet or otherwise use an exploit to insert code for execution in some other way such as an overflow. Once identified, it is merely a matter of writing the malware code and getting the remote machine to run it. The processor architecture should be irrelevant. Most, if not all malware on PCs don't need to be multi-processor aware. Perhaps you are under the misconception that game consoles don't run a modern OS inside the box?

Re:The cell processor

[gnick]

I can't google numbers (gaming sites are blocked here at work), but my gut instinct tells me that, even if the Wii is the most popularly sold gaming platform, it probably isn't the most platform for gaming online. If true, that would make it a tougher target despite containing a similar processor.

Anyone with a citation to support or debunk my guess, please share.

Over rated sensationalism

[dave562]

Despite what the article might lead one to believe, the Xbox hardware isn't being hacked. User accounts are being compromised. The accounts aren't be compromised due to weakness in the software, authentication mechanisms, or by virii/malware. They are being compromised by social engineering and phishing. The only slightly disturbing subject mentioned involves introducing latency into game connections by way of DoS attacks and botnets. That sucks for people who play the games, but that isn't a weakness limited to the Xbox. Any internet connected device is susceptible to DoS attacks in some way.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I get phishing messages almost every day now

[brienv]

Microsoft seriously needs to do something about this. It's gotten so bad that I get a phishing message almost every single day I play online (CallOfDuty mostly). They're usually "msg me for free MS points" but the scams vary. I report them every time but I have no idea if Microsoft actually does anything with them.

Re:Anotgher Linux-inferiority-complex induced arti

[JStegmaier]

You're right. Anything that criticizes Microsoft is always a Linux shill piece... Microsoft never does anything wrong.*

*Not saying Microsoft did anything wrong in this case.

Ergo, Nintendo understands security.

[reiisi]

More to the point, Nintendo understands on-line security in ways that Microsoft has been deliberately misunderstanding for a decade and a half.

Re:Ergo, Nintendo understands security.

considering both nintendo and MS handle security almost identically for payments I am not sure how you can claim nintendo understand it while MS don't. If anything due to how big a target MS are and the fact no one has managed to hack Xbox live I would say MS probably handle security sigificantly better than nintendo.

has the credit card info on the box's HD?

[reiisi]

Is that typical Microsoft engineering, or what?

Much more hackable when you do that.

credit card information?

[reiisi]

If your credit card information is embedded in your account info, I'd say that's (yet) a(nother) Microsoft Engineering failure.

It is precisely this kind of selling the customer dangerous convenience that earns Microsoft the scorn it gets.

Hurpdy-durp

that service requires payment.

Nope.

Comment removed

[account_deleted]

Comment removed based on user account deletion