Microsoft admits uptick in Live account hacking, writes it off to social engineering
Everyone enjoys a good Xbox hack, but they're not so fun when the tables are turned and it's your Live account that's been commandeered by crooks -- who are supposedly draining your credit card while you're stuck on the sidelines with a duplicate, unusable Gamertag. While it's not surprising that hackers would hijack online accounts to snatch valuable personal info, the question being raised in forums and now in the media is how Microsoft has been dealing / plans to deal with these breaches. The company first admitted that "there have [recently] been reports of fraudulent activity and account theft taking place" on Live when contacted by CNET, and went on to say that it is "actively investigating all reports of fraudulent behavior and theft." However, Major Nelson is now reporting that Redmond has found "no evidence of any compromise of the security of the Xbox Live Network or Bungie.net," and is attributing all of the recent incidents to "malicious users...attempting to draw personal information from unsuspecting users." It's hard to imagine that the uptick in fraud revealed to CNET is due solely to an increase in gullible gamers, but unless Microsoft plans on tightening security, all you can really do is continue to exercise the usual precautions or cancel your account and get your MMO fix from Yahoo! Bingo.

[Via Joystiq]

Ouch, I just added my sister's credit card so I could change my GT about a week ago. On my old GT I had my mom's credit card; I don't think there were ever any charges that I never made. I hope they will allow people to remove their credit card numbers from their account to prevent any theft of any sort. Another thing to do is you can simply buy your membership/points from stores such as GameStop, Best Buy, etc...
Yeah we all know how good msoft is at fixing security problems.
Actually, as hard as it is to believe, Windows is a much more secure OS than OS X, according to this link: http://www.internetnews.com/security/article.php/3667201
So what do you have to say to that?
I was actually referring to Internet Explorer, seeing as how they begrudgingly put out patches for egregious security flaws and never seem to want to update. And who said anything about OS X? I didn't realize I owned an Apple... hmm, funny.
Don't have a credit card linked to my account. Haven't even bought anything over Live, if I ever do I'll be buying cards at retail stores.
Apparently the social engineering is not on the gamers themselves but on the Live customer service. They call up a bunch of times, getting little bits of information each time, and build from there with a different sob story each time. I only hope the customer service guys log these things and can find them out easily. If not, then we're all fucked.
"It's hard to imagine that the uptick in fraud revealed to CNET is due solely to an increase in gullible gamers..."
I should say that they haven't stated at all that there has been an increase (in fraud), only that there have been reports of an increase and that they are looking into it. Reports of increased fraud do not equal increased fraud when bloggers and the internet are concerned. I really do think this issue has most likely been blown up far beyond any realistic degree.
I thought I might also reprint the conclusion to the cnet article, restating that it may be a new phishing scam which agrees with Major Nelson's assessment and, if true, would account for some uptick in fraud.
"While some users believe the security of Xbox Live was breached, others suggest that users were tricked into giving up enough information while in a game so fraudsters could call Microsoft to change the account information. Users may also have been duped into giving up their account information through phishing scams."
Gah, I also thought I would point out that I believe the initial reports dealt with stolen .net passport (now windows live ID) accounts which were tied to an xbox, so they weren't (it wasn't?) stolen over the xbox either way, xbox account hacking would have merely been a result of theft of the .net account if it was tied to the xbox.
I just wanted to put things into perspective before things went crazy. I've been following the story, and it does look like a much smaller event than previously imagined by various bloggers. Rumors just travel so fast on the internet and seem to get amplified to hysteria before any real research can even be done to confirm or deny.
How many of the Mac vulnerabilities were actually dangerous? They never tell you, they just say that there were more. Windows also has viruses that steal data; are those considered vulnerabilities in the Windows OS?
Did you even bother to read the article? Basically the criteria only involved time to patch. Over the same time period Windows had 12 severe vulnerabilities compared to 1 for OS X.
Ok, one final note.
I thought the two writeups (this and the source from their sister blog "joystiq") were somewhat amusing in their differing opinions. While this author wrote with a very suspicious and unbelieving tone, joystiq was completely different. I doubt there's a hidden bias, just an honest difference in approach to the story, but I thought I would share a bit of the joystiq article for the lazy (there are many).
"Major Nelson has issued a statement dismissing recent reports that there has been a collapse in security with Xbox Live and Bungie.net. Nelson says, "Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net."
Nelson goes on to say that there have been "isolated incidents" where users are trying to gain personal information. Microsoft is offering a PDF on how to protect yourself against identity theft. Seriously though, it's the internets, there are predators out there trying to steal your identity. Don't ever give someone your passwords or personal info."
Amusing, eh?
Full disclosure, I'm a mac(book pro) user who owns an xbox, so my take might be tilted somewhat.
I am a victim of gamertag theft. I am not a gullible gamer; I have never even remotely come close to revealing any information over Xbox Live or Bungie (Halo 3). I don't even sign into my Windows Live ID on my computer. I do anything that needs to be done with that on my Xbox. I had my gamertag recovered to someone else's machine, and while they had it, they purchased and spent 9000 Microsoft points, charging my credit card 114.50. You can bet I'm gonna remove my credit card from my Microsoft account and use prepaid cards from now on. But I just wanna point out that Microsoft's database has been breached; there's no way anyone could have phished my info from my PC or me playin' Halo.
People who buy Macs are popular--and they don't develop viruses. You don't write a virus when everybody likes you and wants to be your friend. People write viruses because they're not in a band, they're often broke, their car sucks, they don't play sports, they love Linux (and believe that they'd have a girlfriend if Windows was no longer the dominant OS), they're chubby and/or ugly, and sometimes they get tired of whacking off. That's why there are more viruses on PCs.
It did not take Microsoft or their Live network for one of my major credit cards to become compromised last January. All it took was a food-service retailer that conveniently had a read-writer in the back. While the credit card issuer handled me the correct way, it only goes to show that the activity can be quite local to the card holder.
I am curious to know why the Live system is so insecure compared to other Microsoft websites. Anyone with more than a handful of paranoia could be put to rest by signing up using a credit card and then three or more days later having the issuer issue a new card.
The group claiming they did the hacking was -Infamous- and as of last night, their site was hacked. I don't have the link but it should be listed on the front page still of http://www.shacknews.com
I will continue to use my credit card over Live. This sounds like phishing scams, not hacking. This is sensationalism journalism. Major Nelson clearly states there is no evidence of anything being hacked.