DVDFILE.COM Forum - View Single Post - XBox live hacked and my friends credit card # swiped?

Ruined · 05-05-2008, 04:30 PM

It does suck but there are a couple of things to keep in mind:

1. There is no realistic way to hack or steal an XBOX Live account password without the user somehow compromising it. Some examples of this might be:

* User voluntarily enters their XBOX Live username/password in a phishing/scam email that appears to be coming from XBOX.COM but if looked at closely is actually from a rogue website. This is also usually how identity theft happens, as well as stolen Steam accounts.

* User enters their XBOX Live username/password in friend's console, and saves the information there. Their friend may then compromise the password in any of these ways alos.

* User's password sucks. An example of this is a person with gamertag "Freddy" and password "freddy". Might be convenient to remember, but it is also easily guessed. It is always good to use numbers in your password as well as words that will not easily guessed, with a length of ~8 characters minimum to be immune to brute force attacks.

2. The person who hijacked the account essentially has permanent free copies of the XBOX Live Arcade games and DLC he bought on his XBOX 360 hard drive, wherever that XBOX 360 is located. However, these games and DLC are also permanently stored in the original user's XBOX Live account. So this person's son's account now has access to all of these games bought. If the charge is disputed, Microsoft is going to have to go through the person's account and remove the DRM license for all games claimed to not be downloaded by the original user otherwise the son will have free access to all of the games bought by the other person. Note that Microsoft keeps track of the IP address of all download purchases, so they will likely not refund the money if the content was in actuality bought by the son in his own house and he is using the theft as an excuse -which is of course a possibility Microsoft must investigate.

3. The whole Zune points thing baffles me. As far as I know any Zune points bought with the account are deposited directly into the account. While that person could then buy Zune songs, Zune DRM is setup that it requires online re-authorization of songs at certain points (unlike 360 DRM) I believe. So while those downloaded songs might temporarily work, once the account is recovered I believe they will cease working so buying them would be pointless in the first place.

4. Everytime Microsoft points are purchased, Microsoft immediately notifies the person via the gamertag-associated email how many points were purchased and on what date/time they were purchased. Therefore this person should have been receiving emails every time the thief bought points, as he claims his email address remained intact for the account. This should have immediately prompted him that his account was hijacked and if he was more cogent he probably could have prevented the said damage earlier.

Just some points to keep in mind. There is no real reliable way to "intercept" or "hack" a 360 or Steam password through the internet. Some sort of user error is generally involved whether it is falling for a scam email or using a weak password, where the user voluntarily gives up their password to the thief unknowingly or simply does not use a good password to protect their account in the first place.

05-05-2008, 04:30 PM	#11 (permalink)
Ruined It's Good to Play Together Join Date: Oct 2001 Location: NJ, USA	It does suck but there are a couple of things to keep in mind: 1. There is no realistic way to hack or steal an XBOX Live account password without the user somehow compromising it. Some examples of this might be: * User voluntarily enters their XBOX Live username/password in a phishing/scam email that appears to be coming from XBOX.COM but if looked at closely is actually from a rogue website. This is also usually how identity theft happens, as well as stolen Steam accounts. * User enters their XBOX Live username/password in friend's console, and saves the information there. Their friend may then compromise the password in any of these ways alos. * User's password sucks. An example of this is a person with gamertag "Freddy" and password "freddy". Might be convenient to remember, but it is also easily guessed. It is always good to use numbers in your password as well as words that will not easily guessed, with a length of ~8 characters minimum to be immune to brute force attacks. 2. The person who hijacked the account essentially has permanent free copies of the XBOX Live Arcade games and DLC he bought on his XBOX 360 hard drive, wherever that XBOX 360 is located. However, these games and DLC are also permanently stored in the original user's XBOX Live account. So this person's son's account now has access to all of these games bought. If the charge is disputed, Microsoft is going to have to go through the person's account and remove the DRM license for all games claimed to not be downloaded by the original user otherwise the son will have free access to all of the games bought by the other person. Note that Microsoft keeps track of the IP address of all download purchases, so they will likely not refund the money if the content was in actuality bought by the son in his own house and he is using the theft as an excuse -which is of course a possibility Microsoft must investigate. 3. The whole Zune points thing baffles me. As far as I know any Zune points bought with the account are deposited directly into the account. While that person could then buy Zune songs, Zune DRM is setup that it requires online re-authorization of songs at certain points (unlike 360 DRM) I believe. So while those downloaded songs might temporarily work, once the account is recovered I believe they will cease working so buying them would be pointless in the first place. 4. Everytime Microsoft points are purchased, Microsoft immediately notifies the person via the gamertag-associated email how many points were purchased and on what date/time they were purchased. Therefore this person should have been receiving emails every time the thief bought points, as he claims his email address remained intact for the account. This should have immediately prompted him that his account was hijacked and if he was more cogent he probably could have prevented the said damage earlier. Just some points to keep in mind. There is no real reliable way to "intercept" or "hack" a 360 or Steam password through the internet. Some sort of user error is generally involved whether it is falling for a scam email or using a weak password, where the user voluntarily gives up their password to the thief unknowingly or simply does not use a good password to protect their account in the first place. __________________ For every shadow, no matter how deep, is threatened by morning light. Last edited by Ruined : 05-05-2008 at 04:38 PM.