www.maxconsole.com - 24.05.2013
 
 
How scammers are stealing Xbox Live Accounts...    

Added by Gauss on 26.05.2012

...and a few things you can do to protect yourself.

An interesting article by 'Hacked On Xbox' shows us how and why XBL accounts are getting broken into. Also, Microsoft advises on how to protect your account.

 


As you may know, Xbox 360 owners have been complaining of a surge in account thefts, like in the FIFA Phishing incident.

At first believed to be the result of hacks in relation to EA's FIFA series, it's now looking more likely to be the result of a widespread scam run by shady types out to either make money or score cheap games.

Now a victim, Susan Taylor, was somehow contacted by members of the jacking community, who tipped her off to sites and forums where "jackers" congregate and trade.

There, she discovered a "black market" forum where members sell stolen Xbox Live accounts, and was also able to "learn" the techniques on how they manage to obtain someone else's Xbox Live account information:

The key distinction between "jacking" and "hacking" is that these guys aren't forcefully circumventing any software protection measures. What they're doing is, in a nutshell, contacting Microsoft, pretending to be the legitimate account holder, and through poor security and a whole lot of bluffing (usually making excuses as to why information was incorrect or why passwords could not be remembered), getting hold of the necessary reference numbers and information they need to then go on and access a stranger's Xbox Live account.

Here's what she was able to obtain, outlining their strategy:

PERSON A

1. First you go to Xbox.com and click support at the top left of the website.

2. Then go to the bottom of the page and click Contact Us.

3. Once on that page click the Email Us link. Then click Xbox Live.

4. Now this is where it gets SERIOUS. For the name put a name. I personally use an actual agent's name ([Name redacted by Kotaku]) then put their employee ID, for which I put a fake ID. For the reason put Technical Support.

Then for the email put XXXX@microsoft.com or something to do with the agent's name but Microsoft. For the reason put something like this "Customer (put their name if you have it on the account you want) verified the 16 Credit Card digit number. He has made an inquiry about how he has forgotten his account's information, since I am a Tier 1 agent I am unable to view the customer's GT. He has requested to have the answer changed to (put something realistic for the answer). The Xbox Live Gamertag is (put GT). – [Name redacted by Kotaku]"

(IMAGE)

5. Now you should see something like this

(IMAGE)

6. Call up Xbox 30 minutes later. After they answer say that you were disconnected from a Tier 2 agent and ask to be transferred back.

7. After they transfer you to the Tier 2 agent give them the number (remember you're the customer so you have to act like you have pretty much no idea what's on it). Once they pull it up they will take a little while and change it. DO NOT ASK FOR THE EMAIL so that you can know where to reset it.

8. Then call back and say you forgot your email but know your Secret question answer. They will ask for the GT and answer tell them and they will give you the email.

Congrats now you get the OG. This won't work every time so don't get discouraged.



And here's another one:

IT HAS NOTHING TO DO WITH PHISHING clearly as you know all too well but MS tries to hide this very well. This is called by the hackers "Jacking an account" and what I talk about below has probably not even entered your head as how your account was taken.

The main thing is that reference number you get, see how they helped you with just a reference number and no other proof you were who you said???

Basically they ring other small companies associated with MS after getting a reference number associated with your gamertag/Zune account.

To get the reference number they ring either Xbox or Zune support and when asked about security info such as name they give fake info and then say "Oh if that's not right my brother must have changed it, he's not in so can I have a reference number to call you back when he is home?"

These smaller companies release your name and more and literally all I or the hacker would have to say after giving them the reference number is "Could you help me verify the information on my account please". Being a smaller, clueless company they give info out like your name or address. They then call back repeatedly getting different info (this is a lengthy process as not every agent is stupid but these people spend days/weeks targeting accounts)

Bear in mind they will get your email address from this process and that pretty much seals the account's fate into being hacked. Most people use the same email and their real/same info for everything so if they see on xbox.com you have Netflix or something similar like that they will call Netflix and they have all the right name and address etc.

So one example of something I would do and what these people do is to say to Netflix "I purchased a new subscription but it's not showing up can you check you have the right payment option on file" because the hacker can give all the correct info to Netflix or whoever else's service it is and they will cluelessly give out the last 4 digits of the Credit Card. Now with the last 4 digits of a credit card a password reset form is almost certain to be successful when the hacker submits one through the Windows Live page when you click forgot password. But there are also hotlines where agents will reset the password over the phone when the hacker provides all this info because they are bound to believe someone with the last four of a CC right? So they help the hacker get your account.

There are literally TONS of different little tactics here and there that these people or I used to use to get different bits of information and I only skim over it briefly above obviously because it would be too lengthy to try and explain it with written words in one email.

WHY? The main reason is money, of course!

The raft of thefts reveals that Xbox Live accounts are big business. Definitely worth the trouble of getting hold of. But why? It appears there's a market for all kinds of accounts and the things related to them. The most obvious, and lucrative for the more criminally-minded, are accounts with credit card or PayPal info linked to them. Once loaded up with "free" Microsoft Points, they're then sold off to buyers who get thousands of points for a lot less than they'd normally have paid for them.

Another money-saving motivation is free games. If an account has purchased any Games on Demand titles, for example, those games are linked to the account, meaning the new owner can jump onto Xbox Live and download the games "again" for free. Surprise surprise, the most valuable accounts are ones with Call of Duty titles attached.

Finally, here's Microsoft's official statement and their advice on protecting your account:

There are several different methods malicious users employ to gain unauthorized access to accounts; social engineering is one of them. We are aware of the vulnerabilities that social engineering poses, and continue to address these through tools and training to help keep our members safe and secure.

The security of Xbox LIVE member accounts is a top priority and we continue to take aggressive steps to protect our members against ever-changing threats. This includes continually evolving our security practices and staff training to help prevent these scenarios from occurring.

[...]

We really appreciate that these issues have been raised; however, the specific examples in this article contain information that is invalid and out-of-date. We would welcome the opportunity to work directly with Ms. Taylor and the members who have contacted her with unresolved cases. We have done a considerable amount of work to resolve cases for our customers in the last several months and will be reaching out to her to provide further assistance.

[...]

Engaging in identity theft, trading in stolen accounts and committing credit card fraud is all illegal, and those involved in this activity risk criminal prosecution. The activity also violates our Terms of Use, and we are actively stepping up account and console bans for both sellers and buyers of known stolen accounts and content.

Finally, many of our security enhancements and recovery processes, should an account become stolen, are dependent upon our members being able to verify their identities using additional proofs, such as secondary email addresses, phone numbers, security questions and answers, or trusted devices. Adding strong identity proofs to an account provides multiple layers of identity verification, which can drastically reduce the incidence of identity theft and other online fraud.


Not enough? You can also:

About the only recommendations would be to do what you should be doing anyway: keep your passwords separate, don't link credit card information to an account and use a dedicated email account for just your Xbox Live, nothing else. At least then you're minimising the damage, cutting down on the possibilities that by stealing your account details these scammers also get access to other online services of yours.

Well, there you go. Protect yourself and be EXTRA careful.

You can check out the full article below, which is extremely interesting and informative!

