#1

Guest
Posts: n/a

Copy & Paste from BETEO

Quote:
I just got hit with this on the 25th. My points balance was drained dry on FIFA 12 Ultimate Team purchases and I have 3 FIFA 12 achievements. It also looks like the hackers tried to purchase a 6000 MS Points bundle using an expired credit card associated with the account. Fortunately, I had cancelled that card some years ago after a previous XBL fraud incident and moved entirely to prepaid for both XBL and PSN. Until recently, however, it was not possible to remove a payment type from your account.

My password was not changed and there were no other alterations to the account. I don't buy Microsoft's claims of phishing and social engineering. I suspect there is an API breach permitting Gamer profiles to be downloaded in an unauthenticated fashion. After I discovered the fraud, I took a look at http://www.xbox.com/security and found that, by default, profile logins from other consoles are not authenticated by password. This means that, should a hacker find a way to download your profile, he has full access to it without knowing your password.

Aside from changing my password, I also set my profile to require password authentication on login for all consoles except my own. I set a four button XBL passcode to be required for every login attempt, including on my own console. Then I signed out of XBL and redownloaded my profile, in order to invalidate all other copies. I secured the Windows Live account by adding mobile/SMS proof for password reset/recovery. I removed the expired credit card (it now seems to be possible to do this from Microsoft's Billing site).

At this point, I decided to contact Microsoft customer support. I explained the situation, with which they are all too familiar. Importantly, I mentioned the account hardening steps I had taken, so CS did not have to lock the account for 25 days. The account balance is frozen, but I can continue to play online as normal.

I'm going to do some more research on this and I'll update as the situation progresses. Interestingly, I can see the hacker's Console ID under my account billing history. I suppose Microsoft can ban this console, but it may just be a mule hackers use to acquire FIFA content before trading it away to another account.

If you haven't been hacked yet, I strongly recommend you follow the procedures recommended on the Xbox Security site. Honestly, I think Microsoft needs to enforce these measures universally through a system update.

-- 
gospvg [..getting old and still playing video games..]
http://www.gospvg.com

#2

Guest
Posts: n/a

On 06/01/2012 11:04, gospvg wrote:
> Copy & Paste from BETEO
>
> Quote:
> I just got hit with this on the 25th. My points balance was drained dry
> on FIFA 12 Ultimate Team purchases and I have 3 FIFA 12 achievements. It
> also looks like the hackers tried to purchase a 6000 MS Points bundle
> using an expired credit card associated with the account. Fortunately, I
> had cancelled that card some years ago after a previous XBL fraud
> incident and moved entirely to prepaid for both XBL and PSN. Until
> recently, however, it was not possible to remove a payment type from
> your account.
>
> My password was not changed and there were no other alterations to the
> account. I don't buy Microsoft's claims of phishing and social
> engineering. I suspect there is an API breach permitting Gamer profiles
> to be downloaded in an unauthenticated fashion. After I discovered the
> fraud, I took a look at http://www.xbox.com/security and found that, by
> default, profile logins from other consoles are not authenticated by
> password. This means that, should a hacker find a way to download your
> profile, he has full access to it without knowing your password.
>
> Aside from changing my password, I also set my profile to require
> password authentication on login for all consoles except my own. I set a
> four button XBL passcode to be required for every login attempt,
> including on my own console. Then I signed out of XBL and redownloaded
> my profile, in order to invalidate all other copies. I secured the
> Windows Live account by adding mobile/SMS proof for password
> reset/recovery. I removed the expired credit card (it now seems to be
> possible to do this from Microsoft's Billing site).
>
> At this point, I decided to contact Microsoft customer support. I
> explained the situation, with which they are all too familiar.
> Importantly, I mentioned the account hardening steps I had taken, so CS
> did not have to lock the account for 25 days. The account balance is
> frozen, but I can continue to play online as normal.
>
> I'm going to do some more research on this and I'll update as the
> situation progresses. Interestingly, I can see the hacker's Console ID
> under my account billing history. I suppose Microsoft can ban this
> console, but it may just be a mule hackers use to acquire FIFA content
> before trading it away to another account.
>
> If you haven't been hacked yet, I strongly recommend you follow the
> procedures recommended on the Xbox Security site. Honestly, I think
> Microsoft needs to enforce these measures universally through a system
> update.
>
>

And yet, there aren't the howls of derision against this, in which actual value is taken.

I think it's a telling difference from the PSN hack, where, as far as I know, no-one suffered any actual loss.

And yet, people came down on Sony like a tonne of bricks.

It's the cabal at work again.

#3

Guest
Posts: n/a

On 06/01/2012 11:04, gospvg wrote:
> Copy & Paste from BETEO
>
> Quote:
> I just got hit with this on the 25th. My points balance was drained dry
> on FIFA 12 Ultimate Team purchases and I have 3 FIFA 12 achievements. It
> also looks like the hackers tried to purchase a 6000 MS Points bundle
> using an expired credit card associated with the account. Fortunately, I
> had cancelled that card some years ago after a previous XBL fraud
> incident and moved entirely to prepaid for both XBL and PSN. Until
> recently, however, it was not possible to remove a payment type from
> your account.
>
> My password was not changed and there were no other alterations to the
> account. I don't buy Microsoft's claims of phishing and social
> engineering. I suspect there is an API breach permitting Gamer profiles
> to be downloaded in an unauthenticated fashion. After I discovered the
> fraud, I took a look at http://www.xbox.com/security and found that, by
> default, profile logins from other consoles are not authenticated by
> password. This means that, should a hacker find a way to download your
> profile, he has full access to it without knowing your password.
>
> Aside from changing my password, I also set my profile to require
> password authentication on login for all consoles except my own. I set a
> four button XBL passcode to be required for every login attempt,
> including on my own console. Then I signed out of XBL and redownloaded
> my profile, in order to invalidate all other copies. I secured the
> Windows Live account by adding mobile/SMS proof for password
> reset/recovery. I removed the expired credit card (it now seems to be
> possible to do this from Microsoft's Billing site).
>
> At this point, I decided to contact Microsoft customer support. I
> explained the situation, with which they are all too familiar.
> Importantly, I mentioned the account hardening steps I had taken, so CS
> did not have to lock the account for 25 days. The account balance is
> frozen, but I can continue to play online as normal.
>
> I'm going to do some more research on this and I'll update as the
> situation progresses. Interestingly, I can see the hacker's Console ID
> under my account billing history. I suppose Microsoft can ban this
> console, but it may just be a mule hackers use to acquire FIFA content
> before trading it away to another account.
>
> If you haven't been hacked yet, I strongly recommend you follow the
> procedures recommended on the Xbox Security site. Honestly, I think
> Microsoft needs to enforce these measures universally through a system
> update.
>
>

But also thanks for the info. I'm going to do these things tonight.

#4

Guest
Posts: n/a

On 06/01/2012 11:04, gospvg wrote:
> Aside from changing my password, I also set my profile to require
> password authentication on login for all consoles except my own. I set a
> four button XBL passcode to be required for every login attempt,
> including on my own console. Then I signed out of XBL and redownloaded
> my profile, in order to invalidate all other copies. I secured the
> Windows Live account by adding mobile/SMS proof for password
> reset/recovery. I removed the expired credit card (it now seems to be
> possible to do this from Microsoft's Billing site).
>

It won't let me remove my billing information.

Hope I don't get haxx0red.

#5

Guest
Posts: n/a

On Fri, 6 Jan 2012, HarpingOn wrote:
> And yet, there aren't the howls of derision against this, in which actual
> value is taken.

Except there is.

> I think it's a telling difference from the PSN hack, where, as far as I know,
> no-one suffered any actual loss.
>
>
> And yet, people came down on Sony like a tonne of bricks.
>
> It's the cabal at work again.

On the evidence I've seen, I'm almost 100% sure this is all actually EA's fault, not Microsoft.

There is, apparently, a way of accessing someone else's XBL account details via an EA website. I've seen people referring to how it is done, but all the blog posts, forum posts, and so on they link to have been removed. Sometimes by request.

deKay

-- 
Lofi Gaming - http://lofi-gaming.org.uk
Gaming Diary - http://lofi-gaming.org.uk/diary
Blog - http://lofi-gaming.org.uk/blog
My computer runs at 3.5MHz and I'm proud of that

#6

Guest
Posts: n/a

On 06/01/2012 11:39, deKay wrote:
> On Fri, 6 Jan 2012, HarpingOn wrote:
>
>> And yet, there aren't the howls of derision against this, in which
>> actual value is taken.
>
> Except there is.
>

Really? I've not seen it on the same scale at all.

>> I think it's a telling difference from the PSN hack, where, as far as
>> I know, no-one suffered any actual loss.
>>
>>
>> And yet, people came down on Sony like a tonne of bricks.
>>
>> It's the cabal at work again.
>
> On the evidence I've seen, I'm almost 100% sure this is all actually
> EA's fault, not Microsoft.
>
> There is, apparently, a way of accessing someone else's XBL account
> details via an EA website. I've seen people referring to how it is done,
> but all the blog posts, forum posts, and so on they link to have been
> removed. Sometimes by request.
>
> deKay

Why isn't the PSN affected in the same way, I wonder?

#7

Guest
Posts: n/a

In article <je6n5t$lk6$1@dont-email.me>,
HarpingOn <harpingon@127.0.0.1> wrote:
> On 06/01/2012 11:39, deKay wrote:
>> On Fri, 6 Jan 2012, HarpingOn wrote:
>>
>>> And yet, there aren't the howls of derision against this, in which
>>> actual value is taken.
>>
>> Except there is.
>
> Really? I've not seen it on the same scale at all.

I think it has to do with new releases. The PSN outage coincided with a number of high-profile new games that were suddenly unplayable due to a lack of network. Everyone's back to school and back to work after the holidays during this particular hack, so Microsoft has lucked out with regards to the timing.

>> On the evidence I've seen, I'm almost 100% sure this is all actually
>> EA's fault, not Microsoft.
>>
>> There is, apparently, a way of accessing someone else's XBL account
>> details via an EA website. I've seen people referring to how it is done,
>> but all the blog posts, forum posts, and so on they link to have been
>> removed. Sometimes by request.
>
> Why isn't the PSN affected in the same way, I wonder?

If I had to guess, I would say that Sony swapped out their directory for something else entirely, which negated all previous intrusion methods. Microsoft, by contrast, has always used a slightly tweaked Active Directory structure with extra bits specific to the game network. AD weaknesses are widely known, and to be honest I'm surprised XBL isn't down more often.

-KKC, who feels good about not renewing his Gold subscription now.

-- 
"Step 8: Make a list of all the persons I | kendrick
have harmed, and file them alphabetically | @io-nyc.com
for ease of reference."                   |
 - David Javerbaum, "The Last Testament"  |

#8

Guest
Posts: n/a

"HarpingOn" <harpingon@127.0.0.1> wrote in message
news:je6ltg$fsp$2@dont-email.me...
>
> But also thanks for the info. I'm going to do these things tonight.

Yep the passcode will be going on this evening.

-- 
gospvg [..getting old and still playing video games..]
http://www.gospvg.com

#9

Guest
Posts: n/a

On 06/01/2012 12:09, gospvg wrote:
> "HarpingOn" <harpingon@127.0.0.1> wrote in message
> news:je6ltg$fsp$2@dont-email.me...
>>
>> But also thanks for the info. I'm going to do these things tonight.
>
> Yep the passcode will be going on this evening.
>
>

"If you forgot your Xbox LIVE account pass code, download your profile from Xbox LIVE."

So a pretty useless level of security if they have control of your account already.

-- 
John Talbot
XBL, PSN, Twitter, Everything : jochta
Blog & Gaming Diary : http://www.buttonsofmymind.co.uk/
"Leading the fight..."

#10

Guest
Posts: n/a

On 06/01/2012 11:38, HarpingOn wrote:
> On 06/01/2012 11:04, gospvg wrote:
>
>> Aside from changing my password, I also set my profile to require
>> password authentication on login for all consoles except my own. I set a
>> four button XBL passcode to be required for every login attempt,
>> including on my own console. Then I signed out of XBL and redownloaded
>> my profile, in order to invalidate all other copies. I secured the
>> Windows Live account by adding mobile/SMS proof for password
>> reset/recovery. I removed the expired credit card (it now seems to be
>> possible to do this from Microsoft's Billing site).
>>
>
>
> It won't let me remove my billing information.
>
> Hope I don't get haxx0red.

You can't if your account is set to renew automatically by CC. You have to ring the MS monkeys and give up trying to ask them to do it for you.

-- 
John Talbot
XBL, PSN, Twitter, Everything : jochta
Blog & Gaming Diary : http://www.buttonsofmymind.co.uk/
"Leading the fight..."