Microsoft Xbox Phone Staffers Giving Away Private Information

 
 
By Lisa Vaas  |  Posted 2007-03-22 Email Print this article Print
 
 
 
 
 
 
 

Hijackers are getting access to Xbox Live gaming accounts, credit cards and PayPal accounts by repeatedly calling customer service representatives.

Hijackers are getting access to Xbox Live gaming accounts, credit cards and PayPal accounts with repeated calls to support staff, who are easy prey for social engineering stunts.

Going against Microsofts own privacy policy, Xbox Live telephone support personnel are giving away gamer tags based on made-up information. One gamer who requested anonymity shared with eWEEK a taped telephone conversation in which he called the Xbox Live phone support number on March 21 and wound up getting a valid gamer tag based on simply making up a name and the state in which he supposedly lives.

An excerpt of the conversation:

Gamer: "Im trying to link my gamer tag to Xbox Live so I can log in on the Internet and check my stats and stuff. For whatever reason, its saying my account information isnt right. Im trying to figure it out."

On the recorded conversation, an Xbox Live support staffer asks for his tag, and the gamer gives her the legitimate tag of one of his friends who was on the conference call to Xbox Live with him. She tries the tag and informs him that "it wont come up." After verifying the tag spelling, the support staffer asks if the gamer has a credit card associated with the account.

"I dont know it off the top of my head," the gamer says.

The support staffer then asks the gamer to spell his last name. The gamer gives her a fictitious last name.

"OK, here we go," she says. "What state do you live in?"

"Ohio," he says—another fiction.

"In Wintersville?" she asks.

"Yes," he answers.

"OK, [the gamer tag is] Purplehat," she says.

At this point, the would-be hijacker would still need a credit card to access the account, but the gamer who recorded the support call said that given the information the support staffer had already provided, he was confident he could achieve enough information to break in after another few calls.

His experience backs up the modus operandi posted by the online gaming clan Infamous. It was posted here, but the site has been unavailable since the afternoon of March 21, after stories about the scam began to break. A screenshot of the hijacking recipe is below.

The gamers telephone conversation supports Infamous online description of its hacking method: "Its easy, you call 1800myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah, you might get one little piece of information per call, but then you keep calling and keep calling every time getting a little bit more information every time. Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they cant, but its bull [obscenity], people at bungie CAN and WILL reset your password. Believe me. :)"

Cyber-security and computer experts are increasingly concerned with threats posed by devices such as iPods and Xboxes. Click here to read more.

Microsoft issued a statement March 21 that suggested that the cause of compromised security is gamers themselves, who Microsoft officials said are likely being coerced into giving away personal information.

"Despite some recent reports and speculation, we want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our LIVE network," the statement said. "There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. We think this is a good time to remind our members that they should never give out any of their personal information."

The statement went on to say that, to Microsofts knowledge, there has been no compromise of the Xbox Live network, nor has credit card or other personal information been exposed. The statement then suggests that gamers follow Microsofts conduct guidelines regarding giving out personal information.

Gamers have complained in Xbox Live forums not only of their accounts being hijacked but also of their credit cards and PayPal accounts getting maxed out.

Microsoft had not supplied a response by the time this story was posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel