Xbox account hacked rage-all

Clemenstation wrote:

I still don't have my account back and I've had to give up smoking and I'm starting to rage hard.

But maybe it's a blessing in disguise that I can't play multiplayer online right now?

Weird, because you were online about 3 weeks ago for a few hours. I remember thinking, "Cool. Clem got his account back."
So, if that wasn't you, what was it? Strange.

skeletonframes wrote:
Clemenstation wrote:

I still don't have my account back and I've had to give up smoking and I'm starting to rage hard.

But maybe it's a blessing in disguise that I can't play multiplayer online right now?

Weird, because you were online about 3 weeks ago for a few hours. I remember thinking, "Cool. Clem got his account back."
So, if that wasn't you, what was it? Strange.

I'm guessing the xbox folks who are supposed to be sorting things out? Very slowly, as the case seems to be . . .

Well, you were online again yesterday, so someone's looking at your account. Don't know if that makes you feel better. (I'm sure it doesn't)

Putting this here because it seems the best spot...

This weekend, on the Major Nelson Radio podcast, Alex Garden (GM of XBox Live) indicated that they will be, sometime in the next couple of months, rolling out dual factor authentication to XBox live services.

Link to podcast: http://majornelson.com/cast/2012/02/...

I'm already enjoying the passcode to sign into Live on the 360. Not quite so much that I've put my credit card back on my account and am not just still buying points cards though. Baby steps and all.

I'm still waiting to get my account back. Nearly 2 months later. This is unbelievable! At this point I feel more hatred towards Microsoft's investigation team than the hackers, and am totally regretting that I reported the incident. Should've just sucked up the $80 in lost MS points, changed my password to something crazy inscrutable, and moved on with my life.

Well, you can welcome me to the club. Hacked before my very eyes. A fine way to end Easter Sunday.

I was enjoying a bit of Darkness 2 when a pop up told me that my profile had been signed on to another machine. As I returned to dashboard and signed back in, my iPad pinged 3 times and I received 3 emails that I had bought 3 packs of 2000 points.

I immediately tried to change my 360 password, but he kept logging onto my profile on his machine. I was able to block any new transactions by immediately logging back onto my machine when he logged on to his. At the same time, I cancelled my credit card.

I couldn't remove my card from my XBL account as it insists on keeping a live one, apparently.

The transactions didn't actually go through that card anyway, as I had PayPal set up on my 360. While playing login tennis with this f***ing pile of ****, I removed the card from PayPal, cancelled it with the issuer and filed fraud reports with everyone.

Eventually, he gave up, leaving me with £51 worth of MS points.

I can't get into Windows Live to change my password. It would seem that he got into my XBL through windows live, and changed the password. The really annoying thing is that the email address I used to set up windows live is for company that no longer exists, a fact that I was not aware of until tonight, so I can't even send for a reminder, and get into the account to sort it out and prevent any further access.

Given the day and hour, MS customer service lines are shut, so I went to the online chat option with Xbox customer support. I was told that they can't suspend my account as I can't log into Windows Live, because this distended piece of vestigial rectal flesh changed my password. Only Windows Live support can sort that, and they aren't open until 8am.

It's been 2 hours since he last tried to use my account, but I am worried that he will try again before morning, being quite a determined shred of partially decomposed faecal matter. As far as I can tell, he can't cost me any more money, since everything connected with my XBL account is now cancelled, and I have changed all of my passwords, except Windows Live.

Oddly, the 6000 points have now vanished. None of the companies involved have emailed me to say that the transactions have been blocked, and there isn't 6000 points worth of new content on my account, so I'm a bit confused by that.

I just don't see how MS don't have a kill switch available to staff 24/7 when this kind of thing is reported. "Wait til 8 am", which was 10 hours away when I was first told that, simply doesn't cut it when dealing with people's personal details and money.

Edit: MS refunded the money already! Good on 'em. Bloody paypal charged a handling fee! I set up the pin code thing, so Twatface McThievesalot can't get in now.

Glad to hear you at least got a quick turnaround on the refund, spider_j! I was going to ask if you had the PIN code sign-in thing turned on or not—I got that set up the moment it was available.

If the 6000 points disappeared, what I would guess happened is that the hijacker attached your profile to another account and transferred the points there. That's what happened to me.

CS should take your credit card off your account; that was the first thing they did for me. Now I don't have any payment methods on my Xbox account: when I want to make a purchase, I do it through marketplace.xbox.com, add my PayPal account, buy a thing, then remove my PayPal account.

Good luck with the account restoration.

Thanks Gravey. I didn't even know that the PIN code was there until last night. Given the timings between the points vanishing and the refund, I suspect that MS removed them. My account was logged into my machine the whole time.

spider_j wrote:

Thanks Gravey. I didn't even know that the PIN code was there until last night. Given the timings between the points vanishing and the refund, I suspect that MS removed them. My account was logged into my machine the whole time.

Is this PIN code for XBL or Paypal; I'm interested in it for either.

XBL. You can either set up a password to be entered every time you log into XBL, or you can set up a 4-number PIN where the numbers are entered using buttons on the controller rather than the on-screen keyboard. It's in account settings. They told me today that they are adding some additional levels of security soon, since this is such a huge problem.

There is also another level of security that you can add to Paypal, in the account section.

I have managed to change my Windows Live password now, but still can't change the username from the defunct email address to an active one. I get an error every time.

I spoke to MS this morning, the Xbox team again, and they told me that there is no call centre for Windows Live. I can't even find a way to start a complaint/issue; everything is automated and doesn't help.

I use Windows Live purely for XBL. It is the first time I have ever had anything hacked or hijacked, and they just don't seem to have any decent system for it.

Incidentally, I found a Chinese email address ([email protected]) on my Windows Live address, which must be how they changed my password. Obviously, I have removed it now. When I tried to find a way to tell yahoo that it was being used to commit fraud, I got nowhere at all.

.cn is the China Top Level Domain (TLD), .ca is Canada.

Sorry, mistyped. It was cn.

Hacked this morning. Received a couple of emails with "confirmation codes" from XBOX Live, followed up by SmartGlass notifying me that someone was using my XBOX account. 10,000 points were purchased, and then someone started playing Flight -- which I've never played -- using my account.

Changed all passwords, contacted Microsoft support. Blech.
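The sequence in the post above (a burst of "confirmation code" emails, a sign-in from a device the owner never used, rapid point purchases, then a title the account had never launched) is exactly the kind of ordering a service-side detector should key on. The following is an added example, not code from the original thread or from Microsoft: it runs simple takeover indicators over a constructed activity log. The event format, field names, the `KNOWN_DEVICES`/`TITLE_HISTORY` baseline, the time windows and the weights are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample activity log (an assumption: real service logs use
# different field names). It mirrors the sequence in the post above:
# two code emails, a sign-in from an unknown device, two rapid point
# purchases, then a title the account had never run.
SAMPLE_EVENTS = [
    {"ts": "2013-04-02T07:40:00", "type": "security_code_sent"},
    {"ts": "2013-04-02T07:41:30", "type": "security_code_sent"},
    {"ts": "2013-04-02T07:44:00", "type": "signin", "device": "console-9f3a"},
    {"ts": "2013-04-02T07:46:10", "type": "purchase", "points": 5000},
    {"ts": "2013-04-02T07:47:05", "type": "purchase", "points": 5000},
    {"ts": "2013-04-02T07:55:00", "type": "game_launch", "title": "Flight"},
]

# Constructed baseline for the account: devices the owner has signed in
# from before, and titles the account has previously launched.
KNOWN_DEVICES = {"console-home", "ipad-smartglass"}
TITLE_HISTORY = {"Halo 4", "Forza Motorsport 4"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def takeover_indicators(events, known_devices, title_history,
                        code_window=timedelta(minutes=10), code_threshold=2,
                        spend_window=timedelta(minutes=15)):
    """Return a list of (indicator, detail) pairs found in an account's log.

    Each indicator on its own is benign (the owner may legitimately request
    a code or buy points); the signal is in their ordering and timing.
    """
    evs = sorted(events, key=_ts)
    findings = []

    # 1. A burst of security/confirmation codes: someone is repeatedly
    #    exercising the verification or recovery path.
    codes = [e for e in evs if e["type"] == "security_code_sent"]
    for first in codes:
        burst = [c for c in codes
                 if timedelta(0) <= _ts(c) - _ts(first) <= code_window]
        if len(burst) >= code_threshold:
            findings.append(("code_burst", len(burst)))
            break

    # 2. Sign-in from a device the account has never used.
    new_signins = [e for e in evs
                   if e["type"] == "signin" and e["device"] not in known_devices]
    for s in new_signins:
        findings.append(("new_device_signin", s["device"]))

    # 3. Points bought shortly after an unfamiliar sign-in.
    for s in new_signins:
        spent = sum(p["points"] for p in evs
                    if p["type"] == "purchase"
                    and timedelta(0) <= _ts(p) - _ts(s) <= spend_window)
        if spent:
            findings.append(("spend_after_new_device", spent))

    # 4. A title the account has never launched, after an unfamiliar sign-in.
    for g in evs:
        if (g["type"] == "game_launch" and g["title"] not in title_history
                and any(_ts(s) <= _ts(g) for s in new_signins)):
            findings.append(("unfamiliar_title", g["title"]))

    return findings


# Assumed weights; purchases after a new-device sign-in carry the most.
WEIGHTS = {"code_burst": 2, "new_device_signin": 3,
           "spend_after_new_device": 4, "unfamiliar_title": 1}


def risk_score(findings):
    """Sum indicator weights. A score of 7 or more (an assumed threshold)
    is where a service would hold purchases pending owner confirmation."""
    return sum(WEIGHTS[name] for name, _ in findings)


if __name__ == "__main__":
    found = takeover_indicators(SAMPLE_EVENTS, KNOWN_DEVICES, TITLE_HISTORY)
    for name, detail in found:
        print(f"{name}: {detail}")
    print("risk score:", risk_score(found))
```

The point of correlating rather than alerting on any single event is in the last post of the pair: a code email alone tipped the owner off, but the service itself let the purchases through. A hold triggered by "new device, then spend" would have stopped the 10,000 points before the owner even read the email.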

TheHipGamer wrote:

Hacked this morning. Received a couple of emails with "confirmation codes" from XBOX Live, followed up by SmartGlass notifying me that someone was using my XBOX account. 10,000 points were purchased, and then someone started playing Flight -- which I've never played -- using my account.

Changed all passwords, contacted Microsoft support. Blech.

Good luck with the resolution, HipGamer! Hang tight, but at least take solace in that these things are typically 100% resolved (eventually).

What sort of account security did you have in place? I read an article the other week that hijackers are getting access to accounts through social engineering, I'll try to look for the link.

And by "the other week" I meant "the other month": Report: How Scammers Are Stealing Xbox Live Accounts, and the Few Things You Can Do to Protect Yourself

The key distinction between "jacking" and "hacking" is that these guys aren't forcefully circumventing any software protection measures. What they're doing is, in a nutshell, contacting Microsoft, pretending to be the legitimate account holder, and through poor security and a whole lot of bluffing (usually making excuses as to why information was incorrect or why passwords could not be remembered), getting hold of the necessary reference numbers and information they need to then go on and access a stranger's Xbox Live account.

The hijackers' process is described in the article (by a hijacker), and it's as fascinating as it is concerning. Top tips: don't play Call of Duty, and don't have a desirable gamertag.

This is why I've stopped storing credit cards with any online vendors (except Amazon).

I've either gone all PayPal if it's available, or with my Bank of America credit card they have a tool called ShopSafe where you can generate a unique one-time credit card number. I'm pretty sure other banks have similar tools as well.

PaladinTom wrote:

This is why I've stopped storing credit cards with any online vendors (except Amazon).

I've either gone all PayPal if it's available, or with my Bank of America credit card they have a tool called ShopSafe where you can generate a unique one-time credit card number. I'm pretty sure other banks have similar tools as well.

Something to consider: PayPal is neither a bank nor a credit card issuer, and is not FDIC insured. Should someone gain access to an account tied to PayPal, they can then use any linked payment method or stored funds without any recourse available to you. Many folks tie their PayPal account to their checking account (a terrible idea), meaning that they can have their personal funds drained and have no easy way to reverse those charges.

One-time card numbers are a good idea, but impractical for something like Live, where you need to have a recurring payment method in place and cannot easily add new card numbers given the interface.

Gravey wrote:
TheHipGamer wrote:

Hacked this morning. Received a couple of emails with "confirmation codes" from XBOX Live, followed up by SmartGlass notifying me that someone was using my XBOX account. 10,000 points were purchased, and then someone started playing Flight -- which I've never played -- using my account.

Changed all passwords, contacted Microsoft support. Blech.

Good luck with the resolution, HipGamer! Hang tight, but at least take solace in that these things are typically 100% resolved (eventually).

What sort of account security did you have in place? I read an article the other week that hijackers are getting access to accounts through social engineering, I'll try to look for the link.

In my case: my XBOX profile is blank, I use unique and secure passwords for every login I have, I have a controller-based PIN on the XBOX, and I have only a single credit card tied to Live, so that nobody can drain my primary bank account or get access to checking funds.

I was one of the early hires doing vulnerability testing at @stake, and I still work in the security field. I'm not (well, not that I know of) duped by phishing scams, I generally follow best practices around security and account management, and I'm fairly informed about how these types of things happen. At some point, the onus is on the service provider to train their CSRs better; there was nothing more I could have done to lock down my account on my end. While some form of two-factor authentication for Live would be nice, there is a deeper problem if an "informed consumer" can be victimized so easily.

I just went through my Paypal profile and cancelled a ton of old outstanding billing agreements, just in case. Microsoft in particular was set up to just bill me instantly through PayPal if I bought stuff, and considering all the hack issues, it seems smartest to deauthorize them until I want to buy something, and then deauthorize them again.

TheHipGamer wrote:
Gravey wrote:

What sort of account security did you have in place? I read an article the other week that hijackers are getting access to accounts through social engineering, I'll try to look for the link.

In my case: my XBOX profile is blank, I use unique and secure passwords for every login I have, I have a controller-based PIN on the XBOX, and I have only a single credit card tied to Live, so that nobody can drain my primary bank account or get access to checking funds.

I was one of the early hires doing vulnerability testing at @stake, and I still work in the security field. I'm not (well, not that I know of) duped by phishing scams, I generally follow best practices around security and account management, and I'm fairly informed about how these types of things happen. At some point, the onus is on the service provider to train their CSRs better; there was nothing more I could have done to lock down my account on my end. While some form of two-factor authentication for Live would be nice, there is a deeper problem if an "informed consumer" can be victimized so easily.

Oof, yeah that's what I was wondering: to have done everything right, and still get hijacked. That Kotaku article sounds on track: where was the weak link for you? Maybe the Xbox CSRs, and then what can you do?

There is two-step authentication for Microsoft accounts, though I think it's only for logging in through the Web (I get a text with a code whenever I log in to xbox.com, forzamotorsport.net, etc.).

So between the two-step authentication, PIN code, a random password, requiring that password on any console that isn't mine, and not having any payment method on file, I've done all I can. Hopefully nobody in the seedier corners of the Interwebz thinks they can make much money selling a stupid gamertag like mine, or is lusting after my mediocre and out-of-date MW2 stats.

TheHipGamer wrote:
PaladinTom wrote:

This is why I've stopped storing credit cards with any online vendors (except Amazon).

I've either gone all PayPal if it's available, or with my Bank of America credit card they have a tool called ShopSafe where you can generate a unique one-time credit card number. I'm pretty sure other banks have similar tools as well.

Something to consider: PayPal is neither a bank nor a credit card issuer, and is not FDIC insured. Should someone gain access to an account tied to PayPal, they can then use any linked payment method or stored funds without any recourse available to you. Many folks tie their PayPal account to their checking account (a terrible idea), meaning that they can have their personal funds drained and have no easy way to reverse those charges.

One-time card numbers are a good idea, but impractical for something like Live, where you need to have a recurring payment method in place and cannot easily add new card numbers given the interface.

FWIW, you no longer need to have a recurring payment method on file for Live, and you can easily add or remove methods on the dashboard and on xbox.com. That's what I do, as I've posted about before: go to marketplace.xbox.com, add PayPal account, buy thing, remove PayPal account.

But yes, I do have my PayPal account tied to my chequing account. That's how I lost $290 when my Xbox account was hijacked. Fortunately for me, PP refunded the money within days. I guess I should consider tying it to a credit card instead, which has its own fraud protection (even though my (low) credit limit is way higher than any amount I usually have in my chequing account).

The other other thing is that I use the same e-mail for Xbox and PayPal, which I guess is another security no-no. But do I really need to make a new Gmail account for every profile? I only have 99 invites left.

I was about to remove my payment methods from my (mostly idle) paypal account, but decided to look in settings. There's a security key you can activate via SMS. Start a payment, receive a text, enter the pin, the payment processes.
EDIT: Not sure if this would still allow you to make payments via XBox... or how that would work.

Gravey wrote:

There is two-step authentication for Microsoft accounts, though I think it's only for logging in through the Web (I get a text with a code whenever I log in to xbox.com, forzamotorsport.net, etc.).

So between the two-step authentication, PIN code, a random password, requiring that password on any console that isn't mine, and not having any payment method on file, I've done all I can. Hopefully nobody in the seedier corners of the Interwebz thinks they can make much money selling a stupid gamertag like mine, or is lusting after my mediocre and out-of-date MW2 stats.

That tipped me off first -- at 7:40am EST, someone triggered that code. They bypassed it, however, likely through social engineering.

Forgive my ignorance about PayPal, but every time I purchase something with it the service kicks me over to PayPal where I then have to login to PayPal and authorize the purchase. It's another step, and an attacker would have to have gotten into two different services of mine to authorize payment. (Say Steam and then PayPal for example.)

Am I missing something?

PaladinTom wrote:

Forgive my ignorance about PayPal, but every time I purchase something with it the service kicks me over to PayPal where I then have to login to PayPal and authorize the purchase. It's another step, and an attacker would have to have gotten into two different services of mine to authorize payment. (Say Steam and then PayPal for example.)

Am I missing something?

On the 360 (rather than on the PC), that's not how saved accounts work: credentials are stored on the console, tied to the account. If you have PayPal stored as a payment method, gaining access to your Live account via social engineering would immediately give up access to PayPal as a payment method for Microsoft Points.
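The distinction drawn in the last two posts, a stored billing agreement that the console can charge on the strength of the Live session alone versus a checkout that bounces the buyer to the wallet for a fresh login, is modelled below as an added example. This is not code from PayPal, Microsoft or anyone in the thread: the `Wallet` and `Console` classes, the token mechanism, the passwords, balances and amounts are all constructed for illustration, and the hijacker is assumed to hold a valid Live session (obtained through support, as described upthread) but not the wallet password.

```python
import secrets


class Wallet:
    """Stand-in for a PayPal-style wallet (constructed; not PayPal's API)."""

    def __init__(self, password, balance):
        self.password = password
        self.balance = balance
        # Tokens that authorise a merchant to charge with no further login.
        self.agreements = set()

    def login(self, password):
        return secrets.compare_digest(password, self.password)

    def create_agreement(self, password):
        """Minted once with the wallet password; afterwards the merchant
        charges with the token alone. This is the 'stored payment method'."""
        if not self.login(password):
            raise PermissionError("wallet password required to authorise a merchant")
        token = secrets.token_hex(8)
        self.agreements.add(token)
        return token

    def cancel_agreement(self, token):
        """The 'deauthorise' step: the merchant's token stops working."""
        self.agreements.discard(token)

    def charge(self, amount, token=None, password=None):
        """Accept a charge via a live agreement token or an interactive login."""
        authorised = (token in self.agreements
                      or (password is not None and self.login(password)))
        if not authorised:
            raise PermissionError("no valid agreement or wallet login")
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return True


class Console:
    """Stand-in for the 360 marketplace: the console holds the Live session
    and whatever payment method is attached to the account."""

    def __init__(self, wallet, agreement_token=None):
        self.wallet = wallet
        self.agreement_token = agreement_token   # None = nothing on file

    def buy_points(self, amount, wallet_password=None):
        if self.agreement_token is not None:
            # Stored method: the Live session is the only credential checked.
            return self.wallet.charge(amount, token=self.agreement_token)
        # Nothing on file: the buyer must authenticate to the wallet as well.
        return self.wallet.charge(amount, password=wallet_password)


def drained_by_hijacker(store_payment_method, amount=290):
    """How much someone holding only the Live session can spend.

    The attacker never learns the wallet password, so the only difference
    between the two runs is whether an agreement was left on file.
    """
    wallet = Wallet(password="owner-wallet-pw", balance=1000)
    token = wallet.create_agreement("owner-wallet-pw") if store_payment_method else None
    console = Console(wallet, token)
    try:
        console.buy_points(amount)          # no wallet password supplied
    except PermissionError:
        pass
    return 1000 - wallet.balance


def owner_buy_then_remove(amount=100):
    """The add-buy-remove routine described upthread. Returns the balance
    left and whether the cancelled token can still be charged afterwards."""
    wallet = Wallet(password="owner-wallet-pw", balance=1000)
    token = wallet.create_agreement("owner-wallet-pw")
    Console(wallet, token).buy_points(amount)
    wallet.cancel_agreement(token)
    try:
        Console(wallet, token).buy_points(amount)
        token_still_works = True
    except PermissionError:
        token_still_works = False
    return wallet.balance, token_still_works


if __name__ == "__main__":
    print("drained with PayPal on file:", drained_by_hijacker(True))
    print("drained with nothing on file:", drained_by_hijacker(False))
    print("owner add/buy/remove:", owner_buy_then_remove())
```

The model makes the trade-off explicit: a stored agreement collapses two authentication boundaries (Live and the wallet) into one, so whoever talks the support desk into handing over the Live account inherits the wallet's spending power. Removing the method after each purchase, as suggested above, restores the second boundary at the cost of a few extra steps per transaction; the PayPal SMS security key mentioned earlier is another way to put a check back in front of the charge, though as that poster notes it is unclear how the console flow would handle it.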