Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Xbox Phone Staffers Giving Away Private Information



 By: Lisa Vaas
2007-03-22
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Hijackers are getting access to Xbox Live gaming accounts, credit cards and PayPal accounts by repeatedly calling customer service representatives.

Hijackers are getting access to Xbox Live gaming accounts, credit cards and PayPal accounts with repeated calls to support staff, who are easy prey for social engineering stunts.

Going against Microsofts own privacy policy, Xbox Live telephone support personnel are giving away gamer tags based on made-up information. One gamer who requested anonymity shared with eWEEK a taped telephone conversation in which he called the Xbox Live phone support number on March 21 and wound up getting a valid gamer tag based on simply making up a name and the state in which he supposedly lives.

An excerpt of the conversation:

Gamer: "Im trying to link my gamer tag to Xbox Live so I can log in on the Internet and check my stats and stuff. For whatever reason, its saying my account information isnt right. Im trying to figure it out."

On the recorded conversation, an Xbox Live support staffer asks for his tag, and the gamer gives her the legitimate tag of one of his friends who was on the conference call to Xbox Live with him. She tries the tag and informs him that "it wont come up." After verifying the tag spelling, the support staffer asks if the gamer has a credit card associated with the account.

Resource Library:
"I dont know it off the top of my head," the gamer says.

The support staffer then asks the gamer to spell his last name. The gamer gives her a fictitious last name.

"OK, here we go," she says. "What state do you live in?"

"Ohio," he says—another fiction.

"In Wintersville?" she asks.

"Yes," he answers.

"OK, [the gamer tag is] Purplehat," she says.

At this point, the would-be hijacker would still need a credit card to access the account, but the gamer who recorded the support call said that given the information the support staffer had already provided, he was confident he could achieve enough information to break in after another few calls.

His experience backs up the modus operandi posted by the online gaming clan Infamous. It was posted here, but the site has been unavailable since the afternoon of March 21, after stories about the scam began to break. A screenshot of the hijacking recipe is below.

The gamers telephone conversation supports Infamous online description of its hacking method: "Its easy, you call 1800myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah, you might get one little piece of information per call, but then you keep calling and keep calling every time getting a little bit more information every time. Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they cant, but its bull [obscenity], people at bungie CAN and WILL reset your password. Believe me. :)"

Cyber-security and computer experts are increasingly concerned with threats posed by devices such as iPods and Xboxes. Click here to read more.

Microsoft issued a statement March 21 that suggested that the cause of compromised security is gamers themselves, who Microsoft officials said are likely being coerced into giving away personal information.

"Despite some recent reports and speculation, we want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our LIVE network," the statement said. "There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. We think this is a good time to remind our members that they should never give out any of their personal information."

The statement went on to say that, to Microsofts knowledge, there has been no compromise of the Xbox Live network, nor has credit card or other personal information been exposed. The statement then suggests that gamers follow Microsofts conduct guidelines regarding giving out personal information.

Gamers have complained in Xbox Live forums not only of their accounts being hijacked but also of their credit cards and PayPal accounts getting maxed out.

Microsoft had not supplied a response by the time this story was posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Microsoft Xbox Phone Staffers Giving Away Private Information
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}ks۸qf89zڎ-9։mXJ5̑GAnnkp[J^׵Sq>t;'=r:;{'׼ ;Aڼ+ o$&7 JDTRBp$" PcbCG$@Bs.oVS+~ASC T$0L" J1zĢ>QukOEuuyHu|ztn |')ĠV*PFbЊ%+gxk_-:OOfKN:W>nu83`BәmiqmUZv\? /xSR&چa#U}IͽGb9}lIo]~::k$ׅcYn0o-Yn]H.ޕ|T|Y|ěa0̱o>0@|sH`6dʱ(|ǺrN~mE'}6kiB! )B:%y[5Hr Ca)#8?%Wi8@rYSl \o4'M2X U >hI,A[!fT}N}%I FBBp4]-7+De,,ɺ s5-w:Y?iQw9~j>]{ٹvym|hUbyƆƇj",$ uuTSt*t ?J jExQWWL@F m!S[ö@ .C:gV},}0 ZC>/=S:4g@Ӑ?: M/6C˥~j11 @ LNa 8V83 tCuәݰ=U sJ}D%h-DCw`c˦MB9;ǻerkmM~(wE@>X^0G`^@Z8`88ʼ E]qb3B7}woNou&̠޻Ԇ!~9.Wb&;A/tStI!VB!7OH wz@neHݤ|r%e{R{`ELE2a5=%ӻ>^`3h{q#%Ag =e河xOtYKnuo?յ݋pz9(KӺJj'/H#o` m_EڠueLGi K-C IP֦(X +ezdxy62&CInQx{gOk]0\PeeȄenê%M*K ʸA>`@DLl5K թw츀4="I;k\Ocg@>`әǟG(a!w1JkX$l M=̔:Y[ |@'K |o2tJ.k>uM^\Ζݓ#]4ޙ|rj P[aHz{>cTfla82-|?x;؈y /ƨ'Q?{2,exY΁5mIr'j3s4\}Zj,89!Po5>  4 đMTBYaX;(l]x|굇12qŝa&1?@&R)Ö1Sg`iG[T&Ał4q ֚p̈́OuϘc_g>Ѐ!ak"A.4b>\PXt> r+b$8:T:$ަ݀RI?IL!B3ݧ]=1g 2~3@@hVBc{ZYUKâZTPY+g7#SFOH.5`}g4ڗ'y_ޝ{7ưeO)Z`3TxK}`x䓋2,*`Ȳ|˘ մv2RWo鸙 kQ葫VJ lHDO"K>A:T{% 30XfSf~ruWKU08. (wtf_MWEnCzORD7PUL xg4sDcC6VNL헅m"Z;"V ̼~j~9p驔rgPWtqM×[;jKo3_靦cORzQ|Z%W:ju[|$cPQ]|UCUX)TԒ?IXᐋN#EZk"ZAX_xLl5AKfl!/`.P(c/hDmR.)3na/ ~egm> Q?PG e-BwYb @ +3kKqmO+Kz&u UP6ndU:*ijARO“pӁ9tGl~"tDơh2)dnQ==׵!n@ ?ws~̾>adJ@*5]*; 1ss81ZbzQ"Y @rrjT + ePxp|{W !CM8q=^a?qp-49^I(4T xϰL' eVqm2 cov/?Bﵪ01AE6 wcyIV~ZgZq t,+?v~n7{}EO:iϾ!(=~fm?<{aAVi/ЏWKΟKKx4Ծh~= C:.R&Ӹoٷ)P K1NCbw}ɾ3zZ^6銿F>;kk"$r:yCB|IsֹGY%%{u.[Oj܉g, Y# BW ͦ5fpR`Qs 5{0L5)/sl]qbiNZ _Ok5W'7haF`vY_aݪ,$"!|C(Wtzȃ}E9{B*lw/_#i9LB `E/ԩ #~DrIGzRFijfsDg G1^VR-[N7c+d$#?^/8݃͟*WVRǭϤsGHY 8/g`!IB882 7{KP .Mu>RQJh"g8Q;)~ڰ{, /=;SL$M(4ia%uyjdJ1%SBt 2L P,O&y=%lQ1 i(KBih%lbTHRoN{ٸ6<1ަm晿LƗHã ,-I+4$/EiA0ǍPR#AhqP>XkI)j[YUH*?vƇ!qbwy~@0GW倜|1{~T߯Hl3`=Ҷ_mzǜGoQM21ɘKԍ A/ֳs4GלO)|si9<3m~`'6<U]q")6Xfx>TA vY?yxXn8ivEGgi\|靂&G-Я>w H-Э>5?y{ho&<)sdzIlu 9obJgfnהŞ`6 ݥovV8}'i?vݷ;޽¾"CWqjk:i)@Nt,$$yUZ/WU3$]te%FtZx@2M3}:JfzӼ4iAhfl3O7nC\j~l]C@{~mq.e~W(TR-.bOk$J骇v9c]MT--^\RK>]+Uk< hvo"Y!0N آ7=ef7#Ÿր!{ Rb'ᛜ;a!ϑ +Ӡ9m&s{$;gr0 )$T0hl?|nwcLRx266y)1h4Ro7lf8W  ֍N 7V9e/QFD5>>dFh>`eݢ^7v=3J+-`rd%qSdR6KmjGѴ=;C =9| d؀Ûp/UP@=ݮ %-[H`^ >3B4=5'x6sizuԅn@KkS_Œt] ʥJA)e$B -gP* &coRk{rQ+K 4Љ 2eƗڥtRuZ,h AAī ;!e*Qz6DzH:,Üb=UK)]sHoƥ(`e:f[*B5zy:$Ml`0:ߋ`+DS/)/I,@0_(KUIcT20q8/0*RXT,A'fdJM":6DbzȊ*be@G8D 1̳*YPosjqR~`_*°zqwwwwwwww5twp,+,ÅkݗR{Hu TQZ9L9WޯW{O6jqQEGVlTXsgb@dllѭ/*3L t)^4}/jj;MPo\uCJ(<7~L(XzsM300kxgwxCR=xé{6!sr {U5-$FHDIlC /SK6OŖ<1!e7C}Lj"Z?řyLܗ.Re'`G]PH ȣѰ@ E7ӽ LL+5R9 PZxDD!0խ h(q$ R@>I)ooHXPV2 CY*PVb1(մ n>}phW]!Qߝ^ߝ^ߝ^ߝ^ӫZ.jE+{&g *-k. kC1^&^&2 ׫;?mݓ}7]jV| S~ԝ8Sk(2U@BfڷyMHV3=t9l6r{y!Թ)~Msl%a%]6X@K ,a ½u0X$jHyoηvEw2ԱcY:^fͤaq$n #>g֐l,͐$KJ>ն , v-}5󌨉D͖oOQD(U``.-LIǺe0s'`Yn(u[jxmRSLJݹzH A.6>/oτƕ1w)x@X?fK6NϹ_8{7.U >\Z)}nK[(CZPBZj’kM=I\tp0RG5Śx KN^r59#Ÿ R"RV./>Jl?QXRC /(/͛I~1e40bS,^4ҨJ11ǜS+<\(.HQ,:-~e=_@Fw3 n /TJ9t[`ɣ.j". JD-~0h1]ggCyZŠx!Vi ?l+=q,vX5.zu3Zi<"} ޼vgO%ܬDMn߬ڝ5&<-1ڢ#R;ˮ #X@w [K`65~OR.g@%[5\Z 0./5)lX-TsZ.WsW5Upc"j\i<׹)2`zEڒVo4Jz ,AM O@99m6=h0,;@$]jg~R߈uXy0W0~dF+iFwF# I=_!Ƙu)K Ɖxb*1bFeզɝ$7xgi u/x{~ B {=Ll~GhM,kx|Ul|%w[9ަ۶ IJXF[FS.o ^j$w{p><<|6ژykiF$YcV`_q!ԓFG)׀!T"Ba=X@*>IoH&]U# `xJQ<[Hh]wZ^몋V <3Cym"yf"Ж~)TfR|E2ѱ CO좺txY& 寀R,tQ:..( o$H([PXP؟?&1P7Rjs# a/x ` 3 u|``EP00aLn?ѧaP/nNti @fy,p͒w\j:rtT(ʞ2|{@u3sRS¤vxX-><' .yHcI ^iN4_X"o64| =܇>RXX_1[> MꪂOJ 2,=VR"<>A~guEQq H@+^@03:%bƤ=`frMtc޸+bzh,.6!2= vL*a^e5DM@*8!(6Fyvllŵ6vg5^Lˢcg!uD t{r:X)` ZQe p!>EZ=ҹhIJ/6΀2?BnjP5 ʯ֗7R(d#֗7VF1/?dCF?|OO۹i{}yпvF?Ӿ(3f/Y|v9gggssyρ>3<>G/2?gBiF?P~Q{1?sw1'? ɐ/@q _fsA?]7c]7c=^~_חA_sV9s>>gʯʁ~3ڿh:N272q S*R~A/2ȋ+OY射8(߇ yVV<^`]dkx.rf f{%;[?_ۗǝfr]!,.5PUZk3/Y[Sݴq c- {}ih}0^Z/ޤ2/ydֺWWVWlNAm(O5y}³2پGY]Vl<-t&j\ef(+@J~t p7xifz:t}aOvHqֿl|hlZ+O>j*85ߜ:RN ?,RKtAc,޻'/!4Dz|jpO4psn ~}}7,Hj$RiErT)ܑN0mFGDd10UUEVro9 VVK D`q9CTx|Feiګ,Psc<{+4wаY-P=^?FG&jlk_ƴmBfPսD<'u~m

oє^\CrN*˗ X֭2qdxd`a{:՞/kf7:aKƈ DMKIn_!gmx'G[̗`wȼ!V0BNXs?/ C弡t'asbLZ mf9>wjqe ̸R_`v;]3&2D §n3 &`Th$Ơ}֝D#[#XYNƄ_ðh_n=,N7"4΃ouݞ45"v[~m@8>qcm og[=Ǚ*;Svԙ%O_M70ƚ1)M::D{5`/C 8$Ҵ)ILt1?ul71/t}$n︀.;osO)D^P&d7 ?>KGJ= 9$Id`M߀93t^ ɡ=$>x*8]vu$$}9= zH{GVߜs7QH頲;ȹ]0 @ .)H[a>$_{6UA%#;ql>;Kuonu }@͸1,;ԟ"12qjF߮eh#IM&Ah&.W5b8gCbjBZ9= S%JuF*HԲx*D[:SAWC 3қ1]c *|? Oe Mwt0͡okn>Q$L{ˍ_$%\"d<l4@FWD0;"6Zim,#sE%X,8/# kuf_-r ΦkOWtm:y@t z-EOfu ݎ2JL\iĶ`:Vږ*zYD1e~}=3Ӳg(q",@PކᠢW5`/9H^(|9NRjãHǸӭ [ qy6` <Щ1D\bգ˶)E9b릍 ѨpCTؖE'dS^m'7u ۲|ږa=rks`CΜ U  =[=܋;}#\:1F`w^=͓ lI12, $8jVI;;a0&iE-㨤t`C v_ʉ~ph[?҈>A wVǰYF!Ƨ7'TS*4.>ϭn/4xDh^wL_ x%L+DdzUN Z ^chX$֬-"K꺘#'yQs3=v-x7M&Sga+cPMYjcL1G],@<փ LW{څGQ lv* X>ˣŬ"&D0Ȯ'R:tsh;h[3T*Da$8R3 ⛌Ej Z.t3\0OyqBaʩȩ(v}_\%hw2b5Š biS