http://whatthegeek.net/2011/10/05/the-tale-of-a-hack...
It seems, reading many of the comments, that this is not that uncommon.
.
Knowing how it works is completely different to understanding how it works.
Live BQM
FTTC - Aquiss Business 45
37.7Mbps Downstream
8.45Mbps Upstream
7ms Ping
|
|
|
Funny really, but everybody seemed to find a reason to comment on Sony over the PSN hack. Not one person felt concerned enough though, to comment about what seems to be a regular occurrence on the XBL network?
It's a funny old world. 
|
|
|
Lots of people hate Sony and, like you say, it's a funny old world, matey.
|
|
|
They may have just cause to hate Sony, I don't know. But MS don't seem any better. They don't even want to pretend that no data has been lost. They just don't respond to the question, which I thought would be their legal responsibility after taking and not protecting users' data?
Seems some of the grandstanders who trumpeted the facts about the PSN hack are too busy with their hands in their pockets, staring at the floor and whistling?
Yep, a funny old world indeed. Anyway, in other news.........

|
|
|
|
Did you see Watchdog the other week, with customers that have been accused of cheating having their 360 banned?
Mostly 10 year old kids that quite clearly did not look like hackers, but the mother of one had replaced his banned Xbox 360 with a PlayStation 3 and refused to support Microsoft anymore.
After appearing on Watchdog, Microsoft, as always after being on a prime television show, decided to reimburse anyone that had to go out and buy a brand new console because of the bans, except the mother who bought a PlayStation 3, who they told would not be getting any money because she has not bought their console.
|
|
|
This account exploiting is nowhere in the same league as what happened at Sony, not even close.
I can see what you're up to in this thread, as I'm sure most others can, and you replying to yourself did kind of prove that, hence why I did not reply.
It's not as widespread as you might like to think (blog post with 7 replies), but all the time there is human interaction there is a chance to hack and exploit, and Microsoft do swing the ban hammer, as has already been pointed out in this thread.
As said, not even on the same page as what happened at Sony; this is on a personal level, not on a massive level.
Edited by deleted (Sun 09-Oct-11 11:08:49)
|
|
|
I can see what you're up to in this thread, as I'm sure most others can, and you replying to yourself did kind of prove that, hence why I did not reply.
No you can't, and you've just proven it.
Theft is theft. End of conversation. I was clearly asking why people condemn one company over the other. You don't know how widespread it is, and you don't know how much actual card fraud was carried out on either occasion.
You can make it a fanboy issue if you like. I personally treat all big companies with the contempt they deserve.
|
|
|
Micro do swing the ban hammer as has already been pointed out in this thread.
And the ban hammer helps in the disclosure of loss of credit card information and actually fraudulent misuse in what way?
Think before you troll. Apology accepted. 
|
|
|
I don't do anything with my windows live ID other than visit Xbox.com, and log into my Xbox 360
Phished/keylogged. His PC might have already been compromised if he was running a vulnerable version of reader, flash or java.
|
|
|
I don't do anything with my windows live ID other than visit Xbox.com, and log into my Xbox 360
Phished/keylogged. His PC might have already been compromised if he was running a vulnerable version of reader, flash or java.
Yes, but that's not his complaint. His complaint is that someone has spent money on his account and MS do not seem to be prepared to discuss any data protection breach with him.
|
|
|
Why should they? It was his fault in the first place. The answers to his questions are pretty obvious.
First, how was my account breached?
How are they supposed to know? Someone stole his account steals. They aren't psychics.
which parts of my account were accessed by the hacker?
Points purchased using stolen xbl account. CC tied to account. CC information not compromised.
how do I go about removing all of my credit cards from my account?
http://lmgtfy.com/?q=http%3A%2F%2Fsupport.xbox.com%2...
|
|
|
How are they supposed to know? Someone stole his account steals. They aren't psychics.
You're joking right?
|
|
|
|
Nope. You were comparing this to the Sony incident. They are completely different. I don't expect you to understand.
|
|
|
Nope. You were comparing this to the Sony incident. They are completely different. I don't expect you to understand.
Right, so you weren't joking. That explains a lot. Think really hard and the penny will drop. I promise. 
|
|
|
|
Protip: Accounts are compromised every day. Incidents like the one at Sony aren't as common.
|
|
|
Except we're not discussing the incident are we?
|
|
|
Dude, this is not a long thread and you very clearly made a comparison to PSN on your second post:
Funny really, but everybody seemed to find a reason to comment on Sony over the PSN hack. Not one person felt concerned enough though, to comment about what seems to be a regular occurrence on the XBL network?
It's a funny old world. 
|
|
|
My point is that this has been going on for years on the XBL.
http://m.zdnet.com/blog/security/xbox-live-hacked-ac...
I fail to understand why having all the accounts hacked in one go, should make the company any more or less culpable than another company losing it on a regular basis, day to day?
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
I'm not suggesting that this approach is appropriate or not. But I don't understand why it isn't levelled at Microsoft or any of the other companies recently hacked.
That's why I said it's a funny old world. 
|
|
|
We all now get that you don't get, I'm amazed, as I'm sure other users will be amazed, that you're even trying to make the comparison.
People get hacked all the time, from their mobile phones to their PC and even consoles, from phishing sites to cameras fitted to cash machines; the thing you cannot grasp is the scale Sony and their users were hacked, is like nothing anybody had seen before, and that is and still is Sony's shame for making it so easy in the first place, which you have never accepted and probably never will.
So far you have produced a blog post with seven replies and a 4 year old article from ZDNet. I'm not saying Xbox accounts don't get hacked, it's just shameful that you're trying to make it so much worse than it actually is, and the comparison between this and Sony could only have been made by yourself.
Edited by deleted (Sun 09-Oct-11 16:20:38)
|
|
|
Sony's problem was down to an exploit in their own system; the Xbox problem is down to user faults (user error when it comes to protecting one's accounts).
Look at it this way: let's pretend MS and Sony are lockmakers/locksmiths.
Sony installs 100,000 new locks on people's front doors, all nice and shiny; however, they did not realise that the lock could be bypassed with a key that anyone could create.
Number of people affected: 100,000. Who's at fault: Sony.
MS installs 100,000 locks on people's front doors, everything works fine; however, some users are stupid (1 in 1000) and lose their key while they are out, someone then finds that key and uses it to access the person's house and steal everything.
Number of people affected: 100. Who's at fault: the stupid user.
The difference is accounts that have been compromised on Xbox Live are down to the user's actions; there have been no known exploits found on Xbox Live that compromise the whole system.
When an Xbox Live account gets hacked, it is normally due to the user being stupid and doing any or all of the following (not a complete list but just there to give an idea):
- 1 username/email and password used everywhere
- uses the same logins on a rogue site, possibly about Xbox, and the webmaster grabs those details and logs into that person's account on Xbox Live
- a totally legit website gets hacked and included details that match the Xbox Live account
- user's PC gets infected
- uses a very easy to brute force password such as P@ss
The point I agree with you on is that MS should give a detailed report to the customer, but AT THE USER'S EXPENSE if they are to blame.
The only way to protect against these attacks is to assess every Xbox user to see if they're smart enough to use Xbox Live; as that would not out 95% of the users, it would kinda be a bit overkill.
Edited by deleted (Sun 09-Oct-11 16:41:32)
|
|
|
The point I agree with you on is that MS should give a detailed report to the customer....
Which was my point. I don't believe however that users are automatically to blame. Falling for a phishing scam does not denote somebody's character.
Knowing a bit about PCs and letting that make you think you are brighter than them, does however.
|
|
|
|
If users fall for phishing they are stupid; not saying that people who know IT inside and out won't have stupid moments. I work in IT and I have had moments when I've done something that I should have known better, but that's my fault for my brain not kicking in when it should have.
The info is out there for people to read and educate themselves, but most don't; that can't be MS's fault.
Also, if there was an exploit in Xbox Live we would have heard about it; hackers love hacking MS and bringing them down off their high horse, but so far Xbox Live has stood its ground, unlike the Windows and IE software.
Can you not see our point that you are talking apples and oranges?
If users make mistakes that cause their account to get hacked, MS can't be held accountable; however, in Sony's case it was their fault as the system they designed was flawed.
|
|
|
Sony was a system vulnerability. The problem with xbox live is because it is associated with live id's and some people are idiots.
|
|
|
If users fall for phishing they are stupid; not saying that people who know IT inside and out won't have stupid moments. I work in IT and I have had moments when I've done something that I should have known better, but that's my fault for my brain not kicking in when it should have.
The info is out there for people to read and educate themselves, but most don't; that can't be MS's fault.
Also, if there was an exploit in Xbox Live we would have heard about it; hackers love hacking MS and bringing them down off their high horse, but so far Xbox Live has stood its ground, unlike the Windows and IE software.
Can you not see our point that you are talking apples and oranges?
If users make mistakes that cause their account to get hacked, MS can't be held accountable; however, in Sony's case it was their fault as the system they designed was flawed.
So in other words you are clearing Microsoft of any liability based on what?
A few of the readers have automatically assumed that the victim has a role to play in this. How do you guys know this? Have you analysed the victim and all their hardware?
I love how a business that can't answer a simple question is faultless and never wrong (yes banning on Xbox is never wrong isn't it?).
|
|
|
I'm not trying to compare the two events. I was trying to point out that as an observer you can be as derogatory about Sony as you like. As a victim, the poster feels exactly the same about Microsoft. And so he should. Because he could suffer the same amount of distress as any of the 30 million individuals in the Sony attack. Being part of a smaller specimen doesn't lessen the personal effect any.
I'm not interested in Sony vs Microsoft. It's just I thought most of the rigamarole was related to PC gamers "looking out for their own". Obviously it was more about brand loyalty.
What is a shame though, is that a self confessed troll tries to invite other people in to attack the poster rather than the post. You know what they say. You can lead a horse to water, but a pencil must be lead. 
|
|
|
can you not see our point that you are talking apples and oranges.
No I can't. Because we are not talking about the technical issues. We are talking about the individual company's responsibilities to their customers after the event. Not what caused it. That is what the post was about. How he felt he was being treated after the event, not whose fault it was.
The smart money knows it can happen to anybody. Sony made it easy for them granted. But that wasn't the real mistake. The real mistake was making themselves the target in the first place.
|
|
|
|
OK, but from the way you tackled the topic it was sounding like you were maintaining that Xbox was worse than Sony.
You're comparing Sony's response to a major fault that was all over the news to MS's response to a non-news-based incident that affected a single user. They would be treated differently. It would be better to review how Sony treats users that have their account hacked on a singular basis, as that would be a fair comparison.
Also, MS are in a no-win spot: if they turned around and said a report will cost you £150 but you get it refunded if you were not at fault, they would be hammered for that and users would not be happy.
Why should MS pay for extra work that's not their fault, which would then have to be passed on to the users of the Xbox Live system?
|
|
|
|
Quite simple, it would have made the news. MS is more of a target than Sony; there will be lots of people trying to find a flaw to exploit. It's not something you could keep quiet for long.
Just look how often IE and Windows are updated because hackers have found a hole. The fact that there are no reports according to Google (other than game cheats) on Xbox Live means that it would be a safe bet it would be user fault.
|
|
|
|
Not really, Sony didn't hit the news until 2 weeks after the event started...
Windows exploits are found so often now, it barely makes the news on tech websites.
|
|
|
Not really, Sony didn't hit the news until 2 weeks after the event started...
Windows exploits are found so often now, it barely makes the news on tech websites.
That tends to happen when you have the number of users that windows does....
|
|
|
|
I'm the author of the article that inspired this thread, and I saw a lot of great points being made here, and issues being brought up, so I wanted to hop in and say a few things.
First, as to my account getting hacked thanks to a phishing scam - nope. I take online security very seriously, and I'm well aware of how to spot and avoid a phishing scam. I'm also cautious (perhaps excessively so) about keeping my computer free of spyware and the like. On the rare occasion when a virus scan, or a Malwarebytes scan turns something up, I make it a point to change passwords once the offending piece of software is gone. The odds that my account was breached because of some stupid thing I did are extremely low.
If I had to guess, I'd say it was more likely a social engineering attack on XBL customer service - those guys don't have the best reputation for keeping accounts safe and sound, but keep in mind that's just a guess - I don't have anything to back that up.
If someone does fall for a phishing scam, personally, I don't think they should be blamed for it. Sure, it's a boneheaded move, but obviously they didn't set out to have their account information stolen. Think of it like this: if someone leaves their car unlocked by accident, and some [censored] comes along and steals it, the victim isn't going to be charged with grand stupidity, but the thief will most certainly be charged with grand theft auto.
As for the comparison to the PSN attack, one hacked XBL account obviously isn't as significant as the millions of PSN accts that got breached, BUT it's not just one XBL account. From the response I've seen to the article I wrote on various forums and websites, it looks as though this happens fairly often. That's strictly anecdotal, but it seems pretty safe to assume that this is happening at least a couple hundred to a couple thousand times a month - add that up over the course of a year, and you have a pretty significant security problem at Microsoft. Microsoft's response to that security problem is to completely ignore any concerns regarding personal information, and pretend that all the issues can be wiped away with a password change. If we're gonna get mad at Sony for giving out everyone's account information all at once, let's get mad at Microsoft for giving out our account information one person at a time.
|
|
|
Same thing would happen at your high street bank, i.e. if someone guesses your pin, in fact worse they make you prove you did not give out the pin to people.
Passwords are always guessable, and with enough time people will simply sit down and figure them out. How many people actually have unique passwords for every website and service that requires them?
In short we don't know that the information was given out by MS - if you do then time to go to the press, and the journalist would attempt the same phish on a test account.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Same thing would happen at your high street bank, i.e. if someone guesses your pin, in fact worse they make you prove you did not give out the pin to people.
Passwords are always guessable, and with enough time people will simply sit down and figure them out. How many people actually have unique passwords for every website and service that requires them?
In short we don't know that the information was given out by MS - if you do then time to go to the press, and the journalist would attempt the same phish on a test account.
Assuming that it wasn't a security breach on Microsoft's end, they still refused to provide me with any concrete information on exactly how my account was used during the time it was hacked. I don't know whether the hacker gained access to my credit card information, my address / phone number, all of those pieces of information, or none of them.
Also, as I mentioned before, I'm extremely cautious about my passwords, and account security. None of my passwords would be easily guessed, and a brute force attack on an XBL account would almost certainly set off some flags at MS, effectively keeping the hacker out of the account. Their CSRs might not be to blame, but they definitely dropped the ball here between the breach itself and their refusal to work with me to help to keep me safe from identity theft and fraud.
|
|
|
For all they know you could be the person who has acquired the information falsely.
Revealing too much information, that then gets blogged, could lead to more copycat issues. On security issues it is not unusual for a firm to clam up.
Welcome to the murky world of internet security.
Best advice use pre-paid credit cards, so that any banking details do not lead to main account, and only limited funds would be available.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
For all they know you could be the person who has acquired the information falsely.
I think that's a bit of a cop out.
Whatever they "think" they have a responsibility to investigate and share their findings with "their customer". If they thought the complaint was a fraudulent attempt to gain information then they would have a responsibility to inform the real account holder, "their customer".
Sure, your bank has particular protocols to establish who you are before disclosing information on any issue. But to ignore your requests for information pertaining to possible fraud on your account?
If your bank responded like this, I think you would feel rightfully aggrieved, as whathegeek does. I know I would.
|
|
|
Welcome to the gaming forum. 
|
|
|
Try reading moneysavingexpert and you will see people being treated like this by the banks after cash machine fraud etc
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Welcome to the gaming forum. 
Thanks! Funny story - I didn't know about this site until I saw traffic coming to my site from this thread - seems like a pretty awesome forum.
Try reading moneysavingexpert and you will see people being treated like this by the banks after cash machine fraud etc
Just because it happens, that doesn't make it right. Consumers deserve better treatment from the companies we entrust with our personal information.
|
|
|
I don't doubt it, but I bet those victims weren't happy either.
|
|
|
Yes, people deserve better treatment, but be aware with online security the tendency is not to give out too much that may help those crafting these attacks.
Drawing attention can all too often result in others who have a grudge causing yet more trouble.
Xbox live is far from unique, happens to many webmail accounts every day.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
...seems like a pretty awesome forum.
It has its moments.
|
|
|
For all they know you could be the person who has acquired the information falsely.
I think that's a bit of a cop out.
Whatever they "think" they have a responsibility to investigate and share their findings with "their customer". If they thought the complaint was a fraudulent attempt to gain information then they would have a responsibility to inform the real account holder, "their customer".
Sure, your bank has particular protocols to establish who you are before disclosing information on any issue. But to ignore your requests for information pertaining to possible fraud on your account?
If your bank responded like this, I think you would feel rightfully aggrieved, as whathegeek does. I know I would.
Good luck getting your bank to tell you how someone got into your account.
|
|
|
|
Here's the thing - I don't really care HOW they got access to my account, but I do care what information they had access to.
I even made it clear when emailing Microsoft that the details of the investigation process were their business, not mine, but that I did need to know what information on my account was accessed so I could take necessary security precautions.
They were either unwilling, or unable to tell me anything more than what I already knew - someone that wasn't me used my account.
A hacker might have access to different amounts of my personal information depending on how they accessed the account. For example, a disgruntled MS employee would probably be able to poke at all sorts of fun information like credit card numbers, and the answers to my security questions, while an ordinary hacker wouldn't have direct access to that stuff through xbox.com or the Xbox 360.
Again, they don't have to tell me how. I'm curious, but ultimately, that part doesn't matter. As a customer trusting them to be careful with my personal information, they really should at least tell me what information was accessed though.
|
|
|
For example, a disgruntled MS employee would probably be able to poke at all sorts of fun information like credit card numbers
Very unlikely.
Presumably Microsoft comply with the various standards and regulations around storing credit card details which means employees poking around credit card numbers is impossible.
|