Xbox Live account takeovers put users at risk

Hackers have hijacked the Xbox Live account of a celebrity gamer and made off with a prized piece of virtual armor in a brazen act that suggests the online Microsoft service still puts the security of its users at risk. Colin Fogle gained widespread acclaim in gaming circles after posting a video showing how it was possible …

COMMENTS

This topic is closed for new posts.
  1. Dazzer

    DP?

    So if I ring up MS and give them 1 (one) piece of information, they will provide me with the address of that account. I see they are taking lessons from our government with regards to data protection.

    On a side note, when I had an Xbox I played it online about three times because I found (contrary to my experiences playing PC games online) that Xbox Live players were a bunch of cliquey, unfriendly twats.

  2. Morely Dotes
    Alien

    Well, let's help them make this a huge PR issue

    I've posted an opinion article at http://castle-anthrax.us/modules/news/article.php?storyid=15

    Feel free to copy it, link to it, or plagiarise it.

  3. Eduard Coli
    Gates Horns

    Move along folks - nothing here to see

    In my humble opinion (ok, govnor?) M$ has always sacrificed quality over cheap.

    They seem to prefer the monkeys+typewriters route to Hamlet rather than a clever romantic. The difference being that the monkeys work for next to nothing and they'd have to pay the poet.

  4. Luiz Abdala
    Coat

    Been there, done that, bought the T-shirt...

    ... which reads "I've been pwned by h4xors". This kind of scum lurks everywhere, and will steal anything from you, either virtual, or real, if they get a chance.

    coat, wallet...

  5. Lupus
    Joke

    I guess...

    He CAN has Recon.

  6. Andy Bright
    Black Helicopters

    Isn't it pretty easy to find out who did it?

    Not in the physical world maybe, but online? I don't know how Halo works, but most other online games have complete records of how and where a user came by a piece of gear. In the case of a unique item it should be a doddle to work out who the miscreant is, return the armour to its rightful owner and ban the account of the person responsible for the hack.

    It should also be rather easy to identify the mac address and ip of the xbox being used to access that account - and therefore ban it from joining any network that requires XBox account authentication.

    Maybe I'm being dense, maybe there are easy ways of masking the ip and mac address on an XBox, but I doubt it.

    Most likely the hacking skills of this spanner consist of being good at social engineering outsourced Microsoft employees - i.e. people that don't give a fuck. It's very unlikely he's capable of anything decent, like being able to hide his location. Also the way an XBox Live account accesses the internet makes it difficult for even a decent hacker to mask his location, so it ought to be fairly easy to track down the ip and mac address of the offending unit.

  7. Paul Beattie
    Gates Horns

    Data Protection

    Next time I have some spare time on my hands I might just try this out on my own account. If Microsoft do give out any information about my gamertag, whether it be mailing address or telephone number, I'll be straight onto them and then the information commissioner with the findings.

  8. Aubry Thonon

    Re:Isn't it pretty easy to find out who did it?

    From what I understand, the *armor* hasn't been stolen (as such) - the *account* which contains the armor has been stolen.

  9. Lupus

    FAO Andy Bright

    It's not so much the item itself was stolen (the precious Recon armour is awarded by Bungie, the makers of the game), so it's not in need of tracking. The entire account has been purloined, precious Recon armour and all.

  10. Ian

    Not specific to XBox live

    As usual it's the old fashioned social engineering tricks that affect any similar service. MMO accounts are another frequent target for the similar prize of rare in game items which are often then sold on for real cash on ebay.

    Part of the problem is more and more services worldwide are using these questions if you forget your password that default to easy to find out things such as "Where were you born". Obviously it doesn't take a genius to work this sort of thing out.

    Personally for pay for services I'd have thought something people really would keep safe like part of their credit card details (maybe the CVV digits?) wouldn't be a bad idea, but that assumes the call centre staff can be trusted with them even of course, something that is more unlikely than ever in our outsourced world and it's not necessarily a xenophobic thing, personally I always worry about the fact my phone call, containing confidential information, is travelling outside our borders across foreign phone networks through countries that don't necessarily have the same level of responsibility for security as BT does (slag BT off all you want for most things, but let's face it their phone network is pretty solid and secure and accountable when it comes to crime).

  11. Emo
    Dead Vulture

    oohh

    And what will the Information Commissioner do? Sweet FA.

    Unlucky.

  12. Andy Bright

    But that's even easier!??

    I realise the account was stolen, and if it's impossible to transfer gear from one character to another (therefore one account to another), why hasn't the problem been resolved simply by handing the account back to its rightful owner?

    And this should make it even easier to ban the offending XBox from their networks. Because if the guy is flaunting his use of a compromised account, this means he's regularly logging into it. Can't the IP and Mac of whoever accessed that account in the last few weeks be looked at, and if it doesn't match the proper owner, banned?

    Again I know it's possible to avoid this kind of exclusion using a computer and the right software, I've tested such things on my own network - but surely this is much more difficult to achieve if you're connecting to the internet via a console account - and therefore have no control over how or where your console authenticates.

    You can't just pretend you're in Switzerland and mask your IP and MAC address, because you'd need some pretty clever software running natively under the XBox's own OS.

    So again, why can't Microsoft simply transfer the account back to the proper owner, then ban the XBox that was used to commit the crime? Possibly even tracking down the physical location of the offending unit too and getting his IP to ban his access to the internet altogether.

  13. Anonymous Coward
    Thumb Down

    Re: But that's even easier!??

    You expect Micro$haft to grow brains?

    They released Vista for cryin out loud! and Office 2007!

    Hell will freeze over before Micro$oft knows the true meaning of "intelligent security"

  14. Lou Gosselin

    Hold on, there isn't a way to track someone's MAC address!

    FYI one's mac address is generally never transmitted over the internet. It's just not the way IP routing works. Ethernet devices use mac addresses within the local subnet only. And anyways MAC addresses are trivial to alter in that context.

    Sure the IP can be pulled up but unless MS can compel the ISP to release the user's information it won't help.

    They'll have to do like the RIAA and file a John Doe lawsuit. The ISP may not even be within US jurisdiction. Furthermore the IP might be tracked to a proxy, or the owner may have been victim to a trojan.

    This being said, I'd be surprised if the XBOX units don't transmit a unique serial number somewhere in the data stream to microsoft (is this what you guys meant by "mac" address?)

  15. Lance

    @Andy

    The IP address can change and most users have an address assigned by a DHCP server. Since it can change, banning it won't do much as you can easily get a new IP. With that said, you also can't look at before and after to see if it is legitimate or not. You could look at the ISP as that should remain constant, but that is not always the case either as people can take the console somewhere else. They could see which registry the IP is assigned to though.

    As for the MAC. You can change that and it is used for L-2. Every hop along the path changes the MAC address.

    All of the above is basic networking 101.

  16. Stuart Van Onselen
    Unhappy

    Just goes to show...

    ...that the entire *system* has to be secure. And the 'system' includes the users (in the broadest sense).

    So you can put encryption and digital signatures and Kerberos and all that stuff all over the hardware and software, but if your idiot call-center agents (or their idiot supervisors who designed the procedures) can be "socially engineered" so easily, all those sophisticated technical security measures mean diddly.

    I am despairing of this planet's computer and financial networks ever being remotely 'secure'.

  17. Snail
    IT Angle

    Social Engineering

    This is a far wider problem than just XBL. This is customer support services as a whole.

    I've had all sorts of personal information about my father's bank accounts, by mistake, because the bank staff didn't ask the right questions, and logged into the wrong account.

    My father has also had all sorts of information about my credit card because a bank phoned asking for me by surname, then didn't bother with security questions.

    Since customer support centres started going out to India, and other places this type of thing gets more and more common. Good quality customer support costs a lot, but is worth its weight in gold. It's just a pity 75% of customer facing places don't realise it!

  18. Matt Bradley
    Pirate

    Criminal Matter

    The strongest reason for not blocking the MAC address or serial number, is that you're effectively bricking the unit. How long before the scumbag owner puts his bricked XBox on ebay, and buys another one do you think? Blocking the box's MAC or Serial number creates yet another victim.

    To be honest, this is purely and simply a criminal matter. Obtaining somebody else's personal details by means of deception, and fraudulently accessing computer accounts belonging to another individual.

    I imagine that Microsoft are currently trying to avoid the public embarrassment of a criminal proceeding relating to poor XBox Live security. However, once the whole thing is out in the open (get writing those blogs, people!), there will be nothing preventing Microsoft from reporting these matters to the relevant enforcement agencies, and pursuing them to the full extent of the law.

    It would be nice to hear that the perpetrator here was not only stripped of his XBox, but in fact the ability to use any kind of computer for the next 5 years...

  19. amanfromMars Silver badge
    Alien

    Beagle has Landed in AI Brave NeuReal Wwworld of Milk and Honey.

    "You expect Micro$haft to grow brains?" ....... AC

    No, but one would expect that they buy some in. And any and all Failure to do that, must by default, render them Unfit to Lead and/or Govern their Empire. ..... which is just a Failed Command Structure at Head Office.

    New Blood and NeuReal Brains needed and needed badly ........ for the Changed Environments which Total Information Awarenesses Present.

    Should Microsoft realise/concede that its brains need to grow, [and they might fully realise the handicap of stunted and/or perverse, perverted growth] in Ultra Secretive and Sensitive Fields of Communications, across all EMP Spectrum, Wizards in the Mastery of TEMPEST can easily provide Running Repairs and ReBuild Facility to a Holed Vessel under sustained Attack via their Intellectual Deficit.

    Sink or Swim is the Choice which they freely make whenever they do not Purchase ITs Relief.

    This is Presently being Offered to them via their Tech Net portal e-mail service ........ A Plug In for ReGrouping and ReAssignment of Distressed Services. It is QuITe Simply AI BetaTest of the Brains for Fitness in Future Purpose ..... which does sound incredibly precocious but is merely AIMagical Mystery Turing XXXXPertTease in Real Virtual Machinery, the Significance of which, quite literally in every Sense of the Word, Defies Belief. It is a Plug-In though Available and always on Offer to any Operating System which you may care to Imagine.

    << AI Virtual Reality Server ..... for Greater Beta Vision .... and an Advanced Artificial Intelligence Development with HyperVisor Controls for Sublime and Subliminal Perceptions Management in the Virtual and Virtual to Real Realm. An AIDed Driver in CyberIntelAIgent Use for Capture/Migration* of Operating Systems.>>

  20. N1AK

    @Snail

    You're completely right, except the problem is not only that "It's just a pity 75% of customer facing places don't realise it!".

    90% of customers only give a toss about price / minimal effort. A business that charges 5% more but offers incredible service, will lose masses of business just for not being the cheapest option.

    Of course in MS Xbox Live's case this is a null point as they are the only option. As a subscriber I have no problem with the idea of paying for an online gaming service (even though plenty of games on PC have good free services) when it offers reliability and ease of use.

    Xbox Live has been crap since Christmas, constantly dropping people and not blocking connections, and now it seems they can't even protect people's details properly.

    I am paying £40 a year for a service that just has to introduce my xbox to other xboxes (as the hosting of games is done by players machines). For that I expect nigh on perfect service and it's woefully lacking.

  21. Anonymous Coward
    Anonymous Coward

    CVV

    Since it's illegal for Microsoft to hold your CVV number surely the obvious thing to do would be to simply ask for that before allowing you to change any of your address/password details. Call centre staff can't have that info as quite simply Microsoft are obliged not to hold it so no number of calls would result in the "hackers" having access to your account.

    The call centre staff shouldn't have access to your password either, if you forget it they should simply email a new one (auto-generated, again they have no access) to your already registered email address (which with the above can't be changed).

    Problem solved.

  22. Sir Runcible Spoon

    @c v v

    good point about the registered email address notification - as this is pretty standard with most password resets these days, but in order for the support bod to verify your cvv they would have to process a purchase which isn't likely is it?

  23. Steve Barnes

    Xbox Live

    I'd be pissed off if this was my PSN account and that isn't even paid for! If it was an online network that required my money, I would be fuming! As it's a paid for service Microsoft are offering, surely Consumer Protection & Trading Standards could help here a little & surely trading laws apply?

    Either way, as a PS3 person (yes, I know there's going to be plenty of abuse and flaming after this post) I do think it's crazy to pay for any kind of online gaming service. Even at half the price MS are charging, it's not really worth it!

  24. Maverick
    Thumb Down

    @N1AK

    "A business that charges 5% more but offers incredible service, will lose masses of business just for not being the cheapest option"

    sorry, a generalisation that is simply not true . . take one example;

    look at the growth of Entanet . . great 24x7 technical support (free with some resellers), very open in their approach to traffic management (which every UK ISP has to do) and simple policy for new business . . .

    - like our approach? then join

    - not like it? go elsewhere, thank you for your interest

    no way are they the cheapest ISP, but great value for money IMHO

    FWIW

    Mav

  25. Sampler

    Haxxors

    Not really hacking though is it in the technical sense - more the social engineering side of things.

    So it's not like Xbox live is technically open to hackers - just their support side is easily subverted by social engineers - which is true of most places unfortunately.

  26. amanfromMars Silver badge

    Steganographic Interfaces for Secure Mature Networks

    "I am despairing of this planet's computer and financial networks ever being remotely 'secure'." ..... Stuart Van Onselen Posted Thursday 10th January 2008 07:32 GMT

    Stuart,

    The only secure network is one which can Operate Transparently and in Full Sight but at such a Level and in such Levels as to be Virtually Invisible by Virtue of ITs Enigmatic Programming.

  27. Slim

    @Lou Gosselin

    In standard networking 101 yes the MAC address of the object (pc, server, router etc) isn't sent through the network.

    I have however found out (had a problem with the built in NIC in my 360 and got talking to one of the xbox live server techs) that when the 360 logs onto the server for xbox live it not only sends the account details but also the MAC address of the xbox, BIOS information and information from the actual game (presumably to connect to the correct server for said game.)

    So in theory unless the "hackers" have managed to clone their MAC addresses or change their com chips fairly often they are not only traceable, but M$ can ban that MAC address from accessing xbox live.

    Supposedly soon they will also be able to ban machines by their BIOS/serial numbers.

    Still it doesn't do much for the security and stopping people having their accounts stolen

  28. Law
    Gates Horns

    M$

    Microsoft are the problem here - I can't delete my credit card information from my account once I have used it, I must instead change the details of that card - to another one.

    If microsoft gave users more control over the data they retain, then they would be less likely to have a huge disaster when their useless staff give away your account. When my xbox dies (not if - on my second already, and this one is half dead too) I won't bother getting another... they just don't care about their customers, and it shows at the point when you need them - in their "customer support"...

  29. TeeCee Gold badge
    Stop

    It's all very sad.

    Hmm, shooting and killing yourself with your own Sniper rifle. All very clever I'm sure, but why would you want to?

    Upshot is, someone sad had something that was given to him for doing something very sad, appropriated by someone even more sad.

    I'd be leaping up and down at the security breach too, if it were at all important in the greater scheme of things. Which leads to a serious point.

    Security needs to be layered and classified. Putting your highest possible security level on everything has only two effects. 1) it pisses everyone off as the world grinds to a halt in a morass of Red Tape and 2) it provides a wider exposure of your best to those that want to beat it and, thus, renders it more vulnerable as the scrotes can practice on something that you're less likely to notice before gearing up for the real gravy.

    While Mr. Scrote is bigging it up in his purloined virtual armour, he's not exercising his skills stealing my Bank Account details. More importantly, I'd like to think that the flannel he fed the dumb MS crowd to pull this off wouldn't work on the (very hopefully) more security-aware staff on my Bank's helplines, rendering his new skillset pretty ineffective for practical purposes.

    Basically, let him have his fun where it doesn't do any real damage. With all the publicity, his details are almost certainly on someone's cybercrime watchlist somewhere. His Game is probably Over before it really started........

    PS: Don't bother. Virtual flamethrowers don't hurt in the Real World.

  30. Ian

    Password to registered e-mail does not solve the problem.

    "The call centre staff shouldn't have access to your password either, if you forget it they should simply email a new one (auto-generated, again they have no access) to your already registered email address (which with the above can't be changed).

    Problem solved."

    I wasn't aware it was illegal to hold CVV but the problem is more complex than this and simply sending to a registered e-mail address doesn't solve the problem.

    The fact is, people lose access to their e-mail addresses, if my ISP cuts me off for missing a bill, by accident or for breaking non-advertised AUPs or some other reason then I could very well also lose access to my e-mail address. As such there has to be a way to get my e-mail address changed.

    You also have to cater for the eventuality that someone may lose their e-mail address AND their password - say someone had to work abroad for 6 months, it's feasible in this time they may have dropped/lost their e-mail address and also forgotten their password.

    As such social engineers can still attack the lost e-mail address or lost e-mail address and password methods that companies have to employ if the lost password facility by itself is secure in the way you mention.

    You can't even guarantee someone's home address is still the same either, I have witnessed first hand a scenario where all this is relevant, Dark Age of Camelot, European servers. They had their network hacked and as such locked down the service and sent passwords out to people's registered e-mail addresses, not everyone still had their address so they offered to send out to home addresses via snail mail but still some users had changed their home addresses. I'm not sure what their final solution is, being arguably the most incompetent of companies ever they undoubtedly just told these people to go f*ck themselves, but that's beside the point.

    There has to be a balance between security and recoverability, the key is to have multiple layers of authentication when people want to reset certain details and the security questions are those layers of detail. The problem is they're being abused, and things like "Where were you born" which are easily guessable are being used. Ideally questions that are a lot more personal such that likely only the correct user might know them are a better bet, whilst "Who was the ugliest bird you ever shagged" might be a good bet as few people will admit it in public we don't necessarily have to have things that are embarrassingly personal even things like "How many months old was your son/daughter when they first learned to walk", "What was your favourite furry toy as a child", "Who was your favourite TV show character when you were young" or even possibly "What's your all time favourite film". Stuff that's simply not quite so guessable - a combination of 3/4 of this should do the trick in 99% of cases as it's unlikely someone on the internet could ever guess them and certainly pretty much never guess all 4.
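The reset mechanism that comments 21 and 30 argue over (an auto-generated credential sent only to the already registered e-mail address, with support staff never seeing or setting a password) looks roughly like this in code. This is an added example written for this page, not code from the thread or from Xbox Live; the in-memory user store, the `OUTBOX` stand-in for a mail sender, the 15-minute expiry and the `example.invalid` addresses are all constructed assumptions. It shows the properties a practitioner would check for: the token is random and single-use, only its hash is stored, it expires, unknown usernames produce no observable side effect, and nothing in this path can change the registered address (the harder "lost e-mail and password" case comment 30 raises needs separate, stronger checks and is deliberately not handled here).

```python
"""Self-service password reset via the registered e-mail address (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is dead after 15 minutes
PBKDF2_ROUNDS = 200_000       # slow password hash so a leaked store is hard to crack

# Constructed user store. The registered address is the recovery channel and this
# module offers no way to change it; that is the property the two comments discuss.
USERS = {"gamer1": {"email": "gamer1@example.invalid", "salt": None, "pw_hash": None}}
PENDING = {}   # sha256(token) -> (username, expiry); the raw token is never stored
OUTBOX = []    # constructed stand-in for an e-mail sender: (recipient, link)


def _token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def request_reset(username, now=None):
    """Mail a one-time link to the registered address only.

    Unknown usernames return False with no other side effect, so watching what
    gets sent cannot be used to find out which accounts exist."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    token = secrets.token_urlsafe(32)                    # 256 random bits
    PENDING[_token_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    OUTBOX.append((user["email"], f"https://example.invalid/reset?token={token}"))
    return True


def complete_reset(token, new_password, now=None):
    """Consume a token exactly once; expired or unknown tokens are rejected."""
    now = time.time() if now is None else now
    digest = _token_digest(token)
    for stored, (username, expiry) in list(PENDING.items()):
        if hmac.compare_digest(stored, digest):
            del PENDING[stored]                          # single use, even when expired
            if now > expiry:
                return False
            salt = secrets.token_bytes(16)
            USERS[username]["salt"] = salt
            USERS[username]["pw_hash"] = _password_hash(new_password, salt)
            return True
    return False


def check_password(username, password):
    """Constant-time check of a login attempt against the stored PBKDF2 hash."""
    user = USERS.get(username)
    if user is None or user["pw_hash"] is None:
        return False
    return hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"])


if __name__ == "__main__":
    request_reset("gamer1")
    recipient, link = OUTBOX[-1]
    print("reset link sent to", recipient)
    token = link.split("token=", 1)[1]
    print("reset accepted:", complete_reset(token, "correct horse battery"))
    print("reuse rejected:", not complete_reset(token, "again"))
```

The design choice worth noting is that the call-centre agent has no role at all in this path: there is no password to read out and no address to look up, which is exactly the avenue the thread says was used. A real deployment would rate-limit `request_reset` and log both calls for the incident-response team.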

  31. Mike

    The bigger issue is not social engineering......

    There's a war coming......

    Some people want to be able to prove who they are beyond all doubt, anti identity theft (whatever that means), and they complain when a social engineering hack shows weaknesses in lax processes or the ability to set up a direct debit for someone else.

    Some people don't want to be identified, the liberal (no2id) crowd insist they shouldn't have to be able to prove who they are.

    OK, so a token with RSA style cycling, two part biometric scanning and a password will solve the (so called) identity theft but at the cost of privacy.

    What do you want?

    It's one or the other, find something that does both and apart from solving this little dichotomy you may well become very rich.

  32. Jason

    @Matt

    I agree with you that this is in essence a pure criminal matter, however that doesn't mean that MS should not do anything to help prevent these crimes from being committed.

    Blocking Serial or Mac address (whichever is used when authenticating) would NOT "brick" the unit, it would only make it usable offline. In fact this would likely make it easier to track those committing these crimes. If a blocked box was picked up on Ebay, you go through Ebay's fraud division, same as any other counterfeit item. I believe ebay already files criminal charges against those with fraudulent auctions. MS could also add some means of unblocking these boxes with detailed info on the owner (ie only done at game stores, etc), and move that box to a watch list. Any more activity? You know right away who's responsible for the box.

  33. Ian Michael Gumby
    Gates Horns

    Microsoft and Security?

    Oh yeah Microsoft puts security as a top priority in *everything* they do.

    One has to wonder where the call centers are located?

  34. RW
    Unhappy

    CC info retention

    The first widely publicized mass theft of CC information was at CD Universe in 1997. No lesson was learned: to this day, many sites retain your CC info: number, billing address, etc. The reason, as far as I can tell, is as a *convenience* to the customer, saving them the onerous chore of re-entering that information when they make their next purchase.

    The only site I've run across that offers CC data retention as an option is Alibris. (Or maybe it's ABEBooks; one of the two at any rate.)

    The rest seem to be captive to the Microsoft-meme "hold still, we're going to do you a favor you didn't ask for." [This meme is at the root of a lot of the stupidities in MS Windows.]

    Isn't it time for Visa, Mastercard and their ilk to flatly forbid merchants to retain this information, no exceptions allowed? If merchants have to retain *something* in case a transaction must be reversed, they can put the CC number through a one-way hash function and use that to validate it when re-input.
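The "one-way hash of the CC number" that comment 34 proposes is workable, with one caveat a practitioner would add: a card number has very little entropy (16 digits, one of them a Luhn check digit), so an unkeyed hash of it can be recovered by enumeration once the hash leaks. The added example below, written for this page and not taken from the thread or from any merchant's code, therefore uses a keyed HMAC whose key lives with the system that performs the check, and normalises and Luhn-validates the input so that a mistyped number is rejected rather than hashed. The key and the widely published `4111 1111 1111 1111` test-card number are constructed values.

```python
"""Keyed one-way card fingerprint for re-entry validation (added example)."""
import hashlib
import hmac
import secrets


def normalise(pan):
    """Keep only the digits so '4111-1111-...' and '4111 1111 ...' hash the same."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan):
    """Mod-10 check used on card numbers; catches typos before anything is stored."""
    digits = [int(c) for c in normalise(pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(pan):
    """Display form kept alongside the fingerprint: last four digits only."""
    return "**** **** **** " + normalise(pan)[-4:]


def card_fingerprint(pan, key):
    """Value stored instead of the PAN.

    HMAC rather than a bare hash: without the key, a leaked fingerprint could be
    matched against the small space of Luhn-valid 16-digit numbers; with it, the
    fingerprint is useless to anyone who does not also hold the key."""
    return hmac.new(key, normalise(pan).encode(), hashlib.sha256).hexdigest()


def card_matches(pan, stored_fingerprint, key):
    """True only for a well-formed number whose keyed fingerprint equals the stored one."""
    if not luhn_valid(pan):
        return False
    return hmac.compare_digest(card_fingerprint(pan, key), stored_fingerprint)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # in practice: held in an HSM or secret store
    record = {"display": masked("4111 1111 1111 1111"),
              "fingerprint": card_fingerprint("4111 1111 1111 1111", key)}
    print("stored:", record)
    print("re-entry matches:", card_matches("4111-1111-1111-1111", record["fingerprint"], key))
    print("typo rejected:", not card_matches("4111 1111 1111 1112", record["fingerprint"], key))
```

Even with the key, this only answers "is this the same card as before?"; it cannot charge the card, which is the point. Merchants that do need to charge again without holding the number use a token issued by their payment processor for exactly that reason.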

  35. David Wilkinson
    Heart

    That's why I like the idea of the google checkout

    Whenever a website lets me order via google checkout or paypal I go that route.

    Then only google/paypal has my credit card info, email address.

    All the store sees is the money and the shipping address. :)

    Would be nice if the credit card companies provided similar service, but then they get their fees for the transactions then their fees for the chargeback. Fraud makes them money. :(

  36. Andy Bright

    hmm

    The strangest part about all this is the way social engineering can yield a Live Account.

    "Hello, yes, I seem to have forgotten where I live, could you tell me please?".

    "Hi, yes, well this is quite embarrassing, but not only did I forget my own address, but somehow I seem to have forgotten my phone number too. Couldn't quickly look that up for me could you?"

    So okay, the more likely scenario is this

    "I just wanted to make sure my account isn't registered under my old address, could you verify that for me" and "I just wanted to make sure my old phone number isn't associated with my account - which one do you have on record?".

    But the point is neither of those pieces of information should ever be given out full stop.

    If I was a legitimate caller that forgot I registered my account while I was living at an old address, there's nothing to stop me remembering what that address was and trying again.

    If you really are smoking so much pot that you can't remember where you lived 2 or 3 years ago, then perhaps you have bigger problems than not being able to log into an XBox Live account. Perhaps, given your propensity for short term memory loss, you would be someone who benefited from writing your username and password down.

    Ooo nooo.. writing your username and password down. Now anyone that breaks into your house or pretends to be your friend could steal it. Again, I submit that if someone broke into your home, or you had "friends" habitually stealing from you, your problems are far greater than the loss of a gaming account.

    BTW - although you do save a few quid signing up for 6 months or more using credit cards, given the number of online gaming accounts that are stolen from all gaming worlds, I would think it would be just a matter of self-preservation to use gaming cards instead.

    I'm not casting blame or pointing fingers at victims, I'm just suggesting that now we know no one working for these corporations gives a shit about you, you would be better off protecting yourself however you can.
